Among them are high-severity bugs, including a local privilege escalation flaw and a remote code execution flaw in components of Windows, the most widely deployed operating system. Since most of the listed bugs already have patches, CISA has asked agencies to apply them, and to use vendor workarounds for those that do not yet have a patch.
CISA Catalog of Known Exploited Vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) regularly updates its catalog of Known Exploited Vulnerabilities (KEV) with bugs in widely used software for which there is evidence of active exploitation. Binding Operational Directive BOD 22-01 requires all federal agencies to remediate every catalog entry by its listed due date, without exception. In the latest update, CISA added ten new security bugs that are being actively exploited in the wild.

One of them is a high-severity local privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver, tracked as CVE-2022-24521. It was reported by CrowdStrike and the US National Security Agency, and Microsoft fixed it in the April 2022 Patch Tuesday update. A released patch does not close the hole by itself, though: it is still up to system administrators to deploy the update. Another entry is a pre-authentication remote code execution vulnerability in the Microsoft Remote Procedure Call (RPC) Runtime Library, which carries a CVSS score of 9.8 out of 10. Microsoft's fix for that bug is also included in the April 2022 Patch Tuesday update.

CISA has given agencies until May 2nd (roughly three weeks from the time of writing) to update their systems. Although the directive is binding only on Federal Civilian Executive Branch (FCEB) agencies, CISA recommends that all other US organizations follow it as well. Here is the list of all ten bugs added in the latest update:
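The practical use of the catalog is to turn its due dates into a remediation queue: match your own vulnerability-scanner findings against the KEV entries and work them in order of deadline. The script below is an added example and is not code from the article or from CISA. It follows the field names of the published KEV JSON feed (`cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded`, `requiredAction`, `dueDate`), but the catalog sample embedded in it is constructed: only CVE-2022-24521 and the May 2nd deadline come from the article, while the `CVE-0000-*` records, the `dateAdded` values, the scanner findings and the host names are placeholders so that it runs offline.

```python
"""Triage scanner findings against a KEV-format catalog by due date.

Added example, not code from the article or from CISA. SAMPLE_KEV_JSON
is a constructed catalog in the shape of the published KEV JSON feed;
only CVE-2022-24521 and its May 2nd deadline are taken from the article.
The CVE-0000-* records, dateAdded values, findings and hosts are made up.
"""
from __future__ import annotations

import json
from datetime import date

SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-24521",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Windows Common Log File System Driver "
                                 "Privilege Escalation Vulnerability",
            "dateAdded": "2022-04-11",  # constructed; article gives only the deadline
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-05-02",    # deadline quoted in the article
        },
        {   # constructed placeholder record that is already past its due date
            "cveID": "CVE-0000-0001",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder Vulnerability",
            "dateAdded": "2022-03-01",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-04-01",
        },
    ],
})

# Constructed scanner output: one (host, CVE) pair per finding.
FINDINGS = [
    {"host": "ws-01.example.internal", "cveID": "CVE-2022-24521"},
    {"host": "srv-02.example.internal", "cveID": "CVE-0000-0001"},
    {"host": "srv-03.example.internal", "cveID": "CVE-0000-0002"},  # not in KEV
    {"host": "srv-04.example.internal", "cveID": "CVE-2022-24521"},
]


def load_kev(raw_json: str) -> dict[str, dict]:
    """Index a KEV-format catalog by CVE ID, parsing the ISO dates."""
    catalog = json.loads(raw_json)
    index: dict[str, dict] = {}
    for entry in catalog["vulnerabilities"]:
        rec = dict(entry)
        rec["dateAdded"] = date.fromisoformat(entry["dateAdded"])
        rec["dueDate"] = date.fromisoformat(entry["dueDate"])
        index[entry["cveID"]] = rec
    return index


def triage(findings: list[dict], kev: dict[str, dict], today: str) -> dict:
    """Split findings into KEV-overdue, KEV-pending and not-in-KEV buckets.

    `today` is an ISO date string so a past date can be replayed. Matched
    findings are sorted by due date, then host, so the report reads
    top-down in the order remediation is owed.
    """
    now = date.fromisoformat(today)
    matched, not_in_kev = [], []
    for f in findings:
        rec = kev.get(f["cveID"])
        if rec is None:
            not_in_kev.append(f["cveID"])
            continue
        matched.append({
            "host": f["host"],
            "cveID": f["cveID"],
            "dueDate": rec["dueDate"].isoformat(),   # ISO strings sort correctly
            "daysLeft": (rec["dueDate"] - now).days,  # negative when overdue
            "requiredAction": rec["requiredAction"],
        })
    matched.sort(key=lambda m: (m["dueDate"], m["host"]))
    return {
        "overdue": [m for m in matched if m["daysLeft"] < 0],
        "pending": [m for m in matched if m["daysLeft"] >= 0],
        "not_in_kev": sorted(set(not_in_kev)),
    }


if __name__ == "__main__":
    report = triage(FINDINGS, load_kev(SAMPLE_KEV_JSON), "2022-04-20")
    for bucket in ("overdue", "pending"):
        for m in report[bucket]:
            print(f"{bucket:8} {m['host']:24} {m['cveID']:15} "
                  f"due {m['dueDate']} ({m['daysLeft']:+d} days)")
    print("not in KEV (still needs fixing, lower urgency):", report["not_in_kev"])
```

Two caveats for anyone running this against real data. The due date is a binding deadline only for FCEB agencies; for everyone else it is a prioritisation signal, and a finding in the `overdue` bucket is simply the one an attacker is most likely to be using against you right now. And `not_in_kev` is not a "safe" list: absence from the catalog only means CISA has not recorded exploitation, so those findings still go through normal patching.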