U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Internet Explorer and Twilio Authy bugs to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
- CVE-2012-4792 Microsoft Internet Explorer Use-After-Free Vulnerability
- CVE-2024-39891 Twilio Authy Information Disclosure Vulnerability
Below are the descriptions of the flaws added to the KEV catalog:
CVE-2012-4792 (CVSS score of 9.3) is a use-after-free issue in Microsoft Internet Explorer 6 through 8. Remote attackers can exploit the flaw to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.
CVE-2024-39891 (CVSS score of 5.3) is a Twilio Authy information disclosure vulnerability. In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. An endpoint was discovered that could receive phone numbers and return information indicating whether each number was registered with Authy. Importantly, while this endpoint confirmed the registration status, it did not compromise Authy accounts themselves.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by August 13, 2024.
Pierluigi Paganini
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)