Cisco Patches Critical IOS XE Software RCE, Apple Patches Zero-Day RCE in Catalina, Google Patches Zero-Day RCE in Chrome
** Please note this CTI alert contains 3 Sections – Cisco IOS XE Software, Google Chrome and Apple macOS Catalina vulnerabilities **
Cisco Patches Critical IOS XE Software for Catalyst 9000 Family Wireless Controllers RCE Vulnerability
Cisco has patched a critical severity remote code execution vulnerability affecting multiple Catalyst 9000 family wireless controllers.
The vulnerability may allow remote attackers to execute arbitrary code with administrative privileges on affected products.
- CVE-2021-34770 (CVSS 3.1: 10.0, Critical)
A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers.
The vulnerability is due to a logic error that occurs during the validation of CAPWAP packets. An attacker could exploit this vulnerability by sending a crafted CAPWAP packet to an affected device. A successful exploit could allow the attacker to execute arbitrary code with administrative privileges or cause the affected device to crash and reload, resulting in a DoS condition.
Affected products:
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches.
- Catalyst 9800 Series Wireless Controllers.
- Catalyst 9800-CL Wireless Controllers for Cloud.
- Embedded Wireless Controller on Catalyst Access Points.
CYREBRO urges all clients to update relevant products to the latest available releases in accordance with Cisco’s Advisory.
References: Cisco Security Advisory
Google Patches Zero-Day RCE Vulnerability in Chrome Exploited in the Wild
Google has released Chrome 94.0.4606.61 for Windows, Mac and Linux, an emergency update addressing a high-severity zero-day remote code execution vulnerability that is currently exploited in the wild.
A use-after-free vulnerability in Portals, Google’s web page navigation system for Chrome. Successful exploitation can let remote attackers execute arbitrary code on computers running unpatched Chrome versions.
Affected products:
- Google Chrome browser versions prior to 94.0.4606.61
CYREBRO urges all clients to update Chrome for Desktop to the latest available release (94.0.4606.61 at minimum).
References: Google Chrome Releases, Bleeping Computer
Apple Patches Zero-Day RCE Vulnerability in macOS Catalina & iOS Exploited in the Wild
Apple has patched a zero-day remote code execution vulnerability exploited in the wild to hack both iPhones and Macs.
An XNU type confusion issue. A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild.
Affected products:
- macOS Catalina prior to Security Update 2021-006.
- iOS prior to version 12.5.5.
CYREBRO urges all clients to update relevant products to the earliest fixed version available (macOS Catalina Security Update 2021-006, iOS 12.5.5).
References: Apple Security Updates