The US' Cyber security and Infrastructure Security Agency (CISA) has published an extensive list of known and actively exploited security vulnerabilities, setting deadlines by which federal civilian agencies must have them all patched.
A total of 291 individual vulnerabilities have been published in a publicly available online catalogue which includes known issues from the likes of Google, Apple, Adobe, Cisco, Citrix, Cisco, and more.
Federal civilian agencies across the US have been given six months to patch vulnerabilities that received a common vulnerabilities and exposures (CVE) ID before 2021. They have been given just two weeks to patch any exploited issues assigned a CVE this year. This means the deadlines are set at 22 May 2022 and 17 November 2021 for pre- and post-2021 vulnerabilities respectively.
As part of the binding operational directive (BOD 22-01) issued on Wednesday, all agencies have been told they must review their internal vulnerability management procedures in accordance with the directive within 60 days.
Agencies are also required to establish a process for ongoing remediation of vulnerabilities identified by CISA that may carry a risk to the federal enterprise, establish internal validation and enforcement procedures to ensure adherence to the directive, and set appropriate internal tracking and reporting requirements, among other measures.
In return, CISA promised to regularly update the catalogue of vulnerabilities, define the thresholds used to add vulnerabilities to the catalogue, and provide an annual progress report to the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the National Cyber Director.
"The impact of cybersecurity intrusions that leverage vulnerabilities in information technology and operational technology products threaten the public sector, the private sector, and ultimately the American people’s security and privacy," said CISA in a written announcement. "In 2020, industry partners identified a total of 18,358 new cybersecurity vulnerabilities, or Common Vulnerabilities and Exposures (CVEs). Of these, 10,342 - an average of 28 per day - are classified 'critical' or 'high severity' vulnerabilities."
RELATED RESOURCE
How to reduce the risk of phishing and ransomware
Top security concerns and tips for mitigation
"The goal of BOD 22-01 is to enable federal agencies, as well as public and private sector organisations, to improve their vulnerability management practices and dramatically reduce their exposure to cyberattacks," said CISA. "To accomplish this goal, all organisations should review and refresh their vulnerability management policies and playbooks, refer to the CISA catalogue of known exploited vulnerabilities, and establish a more aggressive turnaround time to protect their networks against urgent, active threats."
The move from CISA follows a similar initiative focused on hardware vulnerabilities. This week, MITRE - the organisation tasked with assigning vulnerabilities their CVE codes and close partner of CISA's - revealed a list of the most important hardware weaknesses of the year.
Like CISA's vulnerability catalogue, the list of weaknesses was published to raise awareness of the issues in common hardware in the hope that it will lead to more secure products on shelves.
-
Trump's AI executive order could leave US in a 'regulatory vacuum'News Citing a "patchwork of 50 different regulatory regimes" and "ideological bias", President Trump wants rules to be set at a federal level
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
