CISA warns of old bugs in Windows and Linux being used in attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) has added half a dozen vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and is directing federal agencies to follow vendor instructions to fix them.

Of the six security vulnerabilities, only one was disclosed this year. It affects Trend Micro’s Apex One platform for automated threat detection and response.

Ancient Bugs Resurrected

CISA is giving federal agencies until October 6 to fix security vulnerabilities that were reported between 2010 and 2022.

Exploiting most of them gives an attacker administrator-level permissions on the system (local privilege elevation, LPE), while for two the result is remote code execution (RCE).

Most of the vulnerabilities that CISA added to its KEV catalog were disclosed in 2013 and were used at the time to root Android devices through the Tizi malware.

  • CVE-2013-6282 (LPE) – Incorrect Linux kernel input validation that allows memory read/write, used to root Android devices [VROOT]
  • CVE-2013-2597 (LPE) – stack-based buffer overflow in Code Aurora audio driver
  • CVE-2013-2596 (LPE) – Linux kernel integer overflow
  • CVE-2013-2094 (LPE) – Linux Kernel Privilege Elevation

The oldest bug CISA has ordered federal agencies to fix dates back to 2010 and was used to spread the Stuxnet worm, which damaged centrifuges at the Natanz uranium enrichment plant to slow the country's progress towards the development of nuclear weapons.

  • CVE-2010-2568 (RCE) – Microsoft Windows parses shortcuts incorrectly, allowing code execution when displaying an icon of a maliciously crafted shortcut file

The security issue affecting Trend Micro Apex One and Apex One as a Service is the most recent. It was disclosed earlier this month (CVE-2022-40139), and hackers have exploited it in at least one attack.

According to Binding Operational Directive 22-01 from November 2021, all federal civilian executive branch agencies must patch security vulnerabilities that CISA adds to its KEV catalog for a more secure environment.

While the directive is aimed at organizations in the United States, businesses and corporations around the world can use CISA’s catalog to improve the security of their networks.

