CISA Adds Eight Known Exploited Vulnerabilities to Catalog

Original release date: January 28, 2022

CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.

CVE Number CVE Title Required Action Due Date
CVE-2022-22587 Apple IOMobileFrameBuffer Memory Corruption Vulnerability 2/11/2022
CVE-2021-20038 SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability 2/11/2022
CVE-2014-7169 GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability 7/28/2022
CVE-2014-6271 GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability 7/28/2022
CVE-2020-0787 Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability 7/28/2022
CVE-2014-1776 Microsoft Internet Explorer Use-After-Free Vulnerability 7/28/2022
CVE-2020-5722 Grandstream Networks UCM6200 Series SQL Injection Vulnerability 7/28/2022
CVE-2017-5689 Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability Privilege Escalation Vulnerability 7/28/2022

 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the specified criteria.

This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates for Multiple Products

Original release date: January 27, 2022

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

FBI Releases PIN on Iranian Cyber Group Emennet Pasargad

Original release date: January 27, 2022

The Federal Bureau of Investigation (FBI) has released a Private Industry Notification (PIN) that provides a historical overview of Iran-based cyber company Emennet Pasargad’s tactics, techniques, and procedures to enable readers to identify and defend against the group’s malicious cyber activities.

CISA encourages users and administrators to review FBI PIN: Context and Recommendations to Protect Against Malicious Activity by Iranian Cyber Group Emennet Pasargad and apply the recommended mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Publishes Infographic on Layering Network Security Through Segmentation

Original release date: January 24, 2022

CISA has published an infographic to emphasize the importance of implementing network segmentation—a physical or virtual architectural approach that divides a network into multiple segments, each acting as its own subnetwork, to provide additional security and control that can help prevent or minimize the impact of a cyberattack.

CISA encourages network architects, defenders, and administrators to review the infographic, Layering Network Security Through Segmentation, and implement its recommendations where possible.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Adds Four Known Exploited Vulnerabilities to Catalog

Original release date: January 21, 2022

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.

CVE Number CVE Title Required Action Due Date
CVE-2006-1547 Apache Struts 1 ActionForm Denial of Service Vulnerability 07/21/2022
CVE-2012-0391 Apache Struts 2 Improper Input Validation Vulnerability 07/21/2022
CVE-2018-8453 Microsoft Windows Win32k Privilege Escalation Vulnerability 07/21/2022
CVE-2021-35247 SolarWinds Serv-U Improper Input Validation Vulnerability 02/04/2022

 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the specified criteria.

This product is provided subject to this Notification and this Privacy & Use policy.

McAfee Releases Security Update for McAfee Agent for Windows 

Original release date: January 21, 2022

McAfee has released McAfee Agent for Windows version 5.7.5, which addresses vulnerabilities CVE-2021-31854 and CVE-2022-0166. An attacker could exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review McAfee Security Bulletin SB10378 and apply the necessary update. CISA also encourages users and administrators to review the CERT Coordination Center Vulnerability Note VU#287178 for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

F5 Releases January 2022 Quarterly Security Notification

Original release date: January 20, 2022

F5 has released its January 2022 Quarterly Security Notification addressing vulnerabilities affecting multiple versions of BIG-IP, BIG-IQ, and NGINX Controller API Management. A remote attacker could exploit these vulnerabilities to either deny service to, or take control of, an affected system.

CISA encourages users and administrators to review the F5 security advisory and install updated software or apply the necessary mitigations as soon as possible.

This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome

Original release date: January 20, 2022

Google has released Chrome version 97.0.4692.99 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary update as soon as possible.

This product is provided subject to this Notification and this Privacy & Use policy.

Drupal Releases Security Updates

Original release date: January 20, 2022

Drupal has released security updates to address vulnerabilities affecting Drupal 7, 9.2, and 9.3. An attacker could exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following Drupal security advisories and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Releases Final Version of Guidance: IPv6 Considerations for TIC 3.0

Original release date: January 20, 2022

CISA has released the final version of Internet Protocol version 6 (IPv6) Considerations for Trusted Internet Connections (TIC) 3.0. This guidance supports the federal government-wide deployment and use of the modernized network protocol. The final version includes feedback provided during the public comment period that ended in October 2021. See the fact sheet Response to Comments on Guidance: IPv6 Considerations for TIC 3.0 for a comprehensive analysis of comments received. This release is in accordance with Office of Management and Budget (OMB) Memorandum 21-07, which entrusts CISA with enhancing the TIC program to support IPv6 implementation in federal IT systems.

CISA encourages IT decision-makers and administrators in all federal government agencies and organizations to review the Internet Protocol version 6 (IPv6) Considerations for Trusted Internet Connections (TIC) 3.0 for guidance in facilitating IPv6 implementation in federal IT systems.

This product is provided subject to this Notification and this Privacy & Use policy.