The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal civilian agencies to patch two critical Firefox vulnerabilities, tracked as CVE-2022-26485 and CVE-2022-26486, by March 21. The bugs are rated critical because they can let attackers execute almost any command on systems running a vulnerable version of the browser.
Both bugs are use-after-free flaws that let attackers crash the affected process and execute malicious code on the target device, including downloading malware that could give them further access. Mozilla has reported that it is aware of exploits in the wild abusing the vulnerabilities, potentially for remote code execution and escaping the browser sandbox.
Additionally, CISA has added nine other vulnerabilities to its Known Exploited Vulnerabilities Catalogue based on evidence that they are being exploited by threat actors. Even though the order only applies to federal civilian agencies, CISA has urged public and private sector organisations to patch their systems as well.
Hunting the bugs down
The vulnerabilities in Firefox were discovered and reported to Mozilla by a Chinese cybersecurity company called Qihoo 360 ATA. Following the disclosure, Mozilla released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to fix both bugs.
As mentioned above, both vulnerabilities are use-after-free bugs. A use-after-free occurs when a program continues to access memory that has already been freed; if that memory has since been reallocated, the program ends up reading or writing another object's data. Exploiting such a bug can crash the program and, in the worst case, lets an attacker run code without authorisation. The actual method of attack hasn't been disclosed at the moment.
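The following is an added example, not code from the article, Mozilla, or Firefox: a small C program showing the use-after-free pattern described above and one common mitigation, a generation-checked handle that turns a stale reference into a detectable error instead of a dangling pointer. All names (Session, Handle, session_create, session_destroy, session_resolve, session_id) are hypothetical.

```c
/* Added example (hypothetical code, not from the article).
 * The raw-pointer pattern that produces a use-after-free is:
 *
 *     Session *p = malloc(sizeof *p);
 *     free(p);
 *     printf("%u\n", p->id);   // p now dangles: classic use-after-free
 *
 * Building with -fsanitize=address makes that read abort with a report.
 * Below, objects are reached only through a handle carrying the
 * generation of the slot it was issued for; freeing the slot bumps the
 * generation, so every outstanding handle resolves to NULL afterwards,
 * even if the slot has been reused for a different object. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SLOTS 4

typedef struct {
    uint32_t id;
    char name[16];
} Session;

/* A handle is a slot index plus the generation it was issued for. */
typedef struct {
    uint32_t index;
    uint32_t generation;
} Handle;

static Session *slots[POOL_SLOTS];
static uint32_t generations[POOL_SLOTS];

/* Allocate a Session in the first free slot and return its handle.
 * An invalid handle (index == POOL_SLOTS) is returned when the pool is full. */
Handle session_create(uint32_t id, const char *name) {
    for (uint32_t i = 0; i < POOL_SLOTS; i++) {
        if (slots[i] == NULL) {
            Session *s = calloc(1, sizeof *s);
            if (s == NULL) break;
            s->id = id;
            strncpy(s->name, name, sizeof s->name - 1);
            slots[i] = s;
            return (Handle){ i, generations[i] };
        }
    }
    return (Handle){ POOL_SLOTS, 0 };
}

/* Free the slot and bump its generation so every outstanding handle goes stale.
 * A stale or invalid handle is ignored, which also blocks double frees. */
void session_destroy(Handle h) {
    if (h.index >= POOL_SLOTS || slots[h.index] == NULL) return;
    if (generations[h.index] != h.generation) return;
    free(slots[h.index]);
    slots[h.index] = NULL;
    generations[h.index]++;
}

/* Resolve a handle to its object, or NULL if the object was freed
 * (and possibly replaced) since the handle was issued. */
Session *session_resolve(Handle h) {
    if (h.index >= POOL_SLOTS || slots[h.index] == NULL) return NULL;
    if (generations[h.index] != h.generation) return NULL;
    return slots[h.index];
}

/* Safe accessor: the session id, or 0 for a stale/invalid handle. */
uint32_t session_id(Handle h) {
    Session *s = session_resolve(h);
    return s ? s->id : 0;
}

int main(void) {
    Handle a = session_create(42, "alice");
    printf("a.id = %u\n", session_id(a));           /* 42 */
    session_destroy(a);
    Handle b = session_create(77, "bob");           /* reuses slot 0 */
    printf("slot reused: %d\n", a.index == b.index); /* 1 */
    printf("stale a.id = %u\n", session_id(a));     /* 0, not bob's 77 */
    printf("b.id = %u\n", session_id(b));           /* 77 */
    session_destroy(b);
    return 0;
}
```

The interesting case is the last three lines of main: after slot 0 is freed and handed to a new object, the old handle still resolves to NULL rather than silently reading the new object's fields, which is exactly the confusion a raw dangling pointer would produce.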
A VMware vCenter Server vulnerability must be fixed by the same deadline. In total, 11 vulnerabilities were added to the catalogue, including those mentioned above.
| CVE | Vulnerability | Due date (DD/MM/YY) |
|---|---|---|
| CVE-2022-26486 | Mozilla Firefox Use-After-Free Vulnerability | 21/03/22 |
| CVE-2022-26485 | Mozilla Firefox Use-After-Free Vulnerability | 21/03/22 |
| CVE-2022-26485 | VMware vCenter Server, Cloud Foundation Server Side Request Forgery (SSRF) | 21/03/22 |
| CVE-2020-8218 | Pulse Connect Secure Code Injection Vulnerability | 07/09/22 |
| CVE-2019-11581 | Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability | 07/09/22 |
| CVE-2017-6077 | NETGEAR DGN2200 Remote Code Execution Vulnerability | 07/09/22 |
| CVE-2016-6277 | NETGEAR Multiple Routers Remote Code Execution Vulnerability | 07/09/22 |
| CVE-2013-0631 | Adobe ColdFusion Information Disclosure Vulnerability | 07/09/22 |
| CVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | 07/09/22 |
| CVE-2013-0625 | Adobe ColdFusion Authentication Bypass Vulnerability | 07/09/22 |
| CVE-2009-3960 | Adobe BlazeDS Information Disclosure Vulnerability | 07/09/22 |
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.