DHS CISA KEVs Weekly Edition 17: Patch Before You Hit the Deadline

Posted on Sep 16, 2022 | By Supriya Aluri

In this 17th edition of the patch watch blog, we bring to you the vulnerabilities that CISA has recommended be patched between September 5, 2022 and September 9, 2022.

Why should organizations take notice of these vulnerabilities?

The vulnerabilities listed in the KEVs are those that have a history of repeated exploitation by attackers. An unpatched KEV is an attack vector offered on a silver platter.

Let us look at the analysis of all the vulnerabilities below:

  • Of the vulnerabilities to be patched this week, 93% have known exploits, meaning tried and tested exploit code is readily available for products with this exposure; RCE and privilege escalation exploits are the most dangerous of these from an impact perspective.

  • 60% of these vulnerabilities are trending in deep and dark web searches, which means attackers are actively looking for exposed instances of them.

  • Vulnerabilities with ransomware and APT associations are most critical for an organization as they can cause devastating impacts ranging from being locked out of your own systems to data leaks, data corruption, sensitive data availability to malicious attackers, and even national-level threats.

How Far Back Do They Go?

The CVEs range from 2009 to 2022. Beware that old CVEs have many more exploits than the latest discovered ones. Added to that, the older the CVE, the more mature its exploit code tends to be, allowing for deeper penetration into networks.


Which Vendors Are Affected?

Adobe has the highest count of CVEs that need to be patched this week.

The chart shows the count of CVEs to be patched for each vendor and the due date for patching them.

We call upon vendors to take the initiative to inform their customers of existing flaws and the measures to be taken to keep their products safe from attacks.

Severity Scores

Patching these vulnerabilities is of high priority, as many rank high and critical on the CVSS scoring scale. These are the vulnerabilities which, when exploited, allow attackers to achieve their objectives faster and with less effort, owing to the attack capabilities the vulnerabilities offer.

CVE-2022-32894, CVE-2022-32893 and CVE-2022-2856 do not have any CVSS scores assigned to them. Organizations that depend solely on the NVD would not prioritize these vulnerabilities due to the lack of a severity rating, although they are associated with a higher threat context.
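The gap described above can be made concrete: a triage routine that sorts purely by CVSS pushes unscored CVEs to the bottom, whereas one that treats KEV membership as the overriding signal keeps them at the top. The snippet below is an added example written for this post, not CSW tooling; the KEV due dates and the non-KEV findings (CVE-0000-000x) are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Finding:
    cve: str
    cvss: Optional[float]  # None when NVD has not assigned a score yet


# Constructed KEV subset: the three CVEs the post names as unscored.
# Due dates are placeholders; the real catalog's dueDate field should be used.
KEV_DUE: Dict[str, date] = {
    "CVE-2022-32894": date(2022, 9, 29),
    "CVE-2022-32893": date(2022, 9, 29),
    "CVE-2022-2856": date(2022, 9, 15),
}

# Constructed scan output: two placeholder scored CVEs plus the unscored KEVs.
FINDINGS: List[Finding] = [
    Finding("CVE-0000-0001", 9.8),
    Finding("CVE-0000-0002", 7.5),
    Finding("CVE-2022-32894", None),
    Finding("CVE-2022-32893", None),
    Finding("CVE-2022-2856", None),
]


def cvss_only_order(findings: List[Finding]) -> List[str]:
    """Naive triage: highest CVSS first. A missing score counts as 0, so
    unscored CVEs sink to the bottom regardless of exploitation status."""
    return [f.cve for f in sorted(findings, key=lambda f: -(f.cvss or 0.0))]


def kev_aware_order(findings: List[Finding], kev_due: Dict[str, date],
                    today: date) -> List[str]:
    """KEV membership overrides CVSS: listed CVEs come first, ordered by the
    nearest CISA due date, then everything else by CVSS descending."""
    def key(f: Finding):
        in_kev = f.cve in kev_due
        days_left = (kev_due[f.cve] - today).days if in_kev else 10**6
        return (0 if in_kev else 1, days_left, -(f.cvss or 0.0))
    return [f.cve for f in sorted(findings, key=key)]


def overlooked_by_cvss(findings: List[Finding], kev_due: Dict[str, date],
                       threshold: float = 7.0) -> List[str]:
    """KEV entries a CVSS-threshold policy would skip: those scored below
    the threshold or not scored at all."""
    return [f.cve for f in findings
            if f.cve in kev_due and (f.cvss is None or f.cvss < threshold)]
```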

Software Weaknesses

The following CWEs underlie the vulnerabilities that need to be patched this week.


Seven CVEs (CVE-2022-26923, CVE-2022-32894, CVE-2022-32893, CVE-2009-3960, CVE-2017-15944, CVE-2022-21971, CVE-2022-2856) do not have any associated CWE. With no readily available mapping, organizations are at a loss to understand how these vulnerabilities can be used in a cyber attack.

Read on to learn more about our research into such gaps in mapping vulnerabilities to weaknesses, and thereby to their MITRE ATT&CK techniques.

Table: DHS CISA KEVs


We urge organizations to implement patches for these CVEs as soon as possible. Some of the vulnerabilities are present in devices/products used every day in organizations and serve as easy targets.


With CSW’s threat-based approach and vulnerability intelligence, security teams can prioritize the threats, including all KEVs, and minimize their attack surface.


For the latest news regarding vulnerabilities that are exploited and critical threats, read our blog on Weekly Threat Intelligence.

Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!

Test your defense to know how secure you are…