U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
- CVE-2020-3259 Cisco ASA and FTD Information Disclosure Vulnerability
- CVE-2024-21410 Microsoft Exchange Server Privilege Escalation Vulnerability
The vulnerability CVE-2020-3259 is an information disclosure issue that resides in the web services interface of ASA and FTD. Cisco addressed the flaw in May 2020.
The vulnerability CVE-2024-21410 is a bypass vulnerability that can be exploited by an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, which could lead to some data exposure, lack of system availability, or both.
“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf. For more information about Exchange Server’s support for Extended Protection for Authentication(EPA), please see Configure Windows Extended Protection in Exchange Server.” reads the advisory published by Microsoft.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by March 7, 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)