iOS < 12.2 / macOS < 10.14.4 XNU - pidversion Increment During execve is Unsafe Exploit
2019-04-03T00:00:00
ID 1337DAY-ID-32475 Type zdt Reporter Google Security Research Modified 2019-04-03T00:00:00
Description
Exploit for multiple platform in category dos / poc
iOS < 12.2 / #macOS < 10.14.4 #XNU - pidversion Increment During execve is Unsafe Exploit
Privileged IPC services in userspace often have to verify the security context of their client processes (such as whether the client is sandboxed, has a specific entitlement, or is signed by some code signing authority). This, in turn, requires a way to identify a client process. If PIDs are used for that purpose, the following attack becomes possible:
1. The (unprivileged) client process sends an IPC message to a privileged service
2. The client process terminates and spawns a privileged process into its PID
3. The privileged service performs the security check, but since the PID has been reused it performs it on the wrong process
This attack is feasible because the PID space is usually fairly small (e.g. 100000 for XNU) and PIDs can thus be wrapped around relatively quickly (in step 2 or up front). As such, on darwin platforms the recommended way to identify IPC clients for the purpose of performing security checks in userspace is to rely on the audit_token. In contrast to the PID, which wraps around at 100000, the audit_token additionally contains the pidversion, which is in essence a 32-bit PID (from bsd/kern/kern_fork.c):
proc_t
forkproc(proc_t parent_proc)
{
static int nextpid = 0, pidwrap = 0, nextpidversion = 0;
...;
/* Repeat until nextpid is a currently unused PID. */
nextpid++;
...;
nprocs++;
child_proc->p_pid = nextpid;
child_proc->p_responsible_pid = nextpid;
child_proc->p_idversion = nextpidversion++;
...;
When using audit_tokens, the previously described attack would now require creating two different processes which have the same pair of (pid, pidversion), which in turn would require spawning roughly 2**32 processes to wrap around the pidversion. However, the pidversion is additionally incremented during execve (from bsd/kern/kern_exec.c):
/* Update the process' identity version and set the security token */
p->p_idversion++;
This is likely done to prevent another attack where a process sends an IPC message, then immediately execve's a privileged binary. The problem here is that the pidversion is incremented "ad-hoc", without updating the global nextpidversion variable. With that it becomes possible to create two processes with the same (pid, pidversion) pair without wrapping around the 32-bit pidversion:
1. The initial exploit process is identified by the pair (pid: X, pidversion: Y)
2. The exploit performs 10000 execves to get (X, Y + 100000)
3. The exploit interacts with a privileged service which stores the client's audit_token (or directly uses it, in which case the following part becomes a race)
4. The exploit forks, with the parent processes immediately terminating, until it has the same PID again. This could, for example, require 99000 forks (because some PIDs are in use). The process now has (X, Y + 99000)
5. The exploit execves until it has (X, Y + 99999)
6. The exploit execves a privileged binary. The privileged binary will have (X, Y + 100000)
7. At this time the privileged service performs a security check of the client but will perform this check on the entitled process even though the request came from an unprivileged process
The attached PoC demonstrates this by showing that an IPC service can be tricked into believing that the client has a specific entitlement. To reproduce:
1. compile the attached code: `make`
2. start the helper service: `./service`. The service simply prints the value of a predefined entitlement (currently "com.apple.private.AuthorizationServices") of a connected client
3. in a separate shell start the exploit: `./exploit`.
4. once the exploit prints "[+] All done. Spawning sudo now", press enter in the shell where the helper service is running. It should now print the value of the entitlement.
The gained primitive (obtaining more or less arbitrary entitlements) can then e.g. be used as described here: https://gist.github.com/ChiChou/e3a50f00853b2fbfb1debad46e501121. Besides entitlements, it should also be possible to spoof code signatures this way. Furthermore, it might be possible to use this bug for a sandbox escape if one is able to somehow perform execve (there are multiple sandboxed services and applications that have (allow process-exec) in their sandbox profile for example). In that case, one could spawn a non-sandboxed system service into the same (pid, pidversion) pair prior to performing some IPC operations where the endpoint will do a sandbox_check_by_audit_token. However, precisely spawning a non-sandboxed process into the same (pid, pidversion) will likely be a lot less reliable.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46648.zip
# 0day.today [2019-04-04] #
{"id": "1337DAY-ID-32475", "bulletinFamily": "exploit", "title": "iOS < 12.2 / macOS < 10.14.4 XNU - pidversion Increment During execve is Unsafe Exploit", "description": "Exploit for multiple platform in category dos / poc", "published": "2019-04-03T00:00:00", "modified": "2019-04-03T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/32475", "reporter": "Google Security Research", "references": [], "cvelist": ["CVE-2019-8514"], "type": "zdt", "lastseen": "2019-04-04T23:41:12", "edition": 1, "viewCount": 17, "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2019-04-04T23:41:12", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-8514"]}, {"type": "exploitdb", "idList": ["EDB-ID:46648"]}, {"type": "thn", "idList": ["THN:7E4DBFD0E034C7DF2A58395049033C66"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815009"]}, {"type": "nessus", "idList": ["MACOS_10_14_4.NASL"]}, {"type": "apple", "idList": ["APPLE:HT209602", "APPLE:HT209601", "APPLE:HT209599", "APPLE:HT209600"]}], "modified": "2019-04-04T23:41:12", "rev": 2}, "vulnersScore": 6.3}, "sourceHref": "https://0day.today/exploit/32475", "sourceData": "iOS < 12.2 / #macOS < 10.14.4 #XNU - pidversion Increment During execve is Unsafe Exploit\r\n\r\nPrivileged IPC services in userspace often have to verify the security context of their client processes (such as whether the client is sandboxed, has a specific entitlement, or is signed by some code signing authority). This, in turn, requires a way to identify a client process. If PIDs are used for that purpose, the following attack becomes possible:\r\n\r\n1. The (unprivileged) client process sends an IPC message to a privileged service\r\n2. The client process terminates and spawns a privileged process into its PID\r\n3. The privileged service performs the security check, but since the PID has been reused it performs it on the wrong process\r\n\r\nThis attack is feasible because the PID space is usually fairly small (e.g. 100000 for XNU) and PIDs can thus be wrapped around relatively quickly (in step 2 or up front). As such, on darwin platforms the recommended way to identify IPC clients for the purpose of performing security checks in userspace is to rely on the audit_token. In contrast to the PID, which wraps around at 100000, the audit_token additionally contains the pidversion, which is in essence a 32-bit PID (from bsd/kern/kern_fork.c):\r\n\r\n proc_t\r\n forkproc(proc_t parent_proc)\r\n {\r\n static int nextpid = 0, pidwrap = 0, nextpidversion = 0;\r\n ...;\r\n\r\n /* Repeat until nextpid is a currently unused PID. */\r\n nextpid++;\r\n ...;\r\n\r\n nprocs++;\r\n child_proc->p_pid = nextpid;\r\n child_proc->p_responsible_pid = nextpid;\r\n child_proc->p_idversion = nextpidversion++;\r\n ...;\r\n\r\nWhen using audit_tokens, the previously described attack would now require creating two different processes which have the same pair of (pid, pidversion), which in turn would require spawning roughly 2**32 processes to wrap around the pidversion. However, the pidversion is additionally incremented during execve (from bsd/kern/kern_exec.c):\r\n\r\n /* Update the process' identity version and set the security token */\r\n p->p_idversion++;\r\n\r\nThis is likely done to prevent another attack where a process sends an IPC message, then immediately execve's a privileged binary. The problem here is that the pidversion is incremented \"ad-hoc\", without updating the global nextpidversion variable. With that it becomes possible to create two processes with the same (pid, pidversion) pair without wrapping around the 32-bit pidversion:\r\n\r\n1. The initial exploit process is identified by the pair (pid: X, pidversion: Y)\r\n2. The exploit performs 10000 execves to get (X, Y + 100000)\r\n3. The exploit interacts with a privileged service which stores the client's audit_token (or directly uses it, in which case the following part becomes a race)\r\n4. The exploit forks, with the parent processes immediately terminating, until it has the same PID again. This could, for example, require 99000 forks (because some PIDs are in use). The process now has (X, Y + 99000)\r\n5. The exploit execves until it has (X, Y + 99999)\r\n6. The exploit execves a privileged binary. The privileged binary will have (X, Y + 100000)\r\n7. At this time the privileged service performs a security check of the client but will perform this check on the entitled process even though the request came from an unprivileged process\r\n\r\nThe attached PoC demonstrates this by showing that an IPC service can be tricked into believing that the client has a specific entitlement. To reproduce:\r\n\r\n1. compile the attached code: `make`\r\n2. start the helper service: `./service`. The service simply prints the value of a predefined entitlement (currently \"com.apple.private.AuthorizationServices\") of a connected client\r\n3. in a separate shell start the exploit: `./exploit`.