** Please note this CTI alert contains 3 Sections – Cisco IOS XE Software, Google Chrome and Apple macOS Catalina vulnerabilities **

Cisco Patches Critical IOS XE Software for Catalyst 9000 Family Wireless Controllers RCE Vulnerability

Cisco has patched a critical severity remote code execution vulnerability affecting multiple Catalyst 9000 family wireless controllers.

The vulnerability may allow remote attackers to execute arbitrary code with administrative privileges on affected product.

 The Vulnerability:

• CVE-2021-34770 (CVSS 3.1: 10.0, Critical)

A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers.

The vulnerability is due to a logic error that occurs during the validation of CAPWAP packets. An attacker could exploit this vulnerability by sending a crafted CAPWAP packet to an affected device. A successful exploit could allow the attacker to execute arbitrary code with administrative privileges or cause the affected device to crash and reload, resulting in a DoS condition.

Affected Products:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches.
• Catalyst 9800 Series Wireless Controllers.
• Catalyst 9800-CL Wireless Controllers for Cloud.
• Embedded Wireless Controller on Catalyst Access Points.

Mitigation:

CYREBRO  urges all clients to update relevant products up to the latest available releases in accordance with Cisco’s Advisory.

References: Cisco Security Advisory

Google Patches Exploited in the Wild Zero-Day RCE vulnerability in Chrome

Google has released Chrome 94.0.4606.61 for Windows, Mac and Linux, an emergency update addressing a high severity zero-day remote code execution vulnerability, currently exploited in the wild.

The Vulnerability:

• CVE-2021-37973

A use after free vulnerability in Portals, Google’s web page navigation system for Chrome. Successful exploitation can let remote attackers execute arbitrary code on computers running unpatched Chrome versions.

Affected Products:

• Google Chrome browser versions prior to 94.0.4606.61

Mitigation:

CYREBRO urges all clients to update Chrome for Desktop to the latest available release (94.0.4606.61 at minimum).

References: Google Chrome Releases, Bleeping Computer

Apple Patches an Exploited in the Wild Zero-Day RCE vulnerability in macOS Catalina & iOS

Apple has patched a zero-day remote code execution vulnerability exploited in the wild to hack both iPhones and Macs.

The Vulnerabiliity:

• CVE-2021-30869

An XNU type confusion issue. A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild.

Affected Products:

• macOS Catalina prior to Security Update 2021-006.
• iOS prior to version 12.5.5.

Mitigation:

CYREBRO urges all clients to update relevant products up to the earliest fixed version available (macOS Catalina Security Update 2021-006, iOS 12.5.5)

References: Apple Security Updates