Product Security Alerts:
Microsoft On-Premises Exchange Servers / Google Chrome and Edge Browsers / Cisco

April 15, 2021

Alert 1: Mitigate New Microsoft Exchange Server Vulnerabilities

Alert 2: Zero-Day Exploits for Google Chrome and Microsoft Edge – Update Now!

Alert 3: Vulnerabilities on Multiple Cisco Products

Scope

An attacker could use these vulnerabilities to gain access and maintain persistence on the target host. These vulnerabilities are different from the ones disclosed and fixed in March 2021 – the security updates released in March 2021 will not remediate against these vulnerabilities. CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483. CVE-2021-28480 and CVE-2021-28481 have a critical severity score of 9.8 out of 10 and could be exploited without authentication.

Who is affected?

Businesses using Microsoft On-Premises Exchange Server 2013, 2016 and 2019

Remediation/Action Plan

Though CISA is unaware of active exploitation of these vulnerabilities, once an update has been publicly released, the underlying vulnerabilities can be reverse engineered to create an exploit. CISA requires that agencies immediately apply the Microsoft April 2021 update to all affected Exchange Servers.

Exchange Server 2013 CU23

Exchange Server 2016 CU19 and CU20

Exchange Server 2019 CU8 and CU9

Two update paths provided by Microsoft:

Scope

On Tuesday, Google released a fix on the reported 2 critical and exploitable flaws in their browser, Google Chrome:

• CVE-2021-21206: Use after free in Blink browser engine
• CVE-2021-21220: Insufficient validation of untrusted input in V8 for x86_64

Reports indicates that Microsoft Edge and other Chromium-based browsers like Brave, Opera and Vivaldi are also at risk.

Who is affected?

User who are using Google Chrome browser, Microsoft Edge

Remediation/Action Plan

Latest Chrome version as of this writing 90.0.4430.72 is available. Users can update to the latest version by heading to

Settings > Help > About Google Chrome

to mitigate the risk associated with the flaws. This goes the same with Microsoft Edge where the most recent version as of writing is 89.0.774.77. To upgrade their browser version, go to Settings > Help and Feedback > About Microsoft Edge

Scope

Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. Please click below respective Cisco advisory links on how to remediate affected products:

• Cisco SD-WAN vManage Software Vulnerabilities cisco-sa-vmanage-YuTVWqy
• Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability cisco-sa-rv-rce-q3rxHnvm
• Cisco Small Business RV Series Routers Vulnerabilities cisco-sa-sb-rv-bypass-inject-Rbhgvfdx
• Cisco Small Business RV Series Routers Link Layer Discovery Protocol Vulnerabilities cisco-sa-rv-multi-lldp-u7e4chCe
• Cisco Unified Communications Products Remote Code Execution Vulnerability cisco-sa-cucm-rce-pqVYwyb
• Cisco Advanced Malware Protection for Endpoints Windows Connector, ClamAV for Windows, and Immunet DLL Hijacking Vulnerability cisco-sa-amp-imm-dll-tu79hvkO

Who is affected?

Businesses using the affected Cisco products listed above

Remediation/Action Plan

CISA strongly urge businesses and users to assess Cisco products their using and check the Cisco Security Advisory links posted for any workarounds or fixed software version released by Cisco.