CISA Adds Microsoft Privilege Escalation Vulnerability to Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of a new vulnerability to its Known Exploited Vulnerabilities Catalog, a Microsoft Win32k privilege escalation vulnerability known as CVE-2022-21882.

The addition was based on evidence that threat actors are actively exploiting this vulnerability, which the agency said carries “significant risk” to the federal enterprise.

Privilege escalation vulnerabilities are almost always viewed as high risk, given the damage an attacker can do with root-level privileges, such as planting malware, taking control of critical infrastructure or covering their tracks.

“An attacker with privileged access can be a serious issue. However, this vulnerability requires local access to exploit and exploitation is a non-trivial challenge,” said Mike Parkin, engineer at Vulcan Cyber, a provider of SaaS for enterprise cybersecurity risk remediation. “Both of those factors reduce the risk. While it shouldn’t be ignored, it also appears unlikely to become a widespread problem.”

A Long List of Vulnerabilities

He added that the list of vulnerabilities that have the potential to be problematic to the federal enterprise is long; in this particular case, however, the risk assessment can be summed up as “the vulnerabilities that are known and unpatched pose the greatest risk.”

Parkin said following industry best practices can help mitigate the unpublished and zero-day threats, but remediating the known threats is always required.

“Organizations like CISA can, and do, relay risk assessments of newly revealed vulnerabilities,” he said. “But it’s up to individual organizations to assess their own environment and prioritize mitigating the threats that are most relevant to them.”

He added that this prioritization is especially important for organizations that have limited resources and lack the capacity to react quickly to every alert.

Bud Broomhead, CEO at Viakoo, a provider of automated IoT cybersecurity hygiene, said there has been a noticeable increase in open source vulnerabilities and vulnerabilities in standard libraries used by many software development teams.

“When they are aimed at IoT and critical infrastructure they become the most significant risk to the federal enterprise. By their nature they require a lot of effort to remediate because they span multiple systems, each requiring a separate patch,” he said.

Compounded Risks

When such vulnerabilities are exploited on IoT and critical infrastructure systems, the risk is compounded: those systems are often hard to reach due to geography or scale, and traditional IT patch management solutions do not work on them.

“The result is a large attack surface that remains exploitable longer than vulnerabilities exploited on traditional IT systems,” he said. 

Broomhead added that CISA’s efforts to highlight exploitable vulnerabilities and its advocacy for software bills of materials (SBOMs) are both significantly helping organizations spot vulnerabilities.

However, he pointed out that CISA’s focus on timing and mandates for remediating vulnerabilities must be matched with advice and best practices for remediating vulnerabilities in IoT systems.

“Spotting vulnerabilities is not where organizations need the most help—it’s in remediating them,” he said. “The slow pace of remediating IoT vulnerabilities, in particular, must be addressed in order for organizations to truly reduce risk.”

From his perspective, CISA needs to go further in this direction to complement its otherwise strong work in spotting and focusing attention on the most exploitable vulnerabilities.

Broomhead said CISA’s focus on exploitable vulnerabilities is one of the great strengths of its catalog program—with most security organizations overworked and understaffed, CISA is doing a “great service” by directing those limited resources toward the most critical vulnerabilities.

Delayed Reaction

Microsoft first published its advisory for this vulnerability on January 11, but CISA did not add it to the Known Exploited Vulnerabilities Catalog until February 4. According to CISA, the deadline for organizations to remediate this vulnerability is February 18.
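As an added example (not code from the article or from CISA), the following Python helper reads records in the shape of CISA’s public KEV JSON feed and buckets them by remediation deadline, which is the prioritization decision the article describes. The embedded sample is constructed: the first entry uses the CVE and dates given above, the second is a placeholder, and the field names follow the feed’s documented keys.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed. The first entry's CVE,
# dateAdded and dueDate come from the article; the second is a placeholder.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2022-21882", "vendorProject": "Microsoft", "product": "Win32k",
     "vulnerabilityName": "Microsoft Win32k Privilege Escalation Vulnerability",
     "dateAdded": "2022-02-04", "dueDate": "2022-02-18"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "Example",
     "vulnerabilityName": "Placeholder entry (constructed)",
     "dateAdded": "2022-01-10", "dueDate": "2022-01-24"}
  ]
}"""


def load_kev(raw: str) -> list[dict]:
    """Parse a KEV-shaped JSON document and return its vulnerability records."""
    return json.loads(raw)["vulnerabilities"]


def triage(records: list[dict], today: str, window_days: int = 14) -> dict[str, list[str]]:
    """Bucket KEV entries by remediation status relative to `today` (ISO date).

    Returns CVE IDs under 'overdue' (due date already passed), 'due_soon'
    (due within `window_days`) and 'later'. Each list is ordered by due date,
    earliest first, which is the order a patch team should work them in.
    """
    now = date.fromisoformat(today)
    horizon = now + timedelta(days=window_days)
    buckets: dict[str, list[str]] = {"overdue": [], "due_soon": [], "later": []}
    for rec in sorted(records, key=lambda r: r["dueDate"]):
        due = date.fromisoformat(rec["dueDate"])
        if due < now:
            buckets["overdue"].append(rec["cveID"])
        elif due <= horizon:
            buckets["due_soon"].append(rec["cveID"])
        else:
            buckets["later"].append(rec["cveID"])
    return buckets


def days_until_due(rec: dict, today: str) -> int:
    """Days remaining before an entry's dueDate; negative once it is overdue."""
    return (date.fromisoformat(rec["dueDate"]) - date.fromisoformat(today)).days
```

Pointing `load_kev` at the live feed instead of the sample gives a daily list of what is overdue across the whole catalog, not just this CVE.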

“Initially Microsoft did not think this vulnerability was being actively exploited; that initial judgment likely delayed CISA adding it to their catalog,” Broomhead explained. Parkin also pointed out that CISA has an established process and timeline for dealing with new vulnerabilities and getting them out to the public.

“The timelines are adjusted based on multiple factors and, in this case, the adjustments led to them taking several weeks to add a new vulnerability to their list,” he said. 


Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