\r\n4. once the exploit prints \"[+] All done. Spawning sudo now\", press enter in the shell where the helper service is running. It should now print the value of the entitlement.\r\n\r\nThe gained primitive (obtaining more or less arbitrary entitlements) can then e.g. be used as described here: https://gist.github.com/ChiChou/e3a50f00853b2fbfb1debad46e501121. Besides entitlements, it should also be possible to spoof code signatures this way. Furthermore, it might be possible to use this bug for a sandbox escape if one is able to somehow perform execve (there are multiple sandboxed services and applications that have (allow process-exec) in their sandbox profile for example). In that case, one could spawn a non-sandboxed system service into the same (pid, pidversion) pair prior to performing some IPC operations where the endpoint will do a sandbox_check_by_audit_token. However, precisely spawning a non-sandboxed process into the same (pid, pidversion) will likely be a lot less reliable.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46648.zip\n\n# 0day.today [2019-04-04] #"}
{"cve": [{"lastseen": "2020-12-09T21:41:57", "description": "A logic issue was addressed with improved state management. This issue is fixed in iOS 12.2, macOS Mojave 10.14.4, tvOS 12.2, watchOS 5.2. An application may be able to gain elevated privileges.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-18T18:15:00", "title": "CVE-2019-8514", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-8514"], "modified": "2020-08-24T17:37:00", "cpe": [], "id": "CVE-2019-8514", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8514", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "exploitdb": [{"lastseen": "2019-04-03T18:03:22", "description": "", "published": "2019-04-03T00:00:00", "type": "exploitdb", "title": "iOS < 12.2 / macOS < 10.14.4 XNU - pidversion Increment During execve is Unsafe", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-8514"], "modified": "2019-04-03T00:00:00", "id": "EDB-ID:46648", "href": "https://www.exploit-db.com/exploits/46648", "sourceData": "Privileged IPC services in userspace often have to verify the security context of their client processes (such as whether the client is sandboxed, has a specific entitlement, or is signed by some code signing authority). This, in turn, requires a way to identify a client process. If PIDs are used for that purpose, the following attack becomes possible:\r\n\r\n1. The (unprivileged) client process sends an IPC message to a privileged service\r\n2. The client process terminates and spawns a privileged process into its PID\r\n3. The privileged service performs the security check, but since the PID has been reused it performs it on the wrong process\r\n\r\nThis attack is feasible because the PID space is usually fairly small (e.g. 100000 for XNU) and PIDs can thus be wrapped around relatively quickly (in step 2 or up front). As such, on darwin platforms the recommended way to identify IPC clients for the purpose of performing security checks in userspace is to rely on the audit_token. In contrast to the PID, which wraps around at 100000, the audit_token additionally contains the pidversion, which is in essence a 32-bit PID (from bsd/kern/kern_fork.c):\r\n\r\n proc_t\r\n forkproc(proc_t parent_proc)\r\n {\r\n static int nextpid = 0, pidwrap = 0, nextpidversion = 0;\r\n ...;\r\n\r\n /* Repeat until nextpid is a currently unused PID. */\r\n nextpid++;\r\n ...;\r\n\r\n nprocs++;\r\n child_proc->p_pid = nextpid;\r\n child_proc->p_responsible_pid = nextpid;\r\n child_proc->p_idversion = nextpidversion++;\r\n ...;\r\n\r\nWhen using audit_tokens, the previously described attack would now require creating two different processes which have the same pair of (pid, pidversion), which in turn would require spawning roughly 2**32 processes to wrap around the pidversion. However, the pidversion is additionally incremented during execve (from bsd/kern/kern_exec.c):\r\n\r\n /* Update the process' identity version and set the security token */\r\n p->p_idversion++;\r\n\r\nThis is likely done to prevent another attack where a process sends an IPC message, then immediately execve's a privileged binary. The problem here is that the pidversion is incremented \"ad-hoc\", without updating the global nextpidversion variable. With that it becomes possible to create two processes with the same (pid, pidversion) pair without wrapping around the 32-bit pidversion:\r\n\r\n1. The initial exploit process is identified by the pair (pid: X, pidversion: Y)\r\n2. The exploit performs 10000 execves to get (X, Y + 100000)\r\n3. The exploit interacts with a privileged service which stores the client's audit_token (or directly uses it, in which case the following part becomes a race)\r\n4. The exploit forks, with the parent processes immediately terminating, until it has the same PID again. This could, for example, require 99000 forks (because some PIDs are in use). The process now has (X, Y + 99000)\r\n5. The exploit execves until it has (X, Y + 99999)\r\n6. The exploit execves a privileged binary. The privileged binary will have (X, Y + 100000)\r\n7. At this time the privileged service performs a security check of the client but will perform this check on the entitled process even though the request came from an unprivileged process\r\n\r\nThe attached PoC demonstrates this by showing that an IPC service can be tricked into believing that the client has a specific entitlement. To reproduce:\r\n\r\n1. compile the attached code: `make`\r\n2. start the helper service: `./service`. The service simply prints the value of a predefined entitlement (currently \"com.apple.private.AuthorizationServices\") of a connected client\r\n3. in a separate shell start the exploit: `./exploit`.\r\n4. once the exploit prints \"[+] All done. Spawning sudo now\", press enter in the shell where the helper service is running. It should now print the value of the entitlement.\r\n\r\nThe gained primitive (obtaining more or less arbitrary entitlements) can then e.g. be used as described here: https://gist.github.com/ChiChou/e3a50f00853b2fbfb1debad46e501121. Besides entitlements, it should also be possible to spoof code signatures this way. Furthermore, it might be possible to use this bug for a sandbox escape if one is able to somehow perform execve (there are multiple sandboxed services and applications that have (allow process-exec) in their sandbox profile for example). In that case, one could spawn a non-sandboxed system service into the same (pid, pidversion) pair prior to performing some IPC operations where the endpoint will do a sandbox_check_by_audit_token. However, precisely spawning a non-sandboxed process into the same (pid, pidversion) will likely be a lot less reliable.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46648.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46648"}], "thn": [{"lastseen": "2019-03-26T09:26:45", "bulletinFamily": "info", "cvelist": ["CVE-2019-6222", "CVE-2019-8503", "CVE-2019-8514", "CVE-2019-8527", "CVE-2019-8553", "CVE-2019-8566"], "description": "[](<https://1.bp.blogspot.com/-ZqprYHzgFPU/XJnZJwjGb9I/AAAAAAAAzlw/KI0KRkH8uLQqLhGv-wbNoZkWh49GVl-uACLcBGAs/s728-e100/ios-update-iphone-security.png>)\n\nApple on Monday released iOS 12.2 to patch a total of 51 security vulnerabilities in its mobile operating system that affects iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. \n \nA majority of vulnerabilities Apple patched this month reside in its web rendering engine WebKit, which is used by many apps and web browsers running on the Apple's operating system. \n \nAccording to the [advisory](<https://support.apple.com/en-in/HT209599>), just opening a maliciously crafted web content using any vulnerable WebKit-based application could allow remote attackers to execute arbitrary code, disclose sensitive user information, bypass sandbox restrictions, or launch universal cross-site scripting attacks on the device. \n\n\n \nAmong the WebKit vulnerabilities include a consistency issue (CVE-2019-6222) that allows malicious websites to potentially access an iOS device microphone without the \"microphone-in-use\" indicator being shown. \n \nA similar vulnerability (CVE-2019-8566) has been patched in Apple's ReplayKit API that could allow a malicious application to access the iOS device\u2019s microphone without alerting the user. \n \n\n\n> \"An API issue existed in the handling of microphone data. This issue was addressed with improved validation,\" Apple says in its advisory briefing the ReplayKit bug.