CISA Issues Warnings on Seven New Exploited Vulnerabilities

Multiple Apple Devices, Veritas Backup, Microsoft Windows At Risk Without Immediate Update and Remediation, CISA Says

Since April 3, CISA has published warnings about seven known exploited vulnerabilities, adding them to the Known Exploited Vulnerabilities Catalog, ordering federal agencies to remediate the identified vulnerabilities immediately, and encouraging all organizations to do the same.

The flaws were discovered by Google’s Threat Analysis Group and Amnesty International Security Lab while being exploited in attacks, CISA reported. “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks,” the agency said.

Two of the newly reported vulnerabilities impact the following Apple devices:

  • iPhone 8 and later

  • iPad Pro (all models)

  • iPad Air 3rd generation and later

  • iPad 5th generation and later

  • iPad mini 5th generation and later

  • Macs running MacOS Ventura 

Following are the published details on the seven new exploited vulnerabilities, the exploitation potential of each, and information on remediation steps:

  • CVE-2023-28206 Apple iOS, iPadOS, and macOS IOSurfaceAccelerator Out-of-Bounds Write Vulnerability: Updates iOS 16.4.1 and iPadOS 16.4.1 address reported security issues with IOSurfaceAccelerator. A malicious app could execute arbitrary code with kernel privileges prior to this update, and Apple said it is aware of a report that this issue may have been actively exploited. In the new OS updates, an out-of-bounds write issue was addressed with improved input validation. 

  • CVE-2023-28205 Apple iOS, iPadOS, and macOS WebKit Use-After-Free Vulnerability: Updates iOS 16.4.1 and iPadOS 16.4.1 address reported security issues with WebKit. Processing maliciously crafted web content may lead to arbitrary code execution, and Apple said it is aware of a report that this issue may have been actively exploited. In the new OS updates, a use after free issue was addressed with improved memory management.

  • CVE-2021-27876 Veritas Backup Exec Agent File Access Vulnerability: An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an agent requires successful authentication, typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. By using crafted input parameters in one of these commands, an attacker can access an arbitrary file on the system using System privileges. 

  • CVE-2021-27877 Veritas Backup Exec Agent Improper Authentication Vulnerability: An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands. 

  • CVE-2021-27878 Veritas Backup Exec Agent Command Execution Vulnerability: An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The attacker could use one of these commands to execute an arbitrary command on the system using system privileges. 

  • CVE-2019-1388 Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability: An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka 'Windows Certificate Dialog Elevation of Privilege Vulnerability.’ 

  • CVE-2023-26083 Arm Mali GPU Kernel Driver Information Disclosure Vulnerability: Memory leak vulnerability in Mali GPU Kernel Driver in Midgard GPU Kernel Driver all versions from r6p0 – r32p0, Bifrost GPU Kernel Driver all versions from r0p0 – r42p0, Valhall GPU Kernel Driver all versions from r19p0 – r42p0, and Avalon GPU Kernel Driver all versions from r41p0 – r42p0 allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata. 

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at [email protected].


Featured

  • Stylized illustration showing cybersecurity elements like shields, padlocks, and secure cloud icons on a neutral, minimalist digital background

    Microsoft Announces Security Advancements

    Microsoft has announced major security advancements across its product portfolio and practices. The work is part of its Secure Future Initiative (SFI), a multiyear cybersecurity transformation the company calls the largest engineering project in company history.

  • glowing futuristic laptop with a holographic screen displaying digital text

    New Turnitin Product Brings AI-Powered Tools to Students with Instructor Guardrails

    Academic integrity solution provider Turnitin has introduced Turnitin Clarity, a paid add-on for Turnitin Feedback Studio that provides a composition workspace for students with educator-guided AI assistance, AI-generated writing feedback, visibility into integrity insights, and more.

  • illustration of a football stadium with helmet on the left and laptop with ed tech icons on the right

    The 2025 NFL Draft and Ed Tech Selection: A Strategic Parallel

    In the fast-evolving landscape of collegiate football, the NFL, and higher education, one might not immediately draw connections between the 2025 NFL Draft and the selection of proper educational technology for a college campus. However, upon closer examination, both processes share striking similarities: a rigorous assessment of needs, long-term strategic impact, talent or tool evaluation, financial considerations, and adaptability to a dynamic future.

  • futuristic AI interface with glowing data streams and abstract neural network patterns

    OpenAI Launches Its Largest AI Model Yet in Research Preview

    OpenAI has announced the launch of GPT-4.5, its largest AI model to date, code-named Orion. The model, trained with more computing power and data than any previous OpenAI release, is available as a research preview to select users.