Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2020-072

DATE(S) ISSUED:

05/27/2020

OVERVIEW:

Multiple vulnerabilities have been discovered in iCloud for Windows, Safari, macOS, and Windows Migration Assistance. The most severe of these vulnerabilities could allow for arbitrary code execution.

  • Safari is a web browser available for macOS.
  • macOS is a desktop operating system for Macintosh computers.
  • iCloud is a cloud storage service.
  • Windows Migration Assistance allows for migrating files from Windows to Mac.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Successful exploitation of these vulnerabilities could allow the attacker to execute remote code on the affected system.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • macOS prior to Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra
  • Windows Migration Assistant prior to 2.2.0.0
  • Safari prior to 13.1.1
  • iCloud for Windows prior to 11.2
  • iCloud for Windows prior to 7.19
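
A version triage for the list above, added here as an example and not part of the original advisory. The inventory format, host names and status labels are assumptions, as is the rule that iCloud for Windows installs with major version 7 or lower are compared against 7.19 and all others against 11.2.

```python
# Added example: triage an inventory against the fixed versions in SYSTEMS AFFECTED.
# Assumes purely numeric dotted versions; anything else raises ValueError.

def parse(version):
    """'13.1.1' -> (13, 1, 1)"""
    return tuple(int(part) for part in version.split("."))

def older(installed, fixed):
    """True if installed < fixed, zero-padded so that 11.2 == 11.2.0."""
    a, b = parse(installed), parse(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def triage(product, version):
    v = parse(version)
    if product == "Safari":
        fixed = "13.1.1"
    elif product == "Windows Migration Assistant":
        fixed = "2.2.0.0"
    elif product == "iCloud for Windows":
        # Two release lines are listed; comparing a 7.x install against
        # 11.2 would flag a patched 7.19 as vulnerable (assumed split).
        fixed = "7.19" if v[0] <= 7 else "11.2"
    elif product == "macOS":
        # Mojave and High Sierra are fixed by Security Update 2020-003,
        # which the marketing version alone does not reveal.
        if v[:2] in ((10, 13), (10, 14)):
            return "check-security-update-2020-003"
        fixed = "10.15.5"
    else:
        return "not-covered"
    return "vulnerable" if older(version, fixed) else "patched"

# Constructed sample inventory: (host, product, installed version)
INVENTORY = [
    ("mac-01", "macOS", "10.15.4"),
    ("mac-02", "macOS", "10.14.6"),
    ("mac-03", "Safari", "13.1"),
    ("win-01", "iCloud for Windows", "7.19"),
    ("win-02", "iCloud for Windows", "10.9"),
    ("win-03", "Windows Migration Assistant", "2.2.0.0"),
]

def report(inventory):
    return [(host, product, ver, triage(product, ver)) for host, product, ver in inventory]

if __name__ == "__main__":
    for row in report(INVENTORY):
        print("%-8s %-28s %-10s %s" % row)
```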

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in iCloud for Windows, iTunes for Windows, iOS, iPadOS, Safari, watchOS, tvOS, macOS, and Xcode. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • A dynamic library loading issue was addressed with improved path searching. (CVE-2020-9858)
  • A logic issue was addressed with improved restrictions. (CVE-2020-9805, CVE-2020-9801, CVE-2020-9850, CVE-2020-9802)
  • A logic issue was addressed with improved restrictions. (CVE-2020-9805, CVE-2020-9850, CVE-2020-9802)
  • A race condition was addressed with improved state handling. (CVE-2020-9839)
  • An issue existed in the handling of environment variables. This issue was addressed with improved validation. (CVE-2019-1486)
  • A denial of service issue was addressed with improved input validation. (CVE-2020-9827, CVE-2020-9826)
  • An integer overflow was addressed with improved input validation. (CVE-2020-9841, CVE-2020-9852)
  • An out-of-bounds read was addressed with improved input validation. (CVE-2020-9832, CVE-2020-3878, CVE-2020-9828, CVE-2020-9791)
  • A type confusion issue was addressed with improved memory handling. (CVE-2020-9800)
  • A memory corruption issue was addressed with improved state management. (CVE-2020-9808, CVE-2020-9821, CVE-2020-9830)
  • An information disclosure issue was addressed by removing the vulnerable code. (CVE-2020-9797)
  • An authorization issue was addressed with improved state management. (CVE-2019-20044)
  • A logic issue existed resulting in memory corruption. This was addressed with improved state management. (CVE-2020-9813, CVE-2020-9814)
  • A double free issue was addressed with improved memory management. (CVE-2020-9844)
  • An out-of-bounds read was addressed with improved bounds checking. (CVE-2020-9815, CVE-2020-9831, CVE-2020-979, CVE-2020-9837, CVE-2020-9847)
  • A memory corruption issue was addressed with improved validation. (CVE-2020-9803)
  • A permissions issue existed. This issue was addressed with improved permission validation. (CVE-2020-9817)
  • An out-of-bounds read was addressed with improved input validation. (CVE-2020-3878)
  • An access issue was addressed with improved memory management. (CVE-2019-20503)
  • An issue existed in the parsing of URLs. This issue was addressed with improved input validation. (CVE-2020-9857)
  • A memory corruption issue was addressed with improved input validation. (CVE-2020-9834, CVE-2020-979)
  • An access issue was addressed with improved access restrictions. (CVE-2020-9851)
  • This issue was addressed with improved checks. (CVE-2020-3882, CVE-2020-9856)
  • An information disclosure issue was addressed with improved state management. (CVE-2020-9811, CVE-2020-9809, CVE-2020-9812)
  • An access issue was addressed with additional sandbox restrictions. (CVE-2020-9825)
  • A use after free issue was addressed with improved memory management. (CVE-2020-9795)
  • This issue was addressed with a new entitlement. (CVE-2020-9771)
  • A memory initialization issue was addressed with improved memory handling. (CVE-2020-9833)
  • A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. (CVE-2020-9855)
  • An out-of-bounds write issue was addressed with improved bounds checking. (CVE-2020-9789, CVE-2020-9790)
  • An out-of-bounds write issue was addressed with improved bounds checking. (CVE-2020-9822, CVE-2020-9816, CVE-2020-9790, CVE-2020-9789)
  • An entitlement parsing issue was addressed with improved parsing. (CVE-2020-9842)
  • An input validation issue was addressed with improved input validation. (CVE-2020-9843)
  • A validation issue was addressed with improved input sanitization. (CVE-2020-9792, CVE-2020-9788)
  • An out-of-bounds read was addressed with improved bounds checking. (CVE-2020-979)
  • A memory corruption issue was addressed with improved state management. (CVE-2020-9806, CVE-2020-9807)
  • A logic issue was addressed with improved restrictions. (CVE-2020-9824, CVE-2020-9804, CVE-2020-9772)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Successful exploitation of these vulnerabilities could allow the attacker to execute remote code on the affected system.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from un-trusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14868
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9789
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9802
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9809
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9811
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9813
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9816
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9817
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9821
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9822
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9824
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9825
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9826
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9827
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9828
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9831
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9832
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9843
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9852
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9857
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9858