\n\n \nApple has also patched a serious logical bug (CVE-2019-8503) in WebKit that could have allowed malicious websites to execute scripts in the context of another site, allowing them to steal your information stored on other sites or launch a wide-range of online attacks. \n \nBesides WebKit issues, the advisory also revealed the existence of a critical flaw in earlier iOS versions that could lead to arbitrary code execution just by convincing victims into clicking a malicious SMS link. \n\n\n \nThe SMS vulnerability, identified as CVE-2019-8553, appears to affect iPhone 5s and later, iPad Air and later, and iPod touch 6th generation devices. \n \nApple has also patched a total of six vulnerabilities in iOS kernel, of which CVE-2019-8527 could allow a remote attacker to crash the system or corrupt kernel memory, CVE-2019-8514 could be used to elevate privileges, and rest allow malicious apps to read memory layout. \n \nThe technical details and proof-of-concept code for the newly patched flaws are yet unavailable. \n \nTo check for the update on your iPhone or iPad, go to Settings\u2192 General \u2192 Software Update and click the 'Download and Install' button. \n\n\nHave something to say about this article? Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/the-hacker-news/>).\n", "modified": "2019-03-26T08:44:59", "published": "2019-03-26T08:44:00", "id": "THN:7E4DBFD0E034C7DF2A58395049033C66", "href": "https://thehackernews.com/2019/03/ios-update-iphone-security.html", "type": "thn", "title": "Latest iOS 12.2 Update Patches Some Serious Security Vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2020-03-05T16:57:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-8549", "CVE-2019-8545", "CVE-2019-8533", "CVE-2019-8552", "CVE-2019-8519", "CVE-2019-8517", "CVE-2019-8546", "CVE-2019-7293", "CVE-2019-8565", "CVE-2019-6237", "CVE-2019-8542", "CVE-2019-8537", "CVE-2019-6239", "CVE-2019-8511", "CVE-2019-8516", "CVE-2019-8507", "CVE-2019-8502", "CVE-2019-8514", "CVE-2019-8550"], "description": "This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.", "modified": "2020-03-04T00:00:00", "published": "2019-03-26T00:00:00", "id": "OPENVAS:1361412562310815009", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815009", "type": "openvas", "title": "Apple MacOSX Security Updates(HT209600)-04", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815009\");\n script_version(\"2020-03-04T09:29:37+0000\");\n script_cve_id(\"CVE-2019-8502\", \"CVE-2019-8546\", \"CVE-2019-8545\", \"CVE-2019-8542\",\n \"CVE-2019-8549\", \"CVE-2019-6237\", \"CVE-2019-6239\", \"CVE-2019-7293\",\n \"CVE-2019-8565\", \"CVE-2019-8519\", \"CVE-2019-8533\", \"CVE-2019-8511\",\n \"CVE-2019-8514\", \"CVE-2019-8517\", \"CVE-2019-8516\", \"CVE-2019-8537\",\n \"CVE-2019-8550\", \"CVE-2019-8552\", \"CVE-2019-8507\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-03-04 09:29:37 +0000 (Wed, 04 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-03-26 15:43:30 +0530 (Tue, 26 Mar 2019)\");\n script_name(\"Apple MacOSX Security Updates(HT209600)-04\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An API issue existed in the handling of dictation requests.\n\n - An access issue related to sandbox restrictions.\n\n - A memory corruption issue related to improper state management.\n\n - A buffer overflow error improper bounds checking.\n\n - Multiple input validation issues existed in MIG generated code.\n\n - An out-of-bounds read related to improper bounds checking.\n\n - This issue related to improper handling of file metadata.\n\n - A memory corruption issue related to improper memory handling.\n\n - A race condition was addressed with additional validation.\n\n - A lock handling issue related to improper lock handling.\n\n - A buffer overflow issue related to improper memory handling.\n\n - A logic issue was addressed with improved state management.\n\n - A validation issue was addressed with improved logic.\n\n - An access issue was addressed with improved memory management.\n\n - An issue existed in the pausing of FaceTime video.\n\n - A memory initialization issue was addressed with improved memory handling.\n\n - Multiple memory corruption issues related to improper input validation.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows attackers\n to view sensitive user information, elevate privileges, cause unexpected system\n termination and execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions 10.14.x through 10.14.3.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X 10.14.4 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT209600\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.14\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"ssh_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName){\n exit(0);\n}\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.14\" || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nif(version_in_range(version:osVer, test_version:\"10.14\",test_version2:\"10.14.3\"))\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"10.14.4\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T03:20:41", "description": "The remote host is running a version of macOS / Mac OS X that is\n10.14.x prior to 10.14.4. It is, therefore, affected by multiple\nvulnerabilities, including:\n\n - Mounting a maliciously crafted NFS network share may lead to\n arbitrary code execution with system privileges. (CVE-2019-8508)\n\n - An application may be able to execute arbitrary code with kernel\n privileges. (CVE-2019-8529)\n\n - A malicious application may be able to execute arbitrary code\n with system privileges (CVE-2019-8549)", "edition": 20, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}, "published": "2019-03-27T00:00:00", "title": "macOS 10.14.x < 10.14.4 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-8526", "CVE-2019-8549", "CVE-2019-8555", "CVE-2019-8504", "CVE-2019-8522", "CVE-2019-8521", "CVE-2019-8561", "CVE-2019-6207", "CVE-2019-8545", "CVE-2019-8533", "CVE-2019-8520", "CVE-2018-18313", "CVE-2019-8513", "CVE-2019-8552", "CVE-2019-8519", "CVE-2019-8517", "CVE-2018-18311", "CVE-2019-8546", "CVE-2018-12015", "CVE-2019-7293", "CVE-2019-8529", "CVE-2019-8565", "CVE-2019-6237", "CVE-2019-8540", "CVE-2019-8508", "CVE-2019-8542", "CVE-2019-8537", "CVE-2019-6239", "CVE-2019-8511", "CVE-2019-8516", "CVE-2019-8527", "CVE-2019-8507", "CVE-2019-8502", "CVE-2019-8530", "CVE-2019-8510", "CVE-2019-8514", "CVE-2019-8550"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:apple:macos", "cpe:/o:apple:mac_os_x"], "id": "MACOS_10_14_4.NASL", "href": "https://www.tenable.com/plugins/nessus/123128", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123128);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2020/01/31\");\n\n script_cve_id(\n \"CVE-2018-12015\",\n \"CVE-2018-18311\",\n \"CVE-2018-18313\",\n \"CVE-2019-6207\",\n \"CVE-2019-6237\",\n \"CVE-2019-6239\",\n \"CVE-2019-7293\",\n \"CVE-2019-8502\",\n \"CVE-2019-8504\",\n \"CVE-2019-8507\",\n \"CVE-2019-8508\",\n \"CVE-2019-8510\",\n \"CVE-2019-8511\",\n \"CVE-2019-8513\",\n \"CVE-2019-8514\",\n \"CVE-2019-8516\",\n \"CVE-2019-8517\",\n \"CVE-2019-8519\",\n \"CVE-2019-8520\",\n \"CVE-2019-8521\",\n \"CVE-2019-8522\",\n \"CVE-2019-8526\",\n \"CVE-2019-8527\",\n \"CVE-2019-8529\",\n \"CVE-2019-8530\",\n \"CVE-2019-8533\",\n \"CVE-2019-8537\",\n \"CVE-2019-8540\",\n \"CVE-2019-8542\",\n \"CVE-2019-8545\",\n \"CVE-2019-8546\",\n \"CVE-2019-8549\",\n \"CVE-2019-8550\",\n \"CVE-2019-8552\",\n \"CVE-2019-8555\",\n \"CVE-2019-8561\",\n \"CVE-2019-8565\"\n );\n script_bugtraq_id(104423, 106072, 106145);\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2019-3-25-2\");\n\n script_name(english:\"macOS 10.14.x < 10.14.4 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Mac OS X / macOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple security\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is\n10.14.x prior to 10.14.4. It is, therefore, affected by multiple\nvulnerabilities, including:\n\n - Mounting a maliciously crafted NFS network share may lead to\n arbitrary code execution with system privileges. (CVE-2019-8508)\n\n - An application may be able to execute arbitrary code with kernel\n privileges. (CVE-2019-8529)\n\n - A malicious application may be able to execute arbitrary code\n with system privileges (CVE-2019-8549)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT209600\");\n # https://lists.apple.com/archives/security-announce/2019/Mar/msg00001.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?71533e9d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS version 10.14.