CISA: Hackers exploit critical Bitbucket Server flaw in attacks

alf9872000
    The Cybersecurity and Infrastructure Security Agency (CISA) has added three more security flaws to its list of bugs exploited in attacks, including a Bitbucket Server RCE and two Microsoft Exchange zero-days.


    CISA's Known Exploited Vulnerabilities (KEV) catalog now includes two Microsoft Exchange zero-days (CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks, according to Microsoft.


    While Microsoft has not yet released security updates for this pair of actively exploited bugs, it has shared mitigation measures that require customers to add an IIS server blocking rule to block attack attempts.


    "Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," Microsoft said earlier today.


    The third security flaw CISA added to its KEV list today (tracked as CVE-2022-36804) is a critical severity command injection vulnerability in Atlassian's Bitbucket Server and Data Center, with publicly available proof of concept exploit code.


    Attackers can gain remote code execution by exploiting the flaw via malicious HTTP requests. Still, they must have access to a public repository or read permissions to a private one.


    This RCE vulnerability impacts all Bitbucket Server and Data Center versions after 6.10.17, including 7.0.0 and up to 8.3.0.
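As an added example (not code from the article or from Atlassian), the Python below turns the affected range stated above into an inventory check a defender can run over a list of Bitbucket hosts and versions; the hostnames and the inventory are constructed placeholders.

```python
from typing import Dict, List, Tuple

# Affected range as stated in the article for CVE-2022-36804:
# every version after 6.10.17, i.e. 7.0.0 up to and including 8.3.0.
LOWER_EXCLUSIVE = (6, 10, 17)
UPPER_INCLUSIVE = (8, 3, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'major.minor.patch' into a comparable tuple.

    Missing components are padded with 0 ('8.3' -> (8, 3, 0)); anything after
    a '-' (e.g. a build label) is ignored. Assumption: Bitbucket versions are
    plain dotted integers, which is the format the article uses.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or len(parts) > 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True if the version falls inside the reported affected range."""
    return LOWER_EXCLUSIVE < parse_version(version) <= UPPER_INCLUSIVE


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose Bitbucket version is inside the affected range.

    This is a first-pass filter: a hit means 'check this host against the
    vendor's list of fixed point releases', not 'confirmed vulnerable'.
    """
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory; the hostnames are placeholders.
SAMPLE_INVENTORY = {
    "bb-prod.example": "7.21.3",
    "bb-dc.example": "8.3.0",
    "bb-new.example": "8.3.1",
    "bb-legacy.example": "6.10.17",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: version {SAMPLE_INVENTORY[host]} is in the affected range")
```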


    BinaryEdge and GreyNoise confirmed that attackers have been scanning for and attempting to exploit CVE-2022-36804 in the wild since at least September 20th.


    Federal agencies ordered to mitigate

    All Federal Civilian Executive Branch (FCEB) agencies must apply patches or mitigation measures for these three actively exploited bugs now that they have been added to CISA's KEV catalog, as required by a binding operational directive (BOD 22-01) issued in November.


    The federal agencies were given three weeks, until October 21st, to ensure that exploitation attempts would be blocked.


    The U.S. cybersecurity agency also strongly urged all private and public sector organizations worldwide to prioritize patching these vulnerabilities, although BOD 22-01 only applies to U.S. FCEB agencies.


    Applying the patches as soon as possible reduces the attack surface that potential attackers could target in breach attempts.


    "These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise," CISA explained on Thursday.


    Since the BOD 22-01 binding directive was issued last year, CISA has added more than 800 security flaws to its catalog of bugs exploited in attacks while requiring federal agencies to address them on a tighter schedule.


    Source