ID CVE-2020-9791 Type cve Reporter cve@mitre.org Modified 2020-06-11T00:46:00
Description
An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5. Processing a maliciously crafted audio file may lead to arbitrary code execution.
{"zdi": [{"lastseen": "2020-06-22T11:40:42", "bulletinFamily": "info", "cvelist": ["CVE-2020-9791"], "description": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the AudioToolboxCore module. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "edition": 1, "modified": "2020-06-22T00:00:00", "published": "2020-05-27T00:00:00", "id": "ZDI-20-671", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-671/", "title": "Apple macOS AudioToolboxCore AIFF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-07-21T19:27:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-9827", "CVE-2020-9792", "CVE-2020-9856", "CVE-2020-9791", "CVE-2020-9824", "CVE-2020-9844", "CVE-2020-9852", "CVE-2020-3882", "CVE-2020-3878", "CVE-2020-9804", "CVE-2020-9831", "CVE-2020-9788", "CVE-2020-9815", "CVE-2020-9855", "CVE-2020-9825", "CVE-2020-9851", "CVE-2020-9793", "CVE-2020-9794"], "description": "This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.", "modified": "2020-07-16T00:00:00", "published": "2020-05-27T00:00:00", "id": "OPENVAS:1361412562310817130", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310817130", "type": "openvas", "title": "Apple MacOSX Security Updates(HT211170) - 01", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the 
respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.817130\");\n script_version(\"2020-07-16T11:59:37+0000\");\n script_cve_id(\"CVE-2020-9815\", \"CVE-2020-9788\", \"CVE-2020-9831\", \"CVE-2020-9852\",\n \"CVE-2020-9856\", \"CVE-2020-9855\", \"CVE-2020-3882\", \"CVE-2020-9793\",\n \"CVE-2020-9844\", \"CVE-2020-9804\", \"CVE-2020-9791\", \"CVE-2020-9792\",\n \"CVE-2020-9827\", \"CVE-2020-9794\", \"CVE-2020-9824\", \"CVE-2020-9825\",\n \"CVE-2020-9851\", \"CVE-2020-3878\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-16 11:59:37 +0000 (Thu, 16 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-27 12:16:54 +0530 (Wed, 27 May 2020)\");\n script_name(\"Apple MacOSX Security Updates(HT211170) - 01\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Multiple 
out-of-bounds read errors.\n\n - Insufficient input sanitization.\n\n - An integer overflow.\n\n - Insufficient validation of symlinks.\n\n - A memory corruption issue.\n\n - A double free error.\n\n - A logic issue.\n\n - An error in sandbox restrictions.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, execute arbitrary javascript code, gain access to\n sensitive information, gain elevated privileges, conduct a DoS attck, modify\n restricted network settings and bypass security restrictions.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions 10.15.x through 10.15.4\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X 10.15.5 or later.\n Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT211170\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"ssh_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.15\" || \"Mac OS X\" >!< osName)\n exit(0);\n\nif(osVer =~ \"^10\\.15\")\n{\n if(version_in_range(version:osVer, test_version:\"10.15\", test_version2:\"10.15.4\"))\n {\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"10.15.5\");\n security_message(data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "apple": [{"lastseen": "2020-12-24T20:44:43", "bulletinFamily": "software", "cvelist": 
["CVE-2020-9827", "CVE-2014-9512", "CVE-2020-9837", "CVE-2020-9791", "CVE-2020-9803", "CVE-2020-9852", "CVE-2020-9854", "CVE-2020-9805", "CVE-2020-9806", "CVE-2020-9812", "CVE-2020-3878", "CVE-2020-9839", "CVE-2020-9795", "CVE-2020-9813", "CVE-2020-9821", "CVE-2020-9802", "CVE-2020-9809", "CVE-2020-9800", "CVE-2020-9842", "CVE-2020-9815", "CVE-2020-9790", "CVE-2020-9850", "CVE-2020-9829", "CVE-2020-9807", "CVE-2020-9808", "CVE-2020-9811", "CVE-2020-9843", "CVE-2020-9814", "CVE-2020-9816", "CVE-2020-9789", "CVE-2020-9797", "CVE-2020-9794", "CVE-2020-9994", "CVE-2019-20503"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## tvOS 13.4.5\n\nReleased May 26, 2020\n\n**Accounts**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed with improved input validation.\n\nCVE-2020-9827: Jannik Lorenz of SEEMOO @ TU Darmstadt\n\n**AppleMobileFileIntegrity**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application could interact with system processes to access private information and perform privileged actions\n\nDescription: An entitlement parsing issue was addressed with improved parsing.\n\nCVE-2020-9842: Linus Henze (pinauten.de)\n\n**Audio**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed 
with improved bounds checking.\n\nCVE-2020-9815: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative\n\n**Audio**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9791: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative\n\n**CoreText**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted text message may lead to application denial of service\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2020-9829: Aaron Perris (@aaronp613), an anonymous researcher, an anonymous researcher, Carlos S Tech, Sam Menzies of Sam\u2019s Lounge, Sufiyan Gouri of Lovely Professional University, India, Suleman Hasan Rathor of Arabic-Classroom.com\n\n**FontParser**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9816: Peter Nguyen Vu Hoang of STAR Labs working with Trend Micro Zero Day Initiative\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-3878: Samuel Gro\u00df of Google Project Zero\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9789: Wenchao Li of VARAS@IIE\n\nCVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab\n\n**IPSec**\n\nAvailable for: Apple TV 4K and Apple 
TV HD\n\nImpact: A remote attacker may be able to leak memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9837: Thijs Alkemade of Computest\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9821: Xinru Chi and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to determine another application's memory layout\n\nDescription: An information disclosure issue was addressed by removing the vulnerable code.\n\nCVE-2020-9797: an anonymous researcher\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: An integer overflow was addressed through improved input validation.\n\nCVE-2020-9852: Tao Huang and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2020-9795: Zhuo Liang of Qihoo 360 Vulcan Team\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An application may be able to cause unexpected system termination or write kernel memory\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9808: Xinru Chi and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A local user may be able to read kernel memory\n\nDescription: An information disclosure issue was addressed with improved state management.\n\nCVE-2020-9811: Tielei Wang of Pangu Lab\n\nCVE-2020-9812: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: 
Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A logic issue existed resulting in memory corruption. This was addressed with improved state management.\n\nCVE-2020-9813: Xinru Chi of Pangu Lab\n\nCVE-2020-9814: Xinru Chi and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An information disclosure issue was addressed with improved state management.\n\nCVE-2020-9809: Benjamin Randazzo (@____benjamin)\n\n**libxpc**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to overwrite arbitrary files\n\nDescription: A path handling issue was addressed with improved validation.\n\nCVE-2020-9994: Apple\n\nEntry added September 21, 2020\n\n**rsync**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to overwrite existing files\n\nDescription: A validation issue existed in the handling of symlinks. 
