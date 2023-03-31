



Meanwhile, Google’s Project Zero researchers reported 18 zero-day vulnerabilities in Samsung’s Exynos modems. The four most severe, CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498, allow remote code execution from the Internet to the baseband, the researchers wrote in a blog post. Tests conducted by Project Zero confirmed that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without any user interaction.

Affected devices include S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series devices and Google’s Pixel 6 and Pixel 7 series.

Patch timelines vary by manufacturer, but affected Pixel devices have received fixes for all four critical Internet-to-baseband remote code execution vulnerabilities. In the meantime, users with affected devices can protect themselves by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, Google said.

Google Chrome

Google has released version 111 of its popular Chrome browser, fixing eight security flaws. Seven of them are high-severity memory safety bugs. These include four use-after-free vulnerabilities, among them the high-severity issue in Passwords tracked as CVE-2023-1528, as well as CVE-2023-1529, an out-of-bounds memory access flaw in WebHID.

Meanwhile, CVE-2023-1530 is a use-after-free bug in PDF reported by the UK's National Cyber Security Centre, and CVE-2023-1531 is a high-severity use-after-free vulnerability in ANGLE.

While Google is not aware of any of these issues being used in attacks, it makes sense to update Chrome as soon as you can, given their potential impact.

Cisco

Enterprise software giant Cisco has released its biannual security bundle for its IOS and IOS XE software, fixing 10 vulnerabilities. Six of the issues fixed by Cisco, including CVE-2023-20080, a denial-of-service flaw, and CVE-2023-20065, a privilege escalation bug, are rated high impact.

Earlier this month, Cisco fixed multiple vulnerabilities in the web-based management interface of some Cisco IP Phones that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service. The worst, with a CVSS score of 9.8, is CVE-2023-20078, a vulnerability in the web-based management interface of the Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones.

An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface, Cisco said.

Firefox

Privacy-conscious developer Mozilla has released Firefox 111, fixing 13 vulnerabilities. Of these, seven are rated high impact. They include three flaws in Firefox for Android, among them CVE-2023-25749, which could allow third-party apps to be opened without prompting.

Meanwhile, two memory safety bugs, CVE-2023-28176 and CVE-2023-28177, have been fixed in Firefox 111. Some of these bugs showed evidence of memory corruption, and it is presumed that with enough effort some of them could have been exploited to run arbitrary code, Mozilla said.

SAP

It’s another month of big updates for software maker SAP, which released 19 new security notes in its March Security Patch Day guidance. Four of the issues fixed this month have a CVSS score above 9.

One of the worst of these is CVE-2023-25616, a code injection vulnerability in the SAP Business Objects Business Intelligence Platform. This vulnerability in the Central Management Console allows attackers to inject arbitrary code, with a significant impact on the integrity, confidentiality, and availability of the system, security company Onapsis said.

Finally, CVE-2023-23857, with a CVSS score of 9.9, is an improper access control bug in SAP NetWeaver AS for Java. According to Onapsis, the vulnerability allows unauthenticated attackers to attach to open interfaces and leverage open naming and directory APIs to access services.

