The Department of Homeland Security’s cybersecurity unit recently added 95 actively exploited bugs to its Known Exploited Vulnerabilities Catalog established last year and ordered federal agencies to apply patches to cover the bugs.
The order is particular timely considering ongoing concerns about Russia’s invasion of the Ukraine, and the heightened cybersecurity risks associated with the conflict.
It is the latest order and largest number of vulnerabilities added to the registry since the Cybersecurity and Infrastructure Security Agency (CISA) issued a rare Binding Operative Directive (BOD-21) ordering federal agencies to immediately fix hundreds of known hardware and software vulnerabilities already exploited by threat actors to attack government networks and systems. More than 475 vulnerabilities are now listed in the catalog.
Since 2015, DHS and CISA have issued only 10 BODs around pressing issues, two of which were subsequently revoked and superseded.
(Note: To view the newly added vulnerabilities in the catalog, click on the arrow on the of the “Date Added to Catalog” column, which will sort by descending dates.)
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” CISA said of the new listings. Although BOD 22-01 only applies to federal agencies, CISA said it “strongly urges” all organizations to prioritize “timely remediation” of vulnerabilities contained in the catalog. CISA said it will continue to add vulnerabilities to the catalog that meet the specified criteria.
The order has multiple implications for managed security service providers (MSSPs):
MSSPs that proactively patched government systems before the order arrived could potentially solidify their reputations within and across U.S. government agencies. Government-focused MSSPs late to the patching effort could be left scrambling to close agency vulnerabilities. MSSPs seeking to enter the U.S. government market or expand their vertical market footprint can pitch vulnerability assessment and patch management services to help win business.
The latest entries in CISA’s catalog of known exploited vulnerabilities affects products mostly from Microsoft (Windows, Office), Cisco and other big names. Of the newly added bugs, 38 are linked to Cisco vulnerabilities, 27 to Microsoft, 16 to Adobe and seven to Oracle. Three of the vulnerabilities – CVE-2022-20699, CVE-2022-20700, and CVE-2022-20708 – are rated 10 out 10 on the CVSS rating scale.
The deadline for federal agencies to apply patches for most of the bugs is March 24 but for 27 of the highest danger the due date is March 17th.
Meanwhile, the National Security Agency (NSA) has issued a new set of guidelines and best practices for network infrastructure security directed at network administrators. “Guidance for securing networks continues to evolve as new vulnerabilities are exploited by adversaries, new security features are implemented, and new methods of securing devices are identified,” the report said. “An administrator’s role is critical to securing the network against adversarial techniques and requires dedicated people to secure the devices, applications, and information on the network.”
The report presents guidance on network infrastructure and design; security maintenance; authentication; passwords; remote logging and monitoring; remote administration; routing; interface ports and notification banners. The report is intended to assist administrators in preventing an adversary from exploiting their network.