This issue was addressed with improved validation of symlinks.\n\nCVE-2014-9512: gaojianfeng\n\nEntry added July 28, 2020\n\n**Security**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2020-9854: Ilias Morad (A2nkF)\n\nEntry added July 28, 2020\n\n**SQLite**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may cause a denial of service or potentially disclose memory contents\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9794\n\n**System Preferences**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with improved state handling.\n\nCVE-2020-9839: @jinmo123, @setuid0x0_, and @insu_yun_en of @SSLab_Gatech working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may lead to universal cross site scripting\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9805: an anonymous researcher\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9802: Samuel Gro\u00df of Google Project Zero\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9850: @jinmo123, @setuid0x0_, and @insu_yun_en of @SSLab_Gatech working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may 
lead to a cross site scripting attack\n\nDescription: An input validation issue was addressed with improved input validation.\n\nCVE-2020-9843: Ryan Pickren (ryanpickren.com)\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2020-9803: Wen Xu of SSLab at Georgia Tech\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9806: Wen Xu of SSLab at Georgia Tech\n\nCVE-2020-9807: Wen Xu of SSLab at Georgia Tech\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2020-9800: Brendan Draper (@6r3nd4n) working with Trend Micro Zero Day Initiative\n\n**WebRTC**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may result in the disclosure of process memory\n\nDescription: An access issue was addressed with improved memory management.\n\nCVE-2019-20503: Natalie Silvanovich of Google Project Zero\n\n\n\n## Additional recognition\n\n**CoreText**\n\nWe would like to acknowledge Jiska Classen (@naehrdine) and Dennis Heinze (@ttdennis) of Secure Mobile Networking Lab for their assistance.\n\n**ImageIO**\n\nWe would like to acknowledge Lei Sun for their assistance.\n\n**IOHIDFamily**\n\nWe would like to acknowledge Andy Davis of NCC Group for their assistance.\n\n**IPSec**\n\nWe would like to acknowledge Thijs Alkemade of Computest for their assistance.\n\nEntry added August 10, 2020\n\n**Kernel**\n\nWe would like to acknowledge Brandon Azad of Google Project Zero 
for their assistance.\n\n**Safari**\n\nWe would like to acknowledge Luke Walker of Manchester Metropolitan University for their assistance.\n\n**WebKit**\n\nWe would like to acknowledge Aidan Dunlap of UT Austin for their assistance.\n", "edition": 7, "modified": "2020-09-21T04:33:14", "published": "2020-09-21T04:33:14", "id": "APPLE:HT211171", "href": "https://support.apple.com/kb/HT211171", "title": "About the security content of tvOS 13.4.5 - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:44:01", "bulletinFamily": "software", "cvelist": ["CVE-2020-9827", "CVE-2014-9512", "CVE-2020-9791", "CVE-2020-9803", "CVE-2020-9819", "CVE-2020-9852", "CVE-2020-9805", "CVE-2020-9806", "CVE-2020-9812", "CVE-2020-3878", "CVE-2020-9839", "CVE-2020-9795", "CVE-2020-9813", "CVE-2020-9821", "CVE-2020-9802", "CVE-2020-9809", "CVE-2020-9800", "CVE-2020-9842", "CVE-2020-9815", "CVE-2020-9790", "CVE-2020-9850", "CVE-2020-9829", "CVE-2020-9807", "CVE-2020-9808", "CVE-2020-9811", "CVE-2020-9843", "CVE-2020-9814", "CVE-2020-9816", "CVE-2020-9789", "CVE-2020-9797", "CVE-2020-9794", "CVE-2020-9994", "CVE-2019-20503", "CVE-2020-9818"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## watchOS 6.2.5\n\nReleased May 18, 2020\n\n**Accounts**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed with improved input validation.\n\nCVE-2020-9827: Jannik Lorenz of SEEMOO @ TU Darmstadt\n\n**AppleMobileFileIntegrity**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application could interact with system processes to access private information and perform privileged actions\n\nDescription: An entitlement parsing issue was addressed with improved parsing.\n\nCVE-2020-9842: Linus Henze (pinauten.de)\n\n**Audio**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9815: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative\n\n**Audio**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9791: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative\n\n**CoreText**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted text message may lead to application denial of service\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2020-9829: Aaron Perris (@aaronp613), an anonymous researcher, an anonymous researcher, 
Carlos S Tech, Sam Menzies of Sam\u2019s Lounge, Sufiyan Gouri of Lovely Professional University, India, Suleman Hasan Rathor of Arabic-Classroom.com\n\n**FontParser**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9816: Peter Nguyen Vu Hoang of STAR Labs working with Trend Micro Zero Day Initiative\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-3878: Samuel Gro\u00df of Google Project Zero\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9789: Wenchao Li of VARAS@IIE\n\nCVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9821: Xinru Chi and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to determine another application's memory layout\n\nDescription: An information disclosure issue was addressed by removing the vulnerable code.\n\nCVE-2020-9797: an anonymous researcher\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: An integer overflow was addressed through 
improved input validation.\n\nCVE-2020-9852: Tao Huang and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2020-9795: Zhuo Liang of Qihoo 360 Vulcan Team\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: An application may be able to cause unexpected system termination or write kernel memory\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9808: Xinru Chi and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A local user may be able to read kernel memory\n\nDescription: An information disclosure issue was addressed with improved state management.\n\nCVE-2020-9811: Tielei Wang of Pangu Lab\n\nCVE-2020-9812: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A logic issue existed resulting in memory corruption. 
