The Cybersecurity and Infrastructure Security Agency (CISA) has added a Critical WatchGuard and two Microsoft Active Directory (AD) flaws, along with five other vulnerabilities to its Known Exploited Vulnerabilities Catalog.
An attacker could exploit these vulnerabilities to take over impacted systems.
WatchGuard CVE-2022-23176
According to CISA, one of exploited flaws is the authentication bypass vulnerability CVE-2022-23176 that affects WatchGuard Firebox and XTM devices.
“WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access,” WatchGuard explained in the advisory.
WatchGuard previously released firmware updates for affected products as noted in the NIST security advisory for CVE-2022-23176 (CVSS score 8.8):
- Enhancements and Resolved Issues in Fireware 12.1.3 Update 7
- Enhancements and Resolved Issues in Fireware 12.7 Update 1
- Enhancements and Resolved Issues in WSM v12.7.2 Update 3
Back on February 23, 2022, WatchGuard wrote in a blog post that the company worked with CISA, the Federal Bureau of Investigation (FBI) and other authorities to investigate Cyclops Blink, an advanced modular botnet allegedly linked to Sandworm APT group and new attacks against limited number of WatchGuard firewall appliances.
Sandworm threat actors were also recently discovered earlier this year using Cyclops Blink in cyber attacks against small office/home office (SOHO) routers and network attached storage (NAS) devices.
WatchGuard also developed tools to help remediate the Cyclops Blink malware:
“In response to this sophisticated, state-sponsored botnet, WatchGuard has developed and released a set of simple and easy-to-use Cyclops Blink detection tools, as well as a 4-Step process to help customers diagnose, remediate if necessary, and prevent future infection.”
AD and other exploited vulnerabilities
Moreover, CISA also added the following seven exploited vulnerabilities to the Catalog:
| CVE | Vulnerability Name |
|---|---|
| CVE-2021-42287 | Microsoft Active Directory Domain Services Privilege Escalation Vulnerability |
| CVE-2021-42278 | Microsoft Active Directory Domain Services Privilege Escalation Vulnerability |
| CVE-2021-39793 | Google Pixel Out-of-Bounds Write Vulnerability |
| CVE-2021-27852 | Checkbox Survey Deserialization of Untrusted Data Vulnerability |
| CVE-2021-22600 | Linux Kernel Privilege Escalation Vulnerability |
| CVE-2020-2509 | QNAP Network-Attached Storage (NAS) Command Injection Vulnerability |
| CVE-2017-11317 | Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability |
The two Microsoft Active Directory (AD) vulnerabilities (CVE-2021-42287 and CVE-2021-42278) should also be prioritized for remediation given the criticality of AD in most enterprise organizations. Not to mention the history of other severe hacker exploits against AD domain controllers or related services, such as Zerologon (CVE-2020-1472).
Another of the notable exploited issues is the QNAP command injection vulnerability (CVE-2020-2509). This issue could allow a remote attacker with access to the web server (default port 8080) to execute arbitrary shell commands, without prior knowledge of the web credentials.
Readers can check out the most recent CISA post on April 11, 2022, as well the complete Known Exploited Vulnerabilities Catalog.
Related Articles
- Sandworm threat actors using new malware Cyclops Blink to target SOHO devices
- CISA adds 3 vulnerabilities to Known Exploited Vulnerabilities Catalog (to include Sudo, SMBv1Â vulnerabilities)
- Legacy QNAP NAS devices vulnerable to zero-day cyberattacks
- APT actors exploit legacy internet-facing vulnerabilities in combination with Zerologon to target organizations