Meanwhile, Google’s Project Zero researchers reported 18 zero-day vulnerabilities in Samsung’s Exynos modems. The four most severe, CVE-2023-24033, CVE-2023-26496, CVE-2023-26497 and CVE-2023-26498, allow remote code execution from the internet to the baseband, the researchers wrote on their blog. “Tests conducted by Project Zero have confirmed that four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level and without user intervention. You just need to know,” they wrote.
Affected devices include S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series devices and Google’s Pixel 6 and Pixel 7 series.
Patch timelines vary by manufacturer, but affected Pixel devices have received fixes for all four critical internet-to-baseband remote code execution vulnerabilities. In the meantime, Google said, users of affected devices can protect themselves by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings.
Google Chrome
Google has released Chrome 111 of its popular browser, fixing eight security flaws, seven of them high-severity memory safety bugs. Among the four use-after-free vulnerabilities is the high-severity issue tracked as CVE-2023-1528 in Passwords; also fixed is CVE-2023-1529, an out-of-bounds memory access flaw in WebHID.
Meanwhile, CVE-2023-1530 is a use-after-free bug in PDF reported by the UK’s National Cyber Security Centre, and CVE-2023-1531 is a high-severity use-after-free vulnerability in ANGLE.
While Google is not aware of any of these issues being used in attacks, it makes sense to update Chrome where possible given their potential impact.
Cisco
Enterprise software giant Cisco has released its biannual security bundle for its IOS and IOS XE software, fixing 10 vulnerabilities. Six of the issues fixed by Cisco, including CVE-2023-20080 (a denial-of-service flaw) and CVE-2023-20065 (a privilege escalation bug), are rated high impact.
Earlier this month, Cisco fixed multiple vulnerabilities in the web-based management interface of some Cisco IP Phones that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service. The worst, with a CVSS score of 9.8, is CVE-2023-20078, a vulnerability in the web-based management interface of the Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones.
An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface, Cisco said. “A successful exploit could allow an attacker to execute arbitrary commands on the underlying operating system,” the company stated.
Firefox
Privacy-conscious developer Mozilla has released Firefox 111, fixing 13 vulnerabilities, seven of which are rated high impact. These include three flaws in Firefox for Android, among them CVE-2023-25749, which could allow third-party apps to be opened without prompting.
Meanwhile, two memory safety bugs, CVE-2023-28176 and CVE-2023-28177, have been fixed in Firefox 111. “It was exploited to execute arbitrary code,” Mozilla said.
SAP
It was another big update month for software maker SAP, which released 19 new security notes in its March Security Patch Day guidance. The issues fixed this month include four with a CVSS score greater than 9.
One of the worst of these is CVE-2023-25616, a code injection vulnerability in the SAP BusinessObjects Business Intelligence Platform. Security firm Onapsis said the vulnerability in the Central Management Console would allow attackers to inject arbitrary code that would “strongly adversely affect” the integrity, confidentiality and availability of the system.
Finally, CVE-2023-23857, with a CVSS score of 9.9, is an improper access control bug in SAP NetWeaver AS for Java. “This vulnerability allows unauthenticated attackers to attach to open interfaces and leverage open name and directory APIs to access services,” Onapsis said.