A year on, CISA realizes debunked vuln actually a dud and removes it from must-patch list


A security vulnerability previously added to CISA's Known Exploited Vulnerabilities catalog (KEV), which was recognized by CVE Numbering Authorities (CNAs), and included in reputable threat reports is now being formally rejected by infosec organizations.

CISA removed CVE-2022-28958 from its KEV on December 1, two days after the National Vulnerability Database (NVD) revoked its "vulnerability" status following a months-long review.

The "issue" was thought to be a critical remote code execution (RCE) flaw affecting an end-of-life D-Link router (DIR-816L), and was given a near-maximum severity score of 9.8. It actually had no impact on the systems it targeted.

VulnCheck CTO Jacob Baines branded it a "fake vulnerability" in December 2022, two months after CISA added it to the KEV, after looking into the proof of concept (PoC) code provided by the original reporter.

Baines found the PoC code featured "a glaring error" in that it sent the malicious request to the wrong endpoint, meaning the vulnerability didn't achieve RCE as previously believed.

"After reading the [PoC] code, it's obvious the researcher's proof of concept is useless," Baines said. "It doesn't touch the endpoint where the vulnerable code allegedly resides, and the endpoint it does reach doesn't do anything with the provided parameters."

Regardless, the original disclosure was enough to convince cybersecurity org MITRE, which maintains the CVE list, the NVD (which maintains a synchronized CVE database), and CISA that the alleged flaw was worthy of attention. Attackers also picked up on the gravity of it all, with the crooks who operate Moobot adding it to the botnet's capabilities, only to find it didn't work there either.

Baines also noted its operators encoded the exploit incorrectly, so even if the vulnerability had been genuine it wouldn't have worked in Moobot's implementation anyway.

"We conclude that CVE-2022-28958 is not a real vulnerability and at-scale exploitation has never occurred," he added. "The vulnerability should not be listed by MITRE, and it should not be in the CISA Known Exploited Vulnerabilities Catalog. We filed a dispute with MITRE and shared our findings with CISA in October 2022."

When submitting CVE-2022-28958 to the numbering authorities, the original reporter submitted three other vulnerabilities, two of which also received CVEs that Baines claimed probably shouldn't have been assigned in the first place either.

CVE-2022-28955 and CVE-2022-28956 are still considered vulnerabilities and they haven't been rejected, it's important to note. However, Baines said the former "appears to be as-designed functionality with low or no security impact", and the latter "is a real security issue, but a duplicate of four other CVEs."

Internet traffic analysis vendor GreyNoise said this week it would stop tracking CVE-2022-28958 (the non-vulnerability), despite a trickle of exploits still being attempted.

"The case of CVE-2022-28958 serves as a reminder of the importance of thorough and accurate vulnerability verification," said Bob Rudis, VP of data science, security research, and detection engineering at GreyNoise.

"Incorrectly reported vulnerabilities can lead to unnecessary panic and resource allocation in the cybersecurity community. They can also undermine trust in the reporting and cataloging systems that are crucial for effective vulnerability management." ®