Among the thousands of vulnerabilities disclosed so far in 2022, we highlight five and explain why they matter.
With over 6,000 vulnerabilities disclosed this year, cyber security teams have faced, as usual, a challenge to keep up, especially as a number of these software bugs have captured significant media attention. In this article, we’ll provide guidance and clarity on five vulnerabilities to help you better understand why they had an impact and why they all should be on your radar screen. As you will read, these vulnerabilities share common traits, and a closer examination of them offers insights into the breadth and depth of the current vulnerability landscape.
CVE | Description | VPR*
CVE-2022-1096 | Google JavaScript V8 Chrome engine Vulnerability | 9.6
CVE-2022-0847 | Linux Kernel Vulnerability | 9.8
CVE-2022-26809 | Zero-click – Microsoft RPC Vulnerability | 9.6
CVE-2022-22965 | Spring4Shell – Spring Core Framework Vulnerability | 9.7
CVE-2022-1388 | F5 BIG-IP Vulnerability | 9.6
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on DATE and reflects VPR at that time.
CVE-2022-1096 | Google Chrome
Tags: ahead of NVD coverage, zero-day vulnerability
On March 23, Google announced a zero-day vulnerability in the Google JavaScript V8 Chrome engine potentially impacting billions of users.
Reserved with the CVE-2022-1096 identifier on the National Vulnerability Database (NVD), it is a type-confusion vulnerability affecting Chrome’s core.
As Google reported, it has been confirmed that this security flaw is being exploited in the wild. Upon successful exploitation, the security flaw allows attackers to execute arbitrary code on the affected asset.
Although the vulnerability was disclosed, its details haven’t yet been published in the NVD. Tenable provided Nessus plugin coverage as of March 25.
Exploitation and how Tenable helps
As of today, there are no public proof of concept (PoC) exploits available, although the vulnerability is being exploited in the wild. Google released an emergency update with a security fix in Chrome 99.0.4844.84. A patch is also available for Chromium-based Microsoft Edge. Other Chromium-based browsers include Opera, Samsung Internet and Amazon Silk.
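The fixed build above can be checked across an inventory of reported Chrome versions. The following is an added example, not Tenable's or Google's code; the host names and version strings are constructed, and the function names are hypothetical. It covers Google Chrome's build numbering only, since the article gives no fixed version for Edge or the other Chromium-based browsers.

```python
import re

# Fixed build named in the article for CVE-2022-1096.
FIXED_CHROME = (99, 0, 4844, 84)

# Four dot-separated numeric components, not embedded in a longer number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the four-part version as a tuple of ints, or None if absent."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_output):
    """Classify one host's reported Chrome version string."""
    version = parse_chrome_version(version_output)
    if version is None:
        return "unknown"  # never treat an unparseable report as patched
    # Tuples compare numerically per component, so 4844.9 < 4844.84,
    # which a plain string comparison would get wrong.
    return "patched" if version >= FIXED_CHROME else "vulnerable"


def triage(inventory):
    """Map host -> status for a {host: version_output} inventory."""
    return {host: classify(output) for host, output in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 99.0.4844.84",
    "ws-002": "Google Chrome 99.0.4844.82",
    "ws-003": "Google Chrome 99.0.4844.9",
    "ws-004": "Google Chrome 100.0.4896.60",
    "ws-005": "chrome: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a follow-up check rather than being counted as patched.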
CVE-2022-0847 | Linux Kernel
Tags: ahead of NVD coverage
Discovered on February 20 and reserved in the NVD as CVE-2022-0847, this vulnerability, also known as Dirty Pipe, affects the Linux kernel 5.8 and allows attackers to overwrite data in arbitrary read-only files upon successful exploitation.
Although it was disclosed in the NVD on March 10, Tenable provided plugin coverage as of March 7.
Exploitation and how Tenable helps
Exploitation of this vulnerability is known, with a PoC released on the same day as the vulnerability’s discovery. A patch is available for this vulnerability.
CVE-2022-26809 | Microsoft
Tags: ahead of NVD coverage, zero-click
With more than a million potentially impacted machines, this vulnerability is likely eliciting bad WannaCry memories among many security teams.
On April 12, Microsoft announced a remote code execution (RCE) vulnerability affecting Microsoft RPC. Reserved as CVE-2022-26809 in the NVD, this vulnerability, known as “Zero Click,” allows an unauthenticated, remote attacker to perform remote code execution by sending “a specially crafted RPC call to an RPC host.”
The vulnerability was added to the NVD on April 15. Tenable provided plugin coverage on April 12.
Exploitation and how Tenable helps
On April 20, Microsoft provided guidance for mitigation. A patch is available for this vulnerability. For more information on this vulnerability and Tenable support, check out our Microsoft Patch Tuesday alert from Tenable Research.
CVE-2022-22965 | Spring Core Framework
Tags: ahead of NVD coverage, zero-day vulnerability
Discovered on March 30, this vulnerability is better known as Spring4Shell. Reserved as CVE-2022-22965 in the NVD, it is an RCE vulnerability affecting the Spring Core Framework.
It was disclosed in the NVD on April 1st. Tenable provided plugin coverage as of March 31.
Exploitation and how Tenable helps
An exploit for this vulnerability is known, and a patch is available. For more information on this vulnerability and Tenable support, read our Cyber Exposure Alert from the Tenable Security Response Team.
CVE-2022-1388 | F5 BIG-IP
Tags: CISA-Known Exploit, Exploited in the wild
Announced on May 4 and reserved as CVE-2022-1388 in the NVD, this authentication bypass vulnerability affects the REST component of BIG-IP’s iControl API. This vulnerability allows undisclosed requests to possibly bypass iControl REST authentication.
Exploitation and how Tenable helps
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its catalog of known exploited vulnerabilities. A list of Tenable plugins to identify this vulnerability can be found here. A patch is available. For more information on this vulnerability and Tenable support, read our Cyber Exposure Alert from the Tenable Security Response Team.
Conclusion
This article provided awareness of some critical vulnerabilities that security teams should have pinned on their maps, as they pursue proper and proactive cyber hygiene in their IT environments.
These five vulnerabilities are admittedly only the tip of the overall vulnerabilities iceberg, but they represent the variety of challenges and complexities in the current vulnerability landscape. They are examples of critical vulnerabilities that a proactive security team must be aware of and prepared for so that they can protect their organizations from attacks that try to exploit these vulnerabilities.
It is worth mentioning how Tenable provided plugin coverage ahead of NVD coverage for most of the highlighted vulnerabilities. To shed some light on the area: the process of defining vulnerabilities in the NVD can be a lengthy one due to its by-design formalization rules. At Tenable, we aim to offer a proactive approach to vulnerability management and fast-response detection and we advise that you do too.
Learn More
Download Tenable’s 2021 Threat Landscape Retrospective
Attend the webinar: Tenable Research 2021 Recap and Defender’s Guidance for 2022
Read the blogs:
https://www.tenable.com/blog/the-2021-threat-landscape-retrospective-targeting-the-vulnerabilities-that-matter-most
https://www.tenable.com/blog/behind-the-scenes-how-we-picked-2021s-top-vulnerabilities-and-what-we-left-out
Follow our Cyber Exposure Alerts