CISA adds 41 vulnerabilities to list of bugs used in cyberattacks

The Cybersecurity & Infrastructure Security Agency (CISA) has added 41 vulnerabilities to its catalog of known exploited flaws over the past two days, including flaws for the Android kernel and Cisco IOS XR.

The added vulnerabilities come from a wide range of years, with the oldest disclosed in 2016 and the most recent being a Cisco IOS XR vulnerability fixed last Friday.

The Cisco IOS XR vulnerability is tracked as CVE-2022-20821, allowing attackers to write arbitrary files in the containerized filesystem, retrieve Redis database information, or write to the Redis in-memory database.

Other flaws of interest are two Android Linux Kernel flaws tracked as CVE-2021-1048 and CVE-2021-0920. While both of these flaws are in the Linux kernel, they are only known to be used in limited attacks against Android devices.

"A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition," explains RedHat's security bulletin about the CVE-2021-0920 vulnerability.

As for CVE-2021-1048, Google's Threat Analysis Group (TAG) recently reported it was used with other zero-days in an attack chain that installed the Predator spyware.

CISA has given federal agencies until June 13th, 2022, to apply security updates for the Android and Cisco vulnerabilities.

Other vulnerabilities

The remaining thirty-eight flaws added in CISA's catalog all have a known status of active exploitation, so the agency merely includes them as part of its regular additions.

The flaws concern Cisco, Microsoft, Apple, Google, Mozilla, Facebook, Adobe, and Webkit GTK software products, ranging from 2018 to 2021.

Included is a Windows elevation of privileges vulnerability tracked as CVE-2020-0638 that was disclosed in 2020 but found to be still used by the Conti ransomware gang in attacks on corporate networks.

As threat actors continue to use older vulnerabilities in attacks, admins must install updates on all devices, including older versions that may still be operating in corporate environments.

CISA requires federal agencies to patch all flaws added on Monday by June 13th, 2022, while the other 20 added today need to be fixed by June 14th, 2022.

To see the current list of exploited vulnerabilities, you can view CISA's Known Exploited Vulnerabilities Catalog, which can be downloaded in various offline formats.