CISA identifies critical vulnerabilities for Spring, Apple and D-Link routers

The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a helpful overview of known vulnerabilities that attackers exploit. On 5 April, the agency added four new vulnerabilities to this overview. Here you can find out what they are, what the risks are and how you can protect yourself against them.

What happened?

The “Spring4Shell” vulnerability (CVE-2022-22965) is currently worrying cybersecurity experts. The open source framework Spring provides tools and utilities for enterprise applications based on the Java programming language. Spring helps to reduce the effort required to create applications.

On 31 March, the company confirmed the zero-day vulnerability and released a patch to fix the problem.

However, the American security company Sonatype found this week that despite the release of the patch, more than 80% of recent downloads are potentially vulnerable versions. Apparently, programmes from companies that use Spring and are used worldwide are affected. The CERT (Computer Emergency Response Team) of Carnegie Mellon University has published a list of companies that are affected.

Cybersecurity firm Kasada also found that cybercriminals are using automated vulnerability scanner tools to test thousands of URLs and find out which systems have not yet been patched.

What risks does Spring4Shell pose to my business?

If the vulnerability is maliciously exploited, it can be used for remote code executions, also called remote code execution (RCE): Cybercriminals can remotely access computers and other endpoints and make changes to them or install malicious programmes.

What can I do?

  • Check with the manufacturer of your software, programmes and services to see if your applications are affected. Spring has published a guide to help users find out if and to what extent they are affected.
  • If immediate patching is not possible, Spring has published workarounds to work around the problem for now.
  • For IT administrators: Isolate affected systems into a “vulnerable VLAN” (Virtual Local Area Network).
  • Watch for unauthorised configuration changes on all systems.

Apple releases and closes two critical security vulnerabilities

What happened?

In addition to Spring4Shell, CISA catalogued two vulnerabilities (CVE-2022-22675 and CVE-2022-22674) announced by Apple on 1 April that affect its most widely used devices iPhone, iPad and Mac.

In the case of vulnerability CVE-2022-22675, the audio and video decoding component affects AppleAVD. This vulnerability can also lead to remote code execution. In combination with the second vulnerability CVE-2022-22674, which allows reading of macOS kernel memory, cybercriminals could also obtain sensitive information about their potential victims. Apple said that both vulnerabilities had been fixed. However, there was a risk that the vulnerabilities had already been exploited.

What can I do?

The iOS and iPad security updates (iOS 15.4.1 and macOS Monterey 12.3.1) are available for iPhone 6S and newer, all models of iPad Pro, all models of iPad Air 2 and newer, iPad 5th generation and newer, iPad Mini 4 and newer, and iPod Touch (7th generation). Anyone using one of these devices should install the updates as soon as possible and not wait for an automatic security update from Apple:
Open the settings on your iPhone or iPad. Click on “General”, then on “Software Update” and finally on “Update Now”.
Mac users open the Apple menu, go to the menu item “Software Update” and click on “Update now”.

Remote code execution on D-Link routers 

Also added to the CISA overview is vulnerability CVE-2021-45382. It affects the DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L and DIR-836L router models from D-Link. The vulnerability also opens the door for remote code executions.

No more updates are available for these devices – the last one was released on 19 December 2021 – as they are so-called end-of-life devices. The products have reached the end of their service life and are no longer maintained.  Accordingly, vulnerabilities develop in these devices and thus become a popular attack target – especially since the devices are constantly switched on and connected to the internet. Compromised routers are often used by cybercriminals to disguise their location while launching attacks.

What can I do?

D-Link itself advises to phase out and replace the aforementioned models. For companies to comply with Binding Operational Directive 22-01, this must be done before 25 April 2022.