The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies to patch two critical Firefox security vulnerabilities exploited in attacks within the next two weeks.

According to a Mozilla advisory published over the weekend, the two bugs (tracked as CVE-2022-26485 and CVE-2022-26486) are Use After Free flaws that allow attackers to trigger crashes and execute maliciously crafted code on targeted devices.

They're rated as critical severity because they could let attackers execute almost any command on systems running vulnerable versions of Firefox, including downloading malware that would give them further access to the device.

Mozilla said it received "reports of attacks in the wild" abusing the two vulnerabilities, likely used for remote code execution (CVE-2022-26485) and escaping the browser sandbox (CVE-2022-26486).

According to a binding operational directive (BOD 22-01) issued in November, Federal Civilian Executive Branch (FCEB) agencies are now required to secure their systems against these vulnerabilities, with CISA giving them until March 21st to apply patches.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise," the US cybersecurity agency explained.

CISA added nine other vulnerabilities to its Known Exploited Vulnerabilities Catalog based on evidence that threat actors are also actively exploiting them in the wild.

One of them, tracked as CVE-2021-21973, impacts VMware vCenter servers, leads to information disclosure, and also has to be patched within two weeks.

| CVE ID | Vulnerability Name | Due Date |
|---|---|---|
| CVE-2022-26486 | Mozilla Firefox Use-After-Free Vulnerability | 03/21/22 |
| CVE-2022-26485 | Mozilla Firefox Use-After-Free Vulnerability | 03/21/22 |
| CVE-2021-21973 | VMware vCenter Server, Cloud Foundation Server Side Request Forgery (SSRF) | 03/21/22 |
| CVE-2020-8218 | Pulse Connect Secure Code Injection Vulnerability | 09/07/22 |
| CVE-2019-11581 | Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability | 09/07/22 |
| CVE-2017-6077 | NETGEAR DGN2200 Remote Code Execution Vulnerability | 09/07/22 |
| CVE-2016-6277 | NETGEAR Multiple Routers Remote Code Execution Vulnerability | 09/07/22 |
| CVE-2013-0631 | Adobe ColdFusion Information Disclosure Vulnerability | 09/07/22 |
| CVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | 09/07/22 |
| CVE-2013-0625 | Adobe ColdFusion Authentication Bypass Vulnerability | 09/07/22 |
| CVE-2009-3960 | Adobe BlazeDS Information Disclosure Vulnerability | 09/07/22 |

Even though BOD 22-01 only applies to FCEB agencies, CISA strongly urged all other private and public sector orgs to reduce their exposure to ongoing cyberattacks by prioritizing mitigation of these security flaws.
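One way an organisation outside the FCEB could act on the catalog table above: the added example below (not part of the original article or of CISA's tooling) takes catalog entries in the field layout of CISA's public KEV JSON feed, matches them against a constructed asset inventory, and lists the ones that are overdue or due within a given number of days. The sample entries and the inventory are constructed here from the page's table.

```python
from datetime import datetime

# Constructed sample entries mirroring the article's table; field names follow the
# JSON feed CISA publishes for its Known Exploited Vulnerabilities Catalog.
KEV_SAMPLE = [
    {"cveID": "CVE-2022-26486", "vendorProject": "Mozilla", "product": "Firefox",
     "vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability", "dueDate": "2022-03-21"},
    {"cveID": "CVE-2022-26485", "vendorProject": "Mozilla", "product": "Firefox",
     "vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability", "dueDate": "2022-03-21"},
    {"cveID": "CVE-2021-21973", "vendorProject": "VMware", "product": "vCenter Server",
     "vulnerabilityName": "VMware vCenter Server SSRF", "dueDate": "2022-03-21"},
    {"cveID": "CVE-2020-8218", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure",
     "vulnerabilityName": "Pulse Connect Secure Code Injection Vulnerability", "dueDate": "2022-09-07"},
]

# Constructed asset inventory: (vendor, product) pairs the organisation actually runs.
INVENTORY = {("Mozilla", "Firefox"), ("VMware", "vCenter Server")}


def parse_iso(day):
    """Parse a YYYY-MM-DD string as used by the KEV feed's dueDate field."""
    return datetime.strptime(day, "%Y-%m-%d").date()


def in_inventory(entry, inventory):
    """True if the catalog entry names a vendor/product the organisation runs."""
    return (entry["vendorProject"], entry["product"]) in inventory


def prioritize(entries, inventory, as_of, horizon_days=14):
    """Return catalog entries that apply to the inventory and are overdue or due
    within `horizon_days` of `as_of` (YYYY-MM-DD), soonest deadline first.
    `days_left` is negative when the BOD 22-01 deadline has already passed."""
    today = parse_iso(as_of)
    hits = []
    for e in entries:
        if not in_inventory(e, inventory):
            continue
        days_left = (parse_iso(e["dueDate"]) - today).days
        if days_left <= horizon_days:
            hits.append({"cveID": e["cveID"], "dueDate": e["dueDate"], "days_left": days_left})
    return sorted(hits, key=lambda h: h["days_left"])


if __name__ == "__main__":
    for hit in prioritize(KEV_SAMPLE, INVENTORY, "2022-03-08"):
        print(f'{hit["cveID"]} due {hit["dueDate"]} ({hit["days_left"]} days left)')
```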

CISA has added hundreds of vulnerabilities to its catalog of actively exploited bugs this year, ordering federal agencies to patch them as soon as possible to avoid security breaches.

Just last week, on Friday, the agency added 95 bugs to the list, eight of them with critical severity scores of at least 9.8 and impacting Cisco, Apache, and Exim products.

Since the start of the year, the US cybersecurity agency ordered federal civilian agencies to patch actively exploited bugs in: