Security News > 2023 > June > U.S. Cybersecurity Agency Adds 6 Flaws to Known Exploited Vulnerabilities Catalog

U.S. Cybersecurity Agency Adds 6 Flaws to Known Exploited Vulnerabilities Catalog
2023-06-24 15:30

The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation.

This comprises three vulnerabilities that Apple patched this week, two flaws in VMware, and one shortcoming impacting Zyxel devices.

CVE-2023-32434 and CVE-2023-32435 are two of many vulnerabilities in iOS that have been abused in the espionage attack.

Take control of your attack surface with NetSPI's Attack Surface Management.

The development comes as CISA issued an alert warning of three bugs in the Berkeley Internet Name Domain 9 Domain Name System software suite that could pave the way for a denial-of-service condition.

The flaws - CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911 - could be exploited remotely, resulting in the unexpected termination of the named BIND9 service or exhaustion of all available memory on the host running named, leading to DoS. This is the second time in less than six months that the Internet Systems Consortium has released patches to resolve similar issues in BIND9 that could cause DoS and system failures.


News URL

https://thehackernews.com/2023/06/us-cybersecurity-agency-adds-6-flaws-to.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-06-23 CVE-2023-32435 Out-of-bounds Write vulnerability in Apple products
A memory corruption issue was addressed with improved state management.
network
low complexity
apple CWE-787
8.8
2023-06-23 CVE-2023-32434 Integer Overflow or Wraparound vulnerability in Apple products
An integer overflow was addressed with improved input validation.
local
low complexity
apple CWE-190
7.8
2023-06-21 CVE-2023-2911 Out-of-bounds Write vulnerability in multiple products
If the `recursive-clients` quota is reached on a BIND 9 resolver configured with both `stale-answer-enable yes;` and `stale-answer-client-timeout 0;`, a sequence of serve-stale-related lookups could cause `named` to loop and terminate unexpectedly due to a stack overflow. This issue affects BIND 9 versions 9.16.33 through 9.16.41, 9.18.7 through 9.18.15, 9.16.33-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.
network
low complexity
isc debian fedoraproject netapp CWE-787
7.5
2023-06-21 CVE-2023-2829 A `named` instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (`synth-from-dnssec`) enabled can be remotely terminated using a zone with a malformed NSEC record. This issue affects BIND 9 versions 9.16.8-S1 through 9.16.41-S1 and 9.18.11-S1 through 9.18.15-S1.
network
low complexity
isc netapp
7.5
2023-06-21 CVE-2023-2828 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers.
network
low complexity
isc debian fedoraproject netapp CWE-770
7.5