- CISA added two new vulnerabilities to its KEV catalog
- One of the bugs affects the Windows kernel, the other was found in an Adobe product
- US Government Agencies Ordered to Patch Now or Risk Attack
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new Windows flaw to its catalog of Known Exploited Vulnerabilities (KEV), giving federal agencies a deadline to apply a patch or stop using the software altogether.
The bug is an untrusted pointer dereferencing vulnerability in the Microsoft Windows kernel-mode driver with a high severity score of 7.8, tracked as CVE-2024-35250.
The bug can be used to gain system privileges in low complexity attacks that do not even require user interaction.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in its advisory.
Since Microsoft did not share more details about this vulnerability, the original report by BleepingComputer cited the DEVCORE research team, who demonstrated how the bug works during this year's Pwn2Own Vancouver hacking contest. The same team reported the bug to Microsoft, which fixed it in the June Patch Tuesday cumulative update. A few months later a proof of concept (PoC) was released on GitHub.
When a vulnerability is added to KEV, that means there is evidence of abuse in the wild. Federal agencies have three weeks to apply the patch or stop using the defective software.
Adobe ColdFusion
At the same time, CISA also added an Adobe ColdFusion vulnerability, tracked as CVE-2024-20767. This is described as an improper access control weakness that gives unauthenticated remote threat actors the ability to read sensitive files. It affects ColdFusion versions 2023.6, 2021.12, and earlier, has a high severity score of 7.4, and was patched by Adobe in March 2024.
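As an added illustration (not code from the article, CISA or either vendor) of how a defender turns a KEV addition into an actionable deadline: the script below reads a feed record in the shape of CISA's KEV JSON, matches it against a host inventory, and reports days left until the due date. The two feed entries, the inventory and the dateAdded values (derived from the three-week window) are constructed samples.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# real feed; dateAdded is assumed from the three-week window described in the article.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-35250", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-12-16", "dueDate": "2025-01-06",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-2024-20767", "vendorProject": "Adobe", "product": "ColdFusion",
         "dateAdded": "2024-12-16", "dueDate": "2025-01-06",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    ]
})

# Constructed asset inventory: hostname -> CVE ids reported by a vulnerability scanner.
# CVE-2023-0001 is a placeholder id that is not in the KEV sample.
INVENTORY = {
    "fileserver01": {"CVE-2024-35250", "CVE-2023-0001"},
    "cfapp02": {"CVE-2024-20767"},
    "dev-laptop": {"CVE-2023-0001"},
}


def load_kev(feed_json):
    """Index a KEV-format feed by CVE id, parsing the due date into a date object."""
    entries = {}
    for v in json.loads(feed_json)["vulnerabilities"]:
        entries[v["cveID"]] = {
            "product": f'{v["vendorProject"]} {v["product"]}',
            "dueDate": date.fromisoformat(v["dueDate"]),
            "requiredAction": v["requiredAction"],
        }
    return entries


def triage(feed_json, inventory, today):
    """Return {host: [(cve, product, days_left)]} for hosts carrying KEV-listed CVEs.

    days_left is negative once CISA's remediation deadline has passed."""
    kev = load_kev(feed_json)
    report = {}
    for host, cves in inventory.items():
        hits = sorted(cves & kev.keys())
        if hits:
            report[host] = [(c, kev[c]["product"], (kev[c]["dueDate"] - today).days)
                            for c in hits]
    return report


def overdue_hosts(report):
    """Hosts with at least one KEV-listed CVE past its due date."""
    return sorted(h for h, hits in report.items() if any(d < 0 for _, _, d in hits))
```

Run `triage(KEV_SAMPLE, INVENTORY, date.today())` against a real feed download to see the same report for your own inventory.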
“An attacker could exploit this vulnerability to access or modify restricted files,” reads the description of the flaw on CVE.org. “Exploitation of this problem does not require user interaction. Exploiting this issue requires the administration panel to be exposed to the Internet.”
CISA emphasized that these types of vulnerabilities are “frequent attack vectors for malicious cyber actors” and, as such, represent a significant risk to the federal enterprise.
Agencies have until January 6, 2025 to apply the fixes.
Via BleepingComputer