
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2020-012

DATE(S) ISSUED:

01/28/2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Xcode, watchOS, Safari, iTunes for Windows, iOS, iPadOS, macOS, and tvOS. The most severe of these vulnerabilities could allow for arbitrary code execution.

  • tvOS is an operating system for the fourth-generation Apple TV digital media player.
  • watchOS is the mobile operating system for the Apple Watch and is based on the iOS operating system.
  • Safari is a web browser available for OS X.
  • iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
  • iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
  • macOS is a desktop operating system for Macintosh computers.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • iOS prior to 13.3.1
  • iPadOS prior to 13.3.1
  • Safari prior to 13.0.5
  • iTunes for Windows prior to 12.10.4
  • macOS Catalina prior to 10.15.3, Security Update 2020-001 Mojave, and Security Update 2020-001 High Sierra
  • tvOS prior to 13.3.1
  • watchOS prior to 6.1.2
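As an added example (not part of the MS-ISAC advisory), the check below compares an inventory of Apple devices against the fixed versions listed above. Versions are compared numerically rather than as strings, and Mojave and High Sierra are treated as patched only when Security Update 2020-001 is present, since they receive no version bump. The inventory records and hostnames are constructed sample data.

```python
# Fixed versions as stated in the advisory's SYSTEMS AFFECTED section.
FIXED_VERSIONS = {
    "iOS": "13.3.1",
    "iPadOS": "13.3.1",
    "Safari": "13.0.5",
    "iTunes for Windows": "12.10.4",
    "macOS Catalina": "10.15.3",
    "tvOS": "13.3.1",
    "watchOS": "6.1.2",
}

# Mojave and High Sierra are fixed by a named Security Update, not a version bump.
SECURITY_UPDATE = {"macOS Mojave": "2020-001", "macOS High Sierra": "2020-001"}


def parse_version(text):
    """Turn '10.15.3' into (10, 15, 3) so '13.10' sorts above '13.3.1'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product, version, security_updates=()):
    """True when the record falls inside this advisory's affected range."""
    if product in FIXED_VERSIONS:
        return parse_version(version) < parse_version(FIXED_VERSIONS[product])
    if product in SECURITY_UPDATE:
        # Patched only if the named Security Update has been installed.
        return SECURITY_UPDATE[product] not in security_updates
    return False  # product not covered by this advisory


def affected_devices(inventory):
    """Names of inventory records that still need the Apple patch."""
    return [rec["name"] for rec in inventory
            if is_affected(rec["product"], rec.get("version", "0"),
                           rec.get("security_updates", ()))]


# Constructed sample inventory (hypothetical hostnames, not real assets).
SAMPLE_INVENTORY = [
    {"name": "phone-01", "product": "iOS", "version": "13.3"},
    {"name": "phone-02", "product": "iOS", "version": "13.3.1"},
    {"name": "mac-01", "product": "macOS Catalina", "version": "10.15.2"},
    {"name": "mac-02", "product": "macOS Mojave", "version": "10.14.6",
     "security_updates": ("2019-007",)},
    {"name": "mac-03", "product": "macOS Mojave", "version": "10.14.6",
     "security_updates": ("2020-001",)},
    {"name": "watch-01", "product": "watchOS", "version": "6.1.2"},
]

if __name__ == "__main__":
    print(affected_devices(SAMPLE_INVENTORY))  # ['phone-01', 'mac-01', 'mac-02']
```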

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Safari, iTunes for Windows, iOS, iPadOS, macOS, and tvOS. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • An out-of-bounds read was addressed with improved input validation. (CVE-2020-3877)
  • Multiple issues were addressed by updating to PHP version 7.3.11. (CVE-2019-11043)
  • An issue where searching for and opening a file from an attacker-controlled NFS mount could bypass Gatekeeper was addressed with additional checks by Gatekeeper on files mounted through a network share. (CVE-2020-3866)
  • A memory corruption issue was addressed with improved input validation. (CVE-2020-3848, CVE-2020-3849, CVE-2020-3850)
  • An out-of-bounds read was addressed with improved input validation. (CVE-2020-3847)
  • A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. (CVE-2020-3835)
  • A memory corruption issue was addressed with improved input validation. (CVE-2020-3827)
  • An out-of-bounds read was addressed with improved input validation. (CVE-2020-3826, CVE-2020-3870, CVE-2020-3878)
  • A memory corruption issue was addressed with improved memory handling. (CVE-2020-3845)
  • An off-by-one issue existed in the handling of racoon configuration files. This issue was addressed through improved bounds checking. (CVE-2020-3840)
  • A validation issue was addressed with improved input sanitization. (CVE-2020-3875)
  • A memory initialization issue was addressed with improved memory handling. (CVE-2020-3872)
  • A type confusion issue was addressed with improved memory handling. (CVE-2020-3853)
  • An access issue was addressed with improved memory management. (CVE-2020-3836)
  • A memory corruption issue was addressed with improved memory handling. (CVE-2020-3842, CVE-2020-3871)
  • A buffer overflow was addressed with improved size validation. (CVE-2020-3846)
  • An out-of-bounds read was addressed with improved bounds checking. (CVE-2020-3829)
  • A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. (CVE-2020-3830)
  • A memory corruption issue was addressed with improved memory handling. (CVE-2020-3854)
  • A buffer overflow issue was addressed with improved memory handling. (CVE-2019-18634)
  • An access issue was addressed with improved access restrictions. (CVE-2020-3855)
  • A validation issue was addressed with improved input sanitization. (CVE-2020-3839)
  • A memory corruption issue was addressed with improved input validation. (CVE-2020-3843)
  • A memory corruption issue was addressed with improved memory handling. (CVE-2020-3857)
  • An issue existed in the handling of the local user's self-view. The issue was corrected with improved logic. (CVE-2020-3869)
  • A memory corruption issue was addressed with improved memory handling. (CVE-2020-3837)
  • A race condition was addressed with improved locking. (CVE-2020-3831)
  • A memory corruption issue was addressed with improved input validation. (CVE-2020-3860)
  • A memory corruption issue was addressed with improved input validation. (CVE-2020-3856)
  • An issue was addressed with improved setting propagation. (CVE-2020-3873)
  • An inconsistent user interface issue was addressed with improved state management. (CVE-2020-3859)
  • An issue was addressed with improved checks. (CVE-2020-3844)
  • A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. (CVE-2020-3828)
  • A local user may unknowingly send a password unencrypted over the network. The issue was addressed with improved UI handling. (CVE-2020-3841)
  • An issue existed in the naming of screenshots. The issue was corrected with improved naming. (CVE-2020-3874)
  • An application may be able to execute arbitrary code with system privileges. (CVE-2020-3838)
  • An inconsistent user interface issue was addressed with improved state management. (CVE-2020-3833)
  • Multiple memory corruption issues were addressed with improved memory handling. (CVE-2020-3868)

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11043
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3826
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3827
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3828
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3831
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3843
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3854
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3857
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3859
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3860
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3868
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3873
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3877
