FEDORA-2022-39e057bc6d
Packages in this update:
cups-2.3.3op2-18.fc35
Update description:
Security fix for CVE-2022-26691
Among the thousands of vulnerabilities disclosed so far in 2022, we highlight five and explain why they matter.
With over 6,000 vulnerabilities disclosed this year, cyber security teams have faced, as usual, a challenge to keep up, especially as a number of these software bugs have captured significant media attention. In this article, we’ll provide guidance and clarity on five vulnerabilities to help you better understand why they had an impact and why they all should be on your radar screen. As you will read, these vulnerabilities share common traits, and a closer examination of them offers insights into the breadth and depth of the current vulnerability landscape.
| CVE | Description | VPR* |
| --- | --- | --- |
| CVE-2022-1096 | Google JavaScript V8 Chrome engine Vulnerability | 9.6 |
| CVE-2022-0847 | Linux Kernel Vulnerability | 9.8 |
| CVE-2022-26809 | Zero-click – Microsoft RPC Vulnerability | 9.6 |
| CVE-2022-22965 | Spring4Shell – Spring Core Framework Vulnerability | 9.7 |
| CVE-2022-1388 | F5 BIG-IP Vulnerability | 9.6 |
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on DATE and reflects VPR at that time.
Tags: ahead of NVD coverage, zero-day vulnerability
On March 23, Google announced a zero-day vulnerability in the Google JavaScript V8 Chrome engine potentially impacting billions of users.
Reserved with the CVE-2022-1096 identifier on the National Vulnerability Database (NVD), it is a type-confusion vulnerability affecting Chrome’s core.
As Google reported, it has been confirmed that this security flaw is being exploited in the wild. Upon successful exploitation, the security flaw allows attackers to execute arbitrary code on the affected asset.
Although the vulnerability was disclosed, its details haven’t yet been published in the NVD. Tenable provided Nessus plugin coverage as of March 25.
As of today, there are no public proof of concept (PoC) exploits available, although the vulnerability is being exploited in the wild. Google released an emergency update with a security fix in Chrome 99.0.4844.84. A patch is also available for Chromium-based Microsoft Edge. Other Chromium-based browsers include Opera, Samsung Internet and Amazon Silk.
Tags: ahead of NVD coverage
Discovered on February 20 and reserved in the NVD as CVE-2022-0847, this vulnerability, also known as Dirty Pipe, affects the Linux kernel 5.8 and allows attackers to overwrite data in arbitrary read-only files upon successful exploitation.
Although it was disclosed in the NVD on March 10, Tenable provided plugin coverage as of March 7.
Exploitation for this vulnerability is known, with a PoC released on the same day of the vulnerability’s discovery. A patch is available for this vulnerability.
Tags: ahead of NVD coverage, zero-click
With more than a million potentially impacted machines, this vulnerability is likely eliciting bad WannaCry memories among many security teams.
On April 12, Microsoft announced a remote code execution (RCE) vulnerability affecting Microsoft RPC. Reserved as CVE-2022-26809 in the NVD, this vulnerability, known as “Zero Click,” allows an unauthenticated, remote attacker to execute code remotely by sending “a specially crafted RPC call to an RPC host.”
The vulnerability was added to the NVD on April 15. Tenable provided plugin coverage on April 12.
On April 20, Microsoft provided guidance for mitigation. A patch is available for this vulnerability. For more information on this vulnerability and Tenable support, check out our Microsoft Patch Tuesday alert from Tenable Research.
Tags: ahead of NVD coverage, zero-day vulnerability
Discovered on March 30, this vulnerability is better known as Spring4Shell. Reserved as CVE-2022-22965 in the NVD, it is an RCE vulnerability affecting the Spring Core Framework.
It was disclosed in the NVD on April 1st. Tenable provided plugin coverage as of March 31.
An exploit for this vulnerability is known, and a patch is available. For more information on this vulnerability and Tenable support, read our Cyber Exposure Alert from the Tenable Security Response Team.
