End-of-the-month Security Alerts for September 2023

Google Chrome Zero-Day Exploit

The high-severity zero-day vulnerability (CVE-2023-5217) is caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, a flaw whose impact ranges from app crashes to arbitrary code execution.

CVE-2023-5217 has been fixed in Google Chrome 117.0.5938.132 for Windows, Mac and Linux users.
Google noted that the exploit for CVE-2023-5217 exists in the wild, so users are recommended to update as soon as possible.

Source:

• https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html

Microsoft Internet Connection Sharing (ICS) Remote Code Execution Exploit

Who is affected?

This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.

How could an attacker exploit this vulnerability?

An unauthorized attacker could exploit this Internet Connection Sharing (ICS) vulnerability by sending a specially crafted network packet to the Internet Connection Sharing (ICS) Service.

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.

Remediation

Apply latest Security Update.

Source:

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38148

Cisco Catalyst SD-WAN Manager Vulnerabilities

In the following table the first column lists Cisco Catalyst SD-WAN Manager releases and the subsequent columns indicate whether a release is affected by one or more of the vulnerabilities that are described in this advisory and the first fixed release for each vulnerability.

For CVE-2023-20252, only releases 20.9.3.2 and 20.11.1.2 are affected. Previous releases in the 20.9 and 20.11 trains are not affected.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Sources:

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vman-sc-LRLfu2z
• https://www.cisa.gov/news-events/alerts/2023/09/28/cisco-releases-security-advisories-multiple-products

Microsoft Edge (Chromium-based) Heap buffer overflow in WebP Vulnerability

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (…) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

How can I find out what version of Teams I am running?

1. Click on the User Avatar at the top right of the Teams Windows.
2. Click on About, then Version.
3. The version will be displayed in the banner below the Search bar.

Where do I get the latest version of Teams?

The latest version of Microsoft Teams can be downloaded at https://teams.microsoft.com/download.

What is the version information for this release?

Is Microsoft Teams developing an update to address CVE-2023-4863?

We are aware that certain versions of Teams applications are affected by this vulnerability. Some updates are currently available. Please see the Security Updates table for more information.

Microsoft is working to identify and address this vulnerability in all affected products as soon as possible. We will keep this page updated with the latest information and advice.

Is Microsoft Skype developing an update to address CVE-2023-4863?

We are aware that certain versions of Skype applications are affected by this vulnerability. Microsoft is working to identify and address this vulnerability as soon as possible. We will keep this page updated with the latest information and advice.

Source:

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863