CISA Urges Federal Agencies to Patch Exploited Qualcomm Vulnerabilities

The US cybersecurity agency CISA on Tuesday added four bugs impacting multiple Qualcomm chipsets to its Known Exploited Vulnerabilities Catalog.
All four issues were identified by Google's Threat Analysis Group and Google Project Zero, which often report security defects exploited by commercial spyware vendors.
Three of the flaws, tracked as CVE-2023-33106, CVE-2023-33107, and CVE-2023-33063, were patched in October 2023 as zero-days, after Qualcomm learned from Google's researchers that they were likely exploited in the wild.
All three vulnerabilities are described as memory corruption bugs.
These types of flaws lead to crashes or unexpected behavior and may allow attackers to gain unauthorized access to systems and even execute arbitrary code.
The fourth vulnerability, CVE-2022-22071, was patched in May 2023, but Google revealed in October that it was likely being exploited as well.
The issue is described as a use-after-free bug, which could allow attackers to execute arbitrary code.
Neither Google nor Qualcomm has shared details on the observed exploitation, but given Google's track record of uncovering exploit chains attributed to spyware vendors, it is possible that all four vulnerabilities were targeted in surveillance campaigns.
Per Binding Operational Directive 22-01, federal agencies have three weeks to identify vulnerable appliances and patch the bugs that CISA has added to KEV. For the Qualcomm issues, the deadline is December 26.
BOD 22-01 only applies to federal agencies, but CISA urges all organizations to take the necessary steps to address the security flaws included in its must-patch list.
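As an added example (not code from the article, CISA or Qualcomm), the three-week deadline rule can be checked programmatically against the catalog feed. The block parses a constructed sample in the shape of CISA's public KEV JSON feed (the field names cveID, vendorProject, product, dateAdded and dueDate are assumed from that feed), flags entries matching an asset inventory, and reports days left until the BOD 22-01 due date; the 5 Dec dateAdded is inferred from the article's "Tuesday" and its 6 Dec publication date, and the ExampleVendor entry is a placeholder.

```python
import json
from datetime import date, timedelta

# Three-week remediation window for newly catalogued KEV entries (BOD 22-01).
BOD_22_01_WINDOW = timedelta(days=21)

# Constructed sample in the shape of CISA's KEV JSON feed (not the live feed).
# Qualcomm CVEs and the 26 Dec due date come from the article; dateAdded is the
# Tuesday before it ran (5 Dec 2023). The last entry is a labelled placeholder.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": c, "vendorProject": "Qualcomm", "product": "Multiple Chipsets",
     "dateAdded": "2023-12-05", "dueDate": "2023-12-26"}
    for c in ("CVE-2023-33106", "CVE-2023-33107", "CVE-2023-33063", "CVE-2022-22071")
] + [{"cveID": "CVE-1999-99999", "vendorProject": "ExampleVendor",  # placeholder
      "product": "Placeholder", "dateAdded": "2023-11-01", "dueDate": "2023-11-22"}]})


def load_kev(feed_json):
    """Parse a KEV feed document and return its list of vulnerability entries."""
    return json.loads(feed_json)["vulnerabilities"]


def matches_inventory(entry, inventory):
    """True if the entry's CVE ID or lowercased vendor name is in the inventory set."""
    return entry["cveID"] in inventory or entry["vendorProject"].lower() in inventory


def days_remaining(entry, today_iso):
    """Days from today (ISO date string) to the due date; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days


def due_date_is_consistent(entry):
    """Check that dueDate is exactly dateAdded plus the three-week window."""
    added = date.fromisoformat(entry["dateAdded"])
    return date.fromisoformat(entry["dueDate"]) == added + BOD_22_01_WINDOW


def triage(feed_json, inventory, today_iso):
    """Return (cveID, days_remaining) for inventory-relevant entries, most urgent first."""
    hits = [(e["cveID"], days_remaining(e, today_iso))
            for e in load_kev(feed_json) if matches_inventory(e, inventory)]
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for cve, days in triage(SAMPLE_KEV, {"qualcomm", "CVE-1999-99999"}, "2023-12-06"):
        state = f"OVERDUE by {-days} days" if days < 0 else f"{days} days left"
        print(f"{cve}: {state}")
```

Pointing `load_kev` at the live feed instead of `SAMPLE_KEV` turns this into a daily check of which catalogued CVEs touch your fleet and how close each deadline is.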
In addition to the Qualcomm bugs, CISA this week added to the KEV catalog two WebKit vulnerabilities that Apple addressed last week.
Tracked as CVE-2023-42916 and CVE-2023-42917, the bugs were likely exploited against older iPhones, but Apple patched them in newer iOS and iPadOS versions too, as well as in macOS and Safari.


This Cyber News was published on www.securityweek.com. Publication date: Wed, 06 Dec 2023 13:13:04 +0000