Tags: CISA-Known Exploit, Exploited in the wild
Announced on May 4 and reserved as CVE-2022-1388 in the NVD, this authentication bypass vulnerability affects the REST component of BIG-IP’s iControl API. This vulnerability allows undisclosed requests to possibly bypass iControl REST authentication.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its catalog of known exploited vulnerabilities. A list of Tenable plugins to identify this vulnerability can be found here. A patch is available. For more information on this vulnerability and Tenable support, read our Cyber Exposure Alert from the Tenable Security Response Team.
This article provided awareness of some critical vulnerabilities that security teams should have pinned on their maps, as they pursue proper and proactive cyber hygiene in their IT environments.
These five vulnerabilities are admittedly only the tip of the overall vulnerabilities iceberg, but they represent the variety of challenges and complexities in the current vulnerability landscape. They are examples of critical vulnerabilities that a proactive security team must be aware of and prepared for so that they can protect their organizations from attacks that try to exploit these vulnerabilities.
It is worth mentioning that Tenable provided plugin coverage ahead of NVD coverage for most of the highlighted vulnerabilities. To shed some light on the area: the process of defining vulnerabilities in the NVD can be a lengthy one due to its by-design formalization rules. At Tenable, we aim to offer a proactive approach to vulnerability management and fast-response detection, and we advise that you do too.
Download Tenable’s 2021 Threat Landscape Retrospective
Attend the webinar: Tenable Research 2021 Recap and Defender’s Guidance for 2022
Read the blogs:
https://www.tenable.com/blog/the-2021-threat-landscape-retrospective-targeting-the-vulnerabilities-that-matter-most
https://www.tenable.com/blog/behind-the-scenes-how-we-picked-2021s-top-vulnerabilities-and-what-we-left-out
Follow our Cyber Exposure Alerts
cups-2.4.2-1.fc36
New release 2.4.2, fixes CVE-2022-26691
vim-8.2.5046-1.fc34
Security fixes for CVE-2022-1851, CVE-2022-1898, CVE-2022-1897, CVE-2022-1927
Joshua Mason discovered that CUPS incorrectly handled the secret key used
to access the administrative web interface. A remote attacker could
possibly use this issue to open a session as an administrator and execute
arbitrary code. (CVE-2022-26691)
It was discovered that CUPS incorrectly handled certain memory operations
when handling IPP printing. A remote attacker could possibly use this issue
to cause CUPS to crash, leading to a denial of service, or obtain sensitive
information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04
LTS. (CVE-2019-8842, CVE-2020-10001)
vim-8.2.5046-1.fc35
Security fixes for CVE-2022-1851, CVE-2022-1898, CVE-2022-1897, CVE-2022-1927
Interesting paper by Lennart Maschmeyer: “The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations”:
Abstract: Although cyber conflict has existed for thirty years, the strategic utility of cyber operations remains unclear. Many expect cyber operations to provide independent utility in both warfare and low-intensity competition. Underlying these expectations are broadly shared assumptions that information technology increases operational effectiveness. But a growing body of research shows how cyber operations tend to fall short of their promise. The reason for this shortfall is their subversive mechanism of action. In theory, subversion provides a way to exert influence at lower risks than force because it is secret and indirect, exploiting systems to use them against adversaries. The mismatch between promise and practice is the consequence of the subversive trilemma of cyber operations, whereby speed, intensity, and control are negatively correlated. These constraints pose a trilemma for actors because a gain in one variable tends to produce losses across the other two variables. A case study of the Russo-Ukrainian conflict provides empirical support for the argument. Qualitative analysis leverages original data from field interviews, leaked documents, forensic evidence, and local media. Findings show that the subversive trilemma limited the strategic utility of all five major disruptive cyber operations in this conflict.
vim-8.2.5046-1.fc36
Security fixes for CVE-2022-1851, CVE-2022-1898, CVE-2022-1897, CVE-2022-1927
A Buffer Overflow vulnerability in the RSTP server component of Eufy Indoor 2K Indoor Camera allows a local attacker to achieve remote code execution.
This issue affects: Eufy Indoor 2K Indoor Camera 2.0.9.3 version and prior versions.