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-8527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Feedback Assistant Race Condition');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nfix = \"10.14.4\";\nminver = \"10.14\";\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Can't determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\nmatches = pregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (empty_or_null(matches)) exit(1, \"Failed to parse the macOS / Mac OS X version ('\" + os + \"').\");\n\nversion = matches[1];\n\nif (ver_compare(ver:version, minver:minver, fix:fix, strict:FALSE) == -1)\n{\n security_report_v4(\n port:0,\n severity:SECURITY_HOLE,\n extra:\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n'\n );\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"macOS / Mac OS X\", version);\n", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:C"}}], "apple": [{"lastseen": "2020-12-24T20:43:52", "bulletinFamily": "software", "cvelist": ["CVE-2019-8518", "CVE-2019-8528", "CVE-2019-8549", "CVE-2019-6207", "CVE-2019-8563", "CVE-2019-8545", "CVE-2019-8506", "CVE-2019-8559", "CVE-2019-8538", "CVE-2019-8558", "CVE-2019-8552", "CVE-2019-8517", "CVE-2019-8547", "CVE-2019-8906", "CVE-2019-8639", "CVE-2019-8544", "CVE-2019-8546", "CVE-2019-8638", "CVE-2019-7293", "CVE-2019-8553", "CVE-2019-8540", "CVE-2019-8542", "CVE-2019-8511", "CVE-2019-8536", "CVE-2019-8516", "CVE-2019-8527", "CVE-2019-8532", "CVE-2019-8525", "CVE-2019-8541", "CVE-2019-7292", "CVE-2019-8502", "CVE-2019-8531", "CVE-2019-5608", "CVE-2019-8548", "CVE-2019-8618", "CVE-2019-7286", "CVE-2019-8510", "CVE-2019-8514"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## watchOS 5.2\n\nReleased March 27, 2019\n\n**Accounts**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted vcf file may lead to a denial of service\n\nDescription: A denial of service issue was addressed with improved validation.\n\nCVE-2019-8538: Trevor Spiniolas (@TrevorSpiniolas)\n\nEntry added April 3, 2019\n\n**CFString**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted string may lead to a denial of service\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2019-8516: SWIPS Team of Frifee Inc.\n\n**configd**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2019-8552: Mohamed Ghannam (@_simo36)\n\n**Contacts**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2019-8511: an anonymous researcher\n\n**CoreCrypto**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2019-8542: an anonymous researcher\n\n**file**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted file might disclose user information\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2019-8906: Francisco Alonso\n\nEntry updated April 15, 2019\n\n**Foundation**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2019-7286: an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Gro\u00df of Google Project Zero\n\n**GeoServices**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Clicking a malicious SMS link may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2019-8553: an anonymous researcher\n\n**iAP**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2019-8542: an anonymous researcher\n\n**IOHIDFamily**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A remote attacker may be able to alter network traffic data\n\nDescription: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.\n\nCVE-2019-5608: Apple\n\nEntry added August 6, 2019\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A remote attacker may be able to leak memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2019-8547: derrek (@derrekr6)\n\nEntry added May 30, 2019\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2019-8525: Zhuo Liang and shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added May 30, 2019\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2019-8528: Fabiano Anemone (@anoane), Zhao Qixun (@S0rryMybad) of Qihoo 360 Vulcan Team\n\nEntry added April 3, 2019\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2019-8514: Samuel Gro\u00df of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan)\n\nCVE-2019-8510: Stefan Esser of Antid0te UG\n\n**Kernel**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A local user may be able to read kernel memory\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2019-7293: Ned Williamson of Google\n\n**MediaLibrary**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to access restricted files\n\nDescription: A permissions issue was addressed by removing vulnerable code and adding additional checks.\n\nCVE-2019-8532: Angel Ramirez, Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.\n\nEntry added May 30, 2019\n\n**Messages**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An access issue was addressed with additional sandbox restrictions.\n\nCVE-2019-8546: ChiYuan Chang\n\n**Passcode**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A partially entered passcode may not clear when the device goes to sleep\n\nDescription: An issue existed where partially entered passcodes may not clear when the device went to sleep. This issue was addressed by clearing the passcode when a locked device sleeps.\n\nCVE-2019-8548: Tobias Sachs\n\n**Power Management**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to execute arbitrary code with system privileges\n\nDescription: Multiple input validation issues existed in MIG generated code. These issues were addressed with improved validation.\n\nCVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure (ssd-disclosure.com)\n\n**Privacy**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious app may be able to track users between installs\n\nDescription: A privacy issue existed in motion sensor calibration. This issue was addressed with improved motion sensor processing.\n\nCVE-2019-8541: Stan (Jiexin) Zhang and Alastair R. Beresford of the University of Cambridge, Ian Sheret of Polymath Insight Limited\n\n**Sandbox**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2019-8618: Brandon Azad\n\nEntry added May 30, 2019\n\n**Security**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: An untrusted radius server certificate may be trusted\n\nDescription: A validation issue existed in Trust Anchor Management. This issue was addressed with improved validation.\n\nCVE-2019-8531: an anonymous researcher, QA team of SecureW2\n\nEntry added May 15, 2019\n\n**Siri**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: A malicious application may be able to initiate a Dictation request without user authorization\n\nDescription: An API issue existed in the handling of dictation requests. This issue was addressed with improved validation.\n\nCVE-2019-8502: Luke Deshotels of North Carolina State University, Jordan Beichler of North Carolina State University, William Enck of North Carolina State University, Costin Caraba\u0219 of University POLITEHNICA of Bucharest, and R\u0103zvan Deaconescu of University POLITEHNICA of Bucharest\n\n**TrueTypeScaler**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing a maliciously crafted font may result in the disclosure of process memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2019-8536: Apple\n\nCVE-2019-8544: an anonymous researcher\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2019-8506: Samuel Gro\u00df of Google Project Zero\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2019-8518: Samuel Gro\u00df of Google Project Zero\n\nCVE-2019-8558: Samuel Gro\u00df of Google Project Zero\n\nCVE-2019-8559: Apple\n\nCVE-2019-8563: Apple\n\nCVE-2019-8638: found by OSS-Fuzz\n\nCVE-2019-8639: found by OSS-Fuzz\n\nEntry updated May 30, 2019\n\n**WebKit**\n\nAvailable for: Apple Watch Series 1 and later\n\nImpact: Processing maliciously crafted web content may result in the disclosure of process memory\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2019-7292: Zhunki and Zhiyi Zhang of 360 ESG Codesafe Team\n\n\n\n## Additional recognition\n\n**Accounts**\n\nWe would like to acknowledge Milan Stute of Secure Mobile Networking Lab at Technische Universit\u00e4t Darmstadt for their assistance.\n\nEntry added May 30, 2019\n\n**Kernel**\n\nWe would like to acknowledge Brandon Azad of Google Project Zero, Brandon Azad, Raz Mashat (@RazMashat) of Ilan Ramon High School for their assistance.