- CISA added two new flaws to its KEV catalog
- One of the bugs affects the Windows kernel, the other one was found in an Adobe product
- US government agencies ordered to patch now or risk attack
The US Cybersecurity and Infrastructure Agency (CISA) has added a new Windows flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a deadline to apply a patch, or stop using the software altogether.
The bug is a Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference Vulnerability with a high severity score of 7.8, tracked as CVE-2024-35250.
The bug can be used to gain system privileges in low-complexity attacks that don’t even require any user interaction.
Adobe ColdFusion
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in its advisory.
Since Microsoft did not share any further details about this vulnerability, the publication cited the DEVCORE Research team, who demonstrated how the bug works during this year’s Pwn2Own Vancouver hackathon. The same team reported the bug to Microsoft, who patched it in June’s Patch Tuesday cumulative update, A proof-of-concept (PoC) was released to GitHub a few months later.
When a vulnerability is added to KEV, that means that there is evidence of in-the-wild abuse. Federal agencies have a three-week deadline to apply the patch, or stop using the flawed software.
At the same time, CISA also added an Adobe ColdFusion vulnerability, tracked as CVE-2024-20767. This one is described as an improper access control weakness that grants unauthenticated remote threat actors the ability to read sensitive files. It affects ColdFusion versions 2023.6, 2021.12 and earlier, and has a high severity score of 7.4 – and Adobe patched it in March 2024.
“An attacker could leverage this vulnerability to access or modify restricted files,” reads the flaw’s description on CVE.org. “Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.”
CISA stressed that these types of vulnerabilities are “frequent attack vectors for malicious cyber actors” and as such pose a significant risk to the federal enterprise.
Agencies have until January 6, 2025 to apply the fixes.
Via BleepingComputer
Leave a comment