
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2017-029

DATE(S) ISSUED:

03/29/2017

OVERVIEW:

Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, macOS, macOS Server, iCloud for Windows and Safari which could allow for arbitrary code execution. watchOS is the mobile operating system of the Apple Watch and is based on the iOS operating system. iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch. tvOS is an operating system for the fourth-generation Apple TV digital media player. macOS is Apple's desktop and server operating system for Macintosh computers. macOS Server is a separately sold operating system add-on which provides additional server programs along with management and administration tools for macOS. iCloud is a cloud storage and cloud computing service from Apple. Apple Safari is a web browser available for OS X and Microsoft Windows.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • watchOS Versions prior to 3.2
  • iOS Versions prior to 10.3
  • tvOS Versions prior to 10.2
  • macOS Versions prior to 10.12.4
  • macOS Versions prior to 10.11.6
  • macOS Versions prior to 10.10.5
  • macOS Server Versions prior to 5.3
  • Safari Versions prior to 10.1
  • iCloud for Windows Versions prior to 6.2
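The version thresholds above are the advisory's patch baseline. As an added example (not part of the MS-ISAC advisory), the script below triages a constructed device inventory against those thresholds, keeping the three macOS branches separate and flagging anything the advisory does not cover so it is checked separately rather than silently treated as safe.

```python
# Added example, not from the advisory: check inventory versions against the
# "Systems Affected" thresholds. Inventory hosts below are constructed.
from typing import Optional

# Product -> [(branch prefix, first fixed version)]. An empty prefix ()
# means the single threshold applies to every version of that product.
FIXED_VERSIONS = {
    "watchOS": [((), (3, 2))],
    "iOS": [((), (10, 3))],
    "tvOS": [((), (10, 2))],
    "macOS": [((10, 12), (10, 12, 4)),
              ((10, 11), (10, 11, 6)),
              ((10, 10), (10, 10, 5))],
    "macOS Server": [((), (5, 3))],
    "Safari": [((), (10, 1))],
    "iCloud for Windows": [((), (6, 2))],
}

def parse_version(text: str) -> tuple:
    # "10.12.3" -> (10, 12, 3); tuple comparison orders versions correctly.
    return tuple(int(p) for p in text.strip().split("."))

def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the version is below the fixed release for its branch.
    None if the product or macOS branch is not listed in the advisory."""
    ver = parse_version(version)
    for prefix, fixed in FIXED_VERSIONS.get(product, []):
        if ver[:len(prefix)] == prefix:
            return ver < fixed
    return None

# Constructed sample inventory: (hostname, product, version). Not real hosts.
INVENTORY = [
    ("mac-01", "macOS", "10.12.3"),
    ("mac-02", "macOS", "10.12.4"),
    ("mac-03", "macOS", "10.11.5"),
    ("mac-04", "macOS", "10.9.5"),   # branch not in the advisory
    ("phone-01", "iOS", "10.2.1"),
    ("phone-02", "iOS", "10.3"),
    ("tv-01", "tvOS", "10.1.1"),
    ("win-01", "iCloud for Windows", "6.1.1"),
]

def triage(inventory):
    """Return (vulnerable_hosts, hosts_not_covered_by_advisory)."""
    vulnerable, not_covered = [], []
    for host, product, version in inventory:
        status = is_affected(product, version)
        if status is None:
            not_covered.append(host)
        elif status:
            vulnerable.append(host)
    return vulnerable, not_covered
```

Hosts in the "not covered" list (such as a macOS 10.9 machine) are outside the advisory's scope, not patched, and need a separate decision.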

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users:
  • LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, macOS, macOS Server, iCloud for Windows and Safari. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking. (CVE-2017-2379)
  • A buffer overflow issue was addressed through improved memory handling. (CVE-2017-2482, CVE-2017-2483)
  • Multiple buffer overflow vulnerabilities were addressed through improved bounds checking. (CVE-2016-9586, CVE-2017-2451, CVE-2017-2458)
  • A crafted request may cause a global cache to grow indefinitely, leading to a denial-of-service. This was addressed by not caching unknown MIME types. (CVE-2016-0751)
  • A double free issue was addressed through improved memory management. (CVE-2017-2425)
  • A keychain handling issue was addressed through improved keychain item management. (CVE-2017-2385)
  • A logic issue existed in frame handling. This issue was addressed through improved state management. (CVE-2017-2475)
  • A logic issue existed in the handling of frame objects. This issue was addressed with improved state management. (CVE-2017-2445)
  • A logic issue existed in the handling of strict mode functions. This issue was addressed with improved state management. (CVE-2017-2446)
  • A memory corruption issue existed in QuickTime. This issue was addressed through improved memory handling. (CVE-2017-2413)
  • A memory corruption issue existed in the handling of .mov files. This issue was addressed through improved memory management. (CVE-2017-2431)
  • A memory corruption issue existed in the handling of zip archives. This issue was addressed through improved input validation. (CVE-2016-5636)
  • A memory corruption issue existed in the parsing of certificates. This issue was addressed through improved input validation. (CVE-2017-2485)
  • Multiple memory corruption issues were addressed through improved input validation. (CVE-2017-2430, CVE-2017-2377, CVE-2017-2398, CVE-2017-2401, CVE-2017-2405, CVE-2017-2416, CVE-2017-2432, CVE-2017-2433, CVE-2017-2435, CVE-2017-2436, CVE-2017-2437, CVE-2017-2443, CVE-2017-2462, CVE-2017-2467, CVE-2017-2473)
  • Multiple memory corruption issues were addressed through improved memory handling. (CVE-2017-2392, CVE-2017-2408, CVE-2017-2420, CVE-2017-2422, CVE-2017-2427, CVE-2017-2447, CVE-2017-5029, CVE-2017-2463)
  • A null pointer dereference was addressed through improved input validation. (CVE-2017-2388)
  • A permission issue existed in the handling of the Send Link feature of iCloud Sharing. This issue was addressed through improved permission controls. (CVE-2017-2429)
  • A prompt management issue was addressed by removing iCloud authentication prompts from the lock screen. (CVE-2017-2397)
  • A prototype access issue was addressed through improved exception handling. (CVE-2017-2386)
  • A race condition was addressed through improved locking. (CVE-2017-2478)
  • Multiple race conditions were addressed through improved memory handling. (CVE-2017-2421, CVE-2017-2456)
  • A resource exhaustion issue was addressed through improved input validation. (CVE-2017-2461)
  • A spoofing and denial-of-service issue existed in the handling of HTTP authentication. This issue was addressed through making HTTP authentication sheets non-modal. (CVE-2017-2389)
  • A spoofing issue existed in the handling of FaceTime prompts. This issue was addressed through improved input validation. (CVE-2017-2453)
  • A state issue existed in the handling of Home Control. This issue was addressed through improved validation. (CVE-2017-2434)
  • A state management issue was addressed by disabling text input until the destination page loads. (CVE-2017-2376)
  • A timing side channel allowed an attacker to recover keys. This issue was addressed by introducing constant time computation. (CVE-2016-7056)
  • A type confusion issue was addressed through improved memory handling. (CVE-2017-2415)
  • Multiple use after free issues were addressed through improved memory management. (CVE-2017-2438, CVE-2017-2441, CVE-2017-2449, CVE-2017-2471, CVE-2017-2472)
  • A validation issue existed in bookmark creation. This issue was addressed through improved input validation. (CVE-2017-2378)
  • A validation issue existed in the handling of page loading. This issue was addressed through improved logic. (CVE-2017-2367)
  • A validation issue existed in the handling of symlinks. This issue was addressed through improved validation of symlinks. (CVE-2017-2390)
  • A validation issue existed in the handling of system installation. This issue was addressed through improved handling and validation during the installation process. (CVE-2017-6974)
  • An access issue existed in Content Security Policy. This issue was addressed through improved access restrictions. (CVE-2017-2419)
  • An access issue existed in sudo. This issue was addressed through improved permissions checking. (CVE-2017-2381)
  • An access issue was addressed through improved permissions checking. (CVE-2017-2382)
  • An inconsistent user interface issue was addressed through improved state management. (CVE-2017-2486)
  • An infinite recursion was addressed through improved state management. (CVE-2017-2417)
  • An information disclosure issue existed in the processing of OpenGL shaders. This issue was addressed through improved memory management. (CVE-2017-2424)
  • An information leak existed in the handling of file URLs. This issue was addressed through improved URL handling. (CVE-2017-2426)
  • An information leakage issue was addressed through improved state management. (CVE-2017-2418)
  • An input validation issue existed in the handling of Exchange email addresses. This issue was addressed through improved input validation. (CVE-2017-2414)
  • An input validation issue existed in the kernel. This issue was addressed through improved input validation. (CVE-2017-2410)
  • An insufficient locking issue was addressed with improved state management. (CVE-2017-2452)
  • An integer overflow was addressed through improved input validation. (CVE-2017-2440)
  • An issue existed in clearing Safari cache information from SafariViewController. This issue was addressed by improving cache state handling. (CVE-2017-2400)
  • An issue existed in iOS allowing for calls without prompting. This issue was addressed by prompting a user to confirm call initiation. (CVE-2017-2484)
  • An issue existed in profile uninstallation. This issue was addressed through improved cleanup. (CVE-2017-2402)
  • An issue existed in SQLite deletion. This issue was addressed through improved SQLite cleanup. (CVE-2017-2384)
  • An issue existed in the handling of DMA. This issue was addressed by enabling VT-d in EFI. (CVE-2016-7585)
  • An issue existed when checking the tel URL before initiating calls. This issue was addressed with the addition of a confirmation prompt. (CVE-2017-2404)
  • An off-by-one issue was addressed through improved bounds checking. (CVE-2017-2474)
  • An out-of-bound read existed in LibTIFF versions before 4.0.7. This was addressed by updating LibTIFF in AKCmds to version 4.0.7. (CVE-2016-3619, CVE-2016-9533, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9538, CVE-2016-9539, CVE-2016-9540)
  • Multiple out-of-bounds read issues were addressed through improved input validation. (CVE-2017-2409, CVE-2017-2439, CVE-2017-2450)
  • An uncontrolled format string issue was addressed through improved input validation. (CVE-2017-2403)
  • An uncontrolled resource consumption issue was addressed through improved regex processing. (CVE-2016-9643)
  • A validation issue existed with cryptographic API calls. This issue was addressed through improved parameter validation. (CVE-2017-2423)
  • Multiple issues existed in Apache before 2.4.25. These were addressed by updating LibreSSL to version 2.4.25. (CVE-2016-0736, CVE-2016-2161, CVE-2016-5387, CVE-2016-8740, CVE-2016-8743)
  • Multiple issues existed in nghttp2 before 1.17.0. These were addressed by updating LibreSSL to version 1.17.0. (CVE-2017-2428)
  • Multiple issues existed in OpenSSH before version 7.4. These were addressed by updating OpenSSH to version 7.4. (CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012)
  • Multiple issues existed in PHP before 5.6.30. These were addressed by updating PHP to version 5.6.30. (CVE-2016-1015, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161, CVE-2016-9935)
  • Multiple issues existed in tcpdump before 4.9.0. These were addressed by updating tcpdump to version 4.9.0. (CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486)
  • Multiple memory corruption issues were addressed through improved input validation. (CVE-2017-2394, CVE-2017-2396, CVE-2016-9642, CVE-2017-2406, CVE-2017-2407, CVE-2017-2444, CVE-2017-2487)
  • Multiple memory corruption issues were addressed through improved memory handling. (CVE-2017-2395, CVE-2017-2454, CVE-2017-2455, CVE-2017-2457, CVE-2017-2459, CVE-2017-2460, CVE-2017-2464, CVE-2017-2465, CVE-2017-2466, CVE-2017-2468, CVE-2017-2469, CVE-2017-2470, CVE-2017-2476, CVE-2017-2481)
  • Multiple validation issues existed in the handling of page loading. These issues were addressed through improved logic. (CVE-2017-2364, CVE-2017-2442)
  • Multiple validation issues were addressed through improved input sanitization. (CVE-2017-2393)
  • Requests to iTunes sandbox web services were sent in cleartext. This was addressed by enabling HTTPS. (CVE-2017-2412)
  • Support for the 3DES cryptographic algorithm was added to the SCEP client and DES was deprecated. (CVE-2017-2380)
  • The pasteboard was encrypted with a key protected only by the hardware UID. This issue was addressed by encrypting the pasteboard with a key protected by the hardware UID and the user's passcode. (CVE-2017-2399)
  • A remote attacker may be able to cause a denial of service against the HTTP server via partial HTTP requests. This issue was addressed by adding mod_reqtimeout. (CVE-2007-6750)
  • Under certain circumstances, Secure Transport failed to validate the authenticity of OTR packets. This issue was addressed by restoring missing validation steps. (CVE-2017-2448)
  • A client certificate was sent in plaintext. This issue was addressed through improved certificate handling. (CVE-2017-2383)
  • A validation issue existed in element handling. This issue was addressed through improved validation. (CVE-2017-2479, CVE-2017-2480)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to download, accept, or execute files from un-trusted or unknown sources.

  • Apply the Principle of Least Privilege to all systems and services.
