CISA has added five more CVEs to its Known Exploited Vulnerabilities catalog
Analysis Summary
# Vulnerability: Multiple Actively Exploited Flaws in Cisco, Microsoft, Hitachi Vantara, and Progress Software
## CVE Details
- CVE ID: Multiple (CVE-2023-20118, CVE-2018-8639, CVE-2022-43939, CVE-2022-43769, CVE-2024-4885)
- CVSS Score: Not specified for all, but all are critical enough to be targeted by CISA for immediate patching.
- CWE:
  - CVE-2023-20118: Command Injection (Implied)
  - CVE-2018-8639: Improper Resource Shutdown or Release (Improper Cleanup)
  - CVE-2022-43939: Server Authorization Bypass (Implied)
  - CVE-2022-43769: Special Element Injection (Implied)
  - CVE-2024-4885: Path Traversal (Implied)
## Affected Systems
- Products:
  - Cisco Small Business RV Series routers
  - Microsoft Windows Win32k
  - Hitachi Vantara Pentaho BA (Business Analytics) servers
  - Progress WhatsUp Gold network monitoring software
- Versions: Not specifically listed in the summary, but all versions susceptible to the specific CVEs mentioned.
- Configurations:
  - Cisco: Affects the web-based management interface.
  - Microsoft: Requires local access and authentication.
## Vulnerability Description
CISA has identified five specific vulnerabilities across several major vendors as being actively exploited in the wild, prompting an emergency directive for federal agencies to remediate them immediately.
1. **CVE-2023-20118 (Cisco):** A command injection flaw in the web-based management interface. Successful exploitation allows a remote, authenticated attacker to gain root-level privileges and access unauthorized data.
2. **CVE-2018-8639 (Microsoft):** An improper resource shutdown or release vulnerability in Windows Win32k. This allows a local, authenticated attacker to execute arbitrary code in kernel mode.
3. **CVE-2022-43939 (Hitachi Vantara Pentaho BA):** A server authorization bypass vulnerability.
4. **CVE-2022-43769 (Hitachi Vantara Pentaho BA):** A special element injection vulnerability.
5. **CVE-2024-4885 (Progress WhatsUp Gold):** A path traversal vulnerability in the network monitoring software.
## Exploitation
- Status: **Exploited in the wild** (CISA added these to the KEV catalog).
- Complexity: Varies per CVE. The Cisco flaw requires authentication but permits remote execution; the Microsoft flaw requires local access.
- Attack Vector: Network (Cisco/Hitachi/Progress) and Local (Microsoft).
## Impact
- Confidentiality: High (Unauthorized data access via root privileges/kernel execution is possible).
- Integrity: High (Ability to run arbitrary code in kernel or gain root privileges allows for system modification).
- Availability: Potentially High (System compromise or denial of service resulting from execution).
## Remediation
### Patches
Patch information is not detailed in the summary, but users must consult official vendor advisories for the specific patches corresponding to the listed CVEs (Cisco, Microsoft Security Updates, Hitachi Vantara, Progress Software).
### Workarounds
No specific workarounds were provided in the summary for these flaws, emphasizing immediate patching.
## Detection
- Indicators of compromise (IOCs): Not detailed.
- Detection methods and tools: Organizations should prioritize scanning for evidence of exploitation related to command injection, privilege escalation mechanisms, and unauthorized modifications targeting the affected components (Cisco RV management interface, Win32k activity, Pentaho system access, WhatsUp Gold file access patterns).
## References
- Vendor advisories for CVE-2023-20118, CVE-2018-8639, CVE-2022-43939, CVE-2022-43769, and CVE-2024-4885.
- Relevant links - defanged: hxxps://www[.]infosecurity-magazine[.]com/news/cisa-govt-patch-exploited-cisco/