Lucene search

K
kasperskyKaspersky LabKLA11791
HistoryMay 21, 2020 - 12:00 a.m.

KLA11791 Multiple vulnerabilities in Apple iTunes

2020-05-2100:00:00
Kaspersky Lab
threats.kaspersky.com
38
apple itunes
webkit
sqlite
imageio
arbitrary code execution
obtaining sensitive information
denial of service
cross-site scripting
cve-2020-9805
cve-2020-9802
cve-2020-9800
cve-2020-9794
cve-2020-9807
cve-2020-9789
cve-2020-9806
cve-2020-9790
cve-2020-3878
cve-2020-9843
cve-2020-9803
cve-2020-9850

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.593

Percentile

97.8%

Multiple vulnerabilities were found in Apple iTunes. Malicious users can exploit these vulnerabilities to execute arbitrary code, perform cross-site scripting attack, obtain sensitive information, cause denial of service.

Below is a complete list of vulnerabilities:

  1. A logic vulnerability in WebKit can be exploited via special crafted webpage to execute arbitrary code.
  2. A logic vulnerability in WebKit can be exploited via special crafted webpage to perform cross-site scripting attacks.
  3. A type confusion vulnerability in WebKit can be exploited via special crafted webpage to execute arbitrary code.
  4. An out-of-bounds read vulnerability in SQLite can be exploited to potentially cause denial of service or obtain sensitive information.
  5. A memory corruption vulnerability in WebKit can be exploited via special crafted webpage to execute arbitrary code.
  6. An out-of-bounds write vulnerability in ImageIO can be exploited via special crafted image to execute arbitrary code.
  7. An out-of-bounds read vulnerability in ImageIO can be exploited via special crafted image to execute arbitrary code.
  8. An input validation vulnerability in WebKit can be expoloited via special crafted webpage to perform cross-site scripting attacks.
  9. A memory corruption vulnerability in WebKit can be exploited via special crafted webpage to execute arbitrary code.
  10. A logic vulnerability in WebKit can be exploited remotely to execute arbitrary code.

Original advisories

About the security content of iTunes 12.10.7 for Windows

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Related products

Apple-iTunes

CVE list

CVE-2020-9805 high

CVE-2020-9802 high

CVE-2020-9800 high

CVE-2020-9794 high

CVE-2020-9807 high

CVE-2020-9789 critical

CVE-2020-9806 high

CVE-2020-9790 critical

CVE-2020-3878 high

CVE-2020-9843 high

CVE-2020-9803 high

CVE-2020-9850 critical

Solution

Update to the latest version

Download iTunes

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

  • XSS/CSS

Cross site scripting. Exploitation of vulnerabilities with this impact can lead to partial interception of information transmitted between user and site.

Affected Products

  • Apple iTunes earlier than 12.10.7

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.593

Percentile

97.8%