Meanwhile, researchers at Google’s Project Zero have reported 18 zero-day vulnerabilities in Exynos modems made by Samsung. The four most serious, CVE-2023-24033, CVE-2023-26496, CVE-2023-26497 and CVE-2023-26498, enable Internet-to-baseband remote code execution, the researchers wrote in a blog post. “Tests conducted by Project Zero confirm that the four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” they wrote.
Affected devices include those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series, as well as the Pixel 6 and Pixel 7 series from Google.
Patch timelines vary by manufacturer, but affected Pixel devices have received a fix for all four of the serious Internet-to-baseband remote code execution vulnerabilities. In the meantime, users with affected devices can protect themselves by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, Google said.
Google has released Chrome 111, fixing eight security bugs, seven of which are memory safety issues rated high severity. Among four use-after-free vulnerabilities is a high-severity issue in Passwords tracked as CVE-2023-1528; the update also fixes CVE-2023-1529, an out-of-bounds memory access bug in WebHID.
Meanwhile, CVE-2023-1530 is a use-after-free bug in PDF reported by the UK’s National Cyber Security Centre, and CVE-2023-1531 is a high-severity use-after-free vulnerability in ANGLE.
None of the issues are known to Google to have been used in attacks, but given their impact, it makes sense to update Chrome when you can.
Enterprise software giant Cisco has published its semiannual bundle of security advisories for IOS and IOS XE software, which fixes 10 vulnerabilities. Six of the issues resolved by Cisco are rated as having a high impact, including CVE-2023-20080, a denial-of-service bug, and CVE-2023-20065, a privilege escalation bug.
At the beginning of the month, Cisco fixed multiple vulnerabilities in the web-based management interface of some Cisco IP Phones that could allow an unauthenticated remote attacker to execute arbitrary code or cause a denial of service. The worst, CVE-2023-20078, with a CVSS score of 9.8, is a vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones caused by insufficient validation of user-supplied input.
An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface, Cisco said, adding, “A successful exploit could allow the attacker to execute arbitrary commands on an affected device’s underlying operating system.”
Privacy-conscious developer Mozilla has issued Firefox 111, which fixes 13 vulnerabilities, seven of which are rated as high impact. These include three flaws in Firefox for Android, among them CVE-2023-25749, which could have allowed third-party apps to be opened without a prompt.
Meanwhile, two memory safety bugs, CVE-2023-28176 and CVE-2023-28177, have been fixed in Firefox 111; Mozilla said that, with enough effort, some of these could have been exploited to run arbitrary code.
It is another month of major updates for software maker SAP, which has issued 19 new security notes in its March Security Patch Day guidance. Issues resolved during the month include four with a CVSS score greater than 9.
One of the worst of these is CVE-2023-25616, a code injection vulnerability in SAP Business Objects Business Intelligence Platform with a CVSS score of 9.9. The flaw, in the Central Management Console, could allow an attacker to inject arbitrary code with a “strong negative impact” on system integrity, confidentiality and availability, security firm Onapsis said.
Finally, with a CVSS score of 9.8, CVE-2023-23857 is an improper access control vulnerability in SAP NetWeaver AS for Java. It could allow an unauthenticated attacker to attach to an open interface and use an open naming and directory API to access services.