CISA Adds Three Known Exploited Vulnerabilities to Catalog
(CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, citing active exploitation. These vulnerabilities include critical issues in ImageMagick, the Linux Kernel, and SonicWall SonicOS, each posing significant risks to affected systems.
Introduction
September 9, 2024 – The Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, citing active exploitation. These vulnerabilities include critical issues in ImageMagick, the Linux Kernel, and SonicWall SonicOS, each posing significant risks to affected systems.
These vulnerabilities were discovered through reports and active exploitation data, prompting CISA to update the catalogue. CISA's Binding Operational Directive (BOD) 22-01, aimed at reducing the risks posed by known exploited vulnerabilities, requires Federal Civilian Executive Branch (FCEB) agencies to remediate listed vulnerabilities. While BOD 22-01 is mandatory for federal agencies, CISA strongly encourages all organizations to act swiftly to patch these vulnerabilities.
Report Overview
- CVE-2016-3714: Known as "ImageTragick," this vulnerability in ImageMagick (versions before 6.9.3-10 and 7.x before 7.0.1-1) allows attackers to execute arbitrary code via shell metacharacters in crafted images. Exploitations have been documented in the wild since 2016, making it a severe risk for systems running outdated versions of ImageMagick.
- CVE-2017-1000253: This vulnerability impacts Linux distributions running kernels without proper patching. The issue arises when Position Independent Executable (PIE) binaries are loaded into the wrong memory spaces, leading to stack buffer corruption. This can potentially allow attackers to execute malicious code.
- CVE-2024-40766: Found in SonicWall's SonicOS, this improper access control issue affects Gen 5, Gen 6, and Gen 7 firewall devices. It can allow unauthorized users to gain access to restricted resources or, in some cases, cause the firewall to crash, leading to a denial of service.
Insights and Analysis
These vulnerabilities are common entry points for malicious actors and pose severe risks to organizations across sectors. Exploitation of CVE-2016-3714 could allow attackers to fully compromise systems by executing arbitrary code remotely. If unpatched, the Linux Kernel PIE flaw may lead to privilege escalation or remote code execution. For organizations using SonicWall, the SonicOS vulnerability could expose critical infrastructure to unauthorized access and potentially disrupt network operations through device crashes.
CISA urges all organizations to prioritize patching these vulnerabilities immediately. Specific actions include:
- ImageMagick users should update to version 7.0.1-1 or later.
- Linux Kernel users should ensure their distributions are patched with the fix from 2015 (commit a87938b2e246).
- To mitigate the improper access control issue, SonicWall users should upgrade to SonicOS versions newer than 7.0.1-5035.
Failing to patch these vulnerabilities can open systems to exploitation, leading to data breaches, system compromise, and denial of service attacks. Organizations are encouraged to integrate these vulnerabilities into their regular vulnerability management practices, ensuring timely patching.
Indicators of Compromise (IOCs)
No specific Indicators of Compromise (IOCs) were provided in the source material.
MITRE ATT&CK TTPs
Tactic | Technique | ID | Description |
---|---|---|---|
Execution | Command and Scripting Interpreter | T1059 | ImageMagick's improper input validation may allow remote execution of arbitrary shell commands. |
Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Linux Kernel stack buffer corruption could enable privilege escalation via improperly mapped PIE binaries. |
Initial Access | Exploit Public-Facing Application | T1190 | SonicWall SonicOS improper access control could be exploited by attackers to gain unauthorized access. |
Comments ()