U.S. CISA adds Microsoft Windows Kernel, Mozilla Firefox and SolarWinds Web Help Desk bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Windows Kernel, Mozilla Firefox and SolarWinds Web Help Desk bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-30088 (CVSS score 7.0) Microsoft Windows Kernel TOCTOU Race Condition Vulnerability
  • CVE-2024-9680 Mozilla Firefox Use-After-Free Vulnerability
  • CVE-2024-28987 (CVSS score 9.1) SolarWinds Web Help Desk Hardcoded Credential Vulnerability

An attacker could exploit the vulnerability CVE-2024-30088 to gain SYSTEM privileges. Successful exploitation of this vulnerability requires an attacker to win a race condition.

Last week Mozilla released an emergency security update for the Firefox browser to address the critical use-after-free vulnerability CVE-2024-9680, which is actively exploited in attacks.

The flaw CVE-2024-9680 resides in Animation timelines. Firefox Animation Timelines is a feature in the Firefox Developer Tools suite that allows developers to inspect, edit, and debug animations directly within the browser. It provides a visual interface for managing animations, including CSS animations and transitions, as well as those created with the Web Animations API.

An attacker could exploit this vulnerability to achieve code execution in the content process.

SolarWinds addressed the CVE-2024-28987 flaw in August, it could allow remote unauthenticated attackers to gain unauthorized access to vulnerable instances.

SolarWinds describes WHD as an affordable Help Desk Ticketing and Asset Management Software that is widely used by large enterprises and government organizations.

“The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.” reads the advisory published by the company.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by November 5, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)