Highlights:

  • CISA included the vulnerabilities in its Known Exploited Vulnerabilities catalog, a “living list” of Common Vulnerabilities and Exposures that pose significant risks to federal enterprises.
  • While the vulnerabilities enumerated were recently added to CISA’s database, most are old, with one dating as far back as 2010.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its catalog with seven additional vulnerabilities related to Linux. The agency has warned that these vulnerabilities are being actively exploited.

Threat actors commonly exploit the identified vulnerabilities, which present substantial risks to federal enterprises. While the vulnerabilities enumerated were recently added to CISA’s database, most are old, with one dating as far back as 2010.

The list of vulnerabilities includes CVE-2023-25717, a cross-site request forgery and remote code execution vulnerability found in multiple Ruckus Wireless products. Another is CVE-2021-3560, an incorrect authorization vulnerability in Red Hat Polkit. There are also two Linux kernel flaws: CVE-2014-0196, a race condition vulnerability, and CVE-2010-3904, an improper input validation vulnerability. The list further includes CVE-2015-5317, an information disclosure vulnerability in the Jenkins user interface; CVE-2016-3427, an unspecified vulnerability in Oracle Java SE and JRockit; and CVE-2016-8735, an RCE vulnerability in Apache Tomcat.

CISA included the vulnerabilities in its Known Exploited Vulnerabilities catalog, a “living list” of Common Vulnerabilities and Exposures that pose significant risks to federal enterprises. CISA recommended that all organizations prioritize promptly remediating vulnerabilities listed in the catalog to minimize their exposure to cyberattacks.

The recent inclusion of vulnerabilities dating back 13 years in CISA’s catalog has not gone unnoticed. Mike Parkin, a senior technical engineer at Vulcan Cyber Ltd., a cyber-risk management firm, highlighted that adding older CVEs is uncommon and noteworthy.

Parkin stated, “Standard change management processes should have had these systems updated or out of service long ago, which begs the question of what exploit activity is CISA seeing now that warrants adding these to the Known Exploited Vulnerabilities catalog? For the newer CVEs, it’s time to patch. For the older ones, if an organization finds they are still using end-of-life applications or haven’t patched for seven-plus-year-old vulnerabilities, it’s time to review their application management procedures. Because no one should still be affected by these vulnerabilities.”

Bud Broomhead, the CEO of Viakoo Inc., an Internet of Things security platform company, observed that the recent additions to the catalog affirm a trend: threat actors are making growing use of open-source software and of IoT, operational technology, and industrial control system devices. These technologies are exploited to gain unauthorized access and facilitate remote code execution.

Broomhead clarified, “These seven vulnerabilities are focused on open source software components, and the recent addition of 15 vulnerabilities aimed at industrial control systems is much harder and more time-consuming to remediate than traditional IT vulnerabilities. These new vulnerabilities face organizations with a new imperative to have full visibility of all digitally connected assets, awareness of what software components they have, and an automated method to remediate and restore these mission-critical devices to full operations.”