** Please note this CTI alert contains 3 Sections – Cisco IOS XE Software, Google Chrome and Apple macOS Catalina vulnerabilities **
Cisco Patches Critical IOS XE Software for Catalyst 9000 Family Wireless Controllers RCE Vulnerability
Cisco has patched a critical severity remote code execution vulnerability affecting multiple Catalyst 9000 family wireless controllers.
The vulnerability may allow remote attackers to execute arbitrary code with administrative privileges on affected products.
- CVE-2021-34770 (CVSS 3.1: 10.0, Critical)
A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers.
The vulnerability is due to a logic error that occurs during the validation of CAPWAP packets. An attacker could exploit this vulnerability by sending a crafted CAPWAP packet to an affected device. A successful exploit could allow the attacker to execute arbitrary code with administrative privileges or cause the affected device to crash and reload, resulting in a DoS condition.
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches.
- Catalyst 9800 Series Wireless Controllers.
- Catalyst 9800-CL Wireless Controllers for Cloud.
- Embedded Wireless Controller on Catalyst Access Points.
CYREBRO urges all clients to update relevant products up to the latest available releases in accordance with Cisco’s Advisory.
References: Cisco Security Advisory
Google Patches Zero-Day RCE Vulnerability in Chrome Exploited in the Wild
Google has released Chrome 94.0.4606.61 for Windows, Mac and Linux, an emergency update addressing a high severity zero-day remote code execution vulnerability, currently exploited in the wild.
A use-after-free vulnerability in Portals, Google’s web page navigation system for Chrome. Successful exploitation can let remote attackers execute arbitrary code on computers running unpatched Chrome versions.
- Google Chrome browser versions prior to 94.0.4606.61
CYREBRO urges all clients to update Chrome for Desktop to the latest available release (94.0.4606.61 at minimum).
Apple Patches Zero-Day RCE Vulnerability in macOS Catalina & iOS Exploited in the Wild
Apple has patched a zero-day remote code execution vulnerability exploited in the wild to hack both iPhones and Macs.
An XNU type confusion issue. A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild.
- macOS Catalina prior to Security Update 2021-006.
- iOS prior to version 12.5.5.
CYREBRO urges all clients to update relevant products up to the earliest fixed version available (macOS Catalina Security Update 2021-006, iOS 12.5.5).
References: Apple Security Updates
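To act on the Chrome and iOS version floors given above, the following added example (not part of the original alert) audits an asset inventory against those two minimum versions. The inventory rows, host names and status labels are constructed for illustration; Cisco IOS XE and macOS Catalina are left out because the alert gives no comparable version number for them.

```python
# Minimum fixed versions exactly as stated in this alert.
MIN_FIXED = {
    "chrome": "94.0.4606.61",
    "ios": "12.5.5",
}

def parse_version(text):
    """Turn '94.0.4606.61' into (94, 0, 4606, 61); return None if malformed."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_below(installed, minimum):
    """Numeric, component-wise comparison; shorter versions are zero-padded."""
    width = max(len(installed), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) < pad(minimum)

def audit(inventory):
    """Return (host, product, version, status) for each inventory row."""
    results = []
    for host, product, version in inventory:
        minimum = MIN_FIXED.get(product.lower())
        parsed = parse_version(version)
        if minimum is None:
            status = "not-covered"   # product has no version floor in this alert
        elif parsed is None:
            status = "unparseable"   # needs manual follow-up, not a silent pass
        elif is_below(parsed, parse_version(minimum)):
            status = "vulnerable"
        else:
            status = "patched"
        results.append((host, product, version, status))
    return results

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("ws-001", "chrome", "94.0.4606.61"),
    ("ws-002", "chrome", "94.0.4606.9"),   # a plain string compare would rank this above .61
    ("ws-003", "chrome", "93.0.4577.82"),
    ("ph-010", "ios", "12.5.4"),
    ("ph-011", "ios", "12.5.5"),
    ("ws-004", "chrome", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print("%-8s %-7s %-14s %s" % row)
```

Rows reported as "unparseable" should be treated as unverified rather than patched, since a missing or malformed version string says nothing about the installed build.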