The high-severity vulnerabilities that CISA has added to its patch-now list include the SeriousSAM privilege escalation flaw and an SMBv3 remote code execution flaw.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 15 more vulnerabilities to its catalog of flaws that are actively exploited in the wild by attackers. Some are old, dating back to 2014, but two are from the past two years and affect Windows components.

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,” the agency said in its advisory. The CISA Known Exploited Vulnerabilities (KEV) Catalog is updated regularly based on observations from real-world attacks, and each entry carries a deadline by which federal agencies are required to patch it on their systems.

SeriousSAM and privilege escalation

One of the flaws just added to the list is CVE-2021-36934, known in the security community as SeriousSAM (or HiveNightmare) because it involves the Microsoft Windows Security Accounts Manager (SAM). It has a CVSS base score of 7.8 out of 10 and its impact is described as privilege escalation on Windows 10 systems (version 1809 and later).

The flaw stems from overly permissive file ACLs on the registry hive files under %windir%\System32\config, including the SAM database that stores local account password hashes. The live files are locked by the operating system, but the same permissions apply to the copies held in Volume Shadow Copy snapshots, so any low-privileged local user can read the SAM hive (and the SYSTEM hive, which holds the boot key needed to decrypt it), recover the hashes of local accounts such as the built-in Administrator, and use them to execute code with elevated privileges. The flaw was disclosed publicly in July 2021; Microsoft published workarounds at the time (restoring the ACLs and deleting existing shadow copies) and shipped a fix in its August 2021 security updates. Researchers also showed that hashes recovered this way can be replayed in pass-the-hash attacks to execute code with SYSTEM privileges on other machines that share the same local Administrator password, making the flaw a serious risk for lateral movement inside environments.

CISA assigned a patch deadline of February 24 for it, even though it is the newest vulnerability on the list and the other 14 received a deadline of August 10.
This suggests that the agency sees it as an immediate high risk even though it is a privilege escalation flaw. Privilege escalation vulnerabilities typically receive lower severity scores than remote code execution ones because they require the attacker to have already obtained some level of access to the system. That is a low bar, however, given the many ways attackers get their code to run on a machine: email phishing, drive-by downloads, exploitation of vulnerabilities in low-privileged applications and services, social engineering and so on. Privilege escalation flaws are an essential part of modern exploit chains and should be treated just as seriously as remote code execution ones.

SMB remote code execution

The second most recent flaw added to the list by CISA is CVE-2020-0796, also known as SMBGhost, which is rated critical. Microsoft patched it in March 2020. It stems from the way the SMBv3 protocol handles certain requests with compression and can result in remote code execution in both directions: an unauthenticated attacker can target an SMB server, and a malicious server can target connecting clients. It affects Windows 10 and Windows Server Core installations, versions 1903 and 1909.

SMB remote code execution flaws are dangerous because SMB is the protocol at the core of every Windows network, enabling file sharing, printer sharing, network browsing and service-to-service communication. In the past, SMB exploits like EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145) enabled global ransomware worms like WannaCry that caused billions in damages. In fact, EternalBlue and EternalRomance are also among the 15 flaws that were added to the catalog.

The other flaws

The vulnerabilities added to the catalog impact a variety of common enterprise software, from operating systems like Windows and Apple’s OS X, to automation servers like Jenkins, development frameworks like Apache Struts, application servers like Oracle WebLogic, the Apache ActiveMQ open-source message broker and even router firmware.
The full list is:

CVE-2021-36934 – Microsoft Windows SAM Local Privilege Escalation Vulnerability
CVE-2020-0796 – Microsoft SMBv3 Remote Code Execution Vulnerability
CVE-2018-1000861 – Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability
CVE-2017-9791 – Apache Struts 1 Improper Input Validation Vulnerability
CVE-2017-8464 – Microsoft Windows Shell (.lnk) Remote Code Execution Vulnerability
CVE-2017-10271 – Oracle Corporation WebLogic Server Remote Code Execution Vulnerability
CVE-2017-0263 – Microsoft Win32k Privilege Escalation Vulnerability
CVE-2017-0262 – Microsoft Office Remote Code Execution Vulnerability
CVE-2017-0145 – Microsoft SMBv1 Remote Code Execution Vulnerability
CVE-2017-0144 – Microsoft SMBv1 Remote Code Execution Vulnerability
CVE-2016-3088 – Apache ActiveMQ Improper Input Validation Vulnerability
CVE-2015-2051 – D-Link DIR-645 Router Remote Code Execution Vulnerability
CVE-2015-1635 – Microsoft HTTP.sys Remote Code Execution Vulnerability
CVE-2015-1130 – Apple OS X Authentication Bypass Vulnerability
CVE-2014-4404 – Apple OS X Heap-Based Buffer Overflow Vulnerability
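As an added example (it is not part of the original article and is not code from CISA or Microsoft), the following PowerShell script checks a Windows host for the two conditions behind the SeriousSAM and SMBv3 entries discussed above. For CVE-2021-36934 it looks for the inherited Read/Execute ACE for BUILTIN\Users on the hive files and for existing shadow copies, and wraps Microsoft's published workaround (icacls /inheritance:e plus deleting shadow copies) in a function that supports -WhatIf. For CVE-2020-0796 it compares the OS build against the affected 1903/1909 builds (18362/18363), the revision KB4551762 raised them to (720), and the DisableCompression server-side workaround from Microsoft's advisory. The function names are this example's own; the build revision is an assumption to verify against your own patch baseline. Run it from an elevated PowerShell session on the host being checked.

```powershell
# Added example, not from the original article or from Microsoft/CISA.
# Triage for the two Windows KEV entries above. Run elevated on the host under test.
# Function names (Test-*/Repair-*) are this example's own.

function Test-SeriousSamExposure {
    # CVE-2021-36934: the hive files under %windir%\System32\config carry an inherited
    # Read/Execute ACE for BUILTIN\Users. The live files are locked, but the same ACL
    # applies inside VSS snapshots, so exploitation needs both the bad ACE and a shadow copy.
    $configDir = Join-Path $env:windir 'System32\config'
    $readable = @()
    foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
        $aces = & icacls.exe (Join-Path $configDir $hive) 2>$null
        # icacls prints one ACE per line; a vulnerable host shows "BUILTIN\Users:(I)(RX)"
        if ($aces -match 'BUILTIN\\Users:\(I\)\(RX\)') { $readable += $hive }
    }
    # Enumerating Win32_ShadowCopy requires an elevated session
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        CVE                  = 'CVE-2021-36934'
        HivesReadableByUsers = ($readable -join ',')
        ShadowCopies         = $shadows.Count
        AclNeedsFixing       = ($readable.Count -gt 0)
        Exploitable          = ($readable.Count -gt 0 -and $shadows.Count -gt 0)
    }
}

function Repair-SeriousSamExposure {
    # Microsoft's workaround: restore ACL inheritance on the hive files (which drops the
    # stray Users ACE) and delete existing shadow copies. Deleting shadow copies also
    # removes system restore points, hence -WhatIf / -Confirm support.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $target = Join-Path $env:windir 'System32\config\*.*'
    $action = "icacls $target /inheritance:e; vssadmin delete shadows /all /quiet"
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
        & icacls.exe $target /inheritance:e | Out-Null
        & vssadmin.exe delete shadows /all /quiet | Out-Null
    }
}

function Test-SmbGhostExposure {
    # CVE-2020-0796 affects Windows 10 / Server version 1903 (build 18362) and 1909
    # (build 18363). KB4551762 (March 2020) took both to revision 720 (assumed baseline).
    # Microsoft's interim workaround, DisableCompression=1 on the SMB server, does not
    # protect the SMB client side, which a malicious server can still reach.
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$ver.CurrentBuildNumber
    $ubr = [int]$ver.UBR
    $affected = @(18362, 18363) -contains $build
    $patched = (-not $affected) -or ($ubr -ge 720)
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $compressionOff = ($null -ne $srv -and $srv.DisableCompression -eq 1)
    [pscustomobject]@{
        CVE                 = 'CVE-2020-0796'
        Build               = "$build.$ubr"
        AffectedBuild       = $affected
        Patched             = $patched
        CompressionDisabled = $compressionOff
        ServerExploitable   = ($affected -and -not $patched -and -not $compressionOff)
        ClientExploitable   = ($affected -and -not $patched)
    }
}

Test-SeriousSamExposure | Format-List
Test-SmbGhostExposure | Format-List

# After reviewing the output, apply the SeriousSAM workaround (or patch) with:
#   Repair-SeriousSamExposure -WhatIf    # preview the icacls/vssadmin actions
#   Repair-SeriousSamExposure -Confirm   # apply, with a prompt
```

The ACL check is the one to act on even when no shadow copies exist, because the next restore point or backup snapshot would make the hives readable again; the workaround is a stopgap and the August 2021 update is the real fix. Likewise, DisableCompression only covers the server side of SMBGhost, so a host that reports ClientExploitable still needs KB4551762 or a later cumulative update.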