The US cybersecurity company CISA on Tuesday introduced that it has added 5 extra security defects to its Identified Exploited Vulnerabilities catalog, warning organizations of assaults exploiting an Adobe Acrobat and Reader flaw that got here to mild earlier this 12 months.
The Adobe Acrobat and Reader difficulty is CVE-2023-21608, a use-after-free vulnerability which will be exploited to attain distant code execution (RCE) with the privileges of the present person.
Adobe launched patches for this flaw in January 2023, however quite a few proof-of-concept (PoC) exploits and technical write-ups have been revealed since, creating alternatives for menace actors to start out concentrating on the problem in assaults.
Though there look like no public stories describing in-the-wild exploitation of CVE-2023-21608, CISA says it solely provides CVEs to the KEV listing primarily based on stable proof that exploitation has occurred.
CISA additionally expanded KEV with CVE-2023-20109, an out-of-bounds write flaw within the Group Encrypted Transport VPN (GET VPN) function of Cisco IOS and IOS XE.
Additionally resulting in RCE, the bug was patched on the finish of September, when Cisco warned that it had noticed exploitation makes an attempt concentrating on it.
On the identical day that Microsoft launched patches for 2 zero-days impacting Skype for Enterprise (CVE-2023-41763) and WordPad (CVE-2023-36563), CISA added each flaws to KEV. Neither Microsoft nor CISA have supplied particulars on the noticed assaults.
The fifth vulnerability that CISA has added to KEV on Tuesday is a zero-day within the HTTP/2 protocol, which has been exploited in a number of the largest distributed denial-of-service (DDoS) assaults up to now.
Known as HTTP/2 Fast Reset, the assault technique entails repeatedly sending requests and instantly canceling them. All purposes and servers operating the usual implementation of HTTP/2 are susceptible to this assault.
“Most of these vulnerabilities are frequent assault vectors for malicious cyber actors and pose important dangers to the federal enterprise,” CISA’s warning reads.
As per the Binding Operational Directive (BOD) 22-01, federal companies have 21 days to establish the susceptible merchandise inside their networks and apply the obtainable patches and mitigations.
CISA’s BOD 22-01 solely applies to federal companies, however CISA encourages all organizations to overview the KEV catalog and prioritize remediation of the security defects in it, or discontinue using the susceptible merchandise if mitigations usually are not obtainable.
