The Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added eight new vulnerabilities to its known exploited vulnerabilities (KEV) catalog. Six are now-patched security flaws that impacted Samsung mobile devices; the other two are D-Link router and access point vulnerabilities, also with available patches, exploited by a variant of the Mirai botnet.
All of the bugs being exploited and identified by CISA have been patched for several years.
The most severe Samsung bug is a vulnerability (CVE-2021-25487) classified as an out-of-bounds read error impacting the handset modem interface driver. The flaw can lead to arbitrary code execution by an adversary. Both Samsung and NIST classified the bug as “high severity,” with NIST giving it a 7.8 CVSS score and Samsung a 7.3.
One of the D-Link vulnerabilities (CVE-2019-17621), a remote command injection bug, was recently identified by Palo Alto Networks Unit 42 as being exploited by a new variant of the Mirai botnet targeting D-Link's DIR-859 router. Also targeted by the Mirai variant are multiple vulnerabilities in Zyxel and Netgear devices, according to Unit 42.
Patrick Garrity, a researcher at Nucleus Security, pointed out in a social media post that despite being several years old, most exploited vulnerabilities have been known for more than one year.
Garrity took credit for tipping CISA off to the bugs being exploited in the wild. However, he did not indicate how widely exploited the bugs were. "I'm pretty confident that there is a high likelihood that these vulnerabilities persist today in several places across the federal government and large enterprises," he wrote.
The five other Samsung bugs include the following:
- CVE-2021-25489: a low-severity format string bug in the modem interface driver that can lead to a DoS condition.
- CVE-2021-25394 and CVE-2021-25395: moderate-severity use-after-free bugs in the MFC charger drivers. They allow local attackers to bypass the signature check if a radio privilege is compromised.
- CVE-2021-25371: a moderate-severity vulnerability inside the DSP driver.
- CVE-2021-25372: a moderate-severity improper boundary check in the DSP driver.

The remaining D-Link bug, CVE-2019-20500, was an OS command injection vulnerability.