\n\nEntry updated May 30, 2019\n", "edition": 2, "modified": "2019-08-07T04:48:16", "published": "2019-08-07T04:48:16", "id": "APPLE:HT209602", "href": "https://support.apple.com/kb/HT209602", "title": "About the security content of watchOS 5.2 - Apple Support", "type": "apple", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2020-12-24T20:42:57", "bulletinFamily": "software", "cvelist": ["CVE-2019-8518", "CVE-2019-8528", "CVE-2019-8503", "CVE-2019-8549", "CVE-2019-8523", "CVE-2019-6207", "CVE-2019-8563", "CVE-2019-8545", "CVE-2019-8506", "CVE-2019-8559", "CVE-2019-8558", "CVE-2019-8552", "CVE-2019-8515", "CVE-2019-8517", "CVE-2019-8547", "CVE-2019-8906", "CVE-2019-8639", "CVE-2019-8562", "CVE-2019-8551", "CVE-2019-8544", "CVE-2019-8638", "CVE-2019-7293", "CVE-2019-8553", "CVE-2019-6201", "CVE-2019-8556", "CVE-2019-8540", "CVE-2019-8542", "CVE-2019-6203", "CVE-2019-7285", "CVE-2019-8535", "CVE-2019-8536", "CVE-2019-8516", "CVE-2019-8527", "CVE-2019-8532", "CVE-2019-8525", "CVE-2019-7292", "CVE-2019-8502", "CVE-2019-8524", "CVE-2019-8531", "CVE-2019-8530", "CVE-2019-5608", "CVE-2019-8618", "CVE-2019-7286", "CVE-2019-8510", "CVE-2019-8514"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## tvOS 12.2\n\nReleased March 25, 2019\n\n**802.1X**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: An attacker in a privileged network position may be able to intercept network traffic\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2019-6203: Dominic White of SensePost (@singe)\n\nEntry added April 15, 2019\n\n**CFString**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: Processing a maliciously crafted string may lead to a denial of service\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2019-8516: SWIPS Team of Frifee Inc.\n\n**configd**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2019-8552: Mohamed Ghannam (@_simo36)\n\n**CoreCrypto**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2019-8542: an anonymous researcher\n\n**file**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: Processing a maliciously crafted file might disclose user information\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2019-8906: Francisco Alonso\n\nEntry updated April 15, 2019\n\n**Foundation**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2019-7286: an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Gro\u00df of Google Project Zero\n\n**GeoServices**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: Clicking a malicious SMS link may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2019-8553: an anonymous researcher\n\n**iAP**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2019-8542: an anonymous researcher\n\n**IOHIDFamily**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A remote attacker may be able to alter network traffic data\n\nDescription: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.\n\nCVE-2019-5608: Apple\n\nEntry added August 6, 2019\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A remote attacker may be able to leak memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2019-8547: derrek (@derrekr6)\n\nEntry added May 30, 2019\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2019-8525: Zhuo Liang and shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added May 30, 2019\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2019-8528: Fabiano Anemone (@anoane), Zhao Qixun (@S0rryMybad) of Qihoo 360 Vulcan Team\n\nEntry added April 3, 2019\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2019-8514: Samuel Gro\u00df of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A local user may be able to read kernel memory\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2019-7293: Ned Williamson of Google\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan)\n\nCVE-2019-8510: Stefan Esser of Antid0te UG\n\n**MediaLibrary**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A malicious application may be able to access restricted files\n\nDescription: A permissions issue was addressed by removing vulnerable code and adding additional checks.\n\nCVE-2019-8532: Angel Ramirez, Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.\n\nEntry added May 30, 2019\n\n**Power Management**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A malicious application may be able to execute arbitrary code with system privileges\n\nDescription: Multiple input validation issues existed in MIG generated code. These issues were addressed with improved validation.\n\nCVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure (ssd-disclosure.com)\n\n**Sandbox**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2019-8618: Brandon Azad\n\nEntry added May 30, 2019\n\n**Security**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: An untrusted radius server certificate may be trusted\n\nDescription: A validation issue existed in Trust Anchor Management. This issue was addressed with improved validation.\n\nCVE-2019-8531: an anonymous researcher, QA team of SecureW2\n\nEntry added May 15, 2019\n\n**Siri**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A malicious application may be able to initiate a Dictation request without user authorization\n\nDescription: An API issue existed in the handling of dictation requests. This issue was addressed with improved validation.\n\nCVE-2019-8502: Luke Deshotels of North Carolina State University, Jordan Beichler of North Carolina State University, William Enck of North Carolina State University, Costin Caraba\u0219 of University POLITEHNICA of Bucharest, and R\u0103zvan Deaconescu of University POLITEHNICA of Bucharest\n\n**TrueTypeScaler**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: Processing a maliciously crafted font may result in the disclosure of process memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: Processing maliciously crafted web content may lead to universal cross site scripting\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2019-8551: Ryan Pickren (ryanpickren.com)\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2019-8535: Zhiyang Zeng (@Wester) of Tencent Blade Team\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2019-6201: dwfault working with ADLab of Venustech\n\nCVE-2019-8518: Samuel Gro\u00df of Google Project Zero\n\nCVE-2019-8523: Apple\n\nCVE-2019-8524: G. Geshev working with Trend Micro Zero Day Initiative\n\nCVE-2019-8558: Samuel Gro\u00df of Google Project Zero\n\nCVE-2019-8559: Apple\n\nCVE-2019-8563: Apple\n\nCVE-2019-8638: found by OSS-Fuzz\n\nCVE-2019-8639: found by OSS-Fuzz\n\nEntry updated May 30, 2019\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2019-8562: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: Processing maliciously crafted web content may disclose sensitive user information\n\nDescription: A cross-origin issue existed with the fetch API. This was addressed with improved input validation.\n\nCVE-2019-8515: James Lee (@Windowsrcer)\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2019-8536: Apple\n\nCVE-2019-8544: an anonymous researcher\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2019-7285: dwfault working at ADLab of Venustech\n\nCVE-2019-8556: Apple\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2019-8506: Samuel Gro\u00df of Google Project Zero\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A malicious website may be able to execute scripts in the context of another website\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2019-8503: Linus S\u00e4rud of Detectify\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: Processing maliciously crafted web content may result in the disclosure of process memory\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2019-7292: Zhunki and Zhiyi Zhang of 360 ESG Codesafe Team\n\n**XPC**\n\nAvailable for: Apple TV 4K and Apple TV HD _previously Apple TV (4th generation)_\n\nImpact: A malicious application may be able to overwrite arbitrary files\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs\n\n\n\n## Additional recognition\n\n**Accounts**\n\nWe would like to acknowledge Milan Stute of Secure Mobile Networking Lab at Technische Universit\u00e4t Darmstadt for their assistance.\n\nEntry added May 30, 2019\n\n**Kernel**\n\nWe would like to acknowledge Brandon Azad of Google Project Zero, Brandon Azad, Raz Mashat (@RazMashat) of Ilan Ramon High School for their assistance.\n\nEntry updated May 30, 2019\n\n**Safari**\n\nWe would like to acknowledge Ryan Pickren (ryanpickren.com), Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com) for their assistance.\n\nEntry updated May 30, 2019\n\n**WebKit**\n\nWe would like to acknowledge Andrey Kovalev of Yandex Security Team for their assistance.\n", "edition": 2, "modified": "2019-08-07T04:50:47", "published": "2019-08-07T04:50:47", "id": "APPLE:HT209601", "href": "https://support.apple.com/kb/HT209601", "title": "About the security content of tvOS 12.2 - Apple Support", "type": "apple", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2020-12-24T20:42:54", "bulletinFamily": "software", "cvelist": ["CVE-2019-8526", "CVE-2019-8528", "CVE-2019-8549", "CVE-2019-8534", "CVE-2019-8555", "CVE-2019-8504", "CVE-2019-8522", "CVE-2019-8521", "CVE-2019-8645", "CVE-2018-4448", "CVE-2019-8561", "CVE-2018-4433", "CVE-2019-6207", "CVE-2019-8545", "CVE-2019-8777", "CVE-2019-8533", "CVE-2019-8520", "CVE-2018-18313", "CVE-2019-8513", "CVE-2019-8538", "CVE-2019-8552", "CVE-2019-8612", "CVE-2019-8519", "CVE-2019-8517", "CVE-2019-8547", "CVE-2019-8906", "CVE-2019-6238", "CVE-2018-18311", "CVE-2019-8642", "CVE-2019-8546", "CVE-2018-12015", "CVE-2019-7293", "CVE-2019-8529", "CVE-2019-8565", "CVE-2019-8540", "CVE-2019-8508", "CVE-2019-8542", "CVE-2019-6203", "CVE-2019-8537", "CVE-2019-6239", "CVE-2019-8511", "CVE-2019-8579", "CVE-2019-8516", "CVE-2019-8527", "CVE-2019-8525", "CVE-2019-8567", "CVE-2019-8564", "CVE-2019-8507", "CVE-2019-8502", "CVE-2019-8531", "CVE-2019-8530", "CVE-2019-5608", "CVE-2019-8618", "CVE-2019-8510", "CVE-2019-8514", "CVE-2019-8550", "CVE-2019-8569"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra\n\nReleased March 25, 2019\n\n**802.1X**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: An attacker in a privileged network position may be able to intercept network traffic\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2019-6203: Dominic White of SensePost (@singe)\n\nEntry added April 15, 2019\n\n**802.1X**\n\nAvailable for: macOS High Sierra 10.13.6\n\nImpact: An untrusted radius server certificate may be trusted\n\nDescription: A validation issue existed in Trust Anchor Management. This issue was addressed with improved validation.