March 04, 2023 03:30 pm | Updated 03:30 pm IST

The Indian Computer Emergency Response Team (CERT-In) released multiple vulnerability notes detailing security bugs detected in commonly used software from Apple, Google, and Cisco.

In Apple's case, security bugs were detected in iOS, watchOS, macOS, and tvOS. In Google's case, bugs were detected in the Chrome browser. For Cisco, security bugs were detected in Cisco ESA and Cisco Secure Email and Web Manager.

Apple iOS, watchOS, macOS and tvOS

Multiple high severity security bugs were detected in Apple products. These security bugs could be exploited by remote attackers by persuading users to visit a maliciously crafted website.

The security bugs could be exploited by attackers to gain elevated privileges, execute arbitrary code, access sensitive information by bypassing security restrictions, and could even lead to denial of service on targeted systems.

The bugs were found to exist due to a type confusion flaw in the WebKit and DriverKit components, leaks of sensitive kernel state in the kernel and Wi-Fi components, access to sensitive data in the Apple Mobile integrity component, and logic issues in the Exchange, Maps, Weather, Windows Installer, and mail drafts components.

Bugs were also found to exist due to a buffer overflow in the dcerpc component, a privacy issue in the Screen Time and Shortcuts components, a flaw in the Intel graphics driver component, memory corruption in ImageIO, and a race condition in the Crash Reporter component.

Apple has released updates fixing the security bugs and advised users to update their software to avoid exploitation.

Google Chrome for Windows and Linux

Multiple high severity bugs were detected in Google Chrome for Windows and Linux, which could be exploited by an attacker to execute arbitrary code and gain access to sensitive information on targeted systems.

These vulnerabilities were found to exist due to use-after-free flaws in Prompts, the Web Payments API and SwiftShader, a heap buffer overflow in Video, and an integer overflow in PDF.

The bugs could be exploited by remote attackers by persuading the victim to visit a specially crafted web page.

Google has released updates fixing the bugs and requested users to update to the latest security patch.

Cisco products

Multiple high severity security bugs were detected in Cisco products, including Cisco ESA and Cisco Secure Email and Web Manager.

The bugs could be exploited by authenticated remote and local attackers to elevate privileges to root and execute arbitrary commands on targeted devices.

The privilege escalation vulnerability was found to exist in the web UI and CLI of Cisco ESA and Cisco Secure Email and Web Manager. It is caused by improper validation of an uploaded Simple Network Management Protocol (SNMP) configuration file. SNMP provides network devices such as routers, servers and printers with a common language for sharing information with a network management system.

An attacker could exploit the bug by authenticating to the affected device and uploading a specially crafted SNMP configuration file.

A second vulnerability was detected in the CLI of Cisco ESA, a product used to provide data loss prevention and email encryption services for outbound emails. It is caused by improper input validation and could be exploited by an attacker injecting operating system commands into a legitimate command.

Successful exploitation could allow an attacker to escape the restricted command prompt and execute arbitrary commands on the underlying operating system.

Cisco has released updates fixing the security bugs.