CISA adds 8 vulnerabilities to Known Exploited Vulnerabilities Catalog (to include PwnKit)

The Cybersecurity and Infrastructure Security Agency (CISA) has added eight vulnerabilities to its Known Exploited Vulnerabilities Catalog, to include Apple, Mitel, Google Chromium, and the RedHat “PwnKit” vulnerability (CVE-2021-4034) in Polkit’s pkexec tool.

An attacker could exploit these vulnerabilities to take control of impacted systems.

Apple exploits

In total, five Apple vulnerabilities were added to the exploited vulnerability catalog:

  • CVE-2021-30983: Apple iOS and iPadOS Buffer Overflow Vulnerability.
  • CVE-2020-3837: Apple Multiple Products Memory Corruption Vulnerability.
  • CVE-2020-9907: Apple Multiple Products Memory Corruption Vulnerability.
  • CVE-2019-8605: Apple Multiple Products Use-After-Free Vulnerability.
  • CVE-2018-4344: Apple Multiple Products Memory Corruption Vulnerability.

Mitel

To add, the Critical vulnerability (CVE-2022-29499) in the Service Appliance component in Mitel MiVoice Connect could allow a hacker to remotely execute code due to incorrect data validation. Affected Service Appliances are SA 100, SA 400, and Virtual SA.

NIST has rated this vulnerability a CVSS score of 9.8.

RedHat PwnKit

Earlier this year, researchers discovered a “trivially exploitable” local privilege escalation vulnerability (CVE-2021-4034) in Polkit’s pkexec tool that affected likely every major Linux distribution.

The Qualys Research Team discovered the vulnerability dubbed “PwnKit” in polkit’s pkexec, a setuid program installed by default in Linux distributions, and is used to allow an authorized user to execute programs as another user.

An attacker without privileges could exploit this vulnerability to gain root privileges on a vulnerable system.

Chromium

Finally, CISA added a Google Chromium Security Bypass Vulnerability (CVE-2021-30533) to the Exploit Catalog.

Readers can check out the full CISA Known Exploited Vulnerabilities Catalog for a complete list of the most recently added exploited vulnerabilities as of June 27, 2022.

Related Articles