Sept 29, 2023
Here are newly identified product-alerts and cyber-security highlights for the last week of September:
The high-severity zero-day vulnerability (CVE-2023-5217) is caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, a flaw whose impact ranges from app crashes to arbitrary code execution.
CVE-2023-5217 has been fixed in Google Chrome 117.0.5938.132 for Windows, Mac and Linux users.
Google noted that the exploit for CVE-2023-5217 exists in the wild, so users are recommended to update as soon as possible.
Who is affected?
This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.
How could an attacker exploit this vulnerability?
An unauthorized attacker could exploit this Internet Connection Sharing (ICS) vulnerability by sending a specially crafted network packet to the Internet Connection Sharing (ICS) Service.
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
Apply latest Security Update.
In the following table the first column lists Cisco Catalyst SD-WAN Manager releases and the subsequent columns indicate whether a release is affected by one or more of the vulnerabilities that are described in this advisory and the first fixed release for each vulnerability.
|Earlier than 20.3||Not affected.||Migrate to a fixed release.||Migrate to a fixed release.||Migrate to a fixed release.||Migrate to a fixed release.|
|20.3||Not affected.||Migrate to a fixed release.||20.3.4||Migrate to a fixed release.||20.3.7|
|20.4||Not affected.||Migrate to a fixed release.||Migrate to a fixed release.||Migrate to a fixed release.||Migrate to a fixed release.|
|20.5||Not affected.||Migrate to a fixed release.||Migrate to a fixed release.||Migrate to a fixed release.||Migrate to a fixed release.|
|20.6||Not affected.||20.6.2||20.6.1||220.127.116.11||Migrate to a fixed release.|
|20.7||Not affected.||20.7.1||20.7.1||Migrate to a fixed release.||Migrate to a fixed release.|
|20.8||Not affected.||20.8.1||Not affected.||Migrate to a fixed release.||Migrate to a fixed release.|
|20.10||Not affected.||20.10.1||Not affected.||18.104.22.168||Migrate to a fixed release.|
|20.11||Migrate to a fixed release.1||20.11.1||Not affected.||22.214.171.124||20.11.1|
|20.12||Not affected.||Not affected.||Not affected.||Not affected.||20.12.1|
For CVE-2023-20252, only releases 126.96.36.199 and 188.8.131.52 are affected. Previous releases in the 20.9 and 20.11 trains are not affected.
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
How can I see the version of the browser?
How can I find out what version of Teams I am running?
Where do I get the latest version of Teams?
The latest version of Microsoft Teams can be downloaded at https://teams.microsoft.com/download.
What is the version information for this release?
|Microsoft Edge Channel||Microsoft Edge Version||Based on Chromium Version||Date Released|
Is Microsoft Teams developing an update to address CVE-2023-4863?
We are aware that certain versions of Teams applications are affected by this vulnerability. Some updates are currently available. Please see the Security Updates table for more information.
Microsoft is working to identify and address this vulnerability in all affected products as soon as possible. We will keep this page updated with the latest information and advice.
Is Microsoft Skype developing an update to address CVE-2023-4863?
We are aware that certain versions of Skype applications are affected by this vulnerability. Microsoft is working to identify and address this vulnerability as soon as possible. We will keep this page updated with the latest information and advice.