\n\nCVE-2019-8531: an anonymous researcher, QA team of SecureW2\n\nEntry added May 15, 2019\n\n**Accounts**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: Processing a maliciously crafted vcf file may lead to a denial of service\n\nDescription: A denial of service issue was addressed with improved validation.\n\nCVE-2019-8538: Trevor Spiniolas (@TrevorSpiniolas)\n\nEntry added April 3, 2019\n\n**APFS**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A logic issue existed resulting in memory corruption. This was addressed with improved state management.\n\nCVE-2019-8534: Mac working with Trend Micro's Zero Day Initiative\n\nEntry added April 15, 2019\n\n**AppleGraphicsControl**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and shrek_wzw of Qihoo 360 Nirvan Team\n\n**Bom**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A malicious application may bypass Gatekeeper checks\n\nDescription: This issue was addressed with improved handling of file metadata.\n\nCVE-2019-6239: Ian Moorhouse and Michael Trimm\n\n**CFString**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: Processing a maliciously crafted string may lead to a denial of service\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2019-8516: SWIPS Team of Frifee Inc.\n\n**configd**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2019-8552: Mohamed Ghannam (@_simo36)\n\n**Contacts**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2019-8511: an anonymous researcher\n\n**CoreCrypto**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2019-8542: an anonymous researcher\n\n**DiskArbitration**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2019-8522: Colin Meginnis (@falc420)\n\n**FaceTime**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A user\u2019s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing\n\nDescription: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic.\n\nCVE-2019-8550: Lauren Guzniczak of Keystone Academy\n\n**FaceTime**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A local attacker may be able to view contacts from the lock screen\n\nDescription: A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management.\n\nCVE-2019-8777: Abdullah H. AlJaber (@aljaber) of AJ.SA\n\nEntry added October 8, 2019\n\n**Feedback Assistant**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to gain root privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs\n\n**Feedback Assistant**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to overwrite arbitrary files\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs\n\n**file**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: Processing a maliciously crafted file might disclose user information\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2019-8906: Francisco Alonso\n\nEntry updated April 15, 2019\n\n**Graphics Drivers**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin (@panicaII) and Junzhi Lu of Trend Micro Research working with Trend Micro's Zero Day Initiative, Lilang Wu and Moony Li of Trend Micro\n\nEntry updated August 1, 2019\n\n**iAP**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2019-8542: an anonymous researcher\n\n**IOGraphics**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A Mac may not lock when disconnecting from an external monitor\n\nDescription: A lock handling issue was addressed with improved lock handling.\n\nCVE-2019-8533: an anonymous researcher, James Eagan of T\u00e9l\u00e9com ParisTech, R. Scott Kemp of MIT, and Romke van Dijk of Z-CERT\n\n**IOHIDFamily**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team\n\n**IOKit**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: A local user may be able to read kernel memory\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2019-8504: an anonymous researcher\n\n**IOKit SCSI**\n\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro Research working with Trend Micro's Zero Day Initiative\n\nEntry updated April 15, 2019\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: A local user may be able to read kernel memory\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2018-4448: Brandon Azad\n\nEntry added September 17, 2019\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: A remote attacker may be able to alter network traffic data\n\nDescription: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.\n\nCVE-2019-5608: Apple\n\nEntry added August 6, 2019\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: macOS Mojave 10.14.3, macOS High Sierra 10.13.6\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2019-8528: Fabiano Anemone (@anoane), Zhao Qixun (@S0rryMybad) of Qihoo 360 Vulcan Team\n\nEntry added April 3, 2019, updated August 1, 2019\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.6, macOS Mojave 10.14.3\n\nImpact: Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2019-8508: Dr. Silvio Cesare of InfoSect\n\n**Kernel**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2019-8514: Samuel Gro\u00df of Google Project Zero\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.6, macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A local user may be able to read kernel memory\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2019-7293: Ned Williamson of Google\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan)\n\nCVE-2019-8510: Stefan Esser of Antid0te UG\n\n**Kernel**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A remote attacker may be able to leak memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2019-8547: derrek (@derrekr6)\n\nEntry added August 1, 2019\n\n**Kernel**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2019-8525: Zhuo Liang and shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added August 1, 2019\n\n**libmalloc**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: A malicious application may be able to modify protected parts of the file system\n\nDescription: A configuration issue was addressed with additional restrictions.\n\nCVE-2018-4433: Vitaly Cheptsov\n\nEntry added August 1, 2019, updated September 17, 2019\n\n**Mail**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: Processing a maliciously crafted mail message may lead to S/MIME signature spoofing\n\nDescription: An issue existed in the handling of S-MIME certificates. This issue was addressed with improved validation of S-MIME certificates.\n\nCVE-2019-8642: Maya Sigal of Freie Universit\u00e4t Berlin and Volker Roth of Freie Universit\u00e4t Berlin\n\nEntry added August 1, 2019\n\n**Mail**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail\n\nDescription: An issue existed in the handling of encrypted Mail. This issue was addressed with improved isolation of MIME in Mail.\n\nCVE-2019-8645: Maya Sigal of Freie Universit\u00e4t Berlin and Volker Roth of Freie Universit\u00e4t Berlin\n\nEntry added August 1, 2019\n\n**Messages**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An access issue was addressed with additional sandbox restrictions.\n\nCVE-2019-8546: ChiYuan Chang\n\n**Modem CCL**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: An input validation issue was addressed with improved memory handling.\n\nCVE-2019-8579: an anonymous researcher\n\nEntry added April 15, 2019\n\n**Notes**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A local user may be able to view a user\u2019s locked notes\n\nDescription: An access issue was addressed with improved memory management.\n\nCVE-2019-8537: Greg Walker (gregwalker.us)\n\n**PackageKit**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2019-8561: Jaron Bradley of Crowdstrike\n\n**Perl**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: Multiple issues in Perl\n\nDescription: Multiple issues in Perl were addressed in this update.\n\nCVE-2018-12015: Jakub Wilk\n\nCVE-2018-18311: Jayakrishna Menon\n\nCVE-2018-18313: Eiichi Tsukata\n\n**Power Management**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to execute arbitrary code with system privileges\n\nDescription: Multiple input validation issues existed in MIG generated code. These issues were addressed with improved validation.