This was addressed with improved state management.\n\nCVE-2020-9813: Xinru Chi of Pangu Lab\n\nCVE-2020-9814: Xinru Chi and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An information disclosure issue was addressed with improved state management.\n\nCVE-2020-9809: Benjamin Randazzo (@____benjamin)\n\n**libxpc**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to overwrite arbitrary files\n\nDescription: A path handling issue was addressed with improved validation.\n\nCVE-2020-9994: Apple\n\nEntry added September 21, 2020\n\n**Mail**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted mail message may lead to heap corruption\n\nDescription: A memory consumption issue was addressed with improved memory handling.\n\nCVE-2020-9819: ZecOps.com\n\n**Mail**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted mail message may lead to unexpected memory modification or application termination\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9818: ZecOps.com\n\n**rsync**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A remote attacker may be able to overwrite existing files\n\nDescription: A validation issue existed in the handling of symlinks. 
This issue was addressed with improved validation of symlinks.\n\nCVE-2014-9512: gaojianfeng\n\nEntry added July 28, 2020\n\n**SQLite**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may cause a denial of service or potentially disclose memory contents\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9794\n\n**System Preferences**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with improved state handling.\n\nCVE-2020-9839: @jinmo123, @setuid0x0_, and @insu_yun_en of @SSLab_Gatech working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing maliciously crafted web content may lead to universal cross site scripting\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9805: an anonymous researcher\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9802: Samuel Gro\u00df of Google Project Zero\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9850: @jinmo123, @setuid0x0_, and @insu_yun_en of @SSLab_Gatech working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing maliciously crafted web content may lead to a cross site scripting attack\n\nDescription: An input validation issue was addressed with improved input validation.\n\nCVE-2020-9843: Ryan Pickren (ryanpickren.com)\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and 
later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2020-9803: Wen Xu of SSLab at Georgia Tech\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9806: Wen Xu of SSLab at Georgia Tech\n\nCVE-2020-9807: Wen Xu of SSLab at Georgia Tech\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2020-9800: Brendan Draper (@6r3nd4n) working with Trend Micro Zero Day Initiative\n\n**WebRTC**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing maliciously crafted web content may result in the disclosure of process memory\n\nDescription: An access issue was addressed with improved memory management.\n\nCVE-2019-20503: Natalie Silvanovich of Google Project Zero\n\n\n\n## Additional recognition\n\n**CoreText**\n\nWe would like to acknowledge Jiska Classen (@naehrdine) and Dennis Heinze (@ttdennis) of Secure Mobile Networking Lab for their assistance.\n\n**ImageIO**\n\nWe would like to acknowledge Lei Sun for their assistance.\n\n**IOHIDFamily**\n\nWe would like to acknowledge Andy Davis of NCC Group for their assistance.\n\n**Kernel**\n\nWe would like to acknowledge Brandon Azad of Google Project Zero for their assistance.\n\n**Safari**\n\nWe would like to acknowledge Luke Walker of Manchester Metropolitan University for their assistance.\n\n**WebKit**\n\nWe would like to acknowledge Aidan Dunlap of UT Austin for their assistance.\n", "edition": 6, "modified": "2020-09-21T04:34:00", "published": "2020-09-21T04:34:00", "id": "APPLE:HT211175", 
"href": "https://support.apple.com/kb/HT211175", "title": "About the security content of watchOS 6.2.5 - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:44:35", "bulletinFamily": "software", "cvelist": ["CVE-2020-9827", "CVE-2014-9512", "CVE-2020-9792", "CVE-2020-9837", "CVE-2020-9791", "CVE-2020-9803", "CVE-2020-9844", "CVE-2020-9819", "CVE-2020-9852", "CVE-2020-9854", "CVE-2020-9805", "CVE-2020-9806", "CVE-2020-9826", "CVE-2020-9812", "CVE-2020-3878", "CVE-2020-6616", "CVE-2020-9839", "CVE-2020-9848", "CVE-2020-9795", "CVE-2020-9813", "CVE-2020-9821", "CVE-2020-9802", "CVE-2020-9809", "CVE-2020-9820", "CVE-2020-9800", "CVE-2020-9838", "CVE-2020-9842", "CVE-2020-9815", "CVE-2020-9790", "CVE-2020-9830", "CVE-2020-9825", "CVE-2020-9850", "CVE-2020-9829", "CVE-2020-9807", "CVE-2020-9808", "CVE-2020-9811", "CVE-2020-9843", "CVE-2020-9814", "CVE-2020-9816", "CVE-2020-9789", "CVE-2020-9835", "CVE-2020-9797", "CVE-2020-9794", "CVE-2020-9823", "CVE-2020-9994", "CVE-2019-20503", "CVE-2020-9818"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## iOS 13.5 and iPadOS 13.5\n\nReleased May 20, 2020\n\n**Accounts**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed with improved input validation.\n\nCVE-2020-9827: Jannik Lorenz of SEEMOO @ TU Darmstadt\n\n**AirDrop**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed with improved input validation.\n\nCVE-2020-9826: Dor Hadad of Palo Alto Networks\n\n**AppleMobileFileIntegrity**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A malicious application could interact with system processes to access private information and perform privileged actions\n\nDescription: An entitlement parsing issue was addressed with improved parsing.\n\nCVE-2020-9842: Linus Henze (pinauten.de)\n\n**Audio**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9815: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative\n\n**Audio**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th 
