The Cybersecurity and Infrastructure Security Agency (CISA) has added eight vulnerabilities to its Known Exploited Vulnerabilities Catalog, including flaws in Apple, Mitel, and Google Chromium products and the Red Hat “PwnKit” vulnerability (CVE-2021-4034) in Polkit’s pkexec tool.
An attacker could exploit these vulnerabilities to take control of impacted systems.
In total, five Apple vulnerabilities were added to the exploited vulnerability catalog:
- CVE-2021-30983: Apple iOS and iPadOS Buffer Overflow Vulnerability.
- CVE-2020-3837: Apple Multiple Products Memory Corruption Vulnerability.
- CVE-2020-9907: Apple Multiple Products Memory Corruption Vulnerability.
- CVE-2019-8605: Apple Multiple Products Use-After-Free Vulnerability.
- CVE-2018-4344: Apple Multiple Products Memory Corruption Vulnerability.
In addition, the critical vulnerability (CVE-2022-29499) in the Service Appliance component of Mitel MiVoice Connect could allow an attacker to remotely execute code due to incorrect data validation. Affected Service Appliances are SA 100, SA 400, and Virtual SA.
NIST has assigned this vulnerability a CVSS score of 9.8.
Earlier this year, researchers discovered a “trivially exploitable” local privilege escalation vulnerability (CVE-2021-4034) in Polkit’s pkexec tool that likely affected every major Linux distribution.
The Qualys Research Team discovered the vulnerability, dubbed “PwnKit”, in polkit’s pkexec, a setuid program that is installed by default in Linux distributions and is used to allow an authorized user to execute programs as another user.
An attacker without privileges could exploit this vulnerability to gain root privileges on a vulnerable system.
Finally, CISA added a Google Chromium Security Bypass Vulnerability (CVE-2021-30533) to the Known Exploited Vulnerabilities Catalog.
Readers can check out the full CISA Known Exploited Vulnerabilities Catalog for a complete list of the most recently added exploited vulnerabilities as of June 27, 2022.