
Overview

Apple have released multiple security updates covering their operating systems and applications.

  • iOS 17.4 and iPadOS 17.4: various vulnerabilities have been addressed, including a privacy issue fixed with improved private data redaction for log entries (CVE-2024-23291) and a buffer overflow fixed with improved memory handling (CVE-2024-23286).
  • iOS 16.7.6 and iPadOS 16.7.6: various vulnerabilities have been addressed, including a timing side channel in cryptographic functions, fixed with improvements to constant-time computation (CVE-2024-23218), and a kernel memory corruption issue, fixed with improved validation (CVE-2024-23225), which Apple reports may have been exploited.
  • Other security updates: Further updates have been released for Safari 17.4, macOS Sonoma 14.4, macOS Ventura 13.6.5, macOS Monterey 12.7.4, watchOS 10.4, tvOS 17.4, and visionOS 1.1.
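Because Apple ships fixes on several release branches at once (17.4 for current devices, 16.7.6 for devices that cannot run iOS 17), a naive "is the version at least 17.4" check misreports patched 16.x devices. The branch-aware check below is an added example written for this page, not Apple's or any vendor's tooling; the minimum versions are the ones listed above, and the inventory records are constructed sample data.

```python
# Branch-aware patch-compliance check for the Apple updates summarised above.
# Added example, not vendor code. The patched-version table is transcribed
# from the advisory summary on this page; the inventory below is made up.

# Minimum patched version per platform, keyed by the release branch (major
# version) a device tracks. A branch absent here is not covered by this
# advisory set, which is reported separately rather than assumed safe.
PATCHED = {
    "iOS":      {17: (17, 4), 16: (16, 7, 6)},
    "iPadOS":   {17: (17, 4), 16: (16, 7, 6)},
    "macOS":    {14: (14, 4), 13: (13, 6, 5), 12: (12, 7, 4)},
    "Safari":   {17: (17, 4)},
    "watchOS":  {10: (10, 4)},
    "tvOS":     {17: (17, 4)},
    "visionOS": {1: (1, 1)},
}


def parse_version(text):
    """'16.7.6' -> (16, 7, 6); tuples compare component-wise, so
    (16, 7) < (16, 7, 6) and (17, 4, 1) >= (17, 4) behave as expected."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(platform, version):
    """Return 'patched', 'vulnerable' or 'not_covered' for one device."""
    branches = PATCHED.get(platform)
    if branches is None:
        raise ValueError(f"unknown platform {platform!r}")
    v = parse_version(version)
    target = branches.get(v[0])
    if target is None:
        return "not_covered"          # branch not listed in this advisory set
    return "patched" if v >= target else "vulnerable"


def flag_inventory(records):
    """records: iterable of (hostname, platform, version).
    Returns (hostname, platform, version, status) for everything that is not
    confirmed patched, so unknown branches are surfaced for manual review."""
    flagged = []
    for host, platform, version in records:
        status = assess(platform, version)
        if status != "patched":
            flagged.append((host, platform, version, status))
    return flagged


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("phone-01", "iOS", "17.3.1"),     # current branch, not yet updated
    ("phone-02", "iOS", "16.7.6"),     # older branch, fully patched
    ("phone-03", "iOS", "15.8"),       # branch not in this advisory set
    ("mac-01", "macOS", "13.6.5"),     # Ventura, patched
    ("mac-02", "macOS", "12.7.3"),     # Monterey, one release behind
    ("tablet-01", "iPadOS", "17.4.1"), # newer than the minimum, patched
]

if __name__ == "__main__":
    for row in flag_inventory(SAMPLE_INVENTORY):
        print("%-10s %-8s %-8s %s" % row)
```

Run against a real MDM export, the same logic applies unchanged; only the `PATCHED` table needs refreshing as each advisory lands, and anything reported as `not_covered` should be checked against the vendor's own support list rather than treated as safe.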

Cisco have released security advisories addressing vulnerabilities recently found in their products. CVE-2024-20337 has a base score of 8.2 and affects Cisco Secure Client. Successful exploitation could allow an attacker to execute arbitrary script code in the browser or access sensitive browser-based information. CVE-2024-20338 has a base score of 7.3 and affects Linux hosts running a vulnerable release of Cisco Secure Client with the ISE Posture Module installed. Successful exploitation could allow a local attacker to execute arbitrary code on the affected host with root privileges.

QNAP have released an advisory warning of critical flaws, including an authentication bypass, in QTS, QuTS hero, QuTScloud and myQNAPcloud. CVE-2024-21899 is an improper authentication vulnerability which could allow a remote attacker to compromise the security of the system. CVE-2024-21900 is a command injection vulnerability which could allow an authenticated user to execute arbitrary commands on the system via a network. CVE-2024-21901 is an SQL injection vulnerability which could allow an attacker to inject malicious SQL code via a network.

Fortinet have released security updates addressing vulnerabilities in multiple products. Three vulnerabilities have been classified as critical, with base scores above 9.0. CVE-2023-42789 and CVE-2023-42790 affect FortiOS and FortiProxy and are an out-of-bounds write and a stack-based buffer overflow respectively. CVE-2023-48788 affects FortiClientEMS and is an SQL injection vulnerability that could allow an unauthenticated attacker to execute unauthorised code or commands on an affected system via specifically crafted requests. Information on the remaining vulnerabilities can be found through the link below.

Microsoft have released their March security updates. Two vulnerabilities have been classified as critical. CVE-2024-21334 has a base score of 9.8 and affects Open Management Infrastructure (OMI). A remote, unauthenticated attacker could send specifically crafted requests to an OMI instance exposed on the network to trigger a use-after-free vulnerability, leading to remote code execution. CVE-2024-21400 has a base score of 9.0 and affects Microsoft Azure Kubernetes Service Confidential Container (AKSCC). Successful exploitation could allow an attacker to steal credentials and affect resources beyond the security scope managed by AKSCC.

Adobe have released multiple security bulletins addressing a number of vulnerabilities in their products. While none of the vulnerabilities has a base score greater than 8.6, a large number have been disclosed. Adobe recommend that users of their products review the individual bulletins and apply the relevant updates.


Recommended Action

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:

Apple iOS 17.4, iOS 16.7.6, and Security Bulletins

Cisco CVE-2024-20337 and CVE-2024-20338

QNAP Vulnerability Update

Fortinet Advisory Links

Microsoft Security Update

Adobe Update Links


If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.

Topics

  • Advisory
  • Vulnerability
  • Exploit
  • Patches and Updates