generation\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9791: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative\n\n**Bluetooth**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nDescription: An issue existed with the use of a PRNG with low entropy. This issue was addressed with improved state management.\n\nCVE-2020-6616: J\u00f6rn Tillmanns (@matedealer) and Jiska Classen (@naehrdine) of Secure Mobile Networking Lab\n\n**Bluetooth**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9838: Dennis Heinze (@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab\n\n**CoreText**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Processing a maliciously crafted text message may lead to application denial of service\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2020-9829: Aaron Perris (@aaronp613), an anonymous researcher, an anonymous researcher, Carlos S Tech, Sam Menzies of Sam\u2019s Lounge, Sufiyan Gouri of Lovely Professional University, India, Suleman Hasan Rathor of Arabic-Classroom.com\n\n**FaceTime**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A user\u2019s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing\n\nDescription: An issue existed in the pausing of FaceTime 
video. The issue was resolved with improved logic.\n\nCVE-2020-9835: Olivier Levesque (@olilevesque)\n\n**File System**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A remote attacker may be able to modify the file system\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9820: Thijs Alkemade of Computest\n\n**FontParser**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9816: Peter Nguyen Vu Hoang of STAR Labs working with Trend Micro Zero Day Initiative\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-3878: Samuel Gro\u00df of Google Project Zero\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9789: Wenchao Li of VARAS@IIE\n\nCVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab\n\n**IPSec**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A remote attacker may be able to leak memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9837: Thijs Alkemade of Computest\n\n**Kernel**\n\nAvailable for: iPhone 6s 
and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9821: Xinru Chi and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A malicious application may be able to determine another application's memory layout\n\nDescription: An information disclosure issue was addressed by removing the vulnerable code.\n\nCVE-2020-9797: an anonymous researcher\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: An integer overflow was addressed through improved input validation.\n\nCVE-2020-9852: Tao Huang and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2020-9795: Zhuo Liang of Qihoo 360 Vulcan Team\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: An application may be able to cause unexpected system termination or write kernel memory\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9808: Xinru Chi and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A local user may be able to read kernel memory\n\nDescription: An information 
disclosure issue was addressed with improved state management.\n\nCVE-2020-9811: Tielei Wang of Pangu Lab\n\nCVE-2020-9812: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A logic issue existed resulting in memory corruption. This was addressed with improved state management.\n\nCVE-2020-9813: Xinru Chi of Pangu Lab\n\nCVE-2020-9814: Xinru Chi and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An information disclosure issue was addressed with improved state management.\n\nCVE-2020-9809: Benjamin Randazzo (@____benjamin)\n\n**libxpc**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A malicious application may be able to overwrite arbitrary files\n\nDescription: A path handling issue was addressed with improved validation.\n\nCVE-2020-9994: Apple\n\nEntry added September 21, 2020\n\n**Mail**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Processing a maliciously crafted mail message may lead to heap corruption\n\nDescription: A memory consumption issue was addressed with improved memory handling.\n\nCVE-2020-9819: ZecOps.com\n\n**Mail**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Processing a maliciously crafted mail message may lead to unexpected memory modification or application termination\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9818: 
ZecOps.com\n\n**Messages**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Users removed from an iMessage conversation may still be able to alter state\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-9823: Suryansh Mansharamani, student of Community Middle School, Plainsboro, New Jersey\n\n**Notifications**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A person with physical access to an iOS device may be able to view notification contents from the lockscreen\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2020-9848: Nima\n\n**rsync**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A remote attacker may be able to overwrite existing files\n\nDescription: A validation issue existed in the handling of symlinks. 