\n\nCVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure (ssd-disclosure.com)\n\n**QuartzCore**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: Processing malicious data may lead to unexpected application termination\n\nDescription: Multiple memory corruption issues were addressed with improved input validation.\n\nCVE-2019-8507: Kai Lu of Fortinet's FortiGuard Labs\n\n**Sandbox**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2019-8618: Brandon Azad\n\nEntry added August 1, 2019\n\n**Security**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2019-8526: Linus Henze (pinauten.de)\n\n**Security**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2019-8520: Antonio Groza, The UK's National Cyber Security Centre (NCSC)\n\n**Security**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: An untrusted radius server certificate may be trusted\n\nDescription: A validation issue existed in Trust Anchor Management. This issue was addressed with improved validation.\n\nCVE-2019-8531: an anonymous researcher, QA team of SecureW2\n\n**Security**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: An untrusted radius server certificate may be trusted\n\nDescription: A validation issue existed in Trust Anchor Management. This issue was addressed with improved validation.\n\nCVE-2019-8531: an anonymous researcher, QA team of SecureW2\n\nEntry added May 15, 2019\n\n**Siri**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to initiate a Dictation request without user authorization\n\nDescription: An API issue existed in the handling of dictation requests. This issue was addressed with improved validation.\n\nCVE-2019-8502: Luke Deshotels of North Carolina State University, Jordan Beichler of North Carolina State University, William Enck of North Carolina State University, Costin Caraba\u0219 of University POLITEHNICA of Bucharest, and R\u0103zvan Deaconescu of University POLITEHNICA of Bucharest\n\n**Time Machine**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: A local user may be able to execute arbitrary shell commands\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2019-8513: CodeColorist of Ant-Financial LightYear Labs\n\n**Touch Bar Support**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2019-8569: Viktor Oreshkin (@stek29)\n\nEntry added August 1, 2019\n\n**TrueTypeScaler**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: Processing a maliciously crafted font may result in the disclosure of process memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero Day Initiative\n\n**Wi-Fi**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3\n\nImpact: An attacker in a privileged network position can modify driver state\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2019-8564: Hugues Anguelkov during an internship at Quarkslab\n\nEntry added April 15, 2019\n\n**Wi-Fi**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6\n\nImpact: An attacker in a privileged network position can modify driver state\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2019-8612: Milan Stute of Secure Mobile Networking Lab at Technische Universit\u00e4t Darmstadt\n\nEntry added August 1, 2019\n\n**Wi-Fi**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: A device may be passively tracked by its Wi-Fi MAC address\n\nDescription: A user privacy issue was addressed by removing the broadcast MAC address.\n\nCVE-2019-8567: David Kreitschmann and Milan Stute of Secure Mobile Networking Lab at Technische Universit\u00e4t Darmstadt\n\nEntry added August 1, 2019\n\n**xar**\n\nAvailable for: macOS Mojave 10.14.3\n\nImpact: Processing a maliciously crafted package may lead to arbitrary code execution\n\nDescription: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.\n\nCVE-2019-6238: Yi\u011fit Can YILMAZ (@yilmazcanyigit)\n\nEntry added April 15, 2019\n\n**XPC**\n\nAvailable for: macOS Sierra 10.12.6, macOS Mojave 10.14.3\n\nImpact: A malicious application may be able to overwrite arbitrary files\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs\n\n\n\n## Additional recognition\n\n**Accounts**\n\nWe would like to acknowledge Milan Stute of Secure Mobile Networking Lab at Technische Universit\u00e4t Darmstadt for their assistance.\n\n**Books**\n\nWe would like to acknowledge Yi\u011fit Can YILMAZ (@yilmazcanyigit) for their assistance.\n\n**Kernel**\n\nWe would like to acknowledge Brandon Azad, Brandon Azad of Google Project Zero, Daniel Roethlisberger of Swisscom CSIRT, Raz Mashat (@RazMashat) of Ilan Ramon High School for their assistance.\n\nEntry updated September 17, 2019\n\n**Mail**\n\nWe would like to acknowledge Craig Young of Tripwire VERT and Hanno B\u00f6ck for their assistance.\n\n**Time Machine**\n\nWe would like to acknowledge CodeColorist of Ant-Financial LightYear Labs for their assistance.\n", "edition": 3, "modified": "2020-07-27T08:22:02", "published": "2020-07-27T08:22:02", "id": "APPLE:HT209600", "href": "https://support.apple.com/kb/HT209600", "title": "About the security content of macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra - Apple Support", "type": "apple", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2020-12-24T20:43:43", "bulletinFamily": "software", "cvelist": ["CVE-2019-8518", "CVE-2019-8528", "CVE-2019-8503", "CVE-2019-8549", "CVE-2019-8504", "CVE-2019-8521", "CVE-2019-8523", "CVE-2019-6207", "CVE-2019-8563", "CVE-2019-8545", "CVE-2019-8506", "CVE-2019-8559", "CVE-2019-7284", "CVE-2019-8538", "CVE-2019-8558", "CVE-2019-8552", "CVE-2019-8515", "CVE-2019-8517", "CVE-2019-8547", "CVE-2019-8554", "CVE-2019-8906", "CVE-2019-8639", "CVE-2019-8562", "CVE-2019-6204", "CVE-2019-8551", "CVE-2019-8566", "CVE-2019-8544", "CVE-2019-8546", "CVE-2019-8505", "CVE-2019-8638", "CVE-2019-7293", "CVE-2019-8553", "CVE-2019-6201", "CVE-2019-8556", "CVE-2019-8529", "CVE-2019-8565", "CVE-2019-8540", "CVE-2019-8542", "CVE-2019-6203", "CVE-2019-8511", "CVE-2019-7285", "CVE-2019-8535", "CVE-2019-8536", "CVE-2019-8516", "CVE-2019-8527", "CVE-2019-8532", "CVE-2019-8525", "CVE-2019-8567", "CVE-2019-8541", "CVE-2019-7292", "CVE-2019-8502", "CVE-2019-8524", "CVE-2019-6222", "CVE-2019-8531", "CVE-2019-8530", "CVE-2019-5608", "CVE-2019-8618", "CVE-2019-8510", "CVE-2019-8512", "CVE-2019-8514", "CVE-2019-8550"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## iOS 12.2\n\nReleased March 25, 2019\n\n**802.1X**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker in a privileged network position may be able to intercept network traffic\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2019-6203: Dominic White of SensePost (@singe)\n\nEntry added April 15, 2019\n\n**Accounts**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted vcf file may lead to a denial of service\n\nDescription: A denial of service issue was addressed with improved validation.\n\nCVE-2019-8538: Trevor Spiniolas (@TrevorSpiniolas)\n\nEntry added April 3, 2019\n\n**CFString**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted string may lead to a denial of service\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2019-8516: SWIPS Team of Frifee Inc.\n\n**configd**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2019-8552: Mohamed Ghannam (@_simo36)\n\n**Contacts**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2019-8511: an anonymous researcher\n\n**CoreCrypto**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2019-8542: an anonymous researcher\n\n**Exchange ActiveSync**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A user may authorize an enterprise administrator to remotely wipe their device without appropriate disclosure\n\nDescription: This issue was addressed with improved transparency.\n\nCVE-2019-8512: an anonymous researcher, Dennis Munsie of Amazon.com\n\nEntry updated April 3, 2019\n\n**FaceTime**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A user\u2019s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing\n\nDescription: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic.\n\nCVE-2019-8550: Lauren Guzniczak of Keystone Academy\n\n**Feedback Assistant**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to gain root privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs\n\n**Feedback Assistant**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to overwrite arbitrary files\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs\n\n**file**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted file might disclose user information\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2019-8906: Francisco Alonso\n\nEntry updated April 15, 2019\n\n**GeoServices**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Clicking a malicious SMS link may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2019-8553: an anonymous researcher\n\n**iAP**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2019-8542: an anonymous researcher\n\n**IOHIDFamily**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team\n\n**IOKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to read kernel memory\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2019-8504: an anonymous researcher\n\n**IOKit SCSI**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro Research working with Trend Micro's Zero Day Initiative\n\nEntry updated April 15, 2019\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A remote attacker may be able to alter network traffic data\n\nDescription: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.