CISA Orders Agencies to Patch Chrome, D-Link Flaws Used in Attacks
CISA has recently added 12 security flaws to its catalog of bugs known to be exploited in attacks. The new entries include two critical D-Link vulnerabilities and two (now-patched) zero-days in Google Chrome and in QNAP's Photo Station software. The Google Chrome zero-day (CVE-2022-3075) was patched on September 2nd via an emergency security update after the company was made aware of in-the-wild exploitation.
On Monday, network-attached storage (NAS) appliance maker QNAP warned customers that it had patched a zero-day bug in its Photo Station software, tracked as CVE-2022-27593 and actively exploited in widespread DeadBolt ransomware attacks. The two critical D-Link security flaws (CVE-2022-28958 and CVE-2022-26258) are being targeted by the Mirai-based Moobot botnet to gain remote code execution and take over unpatched devices.
Federal agencies have until September 29th to patch the affected products and ensure that exploitation attempts are blocked, as required by Binding Operational Directive 22-01 (BOD 22-01), which was published in November. Although DHS' BOD 22-01 only applies to U.S. Federal Civilian Executive Branch (FCEB) agencies, the cybersecurity agency also strongly urges U.S. organizations in the private and public sectors to make patching these bugs a priority.
Mitigation:
Companies should check their inventory and assets to ensure that the following CVEs are patched. Each entry is listed under its catalog name together with its remediation due date:
- Google Chromium Insufficient Data Validation Vulnerability (due 2022-09-29)
- D-Link DIR-816L Remote Code Execution Vulnerability (due 2022-09-29)
- QNAP Photo Station Externally Controlled Reference Vulnerability (due 2022-09-29)
- D-Link DIR-820L Remote Code Execution Vulnerability (due 2022-09-29)
- Apple iOS, iPadOS, and macOS Input Validation Vulnerability (due 2022-09-29)
- MikroTik RouterOS Stack-Based Buffer Overflow Vulnerability (due 2022-09-29)
- D-Link Multiple Routers OS Command Injection Vulnerability (due 2022-09-29)
- Oracle WebLogic Server Unspecified Vulnerability (due 2022-09-29)
- Fortinet FortiOS and FortiADC Improper Access Control Vulnerability (due 2022-09-29)
- NETGEAR Multiple Devices Exposure of Sensitive Information (due 2022-09-29)
- D-Link DIR-300 Router Cleartext Storage of a Password Vulnerability (due 2022-09-29)
- Android OS Privilege Escalation Vulnerability (due 2022-09-29)
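As an added example (not from the article or from CISA), the kind of check the mitigation step calls for in Python: it filters entries of a constructed sample written in the field layout of CISA's KEV JSON feed by remediation due date and matches them against a constructed asset inventory. The host names, inventory format and the Chromium/Chrome alias table are assumptions; only the four CVE IDs named above are real.

```python
import json
from datetime import date

# Constructed sample in the field layout of the CISA KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the four CVE IDs named in the article are real; the two placeholder entries are illustrative.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-3075", "vendorProject": "Google", "product": "Chromium", "dueDate": "2022-09-29"},
    {"cveID": "CVE-2022-28958", "vendorProject": "D-Link", "product": "DIR-816L", "dueDate": "2022-09-29"},
    {"cveID": "CVE-2022-27593", "vendorProject": "QNAP", "product": "Photo Station", "dueDate": "2022-09-29"},
    {"cveID": "CVE-2022-26258", "vendorProject": "D-Link", "product": "DIR-820L", "dueDate": "2022-09-29"},
    {"cveID": "CVE-PLACEHOLDER-1", "vendorProject": "ExampleVendor", "product": "OldProduct", "dueDate": "2022-01-22"},
    {"cveID": "CVE-PLACEHOLDER-2", "vendorProject": "ExampleVendor", "product": "NewProduct", "dueDate": "2022-10-31"},
]})

# Constructed asset inventory: one record per managed system (hypothetical hosts).
INVENTORY = [
    {"host": "ws-042", "vendor": "Google", "product": "Chrome 105.0.5195.52"},
    {"host": "nas-01", "vendor": "QNAP", "product": "Photo Station 6.1"},
    {"host": "branch-rtr-3", "vendor": "D-Link", "product": "DIR-820L rev A"},
    {"host": "db-07", "vendor": "Oracle", "product": "Database 19c"},
]

# KEV names the engine, not every browser built on it (assumed alias table).
PRODUCT_ALIASES = {"chromium": ("chrome",)}

def kev_due_on_or_before(kev_json: str, cutoff: str) -> list[dict]:
    """Return KEV entries whose remediation due date (ISO format) is on or before cutoff."""
    catalog = json.loads(kev_json)["vulnerabilities"]
    return [v for v in catalog if date.fromisoformat(v["dueDate"]) <= date.fromisoformat(cutoff)]

def _product_matches(kev_product: str, asset_product: str) -> bool:
    kp, ap = kev_product.lower(), asset_product.lower()
    names = (kp,) + PRODUCT_ALIASES.get(kp, ())
    return any(n in ap for n in names)

def affected_assets(entries: list[dict], inventory: list[dict]) -> list[tuple[str, str]]:
    """Pair each inventory host with every KEV CVE whose vendor and product it matches."""
    hits = []
    for asset in inventory:
        for v in entries:
            if (v["vendorProject"].lower() == asset["vendor"].lower()
                    and _product_matches(v["product"], asset["product"])):
                hits.append((asset["host"], v["cveID"]))
    return hits

if __name__ == "__main__":
    due = kev_due_on_or_before(KEV_SAMPLE, "2022-09-29")
    for host, cve in affected_assets(due, INVENTORY):
        print(f"{host}: {cve} is in KEV with a remediation due date on or before 2022-09-29")
```

Against the real feed, replace KEV_SAMPLE with the downloaded JSON and INVENTORY with an export from the asset management system; the vendor and product matching is deliberately conservative, so entries such as "Multiple Routers" still need a manual review.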
Source:
https://www.bleepingcomputer.com/ne...to-patch-chrome-d-link-flaws-used-in-attacks/