This issue was addressed with improved validation of symlinks.\n\nCVE-2014-9512: gaojianfeng\n\nEntry added July 28, 2020\n\n**Sandbox**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A malicious application may be able to bypass Privacy preferences\n\nDescription: An access issue was addressed with additional sandbox restrictions.\n\nCVE-2020-9825: Sreejith Krishnan R (@skr0x1C0)\n\n**Security**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2020-9854: Ilias Morad (A2nkF)\n\nEntry added July 28, 2020\n\n**SQLite**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A malicious application may cause a denial of service or potentially disclose memory contents\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9794\n\n**System Preferences**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with improved state handling.\n\nCVE-2020-9839: @jinmo123, @setuid0x0_, and @insu_yun_en of @SSLab_Gatech working with Trend Micro\u2019s Zero Day Initiative\n\n**USB Audio**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A USB device may be able to cause a denial of service\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2020-9792: Andy Davis of NCC Group\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: 
Processing maliciously crafted web content may lead to universal cross site scripting\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9805: an anonymous researcher\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9802: Samuel Gro\u00df of Google Project Zero\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9850: @jinmo123, @setuid0x0_, and @insu_yun_en of @SSLab_Gatech working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Processing maliciously crafted web content may lead to a cross site scripting attack\n\nDescription: An input validation issue was addressed with improved input validation.\n\nCVE-2020-9843: Ryan Pickren (ryanpickren.com)\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2020-9803: Wen Xu of SSLab at Georgia Tech\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9806: Wen Xu of 
SSLab at Georgia Tech\n\nCVE-2020-9807: Wen Xu of SSLab at Georgia Tech\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2020-9800: Brendan Draper (@6r3nd4n) working with Trend Micro Zero Day Initiative\n\n**WebRTC**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: Processing maliciously crafted web content may result in the disclosure of process memory\n\nDescription: An access issue was addressed with improved memory management.\n\nCVE-2019-20503: Natalie Silvanovich of Google Project Zero\n\n**Wi-Fi**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: A double free issue was addressed with improved memory management.\n\nCVE-2020-9844: Ian Beer of Google Project Zero\n\n**Wi-Fi**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9830: Tielei Wang of Pangu Lab\n\nEntry added August 10, 2020\n\n\n\n## Additional recognition\n\n**Bluetooth**\n\nWe would like to acknowledge Maximilian von Tschirschnitz (@maxinfosec1) of Technical University Munich and Ludwig Peuckert of Technical University Munich for their assistance.\n\n**CoreText**\n\nWe would like to acknowledge Jiska Classen (@naehrdine) and Dennis Heinze (@ttdennis) of Secure Mobile Networking Lab for their assistance.\n\n**Device Analytics**\n\nWe would 
like to acknowledge Mohamed Ghannam (@_simo36) for their assistance.\n\n**ImageIO**\n\nWe would like to acknowledge Lei Sun for their assistance.\n\n**IOHIDFamily**\n\nWe would like to acknowledge Andy Davis of NCC Group for their assistance.\n\n**IPSec**\n\nWe would like to acknowledge Thijs Alkemade of Computest for their assistance.\n\nEntry added August 10, 2020\n\n**Kernel**\n\nWe would like to acknowledge Brandon Azad of Google Project Zero for their assistance.\n\n**Safari**\n\nWe would like to acknowledge Jeffball of GRIMM and Luke Walker of Manchester Metropolitan University for their assistance.\n\n**WebKit**\n\nWe would like to acknowledge Aidan Dunlap of UT Austin for their assistance.\n", "edition": 8, "modified": "2020-09-21T04:30:51", "published": "2020-09-21T04:30:51", "id": "APPLE:HT211168", "href": "https://support.apple.com/kb/HT211168", "title": "About the security content of iOS 13.5 and iPadOS 13.5 - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:43:20", "bulletinFamily": "software", "cvelist": ["CVE-2020-9822", "CVE-2020-9827", "CVE-2020-9817", "CVE-2014-9512", "CVE-2020-9857", "CVE-2020-9771", "CVE-2020-9792", "CVE-2020-9772", "CVE-2020-9779", "CVE-2020-9828", "CVE-2020-9856", "CVE-2020-9837", "CVE-2020-9791", "CVE-2020-9824", "CVE-2020-9844", "CVE-2020-9832", "CVE-2020-9852", "CVE-2020-9854", "CVE-2020-9834", "CVE-2019-14868", "CVE-2020-3882", "CVE-2020-9826", "CVE-2020-9812", "CVE-2020-3878", "CVE-2020-9839", "CVE-2020-9804", "CVE-2020-9795", "CVE-2020-9831", "CVE-2020-9813", "CVE-2020-9821", "CVE-2020-9788", "CVE-2020-9809", "CVE-2020-9842", "CVE-2020-9796", "CVE-2020-9815", "CVE-2020-9790", "CVE-2020-9855", "CVE-2020-9830", "CVE-2020-9841", "CVE-2020-9833", "CVE-2020-9825", "CVE-2020-9810", "CVE-2020-9808", "CVE-2020-9851", "CVE-2020-9811", "CVE-2020-9793", "CVE-2019-20044", "CVE-2020-9814", "CVE-2020-9816", "CVE-2020-9789", "CVE-2020-9797", "CVE-2020-9847", 
"CVE-2020-9794", "CVE-2020-9994"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra\n\nReleased May 26, 2020\n\n**Accounts**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed with improved input validation.\n\nCVE-2020-9827: Jannik Lorenz of SEEMOO @ TU Darmstadt\n\n**Accounts**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9772: Allison Husain of UC Berkeley\n\n**AirDrop**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed with improved input validation.\n\nCVE-2020-9826: Dor Hadad of Palo Alto Networks\n\n**AppleMobileFileIntegrity**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Catalina 10.15.4\n\nImpact: A malicious application could interact with system processes to access private information and perform privileged actions\n\nDescription: An entitlement parsing issue was addressed with improved parsing.\n\nCVE-2020-9842: Linus Henze (pinauten.de)\n\n**AppleUSBNetworking**\n\nAvailable for: macOS 
