A year on, CISA realizes debunked vuln actually a dud and removes it from must-patch list
Apparently no one thought to check if this D-Link router 'issue' was actually exploitable
A security vulnerability previously added to CISA's Known Exploited Vulnerability catalog (KEV), which was recognized by CVE Numbering Authorities (CNA), and included in reputable threat reports is now being formally rejected by infosec organizations.
CISA removed CVE-2022-28958 from its KEV on December 1, two days after the National Vulnerability Database (NVD) revoked its "vulnerability" status following a months-long review.
The "issue" was thought to be a critical remote code execution (RCE) flaw impacting an end-of-life D-Link router (DIR-816L), carrying a near-maximum severity score of 9.8. It actually had no impact on the systems it targeted.
VulnCheck CTO Jacob Baines branded it a "fake vulnerability" in December 2022, two months after CISA added it to the KEV, after looking into the proof of concept (PoC) code provided by the original reporter.
Baines found the PoC code featured "a glaring error" in that it sent the malicious request to the wrong endpoint, meaning the vulnerability didn't achieve RCE as previously believed.
"After reading the [PoC] code, it's obvious the researcher's proof of concept is useless," Baines said. "It doesn't touch the endpoint where the vulnerable code allegedly resides, and the endpoint it does reach doesn't do anything with the provided parameters."
Regardless, the original disclosure was enough to convince cybersecurity org MITRE, which maintains the CVE list, the NVD (which maintains a synchronized CVE database), and CISA that the supposed flaw was worthy of attention. Attackers also picked up on the seriousness of it all, with the criminals who operate Moobot adding it to the botnet's capabilities, only to find it didn't work there either.
Baines also noted its operators encoded the exploit incorrectly, so even if the vulnerability was genuine it wouldn't have worked in Moobot's implementation anyway.
"We conclude that CVE-2022-28958 is not a real vulnerability and at-scale exploitation has never occurred," he added. "The vulnerability should not be listed by MITRE, and it should not be in the CISA Known Exploited Vulnerabilities Catalog. We filed a dispute with MITRE and shared our findings with CISA in October 2022."
When submitting CVE-2022-28958 to the numbering authorities, the original reporter submitted three other vulnerabilities, two of which also received CVEs that Baines claimed probably shouldn't have been assigned in the first place either.
CVE-2022-28955 and CVE-2022-28956 are still considered vulnerabilities and they haven't been rejected, it's important to note. However, Baines said the former "appears to be as-designed functionality with low or no security impact", and the latter "is a real security issue, but a duplicate of four other CVEs."
Internet traffic analysis vendor Greynoise said this week it would stop tracking CVE-2022-28958 (the non-vulnerability), despite a handful of exploits still being attempted.
"The case of CVE-2022-28958 serves as a reminder of the importance of thorough and rigorous vulnerability verification," said Bob Rudis, VP data science, security research, and detection engineering at Greynoise.
"Incorrectly reported vulnerabilities can lead to unnecessary alarm and resource allocation in the cybersecurity community. They can also undermine trust in the reporting and cataloging systems that are crucial for effective vulnerability management." ®