The U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) Catalog with ten new vulnerabilities. The update, which was published on Friday, includes a critical issue in Delta Electronics’ industrial automation software.
According to experts, exploiting this vulnerability might lead to arbitrary code execution. This problem affects DOPSoft 2 versions 2.00.07 and earlier and is identified as CVE-2021-38406 with a CVSS score of 7.8 points.
As described, Delta Electronics DOPSoft 2 contains an out-of-bounds write that permits code execution, caused by “improper input validation” of user-supplied data.
This is not the first time this flaw has been reported. CVE-2021-38406 was disclosed in September 2021 as part of an industrial control systems (ICS) alert.
In its update, CISA warns that “the impacted product is end-of-life and should be disconnected if still in use” since there are no fixes available to resolve the issue. All Federal Civilian Executive Branch (FCEB) agencies must comply by September 15, 2022.
While details on the specific attacks that take advantage of the security flaw are few, a recent analysis by Palo Alto Networks Unit 42 identified incidents of attacks exploiting the flaw in the wild between February and April 2022.
Web shells, cryptocurrency miners, botnets, and remote access trojans (RATs) are often used in this kind of attack, followed by initial access brokers (IABs) that prepare the way for ransomware.
CVE-2021-31010 is another high-severity flaw added to the KEV Catalog, with a CVSS score of 7.5. It is a deserialization vulnerability in Apple’s Core Telephony that might be used to escape sandbox restrictions.
A fix for the flaw was published by Apple in September 2021 in iOS 12.5.5, iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6 (and Security Update 2021-005 Catalina), and watchOS 7.6.2.
Although there were no signs that the flaw was being exploited when it was addressed, a few months later, on May 25 this year, the IT giant seems to have quietly updated its advisories to include the vulnerability. According to Apple, this flaw may have been actively exploited at the time of release, with credit for the discovery going to Google’s Project Zero and Citizen Lab.
These new revelations only prove that attackers are getting better and quicker at taking advantage of newly reported vulnerabilities as soon as they are disclosed, which in turn leads to random and opportunistic scanning attempts that take advantage of delays in patching.