Catalina 10.15.4\n\nImpact: Inserting a USB device that sends invalid messages may cause a kernel panic\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9804: Andy Davis of NCC Group\n\n**Audio**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9815: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative\n\n**Audio**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: Processing a maliciously crafted audio file may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9791: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative\n\n**Bluetooth**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9831: Yu Wang of Didi Research America\n\n**Bluetooth**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9779: Yu Wang of Didi Research America\n\nEntry added September 21, 2020\n\n**Calendar**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: Importing a maliciously crafted calendar invitation may exfiltrate user information\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-3882: Andy Grant of NCC Group\n\n**CoreBluetooth**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6\n\nImpact: A remote attacker may be able to leak sensitive user information\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9828: Jianjun 
Dai of Qihoo 360 Alpha Lab\n\n**CVMS**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-9856: @jinmo123, @setuid0x0_, and @insu_yun_en of @SSLab_Gatech working with Trend Micro\u2019s Zero Day Initiative\n\n**DiskArbitration**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.4\n\nImpact: A malicious application may be able to break out of its sandbox\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9847: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud (bugcloud.360.cn)\n\n**Find My**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.\n\nCVE-2020-9855: Zhongcheng Li(CK01) of Topsec Alpha Team\n\n**FontParser**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9816: Peter Nguyen Vu Hoang of STAR Labs working with Trend Micro Zero Day Initiative\n\n**ImageIO**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-3878: Samuel Gro\u00df of Google Project Zero\n\n**ImageIO**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved 
bounds checking.\n\nCVE-2020-9789: Wenchao Li of VARAS@IIE\n\nCVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2020-9822: ABC Research s.r.o\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A race condition was addressed with improved state handling.\n\nCVE-2020-9796: ABC Research s.r.o.\n\nEntry added July 28, 2020\n\n**IPSec**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Catalina 10.15.4\n\nImpact: A remote attacker may be able to leak memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9837: Thijs Alkemade of Computest\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9821: Xinru Chi and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: A malicious application may be able to determine another application's memory layout\n\nDescription: An information disclosure issue was addressed by removing the vulnerable code.\n\nCVE-2020-9797: an anonymous researcher\n\n**Kernel**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: An integer overflow was addressed with improved input validation.\n\nCVE-2020-9852: Tao 
Huang and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2020-9795: Zhuo Liang of Qihoo 360 Vulcan Team\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: An application may be able to cause unexpected system termination or write kernel memory\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9808: Xinru Chi and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.4\n\nImpact: A local user may be able to read kernel memory\n\nDescription: An information disclosure issue was addressed with improved state management.\n\nCVE-2020-9811: Tielei Wang of Pangu Lab\n\nCVE-2020-9812: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A logic issue existed resulting in memory corruption. 
This was addressed with improved state management.\n\nCVE-2020-9813: Xinru Chi of Pangu Lab\n\nCVE-2020-9814: Xinru Chi and Tielei Wang of Pangu Lab\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An information disclosure issue was addressed with improved state management.\n\nCVE-2020-9809: Benjamin Randazzo (@____benjamin)\n\n**ksh**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: A local user may be able to execute arbitrary shell commands\n\nDescription: An issue existed in the handling of environment variables. This issue was addressed with improved validation.\n\nCVE-2019-14868\n\n**libxpc**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A malicious application may be able to overwrite arbitrary files\n\nDescription: A path handling issue was addressed with improved validation.\n\nCVE-2020-9994: Apple\n\nEntry added September 21, 2020\n\n**NSURL**\n\nAvailable for: macOS Mojave 10.14.6\n\nImpact: A malicious website may be able to exfiltrate autofilled data in Safari\n\nDescription: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.\n\nCVE-2020-9857: Dlive of Tencent Security Xuanwu Lab\n\n**PackageKit**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: A malicious application may be able to gain root privileges\n\nDescription: A permissions issue existed. 
