
End-of-the-month Security Alerts for September 2023

Sept 29, 2023


Google Chrome Zero-Day Exploit

The high-severity zero-day vulnerability CVE-2023-5217 is a heap buffer overflow in the VP8 encoder of the open-source libvpx video codec library. Its impact ranges from an application crash to arbitrary code execution.

CVE-2023-5217 is fixed in Google Chrome 117.0.5938.132 for Windows, Mac and Linux.
Google has stated that an exploit for CVE-2023-5217 exists in the wild, so users should update as soon as possible.


Microsoft Internet Connection Sharing (ICS) Remote Code Execution Exploit

Who is affected?

Exploitation is limited to systems on the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, over a WAN) and is confined to systems on the same network switch or virtual network.

How could an attacker exploit this vulnerability?

An unauthorized attacker could exploit this vulnerability by sending a specially crafted network packet to the Internet Connection Sharing (ICS) service.

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.

Remediation

Apply the latest Security Update.
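The PowerShell below is an added example, not part of this alert or of Microsoft's advisory. It reports whether the ICS service is present and running, whether any network adapter is actually being shared, and which update was installed most recently, and it can stop and disable ICS where nothing is shared (a machine that does not share its connection has no reason to run the service that receives the crafted packet). Disabling the service is a mitigation for hosts that cannot be patched immediately, not a replacement for the update. It assumes the ICS service is registered under its standard service name SharedAccess, Windows PowerShell 5.1 or later, and an elevated session; the function name Get-IcsExposure and its -DisableIfUnused switch are this example's own.

```powershell
# Added example (not from the original alert or Microsoft's advisory).
# Assumptions: ICS service name "SharedAccess"; Windows PowerShell 5.1+; elevated session.
# Get-IcsExposure and -DisableIfUnused are names chosen for this example.

function Get-IcsExposure {
    [CmdletBinding()]
    param(
        # Stop and disable the ICS service when no connection is currently shared.
        [switch]$DisableIfUnused
    )

    $result = [ordered]@{
        ServicePresent   = $false
        ServiceStatus    = $null
        ServiceStartType = $null
        SharedAdapters   = @()
        LatestUpdate     = $null
        Action           = 'None'
    }

    # 1. Service state: a stopped and disabled service is not listening for the
    #    crafted packet the advisory describes.
    $svc = Get-Service -Name 'SharedAccess' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServicePresent   = $true
        $result.ServiceStatus    = $svc.Status
        $result.ServiceStartType = $svc.StartType
    }

    # 2. Sharing configuration: the HNetCfg.HNetShare COM object reports which
    #    connection, if any, is currently shared. Needs an elevated session.
    try {
        $mgr = New-Object -ComObject 'HNetCfg.HNetShare'
        foreach ($conn in $mgr.EnumEveryConnection) {
            $cfg = $mgr.INetSharingConfigurationForINetConnection($conn)
            if ($cfg.SharingEnabled) {
                $result.SharedAdapters += $mgr.NetConnectionProps($conn).Name
            }
        }
    } catch {
        Write-Warning "Could not query ICS sharing configuration: $($_.Exception.Message)"
    }

    # 3. Patch level: the most recently installed update, as a quick check that
    #    "apply the latest Security Update" has actually happened on this host.
    $result.LatestUpdate = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1 -Property HotFixID, InstalledOn

    # 4. Optional hardening: nothing shared means ICS is not needed here.
    if ($DisableIfUnused -and $svc -and $result.SharedAdapters.Count -eq 0) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'SharedAccess' -Force }
        Set-Service -Name 'SharedAccess' -StartupType Disabled
        $result.Action = 'ICS service stopped and disabled'
    }

    [pscustomobject]$result
}

# Report only:
Get-IcsExposure | Format-List

# Report, and disable ICS where no adapter is shared:
# Get-IcsExposure -DisableIfUnused | Format-List
```

Run it across the fleet through your RMM or a remote session; any host that reports a running ICS service with an empty SharedAdapters list is a candidate for the -DisableIfUnused pass, and any host whose LatestUpdate predates the September 2023 release still needs the update regardless of the service state.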


Cisco Catalyst SD-WAN Manager Vulnerabilities

In the following table, the first column lists Cisco Catalyst SD-WAN Manager releases; each subsequent column indicates whether a release is affected by one of the vulnerabilities described in the advisory and gives the first fixed release for that vulnerability.

Release | CVE-2023-20252 (Critical SIR) | CVE-2023-20253 (High SIR) | CVE-2023-20034 (High SIR) | CVE-2023-20254 (High SIR) | CVE-2023-20262 (Medium SIR)
Earlier than 20.3 | Not affected. | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release.
20.3 | Not affected. | Migrate to a fixed release. | 20.3.4 | Migrate to a fixed release. | 20.3.7
20.4 | Not affected. | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release.
20.5 | Not affected. | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release. | Migrate to a fixed release.
20.6 | Not affected. | 20.6.2 | 20.6.1 | 20.6.3.4 | Migrate to a fixed release.
20.7 | Not affected. | 20.7.1 | 20.7.1 | Migrate to a fixed release. | Migrate to a fixed release.
20.8 | Not affected. | 20.8.1 | Not affected. | Migrate to a fixed release. | Migrate to a fixed release.
20.9 | 20.9.3.4 (1) | 20.9.1 | Not affected. | 20.9.3.2 | 20.9.3
20.10 | Not affected. | 20.10.1 | Not affected. | 20.10.1.2 | Migrate to a fixed release.
20.11 | Migrate to a fixed release. (1) | 20.11.1 | Not affected. | 20.11.1.2 | 20.11.1
20.12 | Not affected. | Not affected. | Not affected. | Not affected. | 20.12.1

(1) For CVE-2023-20252, only releases 20.9.3.2 and 20.11.1.2 are affected. Previous releases in the 20.9 and 20.11 trains are not affected.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.


Microsoft Edge (Chromium-based) Heap buffer overflow in WebP Vulnerability

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

  1. In your Microsoft Edge browser, click on the 3 dots (…) on the very right-hand side of the window
  2. Click on Help and Feedback
  3. Click on About Microsoft Edge

How can I find out what version of Teams I am running?

  1. Click on the User Avatar at the top right of the Teams window.
  2. Click on About, then Version.
  3. The version will be displayed in the banner below the Search bar.

Where do I get the latest version of Teams?

The latest version of Microsoft Teams can be downloaded at https://teams.microsoft.com/download.

What is the version information for this release?

Microsoft Edge Channel | Microsoft Edge Version | Based on Chromium Version | Date Released
Stable | 117.0.2045.31 | 117.0.5938.62/.63 | 9/15/2023
Version 109 | 109.0.1518.140 | 109.0.5414.165 | 9/15/2023
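Clicking through the About page works for one machine; for a fleet, the PowerShell below is an added example (not part of this alert or of Microsoft's or Google's guidance) that reads the installed Chrome and Edge versions from the browser executables and compares them with the fixed versions quoted on this page: Chrome 117.0.5938.132 for CVE-2023-5217, and Edge Stable 117.0.2045.31 or Edge Version 109 109.0.1518.140 for CVE-2023-4863. It assumes the default install locations under Program Files and the per-user Chrome location under %LOCALAPPDATA%; the function name Test-BrowserPatchLevel and the $Targets parameter are this example's own.

```powershell
# Added example (not from the original alert). Compares installed browser versions
# against the fixed versions listed on this page.
# Assumptions: default install paths; Test-BrowserPatchLevel and $Targets are names
# chosen for this example.

function Test-BrowserPatchLevel {
    [CmdletBinding()]
    param(
        # Minimum fixed version per browser line, taken from the alert above.
        [hashtable]$Targets = @{
            'Chrome'     = '117.0.5938.132'   # CVE-2023-5217
            'Edge'       = '117.0.2045.31'    # CVE-2023-4863, Stable channel
            'Edge (109)' = '109.0.1518.140'   # CVE-2023-4863, Version 109 line
        }
    )

    # Candidate executable paths; the first one that exists is used.
    $candidates = @{
        'Chrome' = @(
            "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
            "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
            "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
        )
        'Edge' = @(
            "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
            "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe"
        )
    }

    foreach ($name in $candidates.Keys) {
        $exe = $candidates[$name] | Where-Object { Test-Path $_ } | Select-Object -First 1
        if (-not $exe) {
            [pscustomobject]@{ Browser = $name; Installed = $null; Required = $null; Status = 'Not installed' }
            continue
        }

        # The file's ProductVersion is the same string the About page shows.
        $installed = [version]((Get-Item $exe).VersionInfo.ProductVersion)

        # Edge has two supported lines at this point: Version 109 and the 117 Stable channel.
        $key = if ($name -eq 'Edge' -and $installed.Major -eq 109) { 'Edge (109)' } else { $name }
        $required = [version]$Targets[$key]

        [pscustomobject]@{
            Browser   = $key
            Installed = $installed
            Required  = $required
            Status    = if ($installed -ge $required) { 'Patched' } else { 'UPDATE NEEDED' }
        }
    }
}

Test-BrowserPatchLevel | Format-Table -AutoSize
```

Note that a browser that has downloaded an update but not yet restarted still reports the old version here, exactly as the About page does, so a host that shows UPDATE NEEDED may only need a relaunch.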

Is Microsoft Teams developing an update to address CVE-2023-4863?

We are aware that certain versions of Teams applications are affected by this vulnerability. Some updates are currently available. Please see the Security Updates table for more information.

Microsoft is working to identify and address this vulnerability in all affected products as soon as possible. We will keep this page updated with the latest information and advice.

Is Microsoft Skype developing an update to address CVE-2023-4863?

We are aware that certain versions of Skype applications are affected by this vulnerability. Microsoft is working to identify and address this vulnerability as soon as possible. We will keep this page updated with the latest information and advice.


We are always here to help. Feel free to contact us if you have any questions or need assistance.

Cornerstone.IT