CISA is putting the thumbscrews on federal agencies to get them to patch an actively exploited Windows vulnerability.
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that it added the vulnerability – tracked as CVE-2022-21882 and with a CVSS criticality rating of 7.0 – to its Known Exploited Vulnerabilities Catalog.
The move means that Federal Civilian Executive Branch (FCEB) agencies have until Feb. 18, 2022 to remediate the vulnerability, which affects all unpatched versions of Windows 10.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,” CISA said.
CVE-2022-21882 is a privilege-escalation bug in Windows 10 that doesn’t require much in the way of privileges to exploit: a nasty scenario, particularly given that an exploit requires zero user interaction.
It’s been tagged with an “Exploitation More Likely” exploitability index assessment.
Microsoft addressed the bug as part of its January 2022 Patch Tuesday updates: a sprawling set of patches that dealt with 97 security vulnerabilities, of which nine were critical CVEs, including a self-propagator with a 9.8 CVSS score.
January’s Exploding Patch Tuesday
Unfortunately, despite the fact that it was a fat Patch Tuesday stuffed full of critical patches, it was also a fat Patch Tuesday to which many organizations likely developed an allergic reaction.
That’s because, at least for some customers, the updates blew up immediately, breaking Windows, causing spontaneous boot loops on Windows domain controller servers, breaking Hyper-V and making ReFS volume systems unavailable.
Within two days of the Jan. 11 release, Microsoft had yanked the January Windows Server cumulative updates, rendering them unavailable via Windows Update.
PoC Has Been Out for Weeks
A proof-of-concept (PoC) exploit for CVE-2022-21882, which Microsoft had addressed as part of those January 2022 Patch Tuesday updates, has been available in the wild for a few weeks. The PoC was released by Gil Dabah, founder and CEO of Privacy Piiano, which offers “PII by design.”
As Dabah tweeted on Jan. 28, he found the bug two years ago but decided not to report it at the time, given that Microsoft still owed him money for “other stuff,” as he claimed. Besides which, he wasn’t happy about Microsoft’s shrinking bug bounty awards, which “reduced awards to nothing almost,” Dabah said.
The reason I didn’t disclose it, was because I waited to get paid by Msft for long time for other stuff. By the time they paid they reduced awards to nothing almost. I was already busy with my startup and that’s the story how it went unfixed. @ja_wreck https://t.co/PtRuNDAEYQ
— Gil Dabah (@_arkon) January 28, 2022
On Friday, CISA said that it added the bug to the known exploited vulnerability database based on evidence that threat actors are actively exploiting it. Although CISA’s fix-it deadline only applies to FCEB agencies, CISA’s got sway, and It’s hoping to use it to convince non-federal outfits to patch.
“CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice,” according to its notice.
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.