This issue was addressed with improved permission validation.\n\nCVE-2020-9817: Andy Grant of NCC Group\n\n**PackageKit**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A malicious application may be able to modify protected parts of the file system\n\nDescription: An access issue was addressed with improved access restrictions.\n\nCVE-2020-9851: an anonymous researcher, Linus Henze (pinauten.de)\n\nEntry updated July 15, 2020\n\n**Python**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2020-9793\n\n**rsync**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A remote attacker may be able to overwrite existing files\n\nDescription: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.\n\nCVE-2014-9512: gaojianfeng\n\nEntry added July 28, 2020\n\n**Sandbox**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A malicious application may be able to bypass Privacy preferences\n\nDescription: An access issue was addressed with additional sandbox restrictions.\n\nCVE-2020-9825: Sreejith Krishnan R (@skr0x1C0)\n\n**Sandbox**\n\nAvailable for: macOS Mojave 10.14.6\n\nImpact: A user may gain access to protected parts of the file system\n\nDescription: This issue was addressed with a new entitlement.\n\nCVE-2020-9771: Csaba Fitzl (@theevilbit) of Offensive Security\n\n**Security**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A file may be incorrectly rendered to execute JavaScript\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2020-9788: Wojciech Regu\u0142a of SecuRing (wojciechregula.blog)\n\nEntry updated July 15, 2020\n\n**Security**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with 
improved validation.\n\nCVE-2020-9854: Ilias Morad (A2nkF)\n\nEntry added July 28, 2020\n\n**SIP**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A non-privileged user may be able to modify restricted network settings\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9824: @jamestraynor, Csaba Fitzl (@theevilbit) of Offensive Security\n\nEntry updated June 10, 2020\n\n**Software Update**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A person with physical access to a Mac may be able to bypass Login Window\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2020-9810: Francis @francisschmaltz\n\nEntry added July 15, 2020\n\n**SQLite**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A malicious application may cause a denial of service or potentially disclose memory contents\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-9794\n\n**System Preferences**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with improved state handling.\n\nCVE-2020-9839: @jinmo123, @setuid0x0_, and @insu_yun_en of @SSLab_Gatech working with Trend Micro\u2019s Zero Day Initiative\n\n**USB Audio**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A USB device may be able to cause a denial of service\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2020-9792: Andy Davis of NCC Group\n\n**Wi-Fi**\n\nAvailable for: macOS Catalina 10.15.4\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: A double free issue was addressed with improved memory management.\n\nCVE-2020-9844: Ian Beer of Google Project Zero\n\n**Wi-Fi**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 
10.15.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2020-9830: Tielei Wang of Pangu Lab\n\n**Wi-Fi**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2020-9834: Yu Wang of Didi Research America\n\n**Wi-Fi**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: A local user may be able to read kernel memory\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2020-9833: Yu Wang of Didi Research America\n\n**Wi-Fi**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2020-9832: Yu Wang of Didi Research America\n\n**WindowServer**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: An integer overflow was addressed with improved input validation.\n\nCVE-2020-9841: ABC Research s.r.o. 
working with Trend Micro Zero Day Initiative\n\n**zsh**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2019-20044: Sam Foxman\n\n\n\n## Additional recognition\n\n**CoreBluetooth**\n\nWe would like to acknowledge Maximilian von Tschirschnitz (@maxinfosec1) of Technical University Munich and Ludwig Peuckert of Technical University Munich for their assistance.\n\n**CoreText**\n\nWe would like to acknowledge Jiska Classen (@naehrdine) and Dennis Heinze (@ttdennis) of Secure Mobile Networking Lab for their assistance.\n\n**Endpoint Security**\n\nWe would like to acknowledge an anonymous researcher for their assistance.\n\n**ImageIO**\n\nWe would like to acknowledge Lei Sun for their assistance.\n\n**IOHIDFamily**\n\nWe would like to acknowledge Andy Davis of NCC Group for their assistance.\n\n**IPSec**\n\nWe would like to acknowledge Thijs Alkemade of Computest for their assistance.\n\n**Login Window**\n\nWe would like to acknowledge Jon Morby and an anonymous researcher for their assistance.\n\n**Sandbox**\n\nWe would like to acknowledge Jason L Lang of Optum for their assistance.\n\n**Spotlight**\n\nWe would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance.\n", "edition": 7, "modified": "2020-09-21T04:32:17", "published": "2020-09-21T04:32:17", "id": "APPLE:HT211170", "href": "https://support.apple.com/kb/HT211170", "title": "About the security content of macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-10-03T15:12:05", "description": "The remote host is running a version of macOS / Mac OS X that is 10.15.x prior to 10.15.5, 10.13.x prior to 
10.13.6\nSecurity Update 2020-003, 10.14.x prior to 10.14.6 Security Update 2020-003. It is, therefore, affected by multiple\nvulnerabilities:\n\n - In ksh version 20120801, a flaw was found in the way it\n evaluates certain environment variables. An attacker\n could use this flaw to override or bypass environment\n restrictions to execute shell commands. Services and\n applications that allow remote unauthenticated attackers\n to provide one of those environment variables could\n allow them to exploit this issue remotely.\n (CVE-2019-14868)\n\n - In Zsh before 5.8, attackers able to execute commands\n can regain privileges dropped by the --no-PRIVILEGED\n option. Zsh fails to overwrite the saved uid, so the\n original privileges can be restored by executing\n MODULE_PATH=/dir/with/module zmodload with a module that\n calls setuid(). (CVE-2019-20044)\n\n - An out-of-bounds read was addressed with improved input\n validation. This issue is fixed in iOS 13.3.1 and iPadOS\n 13.3.1, macOS Catalina 10.15.3, tvOS 13.3.1, watchOS\n 6.1.2. Processing a maliciously crafted image may lead\n to arbitrary code execution. 
