Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2017-088

DATE(S) ISSUED:

09/21/2017

OVERVIEW:

Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, Xcode, and Safari, the most severe of which could allow for arbitrary code execution. watchOS is the mobile operating system for the Apple Watch and is based on the iOS operating system. iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch. tvOS is an operating system for the fourth-generation Apple TV digital media player. Xcode is an integrated development environment containing a suite of software development tools developed by Apple Inc. Safari is a web browser available for OS X and Microsoft Windows.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

September 26 – UPDATED OVERVIEW:
Multiple vulnerabilities have been discovered in iCloud, macOS High Sierra, macOS Server, and iTunes, the most severe of which could allow for arbitrary code execution. iCloud is a cloud storage service. macOS High Sierra is a desktop and server operating system for Macintosh computers. macOS Server is an operating system add-on which provides additional server programs. iTunes for Windows is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • watchOS Versions prior to 4
  • iOS Versions prior to 11
  • tvOS Versions prior to 11
  • Safari Versions prior to 11
  • Xcode Versions prior to 9
  • iCloud for Windows Versions prior to 7.0
  • macOS Server Versions prior to 5.4
  • macOS High Sierra Versions prior to 10.13
  • iTunes Versions prior to 12.7
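
The thresholds above can be checked against a software inventory with a numeric version comparison, since a plain string comparison would rank iOS 9.3.5 above 11. The following is an added example, not part of the MS-ISAC advisory: the inventory rows and host names are constructed, and the inventory product name "macOS" is assumed to correspond to the entry listed above as macOS High Sierra.

```python
import csv
import io

# First non-affected version per product, copied from SYSTEMS AFFECTED.
# Assumption: the inventory reports "macOS" for the "macOS High Sierra" entry.
FIXED = {
    "watchos": "4", "ios": "11", "tvos": "11", "safari": "11", "xcode": "9",
    "icloud for windows": "7.0", "macos server": "5.4",
    "macos": "10.13", "itunes": "12.7",
}

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = """host,product,version
ws-014,iTunes,12.6.2
ws-014,iCloud for Windows,7.0
mac-203,macOS,10.12.6
mac-203,Safari,11.0
phone-77,iOS,9.3.5
build-02,Xcode,8.3.3
kiosk-05,tvOS,unknown
srv-09,OpenSSH,7.4
"""

def parse_version(text):
    """Turn '10.12.6' into (10, 12, 6); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(product, version):
    """True/False against the advisory threshold; None if it cannot be decided."""
    fixed = FIXED.get(product.strip().lower())
    if fixed is None:
        return None  # product is not covered by this advisory
    try:
        have, need = parse_version(version), parse_version(fixed)
    except ValueError:
        return None  # unparseable version string: needs manual review
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))  # pad so that 11 and 11.0 compare equal
    need += (0,) * (width - len(need))
    return have < need

def triage(inventory_csv):
    """Sort inventory rows into affected / ok / review buckets."""
    report = {"affected": [], "ok": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        verdict = is_affected(row["product"], row["version"])
        bucket = "review" if verdict is None else ("affected" if verdict else "ok")
        report[bucket].append((row["host"], row["product"], row["version"]))
    return report
```

Rows in the `review` bucket are either products outside this advisory or versions the inventory could not report, and need a manual check rather than being treated as patched.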

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, Xcode, and Safari. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • An ssh:// URL scheme handling issue was addressed through improved input validation. (CVE-2017-1000117)
  • Multiple memory corruption issues were addressed with improved memory handling. (CVE-2017-7076, CVE-2017-7134, CVE-2017-7135, CVE-2017-7136, CVE-2017-7137)
  • An input validation issue was addressed through improved input validation. (CVE-2017-9800)
  • An inconsistent user interface issue was addressed with improved state management. (CVE-2017-7085, CVE-2017-7106)
  • A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management. (CVE-2017-7089)
  • A validation issue existed in AutoDiscover V1. This issue was addressed through requiring TLS. (CVE-2017-7088)
  • Multiple denial of service issues were addressed through improved memory handling. (CVE-2017-7072)
  • A memory corruption issue was addressed with improved validation. (CVE-2017-7097)
  • A denial of service issue was addressed through improved validation. (CVE-2017-7118)
  • A permissions issue existed. This issue was addressed with improved permission validation. (CVE-2017-7133)
  • Multiple memory corruption issues were addressed with improved memory handling. (CVE-2017-7103, CVE-2017-7105, CVE-2017-7108, CVE-2017-7110, CVE-2017-7112)
  • Multiple race conditions were addressed with improved validation. (CVE-2017-7115)
  • A validation issue was addressed with improved input sanitization. (CVE-2017-7116)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

September 26 – UPDATED TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in iCloud, macOS High Sierra, and macOS Server, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • A memory corruption issue was addressed through improved input validation. (CVE-2017-7081, CVE-2017-7127)
  • Multiple memory corruption issues were addressed with improved memory handling. (CVE-2017-7077, CVE-2017-7087, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093, CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104, CVE-2017-7107, CVE-2017-7111, CVE-2017-7114, CVE-2017-7117, CVE-2017-7120)
  • A permissions issue existed in the handling of web browser cookies. This issue was addressed by no longer returning cookies for custom URL schemes. (CVE-2017-7090)
  • Application Cache policy may be unexpectedly applied. (CVE-2017-7109)
  • An upgrade issue existed in the handling of firewall settings. This issue was addressed through improved handling of firewall settings during upgrades. (CVE-2017-7084)
  • Multiple denial of service issues were addressed through improved memory handling. (CVE-2017-7074)
  • The security state of the captive portal browser was not obvious. This issue was addressed with improved visibility of the captive portal browser security state. (CVE-2017-7143)
  • Multiple denial of service issues were addressed through improved memory handling. (CVE-2017-7083)
  • An out-of-bounds read was addressed by updating to Opus version 1.1.4. (CVE-2017-0381)
  • A permissions issue existed in the handling of the Apple ID. This issue was addressed with improved access controls. (CVE-2017-7138)
  • Multiple issues were addressed by updating to version 5.30. (CVE-2017-7121, CVE-2017-7122, CVE-2017-7123, CVE-2017-7124, CVE-2017-7125, CVE-2017-7126)
  • A validation issue existed in the handling of the KDC-REP service name. This issue was addressed through improved validation. (CVE-2017-11103)
  • A validation issue was addressed with improved input sanitization. (CVE-2017-7119)
  • A resource exhaustion issue in glob() was addressed through an improved algorithm. (CVE-2017-7086)
  • A memory consumption issue was addressed through improved memory handling. (CVE-2017-1000373)
  • Multiple issues were addressed by updating to version 2.2.1. (CVE-2016-9063, CVE-2017-9233)
  • Turning off "Load remote content in messages" did not apply to all mailboxes. This issue was addressed with improved setting propagation. (CVE-2017-7141)
  • An encryption issue existed in the handling of mail drafts. This issue was addressed with improved handling of mail drafts meant to be sent encrypted. (CVE-2017-7078)
  • Multiple issues were addressed by updating to version 4.2.8p10. (CVE-2017-6451, CVE-2017-6452, CVE-2017-6455, CVE-2017-6458, CVE-2017-6459, CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2016-9042)
  • A window management issue was addressed through improved state management. (CVE-2017-7082)
  • A certificate validation issue existed in the handling of revocation data. This issue was addressed through improved validation. (CVE-2017-7080)
  • Multiple issues were addressed by updating to version 3.19.3. (CVE-2017-10989, CVE-2017-7128, CVE-2017-7129, CVE-2017-7130)
  • Multiple issues were addressed by updating to version 1.2.11. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)
  • Multiple issues existed in FreeRADIUS before 2.2.10. These were addressed by updating FreeRADIUS to version 2.2.10. (CVE-2017-10978, CVE-2017-10979)
  • An application may be able to access iOS backups performed through iTunes. (CVE-2017-7079)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7072 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7076 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7085 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7088 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7089 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7097 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7103 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7105 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7106 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7108 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7110 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7112 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7115 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7116 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7118 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7133 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7134 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7135 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7136 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7137 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9042 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0381 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6451 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6452 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6455 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6459 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6460 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7074 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7077 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7078 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7080 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7081 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7082 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7083 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7084 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7086 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7087 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7090 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7091 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7092 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7093 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7094 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7095 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7096 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7098 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7099 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7100 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7102 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7104 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7107 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7109 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7111 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7114 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7117 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7119 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7120 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7121 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7122 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7123 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7124 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7125 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7126 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7127 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7128 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7129 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7130 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7138 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7141 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7143 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10978 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10979 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10989 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7079
