The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
The Android Pixel vulnerability, tracked as CVE-2023-21237, resides in applyRemoteView of NotificationContentInflater.java. The exploitation of this vulnerability could lead to local information disclosure with no additional execution privileges needed. The exploitation doesn’t require user interaction.
Google addressed the issue in June 2023, the IT giant is aware of “limited, targeted exploitation.”
“There are indications that CVE-2023-21237 may be under limited, targeted exploitation.” reads the security bulletin published by the company.
The issue is likely chained with other flaws in an exploit used by a commercial spyware vendor or a nation-state actor.
The second issue added to the Catalog is an OS Command Injection vulnerability in Sunhillo SureLine. The exploitation of the flaw can allow to execute arbitrary commands with root privileges.
The exploitation can lead to complete system compromise.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by March 26, 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – ransomware, CISA)