Hackers exploiting 36 ‘significant’ vulnerabilities, CISA warns

The United States Cybersecurity and Infrastructure Security Agency (CISA) has encouraged consumers to patch immediately after listing 36 additional security flaws on its database of vulnerabilities that are known to be exploited by cyber criminals.

CISA has added flaws in Microsoft, Google, Adobe, Cisco, Netgear, and QNAP into its vulnerabilities catalogue and issued an alert about the security flaws being frequent attack vectors for malicious attackers that pose "significant risk".

Vulnerabilities in Microsoft products include CVE-2012-4969, a buffer overflow vulnerability in Microsoft Office that allows cyber criminals to launch remote attacks. CVE-2012-0151, a flaw in the Authenticode Signature Verification function in Microsoft Windows that allows user-assisted attackers to execute remote code, and a vulnerability in Internet Explorer that allows remote execution of code, CVE-2013-1331, have also been added to the catalog.

Several vulnerabilities in Google's Chromium V8 Engine, CISA warned, which include CVE-2016-1646 and CVE-2016-5198, which allow remote attackers to cause a denial of service, as well as flaws like CVE-2018-17463 and CVE-2017-5070, which, if left unpatched, allow attackers to remotely execute code that they could exploit to access networks.

Adobe software vulnerabilities have been added to the catalogue, including CVE-2009-4324, a flaw in Adobe Acrobat and Reader, which allows remote attackers to execute code via a crafted PDF file, and CVE-2010-1297, a memory corruption vulnerability in Adobe Flash Player that allows remote attackers to execute code or cause denial of service.

Several flaws in routers and other internet-connected devices have also been added to CISA's catalogue, including CVE-2017-6862, which is a buffer overflow vulnerability in multiple Netgear devices that allows for authentication bypass and remote code execution, and CVE-2019-15271, a flaw in Cisco RV series routers that could allow an attacker to execute code with root privileges.

A number of vulnerabilities in QNAP products have also been identified by CISA, including CVE-2019-7192, a flaw in QNAP Network Attached Storage (NAS) devices running Photo Station, which contains an improper access control vulnerability allowing remote attackers to gain unauthorised access to the system.

CISA strongly advises that applying cyber security patches that fix known vulnerabilities is one of the best ways to stay protected from cyber attacks. Organisations, particularly those associated with federal government, are urged to apply the security updates as soon as possible.