US government warns federal agencies to patch dangerous Windows kernel bug
Date:
Tue, 17 Dec 2024 15:13:00 +0000
Description:
CISA warns of a bug being abused in the wild, so patch now.
FULL STORY
The US Cybersecurity and Infrastructure Agency (CISA) has added a new Windows
flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal
agencies a deadline to apply a patch, or stop using the software altogether.
The bug is a Microsoft Windows Kernel-Mode Driver Untrusted Pointer
Dereference Vulnerability with a high severity score of 7.8, tracked as
CVE-2024-35250.
The bug can be used to gain system privileges in low-complexity attacks that
don't even require any user interaction.
"An attacker who successfully exploited this vulnerability could gain SYSTEM
privileges," Microsoft said in its advisory.
Since Microsoft did not share any further details about this vulnerability,
the publication cited the DEVCORE Research team, who demonstrated how the bug
works during this year's Pwn2Own Vancouver hackathon. The same team reported
the bug to Microsoft, who patched it in June's Patch Tuesday cumulative
update. A proof-of-concept (PoC) was released to GitHub a few months later.
When a vulnerability is added to KEV, that means that there is evidence of
in-the-wild abuse. Federal agencies have a three-week deadline to apply the
patch, or stop using the flawed software.
At the same time, CISA also added an Adobe ColdFusion vulnerability, tracked
as CVE-2024-20767. This one is described as an improper access control
weakness that grants unauthenticated remote threat actors the ability to read
sensitive files. It affects ColdFusion versions 2023.6, 2021.12 and earlier,
and has a high severity score of 7.4. Adobe patched it in March 2024.
"An attacker could leverage this vulnerability to access or modify restricted
files," reads the flaw's description on CVE.org. "Exploitation of this issue
does not require user interaction. Exploitation of this issue requires the
admin panel be exposed to the internet."
CISA stressed that these types of vulnerabilities are frequent attack vectors
for malicious cyber actors and as such pose a significant risk to the federal
enterprise.
Agencies have until January 6, 2025 to apply the fixes.
Via BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/pro/security/us-government-warns-federal-agencies-to-patch-dangerous-windows-kernel-bug
--- SBBSecho 3.20-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)