US govt: Here are another 15 security bugs under attack right now

The US government has added 15 vulns under active attack to a little-known but very useful public database: its Known Exploited Vulnerabilities catalogue.

Building on numerous advisory notes over the past few years warning of currently exploited tools, the Cybersecurity and Infrastructure Security Agency (CISA) now maintains a public list of vulnerabilities that are, or have been, actively exploited.

These latest additions to the database include CVEs as old as 2017 and affecting products from Microsoft, Oracle, and Apple. Each entry comes with a "remediation due date" – though all but one of the latest entries all have remediation dates in August.

The exception is CVE-2021-36394, last summer's HiveNightmare Windows privilege escalation flaw. These make-me-admin vulns were possible through exploitation of a misconfigured access control list for specified Windows registry hive files in Windows 10 build 1809.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise," said CISA in its advisory.

• Sniff those Ukrainian emails a little more carefully, advises Uncle Sam in wake of Belarusian digital vandalism
• As CISA tells US govt agencies to squash Log4j bug by Dec 24, fingers start pointing at China, Iran, others
• BlackMatter ransomware gang will target agriculture for its next harvest – Uncle Sam
• Biden said to be assembling cyber dream team to sort out US govt computer security

Other vulns include years-old remote code execution flaws in Oracle Weblogic and a variety of Windows and Microsoft privilege escalation and code execution issues – along with a vuln in continuous delivery platform Jenkins.

CISA provides these public warnings in order to have vulnerable software updated, while Britain's National Cyber Security Centre keeps all of its vuln notifications behind closed doors through its Cyber Security Information Sharing Partnership. Australia, like America, maintains a public alerts page – but no CISA-style database in public.

The database was ordered to be established in November last year, with a three-month grace period to create "a living list of known CVEs that carry significant risk to the federal enterprise." It is likely to become of great interest to IT pros from around the world.

While there are arguments to be made about whether publishing vuln notifications just draws baddies' attention to their contents, in today's world with entire economies dependent upon timely patching of critical vulns, more information in public about things that need urgent patching can only be a public good. ®