Please see Security Advisories for the week ending April 30, 2021
- Cisco Releases Security Updates for Multiple Products
- ISC Releases Security Advisory for BIND
- CISA Releases ICS Advisory on Real-Time Operating System Vulnerabilities
- Apple Releases Security Updates
- Google Releases Security Updates for the Chrome Browser
________________________________
Cisco Releases Security Updates for Multiple Products
Situation:
Cisco has discovered and patched numerous vulnerabilities in several products: Cisco Adaptive Security Appliance, Cisco Firepower Management Center, Cisco Firepower Threat Defense Software.
Problem:
Unpatched systems are exposed to a multitude of vulnerabilities that could allow attackers to cause denial of service, perform information gathering attacks, conduct cross-site scripting attacks, and gain complete control of compromised systems.
Implication:
Failure to patch systems could result in loss of control of affected systems and possible compromise of system and network integrity.
Need:
Cisco advises patching the software and hardware to the most recent security update. There are several security updates, so please follow the Cisco technical link provided to ensure all necessary systems are patched.
For a brief overview:
For a more technical overview:
https://tools.cisco.com/security/center/publicationListing.x
________________________________
ISC Releases Security Advisory for BIND
Situation:
The Internet Systems Consortium (ISC) has released a security advisory that addresses a vulnerability affecting multiple versions of ISC Berkeley Internet Name Domain (BIND).
Problem:
BIND's GSSAPI support includes a negotiation mechanism called SPNEGO, and the SPNEGO implementation has been found to be vulnerable to a buffer overflow attack.
Implication:
A remote attacker could exploit this vulnerability to take control of an affected system.
Need:
CISA encourages administrators and end-users to review the ISC advisory for CVE-2021-25216 and to apply the necessary updates or workarounds.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/04/29/isc-releases-security-advisory-bind
________________________________
CISA Releases ICS Advisory on Real-Time Operating System Vulnerabilities
Situation:
CISA has released an Industrial Control Systems (ICS) advisory to provide notice of multiple vulnerabilities found in real-time operating systems (RTOS) and supporting libraries.
Problem:
CISA has become aware of a report called “BadAlloc”, which details vulnerabilities in many real-time operating systems and their libraries. One example, classified as CWE-190: Amazon FreeRTOS 10.4.1 is vulnerable to integer wrap-around in multiple memory management API functions, which can lead to arbitrary memory allocation and, in turn, to crashes or remote code injection/execution.
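The following is an added illustration of the CWE-190 allocation pattern described above; it is not code from the advisory, the BadAlloc report, or FreeRTOS. It models a 32-bit RTOS where size_t is 32 bits wide, and the request of 0x40000001 elements of 4 bytes is a constructed input chosen so the product wraps; the function names are assumed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a 32-bit RTOS where size_t is 32 bits wide. */
typedef uint32_t rtos_size_t;

/* Vulnerable pattern (CWE-190): the request size is computed with an
 * unchecked multiply. For count = 0x40000001 and elem_size = 4 the true
 * product is 0x100000004, which wraps to 4, so the allocator hands back a
 * 4-byte block while the caller believes it owns room for all its elements. */
static rtos_size_t wrapped_request_size(rtos_size_t count, rtos_size_t elem_size) {
    return count * elem_size;
}

static void *vulnerable_alloc_array(rtos_size_t count, rtos_size_t elem_size) {
    return malloc(wrapped_request_size(count, elem_size));
}

/* Hardened pattern: detect the wrap before the product is trusted.
 * Returns the byte count, or -1 if count * elem_size does not fit in 32 bits. */
static int64_t checked_request_size(rtos_size_t count, rtos_size_t elem_size) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size) {
        return -1;
    }
    return (int64_t)count * (int64_t)elem_size;
}

static void *hardened_alloc_array(rtos_size_t count, rtos_size_t elem_size) {
    int64_t bytes = checked_request_size(count, elem_size);
    if (bytes < 0) {
        return NULL;   /* refuse the request instead of returning a tiny block */
    }
    return malloc((size_t)bytes);
}

int main(void) {
    rtos_size_t count = 0x40000001u, elem = 4u;
    void *p = vulnerable_alloc_array(count, elem);
    printf("vulnerable: asked for %u x %u bytes, allocated %u bytes (%s)\n",
           (unsigned)count, (unsigned)elem,
           (unsigned)wrapped_request_size(count, elem), p ? "non-NULL" : "NULL");
    free(p);
    void *q = hardened_alloc_array(count, elem);
    printf("hardened:   request %s\n", q ? "allowed" : "rejected as wrap-around");
    free(q);
    return 0;
}
```

The same division-based check applies to any size computation fed to an allocator; patched builds replace the unchecked multiply with a check of this kind.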
Implication:
Successful exploitation of these vulnerabilities could result in unexpected behavior such as remote code injection/execution or a crash.
Need:
CISA encourages administrators and end-users to review the ICS Advisory for mitigation recommendations and available updates.
For a brief overview:
________________________________
Apple Releases Security Updates
Situation:
Apple has released security updates to address vulnerabilities in multiple products.
Problem:
Apple has addressed several vulnerabilities across multiple products: iCloud for Windows 12.3, Xcode 12.5, Safari 14.1, macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, and tvOS 14.5. These vulnerabilities include arbitrary code execution, authentication bypass, buffer overflow, and memory corruption, among others.
Implication:
An attacker could exploit some of these vulnerabilities to take control of an affected system or trigger file corruption or system instability.
Need:
CISA recommends that administrators and end users review the Apple security pages and apply the updates as soon as possible.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/04/27/apple-releases-security-updates
________________________________
Google Releases Security Updates for the Chrome Browser
Situation:
Google has released a new version of Chrome (90.0.4430.93) that addresses a number of vulnerabilities for Windows, Mac, and Linux.
Problem:
The nine vulnerabilities Google found range from low to high severity and include heap buffer overflow, use-after-free, insufficient data validation, and insufficient policy enforcement, among others.
Implication:
If an attacker is able to successfully exploit some of these vulnerabilities, they could take over the affected system.
Need:
Google has released Chrome version 90.0.4430.93 for Windows, Mac, and Linux operating systems. It is recommended to update to the latest Chrome version to protect against these vulnerabilities.
For a more technical overview:
https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_26.html