\n\nCVE-2019-5608: Apple\n\nEntry added August 6, 2019\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A remote attacker may be able to leak memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2019-8547: derrek (@derrekr6)\n\nEntry added May 30, 2019\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2019-8525: Zhuo Liang and shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added May 30, 2019\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2019-8528: Fabiano Anemone (@anoane), Zhao Qixun (@S0rryMybad) of Qihoo 360 Vulcan Team\n\nEntry added April 3, 2019\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2019-8514: Samuel Gro\u00df of Google Project Zero\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to read kernel memory\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2019-7293: Ned Williamson of Google\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan)\n\nCVE-2019-8510: Stefan Esser of Antid0te UG\n\n**Mail**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted mail message may lead to S/MIME signature spoofing\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2019-7284: Damian Poddebniak of M\u00fcnster University of Applied Sciences\n\n**MediaLibrary**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to access restricted files\n\nDescription: A permissions issue was addressed by removing vulnerable code and adding additional checks.\n\nCVE-2019-8532: Angel Ramirez, Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.\n\nEntry added May 30, 2019\n\n**Messages**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An access issue was addressed with additional sandbox restrictions.\n\nCVE-2019-8546: ChiYuan Chang\n\n**Power Management**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to execute arbitrary code with system privileges\n\nDescription: Multiple input validation issues existed in MIG generated code. These issues were addressed with improved validation.\n\nCVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure (ssd-disclosure.com)\n\n**Privacy**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious app may be able to track users between installs\n\nDescription: A privacy issue existed in motion sensor calibration. This issue was addressed with improved motion sensor processing.\n\nCVE-2019-8541: Stan (Jiexin) Zhang and Alastair R. Beresford of the University of Cambridge and Ian Sheret of Polymath Insight Limited\n\n**ReplayKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to access the microphone without indication to the user\n\nDescription: An API issue existed in the handling of microphone data. This issue was addressed with improved validation.\n\nCVE-2019-8566: an anonymous researcher\n\n**Safari**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A website may be able to access sensor information without user consent\n\nDescription: A permissions issue existed in the handling of motion and orientation data. This issue was addressed with improved restrictions.\n\nCVE-2019-8554: an anonymous researcher\n\n**Safari Reader**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross site scripting\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2019-6204: Ryan Pickren (ryanpickren.com)\n\nCVE-2019-8505: Ryan Pickren (ryanpickren.com)\n\n**Sandbox**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2019-8618: Brandon Azad\n\nEntry added May 30, 2019\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An untrusted radius server certificate may be trusted\n\nDescription: A validation issue existed in Trust Anchor Management. This issue was addressed with improved validation.\n\nCVE-2019-8531: an anonymous researcher, QA team of SecureW2\n\nEntry added May 15, 2019\n\n**Siri**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to initiate a Dictation request without user authorization\n\nDescription: An API issue existed in the handling of dictation requests. This issue was addressed with improved validation.\n\nCVE-2019-8502: Luke Deshotels of North Carolina State University, Jordan Beichler of North Carolina State University, William Enck of North Carolina State University, Costin Caraba\u0219 of University POLITEHNICA of Bucharest, and R\u0103zvan Deaconescu of University POLITEHNICA of Bucharest\n\n**TrueTypeScaler**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted font may result in the disclosure of process memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero Day Initiative\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to universal cross site scripting\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2019-8551: Ryan Pickren (ryanpickren.com)\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2019-8535: Zhiyang Zeng (@Wester) of Tencent Blade Team\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2019-6201: dwfault working with ADLab of Venustech\n\nCVE-2019-8518: Samuel Gro\u00df of Google Project Zero\n\nCVE-2019-8523: Apple\n\nCVE-2019-8524: G. Geshev working with Trend Micro Zero Day Initiative\n\nCVE-2019-8558: Samuel Gro\u00df of Google Project Zero\n\nCVE-2019-8559: Apple\n\nCVE-2019-8563: Apple\n\nCVE-2019-8638: found by OSS-Fuzz\n\nCVE-2019-8639: found by OSS-Fuzz\n\nEntry updated May 30, 2019\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2019-8562: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A website may be able to access the microphone without the microphone use indicator being shown\n\nDescription: A consistency issue was addressed with improved state handling.\n\nCVE-2019-6222: Denis Markov of Resonance Software\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may disclose sensitive user information\n\nDescription: A cross-origin issue existed with the fetch API. This was addressed with improved input validation.\n\nCVE-2019-8515: James Lee (@Windowsrcer)\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2019-8536: Apple\n\nCVE-2019-8544: an anonymous researcher\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2019-7285: dwfault working at ADLab of Venustech\n\nCVE-2019-8556: Apple\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2019-8506: Samuel Gro\u00df of Google Project Zero\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious website may be able to execute scripts in the context of another website\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2019-8503: Linus S\u00e4rud of Detectify\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may result in the disclosure of process memory\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2019-7292: Zhunki and Zhiyi Zhang of 360 ESG Codesafe Team\n\n**Wi-Fi**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A device may be passively tracked by its Wi-Fi MAC address\n\nDescription: A user privacy issue was addressed by removing the broadcast MAC address.\n\nCVE-2019-8567: David Kreitschmann and Milan Stute of Secure Mobile Networking Lab at Technische Universit\u00e4t Darmstadt\n\n**XPC**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to overwrite arbitrary files\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs\n\n\n\n## Additional recognition\n\n**Accounts**\n\nWe would like to acknowledge Milan Stute of Secure Mobile Networking Lab at Technische Universit\u00e4t Darmstadt for their assistance.\n\nEntry added May 30, 2019\n\n**Books**\n\nWe would like to acknowledge Yi\u011fit Can YILMAZ (@yilmazcanyigit) for their assistance.\n\n**Calendar**\n\nWe would like to acknowledge an anonymous researcher, Peter Hempsall of 104days.com, and Sascha Mogler of mogler.com for their assistance.\n\n**Kernel**\n\nWe would like to acknowledge Brandon Azad, Raz Mashat (@RazMashat) of Ilan Ramon High School, Brandon Azad of Google Project Zero for their assistance.\n\nEntry updated May 30, 2019\n\n**Quick Look**\n\nWe would like to acknowledge Yi\u011fit Can YILMAZ (@yilmazcanyigit) for their assistance.\n\n**Safari**\n\nWe would like to acknowledge Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com), Ryan Pickren (ryanpickren.com) for their assistance.\n\nEntry updated May 30, 2019\n\n**Screen Recording**\n\nWe would like to acknowledge Brandon Moore (@Brandonsecurity) for their assistance.\n\nEntry added November 6, 2019\n\n**Screen Time**\n\nWe would like to acknowledge Brandon Moore (@Brandonsecurity) for their assistance.\n\n**WebKit**\n\nWe would like to acknowledge Andrey Kovalev of Yandex Security Team, David House of Kaiser Permanente, Radha Patnayakuni of Salesforce for their assistance.\n\nEntry updated October 8, 2019\n", "edition": 3, "modified": "2020-07-27T08:18:09", "published": "2020-07-27T08:18:09", "id": "APPLE:HT209599", "href": "https://support.apple.com/kb/HT209599", "title": "About the security content of iOS 12.2 - Apple Support", "type": "apple", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:C"}}]}