(CVE-2020-3878)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.", "edition": 7, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-05-28T00:00:00", "title": "macOS 10.15.x < 10.15.5 / 10.14.x < 10.14.6 Security Update 2020-003 / 10.13.x < 10.13.6 Security Update 2020-003", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-9822", "CVE-2020-9827", "CVE-2020-9817", "CVE-2020-9857", "CVE-2020-9771", "CVE-2020-9792", "CVE-2020-9772", "CVE-2020-9828", "CVE-2020-9856", "CVE-2020-9837", "CVE-2020-9791", "CVE-2020-9824", "CVE-2020-9844", "CVE-2020-9832", "CVE-2020-9852", "CVE-2020-9834", "CVE-2019-14868", "CVE-2020-3882", "CVE-2020-9826", "CVE-2020-9812", "CVE-2020-3878", "CVE-2020-9839", "CVE-2020-9804", "CVE-2020-9795", "CVE-2020-9831", "CVE-2020-9813", "CVE-2020-9821", "CVE-2020-9788", "CVE-2020-9809", "CVE-2020-9842", "CVE-2020-9815", "CVE-2020-9790", "CVE-2020-9855", "CVE-2020-9830", "CVE-2020-9841", "CVE-2020-9833", "CVE-2020-9825", "CVE-2020-9808", "CVE-2020-9851", "CVE-2020-9811", "CVE-2020-9793", "CVE-2019-20044", "CVE-2020-9814", "CVE-2020-9816", "CVE-2020-9789", "CVE-2020-9797", "CVE-2020-9847", "CVE-2020-9794"], "modified": "2020-05-28T00:00:00", "cpe": ["cpe:/o:apple:macos", "cpe:/o:apple:mac_os_x"], "id": "MACOS_HT211170.NASL", "href": "https://www.tenable.com/plugins/nessus/136930", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136930);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/02\");\n\n script_cve_id(\n \"CVE-2019-14868\",\n \"CVE-2019-20044\",\n \"CVE-2020-3878\",\n \"CVE-2020-3882\",\n \"CVE-2020-9771\",\n \"CVE-2020-9772\",\n \"CVE-2020-9788\",\n \"CVE-2020-9789\",\n \"CVE-2020-9790\",\n \"CVE-2020-9791\",\n \"CVE-2020-9792\",\n \"CVE-2020-9793\",\n \"CVE-2020-9794\",\n 
\"CVE-2020-9795\",\n \"CVE-2020-9797\",\n \"CVE-2020-9804\",\n \"CVE-2020-9808\",\n \"CVE-2020-9809\",\n \"CVE-2020-9811\",\n \"CVE-2020-9812\",\n \"CVE-2020-9813\",\n \"CVE-2020-9814\",\n \"CVE-2020-9815\",\n \"CVE-2020-9816\",\n \"CVE-2020-9817\",\n \"CVE-2020-9821\",\n \"CVE-2020-9822\",\n \"CVE-2020-9824\",\n \"CVE-2020-9825\",\n \"CVE-2020-9826\",\n \"CVE-2020-9827\",\n \"CVE-2020-9828\",\n \"CVE-2020-9830\",\n \"CVE-2020-9831\",\n \"CVE-2020-9832\",\n \"CVE-2020-9833\",\n \"CVE-2020-9834\",\n \"CVE-2020-9837\",\n \"CVE-2020-9839\",\n \"CVE-2020-9841\",\n \"CVE-2020-9842\",\n \"CVE-2020-9844\",\n \"CVE-2020-9847\",\n \"CVE-2020-9851\",\n \"CVE-2020-9852\",\n \"CVE-2020-9855\",\n \"CVE-2020-9856\",\n \"CVE-2020-9857\"\n );\n script_xref(name:\"APPLE-SA\", value:\"HT211170\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2020-05-18\");\n script_xref(name:\"IAVA\", value:\"2020-A-0227-S\");\n\n script_name(english:\"macOS 10.15.x < 10.15.5 / 10.14.x < 10.14.6 Security Update 2020-003 / 10.13.x < 10.13.6 Security Update 2020-003\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 10.15.x prior to 10.15.5, 10.13.x prior to 10.13.6\nSecurity Update 2020-003, 10.14.x prior to 10.14.6 Security Update 2020-003. It is, therefore, affected by multiple\nvulnerabilities:\n\n - In ksh version 20120801, a flaw was found in the way it\n evaluates certain environment variables. An attacker\n could use this flaw to override or bypass environment\n restrictions to execute shell commands. 
Services and\n applications that allow remote unauthenticated attackers\n to provide one of those environment variables could\n allow them to exploit this issue remotely.\n (CVE-2019-14868)\n\n - In Zsh before 5.8, attackers able to execute commands\n can regain privileges dropped by the --no-PRIVILEGED\n option. Zsh fails to overwrite the saved uid, so the\n original privileges can be restored by executing\n MODULE_PATH=/dir/with/module zmodload with a module that\n calls setuid(). (CVE-2019-20044)\n\n - An out-of-bounds read was addressed with improved input\n validation. This issue is fixed in iOS 13.3.1 and iPadOS\n 13.3.1, macOS Catalina 10.15.3, tvOS 13.3.1, watchOS\n 6.1.2. Processing a maliciously crafted image may lead\n to arbitrary code execution. (CVE-2020-3878)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT211170\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 10.15.5 / 10.14.x < 10.14.6 Security Update 2020-003 / 10.13.x < 10.13.6 Security Update 2020-003 or\nlater\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-9852\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari in Operator Side Effect Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2020/02/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('lists.inc');\ninclude('vcf_extras_apple.inc'); \n\napp_info = vcf::apple::macos::get_app_info();\n\nconstraints = [\n { 'max_version' : '10.15.4', 'min_version' : '10.15', 'fixed_build' : '19F96', 'fixed_display' : 'macOS Catalina 10.15.5' },\n { 'max_version' : '10.13.6', 'min_version' : '10.13', 'fixed_build' : '17G13033', 'fixed_display' : '10.13.6 Security Update 2020-003' },\n { 'max_version' : '10.14.6', 'min_version' : '10.14', 'fixed_build' : '18G5033', 'fixed_display' : '10.14.6 Security Update 2020-003' }\n];\n\nvcf::apple::macos::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}