“The attacker needs no privileges, nor does the user need to perform any action,” it added.
Meanwhile, CVE-2023-32031 and CVE-2023-28310 are Microsoft Exchange Server remote code execution vulnerabilities that require an attacker to be authenticated to exploit.
Google Android
It’s time to update your Google Android device, as the tech giant has released its June Security Bulletin. The most serious issue fixed by Google is a critical security vulnerability in the System component, tracked as CVE-2023-21108, that could lead to RCE over Bluetooth with no additional execution privileges needed. Another flaw in the System tracked as CVE-2023-21130 is a RCE bug also marked as critical.
One of the flaws patched in June’s update is CVE-2022-22706, a vulnerability in Arm components that the chipmaker fixed in 2022 after it had already been used in attacks.
The June Android patch also includes CVE-2023-21127, a critical RCE flaw in the framework and CVE-2022-33257 and CVE-2022-40529—two serious bugs in the Qualcomm closed-source components.
The Android security update is available for Google’s Pixel phones and is starting to roll out to Samsung’s Galaxy range.
Google Chrome 114
Google has released Chrome 114, fixing several serious flaws. The patched bugs include CVE-2023-3214, a critical use-after-free vulnerability in Autofill payments.
CVE-2023-3215 is another use-after-free flaw in WebRTC rated as having a high impact, while CVE-2023-3216 is a high severity type confusion bug in V8. A final use-after-free in WebXR is also rated as high.
Earlier in the month, Google released a fix for an already exploited type confusion bug, CVE-2023-3079. “Google is aware that an exploit for CVE-2023-3079 exists in the wild,” the browser maker said.
MOVEit
Right at the end of May, software maker Progress discovered a SQL injection vulnerability in its MOVEit Transfer product that could lead to escalated privileges and unauthorized access. Tracked as CVE-2023-34362, the flaw was used in real-life attacks in May and June 2023.
“Depending on the database engine being used, an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements,” Progress warned in an advisory.
It soon emerged that the attacks were carried out by the Clop ransomware group, which threatened to leak data if victim organizations—which include several US government agencies—didn’t respond by mid-June. However, while researchers at security company Huntress were monitoring exploitation of the flaw, they found additional vulnerabilities, resulting in another patch release. In the second round of patched bugs are SQL injection vulnerabilities tracked as CVE-2023-35036.
Then on June 15, a third round of flaws tracked as CVE-2023-35708 emerged, prompting another patch release.
Needless to say, if you haven’t patched already, it’s urgent to do so as soon as you can.
VMWare
Software giant VMWare has issued patches for flaws in its Aria Operations for Networks that are already being used in attacks. Tracked as CVE-2023-20887, the first is marked as critical with a CVSS score of 9.8. “A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution,” VMWare warned in an advisory.
CVE-2023-20888 is an authenticated deserialization vulnerability with a CVSS score of 9.1. Meanwhile, CVE-2023-20889 is information disclosure vulnerability in the important severity range with a CVSS score of 8.8.