Another scary flaw in the System component, tracked as CVE-2023-40129, is rated as critical. "The vulnerability could lead to remote code execution with no additional execution privileges needed," Google said. The update is available for Google's Pixel and Samsung's Galaxy series, so if you have an Android device, check your settings ASAP.

Cisco

Software giant Cisco has released patches to fix two already exploited flaws. Tracked as CVE-2023-20198 and with an eye-watering CVSS score of 10, the first is an issue in the web user interface feature of Cisco IOS XE software. It affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled, researchers at Cisco Talos said in a blog. "Successful exploitation of CVE-2023-20198 allows an attacker to gain privilege level 15 access to the device, which the attacker can then use to create a local user and log in with normal user access," the researchers warned. The attacker can use the new unauthorized local user account to exploit a second vulnerability, CVE-2023-20273, in another component of the WebUI feature. Cisco "strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses," the firm wrote in an advisory.

VMware

VMware has patched two vulnerabilities in its vCenter Server, an out-of-bounds write and an information disclosure flaw. Tracked as CVE-2023-34048, the first is a vulnerability in the implementation of the DCERPC protocol that could lead to remote code execution. VMware has rated the flaw as critical with a CVSS base score of 9.8.

Citrix

Enterprise software firm Citrix has issued urgent fixes for vulnerabilities in NetScaler ADC and NetScaler Gateway. Tracked as CVE-2023-4966 and with a CVSS score of 9.4, the first bug could allow an attacker to expose sensitive information. CVE-2023-4967 is a denial-of-service issue with a CVSS score of 8.2.
"Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible."

SAP

SAP's October Security Patch Day saw the release of seven new security notes, all of which were rated as having a medium impact. Tracked as CVE-2023-42474, the worst flaw is a cross-site scripting vulnerability in SAP BusinessObjects Web Intelligence with a CVSS score of 6.8. With only nine new and updated security notes, SAP's October Patch Day "belongs to the calmest of the last five years," security firm Onapsis said. While SAP's October flaw count was much smaller than its peers', attackers are still out there, so you should still keep up to date and get patching as soon as you can.
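The Cisco advisory quoted above gives two mitigations for the IOS XE WebUI flaws (disable the HTTP Server feature on internet-facing devices, or restrict it to trusted source addresses), and the Talos description gives defenders a concrete trace to look for: a newly created local account with privilege level 15. The following Python script is an added example written for this page, not tooling from Cisco, Talos, or Wired. It audits a saved `show running-config` for both conditions and turns findings into configuration lines for an operator to review. The sample configuration, the expected-admin list, and the ACL name `MGMT-HOSTS` are constructed placeholders; the `ip http access-class ipv4 <acl-name>` form is the syntax of newer IOS XE releases and should be checked against the documentation for your release.

```python
import re

# Constructed sample of a saved `show running-config` excerpt from an
# IOS XE device. This is made-up data for the example, not real device output.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username svc_report privilege 15 secret 9 $9$PLACEHOLDER
username helpdesk privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
!
"""

# Accounts that change records say should hold privilege 15 (placeholder list).
EXPECTED_ADMINS = {"netadmin"}

PRIV15_RE = re.compile(r"^username (\S+) privilege 15\b", re.MULTILINE)


def privileged_users(config):
    """Return the set of local usernames configured with privilege 15."""
    return set(PRIV15_RE.findall(config))


def http_server_state(config):
    """Report whether the HTTP/HTTPS server is enabled and whether an
    access-class restricts which source addresses can reach it."""
    lines = {line.strip() for line in config.splitlines()}
    return {
        "http": "ip http server" in lines,
        "https": "ip http secure-server" in lines,
        "access_class": any(l.startswith("ip http access-class") for l in lines),
    }


def audit(config, expected_admins):
    """Return finding strings: an unrestricted WebUI (server on, no
    access-class) and any privilege-15 user outside the expected set, which
    is the footprint the attack chain described in the article leaves."""
    findings = []
    state = http_server_state(config)
    if (state["http"] or state["https"]) and not state["access_class"]:
        findings.append("webui-unrestricted")
    for user in sorted(privileged_users(config) - set(expected_admins)):
        findings.append("unexpected-priv15-user:" + user)
    return findings


def remediation(findings, keep_webui=False, trusted_acl="MGMT-HOSTS"):
    """Translate findings into IOS XE configuration lines for an operator to
    review. `trusted_acl` is a placeholder name for a standard ACL permitting
    only management hosts; it must be defined before the access-class is applied."""
    cmds = []
    if "webui-unrestricted" in findings:
        if keep_webui:
            # Newer IOS XE releases accept the `ipv4 <acl-name>` form used here;
            # older ones take a numbered ACL. Verify the syntax for your release.
            cmds.append("ip http access-class ipv4 " + trusted_acl)
        else:
            cmds += ["no ip http server", "no ip http secure-server"]
    for finding in findings:
        if finding.startswith("unexpected-priv15-user:"):
            # Flag for investigation rather than silent deletion: an unknown
            # privilege-15 account is evidence, not just a misconfiguration.
            cmds.append("! investigate, then: no username " + finding.split(":", 1)[1])
    return cmds


if __name__ == "__main__":
    found = audit(SAMPLE_CONFIG, EXPECTED_ADMINS)
    print("findings:", found)
    for line in remediation(found):
        print(line)
```

Run against real exports, the interesting output is the second finding type: an unrestricted WebUI is a known risk the advisory tells you to fix, but a privilege-15 account nobody provisioned is the sign that the fix may already be too late for that device and an incident-response process, not a configuration push, should follow.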
This Cyber News was published on www.wired.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000