Executive Summary
Date: October 04, 2024
On August 21, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. These vulnerabilities are actively being exploited in the wild and pose significant risks to various sectors, particularly targeting federal enterprises. The vulnerabilities include CVE-2021-33044 and CVE-2021-33045, both affecting Dahua IP Cameras, CVE-2022-0185, a heap-based buffer overflow in the Linux Kernel, and CVE-2021-31196, which impacts Microsoft Exchange Server. CISA's Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies remediate these vulnerabilities by specified deadlines, emphasizing the urgency for all organizations to prioritize remediation efforts.
Technical Information
The vulnerabilities added to the CISA KEV Catalog are critical and warrant immediate attention.
CVE-2021-33044 and CVE-2021-33045 are both associated with Dahua IP Cameras. These vulnerabilities allow for authentication bypass, which can lead to unauthorized access to the camera's functionalities. Attackers exploiting these vulnerabilities can manipulate camera settings, access live feeds, and potentially use the cameras for surveillance purposes without the knowledge of the legitimate users.
CVE-2022-0185 is a heap-based buffer overflow vulnerability in the Linux Kernel. This vulnerability can lead to arbitrary code execution, allowing attackers to execute malicious code with the same privileges as the user running the affected application. This can result in complete system compromise, making it a severe threat to any organization utilizing affected versions of the Linux Kernel.
CVE-2021-31196 affects Microsoft Exchange Server and allows for information disclosure. This vulnerability can expose sensitive data to unauthorized users, potentially leading to data breaches and significant reputational damage for organizations. The exploitation of this vulnerability can have far-reaching consequences, especially for organizations that handle sensitive information.
Exploitation in the Wild
Evidence indicates that these vulnerabilities are being actively exploited by various threat actors, including Advanced Persistent Threat (APT) groups. The exploitation of CVE-2021-31196 has been particularly concerning, as it has been linked to APT groups targeting government and enterprise networks. These groups aim to extract sensitive information, which can be used for espionage or other malicious activities.
Indicators of Compromise (IOCs) associated with these vulnerabilities include unusual network traffic patterns, unauthorized access attempts to camera feeds, and unexpected system behavior in devices running the affected versions of the Linux Kernel and Microsoft Exchange Server. Organizations are advised to monitor their networks closely for these signs of exploitation.
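As an added illustration of what monitoring for "unauthorized access attempts to camera feeds" can look like in practice, the following script (example code, not from Rescana or Dahua) scans a camera's HTTP access log and flags any client that reaches a protected resource successfully without a prior successful login from the same address. The log format, the endpoint paths and the client addresses are constructed for this example and do not describe any real Dahua URL scheme; a real deployment would adapt the regular expression and the protected-path list to the device's actual log and API layout.

```python
"""
Flag successful access to protected camera resources that is not preceded by
an authentication success from the same client. Example added to this
advisory; the log format and endpoint names below are constructed.
"""
import re

# Constructed access-log excerpt: timestamp, client address, method, path, status.
# 203.0.113.7 reaches the stream and the user-config endpoint with 200 responses
# without ever logging in, which is the pattern an authentication bypass leaves.
SAMPLE_LOG = """\
2024-08-22T10:00:01Z 10.0.0.5 POST /login 200
2024-08-22T10:00:03Z 10.0.0.5 GET /live/stream1 200
2024-08-22T10:05:10Z 203.0.113.7 GET /live/stream1 200
2024-08-22T10:05:12Z 203.0.113.7 POST /config/users 200
2024-08-22T10:06:00Z 198.51.100.9 POST /login 401
2024-08-22T10:06:02Z 198.51.100.9 GET /live/stream1 401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Hypothetical path prefixes that should only be reachable after authentication.
PROTECTED_PREFIXES = ("/live/", "/config/")
LOGIN_PATH = "/login"


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_unauthenticated_access(log_text):
    """Return findings for protected-resource hits (HTTP 200) from clients that
    never produced a successful login earlier in the log."""
    authenticated = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == LOGIN_PATH and rec["status"] == 200:
            authenticated.add(rec["src"])
            continue
        if (rec["path"].startswith(PROTECTED_PREFIXES)
                and rec["status"] == 200
                and rec["src"] not in authenticated):
            findings.append({"ts": rec["ts"], "src": rec["src"], "path": rec["path"]})
    return findings


def sources_by_hit_count(findings):
    """Aggregate findings per client address, most hits first."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for src, n in sources_by_hit_count(find_unauthenticated_access(SAMPLE_LOG)):
        print(f"{src}: {n} protected resource hit(s) without prior login")
```

The failed login followed by a 401 on the stream is deliberately left unflagged: that is the device rejecting a request as designed, whereas a 200 on a protected path with no login event is the condition worth an alert. Sessions that span log rotation, or devices that authenticate per request with a header rather than a login endpoint, need the "authenticated" state adapted accordingly.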
APT Groups using this vulnerability
CVE-2021-31196 has been linked to APT groups that focus on government and enterprise sectors, indicating a targeted approach to data extraction and espionage. These groups often employ sophisticated techniques to exploit vulnerabilities, making it imperative for organizations to remain vigilant and proactive in their cybersecurity measures.
Affected Product Versions
The vulnerabilities affect a range of products and versions. For Dahua IP Cameras, CVE-2021-33044 and CVE-2021-33045 affect a number of models across Dahua's IP camera line; this report does not enumerate them. For detailed model information, refer to Dahua's security advisory at https://www.dahuasecurity.com.
The CVE-2022-0185 vulnerability affects multiple versions of the Linux Kernel. For a comprehensive list of affected versions, consult the National Vulnerability Database (NVD) at https://nvd.nist.gov.
CVE-2021-31196 impacts several versions of Microsoft Exchange Server. For specific version details, refer to Microsoft's security advisory at https://www.microsoft.com/en-us/security/blog.
Workaround and Mitigation
Organizations are strongly encouraged to implement immediate remediation measures to mitigate the risks associated with these vulnerabilities. For Dahua IP Cameras, users should apply firmware updates provided by the manufacturer to address the authentication bypass vulnerabilities.
For the Linux Kernel, organizations should ensure they are running the latest stable version and apply any available patches to mitigate the heap-based buffer overflow vulnerability.
In the case of Microsoft Exchange Server, it is crucial to apply the latest security updates and patches to prevent information disclosure. Additionally, organizations should review their access controls and monitor for any unauthorized access attempts.
CISA's BOD 22-01 emphasizes the importance of timely remediation, and organizations are encouraged to integrate these vulnerabilities into their vulnerability management practices.
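To show what integrating KEV entries into a vulnerability management process can look like, the following script is an added example (not Rescana's platform code) that matches a KEV feed excerpt against an asset inventory and reports which hosts carry a catalogued vulnerability and whether its remediation deadline has passed. It assumes the layout of CISA's public KEV JSON feed (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded and dueDate fields); the four entries, their due dates and the inventory hostnames are constructed to mirror this advisory and are not copied from the feed.

```python
"""
Match a CISA KEV feed excerpt against an asset inventory and report
remediation deadlines. Example added to this advisory; assumes the public
KEV JSON field names. Entries, due dates and hosts are constructed.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed. The dueDate values are
# placeholders, not the deadlines published in the catalog.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2021-33044", "vendorProject": "Dahua", "product": "IP Camera",
         "dateAdded": "2024-08-21", "dueDate": "2024-09-11"},
        {"cveID": "CVE-2021-33045", "vendorProject": "Dahua", "product": "IP Camera",
         "dateAdded": "2024-08-21", "dueDate": "2024-09-11"},
        {"cveID": "CVE-2022-0185", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2024-08-21", "dueDate": "2024-09-11"},
        {"cveID": "CVE-2021-31196", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2024-08-21", "dueDate": "2024-09-11"},
    ]
})

# Constructed inventory; hostnames are hypothetical.
INVENTORY = [
    {"host": "cam-lobby-01", "vendor": "Dahua", "product": "IP Camera"},
    {"host": "mail-01", "vendor": "Microsoft", "product": "Exchange Server"},
    {"host": "build-07", "vendor": "linux", "product": "kernel"},
    {"host": "fw-edge-01", "vendor": "ExampleVendor", "product": "Firewall"},
]


def load_kev(text):
    """Parse the feed text and return the list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def _norm(value):
    """Case- and whitespace-insensitive form for vendor/product comparison."""
    return " ".join(value.lower().split())


def match_inventory(kev_entries, inventory):
    """Return one finding per (host, CVE) pair whose vendor and product match."""
    findings = []
    for asset in inventory:
        for entry in kev_entries:
            if (_norm(asset["vendor"]) == _norm(entry["vendorProject"])
                    and _norm(asset["product"]) == _norm(entry["product"])):
                findings.append({
                    "host": asset["host"],
                    "cveID": entry["cveID"],
                    "dueDate": date.fromisoformat(entry["dueDate"]),
                })
    return sorted(findings, key=lambda f: (f["dueDate"], f["host"], f["cveID"]))


def overdue(findings, today):
    """Findings whose BOD 22-01 due date is already in the past on `today`."""
    return [f for f in findings if f["dueDate"] < today]


if __name__ == "__main__":
    found = match_inventory(load_kev(KEV_SAMPLE), INVENTORY)
    late = overdue(found, date.today())
    for f in found:
        flag = "OVERDUE" if f in late else "open"
        print(f"{f['host']:14} {f['cveID']:16} due {f['dueDate']} [{flag}]")
```

Matching on vendor and product alone is deliberately coarse: the KEV feed does not carry version ranges, so a hit means "this asset class is on the catalog and needs a version check against the vendor advisory", not "this host is confirmed vulnerable". Passing the reference date into overdue() rather than reading the clock inside it keeps the check reproducible in reports and tests.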
References
CISA Adds Four Known Exploited Vulnerabilities to Catalog: https://www.cisa.gov/news-events/alerts/2024/08/21/cisa-adds-four-known-exploited-vulnerabilities-catalog
CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
National Vulnerability Database: https://nvd.nist.gov
Dahua Security Advisory: https://www.dahuasecurity.com
Microsoft Security Advisory: https://www.microsoft.com/en-us/security/blog
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complexities of cybersecurity through our Continuous Threat and Exposure Management (CTEM) platform. Our platform provides organizations with the tools and insights needed to identify, assess, and remediate vulnerabilities effectively. We are happy to answer any questions you might have about this report or any other issues at ops@rescana.com.