Four of the vulnerabilities are Windows zero-day bugs that Microsoft disclosed in its November security update; three affect Samsung mobile devices.
The US Cybersecurity and Infrastructure Security Agency’s (CISA) Binding Operational Directive 22-01 issued in Nov. 2021 requires all federal civilian executive branch agencies to address software bugs that are listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog within a specified timeframe.
CISA implemented the mandate to ensure that federal agencies prioritize cybersecurity issues that attackers are actively exploiting in the wild. The directive only applies to civilian federal agencies. However, CISA recommends that all stakeholders implement a similar requirement for addressing high-risk vulnerabilities in their environment.
The following are seven security issues that FCEBs must address by month end. Microsoft disclosed four of them in its November 2022 security update.
Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability (CVE-2022-41091)
The vulnerability allows attackers to sneak malicious files past Microsoft’s Mark of the Web security feature for identifying files downloaded from untrusted and potentially unsafe sources. The flaw impacts multiple Windows versions including Windows 10, Windows 11, Windows Server 2022, 2016 and 2019. CISA added CVE-2022-41091 to the KVE catalog on Nov. 8th.
Microsoft Windows Print Spooler Privilege Escalation Vulnerability (CVE-2022-41073)
The bug is the latest in a long list of security vulnerabilities that researchers have discovered in Print Spooler over the years. The flaw gives attackers a way to gain system level privileges on an affected system. The vulnerability affects multiple Windows Server versions including Windows Server 2022, 2019 and 2016. A threat actor would need local access to exploit the flaw. But Microsoft has described the vulnerability as something than an attacker with low access privileges would be able to exploit relatively easily.
Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability (CVE-2022-41125)
Microsoft has not released too many details about this vulnerability besides the fact that an attacker could use it to gain system level privileges. The flaw impacts Windows Server 2012, 2016, Windows 8.1, Windows RT 8 and other Windows versions. Threat actors can use it to escalate privileges and gain system administrator level access on affected systems. Attack complexity is low, meaning no specific access conditions or circumstances need to exist for an attacker to be able to exploit the flaw.
Microsoft Windows Scripting Languages Remote Code Execution Vulnerability (CVE-2022-41128)
This is an unspecified bug in the JScript9 scripting language that attackers can exploit to gain remote code execution on affected systems. To exploit the flaw however, an attacker would need to lure the victim to a hacked or malicious site. The flaw exists in Windows 10, Windows 11, Windows Server 2016, Windows Server 2019 and other Windows versions. Attack complexity is low, meaning no specific access conditions or circumstances need to exist for an attacker to be able to exploit the flaw.
Samsung Mobile Device Vulnerabilities: (CVE-2021-25337); (CVE-2021-25369); (CVE-2021-25370)
CISA added the three Samsung mobile devices vulnerabilities to its KVE catalog after researchers from Google’s Project Zero team reported observing a commercial surveillance vendor attempting to use it in a campaign early November. CVE-2021-25337 and CVE-2021-25369 are improper access control vulnerabilities and CVE-2021-25370 is a memory corruption vulnerability. Google said it had observed the surveillance vendor chaining the three vulnerabilities in its exploit and using CVE-2021-25337 for initial arbitrary file read and write.
Google reported the vulnerabilities to Samsung in late 2020. Samsung issued updates March 2021.