HackDig : Dig high-quality web security articles

CISA: Patch actively exploited Firefox zero-days until March 21st

2022-03-08 06:47

CISA

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies to patch two critical Firefox security vulnerabilities exploited in attacks within the next two weeks.

According to a Mozilla advisory published over the weekend, the two bugs (tracked as CVE-2022-26485 and CVE-2022-26486) are Use After Free flaws that allow attackers to trigger crashes and execute maliciously crafted code on targeted devices.

They're rated as critical severity because they could let attackers execute almost any command on systems running vulnerable versions of Firefox, including downloading malware that would give them further access to the device.

Mozilla said it received "reports of attacks in the wild" abusing the two vulnerabilities, likely used for remote code execution (CVE-2022-26485) and escaping the browser sandbox (CVE-2022-26486).

According to a binding operational directive (BOD 22-01) issued in November, Federal Civilian Executive Branch Agencies (FCEB) agencies are now required to secure their systems against these vulnerabilities, with CISA giving them until March 21st to apply patches.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise," the US cybersecurity agency explained.

CISA added nine other vulnerabilities to its Known Exploited Vulnerabilities Catalog based on evidence that threat actors are also actively exploiting them in the wild.

One of them tracked as CVE-2021-21973, impacts VMware vCenter servers, leads to information disclosure, and also has to be patched within two weeks.

CVE ID Vulnerability Name Due Date 
CVE-2022-26486Mozilla Firefox Use-After-Free Vulnerability03/21/22
CVE-2022-26485Mozilla Firefox Use-After-Free Vulnerability03/21/22
CVE-2021-21973VMware vCenter Server, Cloud Foundation Server Side Request Forgery (SSRF)03/21/22
CVE-2020-8218Pulse Connect Secure Code Injection Vulnerability09/07/22
CVE-2019-11581Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability09/07/22
CVE-2017-6077NETGEAR DGN2200 Remote Code Execution Vulnerability09/07/22
CVE-2016-6277NETGEAR Multiple Routers Remote Code Execution Vulnerability09/07/22
CVE-2013-0631Adobe ColdFusion Information Disclosure Vulnerability09/07/22
CVE-2013-0629Adobe ColdFusion Directory Traversal Vulnerability09/07/22
CVE-2013-0625Adobe ColdFusion Authentication Bypass Vulnerability09/07/22
CVE-2009-3960Adobe BlazeDS Information Disclosure Vulnerability09/07/22

Even though BOD 22-01 only applies to FCEB agencies, CISA strongly urged all other private and public sector orgs to reduce their exposure to ongoing cyberattacks by prioritizing mitigation of these security flaws.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise," CISA added.

CISA has added hundreds of vulnerabilities to its catalog of actively exploited bugs this year, ordering federal agencies to patch them as soon as possible to avoid security breaches.

Just last week, on Friday, the agency added 95 bugs to the list, eight of them with high critical severity scores of at least 9.8 and impacting Cisco, Apache, and Exim products.

Since the start of the year, the US cybersecurity agency ordered federal civilian agencies to patch actively exploited bugs in:


Source: litnu-syad-orez-xoferif-detiolpxe-ylevitca-hctap-asic/ytiruces/swen/moc.retupmocgnipeelb.www

Read:1218 | Comments:0 | Tags:Security exploit CISA

“CISA: Patch actively exploited Firefox zero-days until March 21st”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)
Tell me why you support me <3

Tag Cloud