Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

ITS ADVISORY NUMBER: 
2020-013

DATE(S) ISSUED: 
Wednesday, January 29, 2020

SUBJECT: 
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Xcode, watchOS, Safari, iTunes for Windows, iOS, iPadOS, macOS, and tvOS. The most severe of these vulnerabilities could allow for arbitrary code execution. tvOS is an operating system for the fourth-generation Apple TV digital media player.  watchOS is the mobile operating system for the Apple Watch and is based on the iOS operating system.  Safari is a web browser available for OS X.  iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.  iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.  macOS is a desktop operating system for Macintosh computers. 

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED: 

  • iOS prior to 13.3.1
  • iPadOS prior to 13.3.1
  • Safari prior to 13.0.5
  • iTunes for Windows prior to 12.10.4
  • macOS Catalina prior to 10.15.3, Security Update 2020-001 Mojave, and Security Update 2020-001 High Sierra
  • tvOS prior to 13.3.1
  • watchOS prior to 6.1.2

RISK:
Government:
Large and medium government entities: High
Small government entities: High

Business:
Large and medium business entities: High
Small business entities: High

Home Users: Low

DESCRIPTION: 
Multiple vulnerabilities have been discovered in Safari, iTunes for Windows, iOS, iPadOS, macOS, and tvOS. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of these vulnerabilities are as follows: 

  • An out-of-bounds read was addressed with improved input validation. (CVE-2020-3877)
  • Multiple issues were addressed by updating to PHP version 7.3.11. (CVE-2019-11043)
  • An issue where searching for and opening a file from an attacker-controlled NFS mount could bypass Gatekeeper was addressed with additional Gatekeeper checks on files mounted through a network share. (CVE-2020-3866)
  • A memory corruption issue was addressed with improved input validation. (CVE-2020-3848, CVE-2020-3849, CVE-2020-3850)
  • An out-of-bounds read was addressed with improved input validation. (CVE-2020-3847)
  • A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. (CVE-2020-3835)
  • A memory corruption issue was addressed with improved input validation. (CVE-2020-3827)
  • An out-of-bounds read was addressed with improved input validation. (CVE-2020-3826, CVE-2020-3870, CVE-2020-3878)
  • A memory corruption issue was addressed with improved memory handling. (CVE-2020-3845)
  • An off by one issue existed in the handling of racoon configuration files. This issue was addressed through improved bounds checking. (CVE-2020-3840)
  • A validation issue was addressed with improved input sanitization. (CVE-2020-3875)
  • A memory initialization issue was addressed with improved memory handling. (CVE-2020-3872)
  • A type confusion issue was addressed with improved memory handling. (CVE-2020-3853)
  • An access issue was addressed with improved memory management. (CVE-2020-3836)
  • A memory corruption issue was addressed with improved memory handling. (CVE-2020-3842, CVE-2020-3871)
  • A buffer overflow was addressed with improved size validation. (CVE-2020-3846)
  • An out-of-bounds read was addressed with improved bounds checking. (CVE-2020-3829)
  • A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. (CVE-2020-3830)
  • A memory corruption issue was addressed with improved memory handling. (CVE-2020-3854)
  • A buffer overflow issue was addressed with improved memory handling. (CVE-2019-18634)
  • An access issue was addressed with improved access restrictions. (CVE-2020-3855)
  • A validation issue was addressed with improved input sanitization. (CVE-2020-3839)
  • A memory corruption issue was addressed with improved input validation. (CVE-2020-3843)
  • A memory corruption issue was addressed with improved memory handling. (CVE-2020-3857)
  • An issue existed in the handling of the local user's self-view. The issue was corrected with improved logic. (CVE-2020-3869)
  • A memory corruption issue was addressed with improved memory handling. (CVE-2020-3837)
  • A race condition was addressed with improved locking. (CVE-2020-3831)
  • A memory corruption issue was addressed with improved input validation. (CVE-2020-3860)
  • A memory corruption issue was addressed with improved input validation. (CVE-2020-3856)
  • This issue was addressed with improved setting propagation. (CVE-2020-3873)
  • An inconsistent user interface issue was addressed with improved state management. (CVE-2020-3859)
  • This issue was addressed with improved checks. (CVE-2020-3844)
  • A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. (CVE-2020-3828)
  • A local user may unknowingly send a password unencrypted over the network. The issue was addressed with improved UI handling. (CVE-2020-3841)
  • An issue existed in the naming of screenshots. The issue was corrected with improved naming. (CVE-2020-3874)
  • An application may be able to execute arbitrary code with system privileges. (CVE-2020-3838)
  • An inconsistent user interface issue was addressed with improved state management. (CVE-2020-3833)
  • Multiple memory corruption issues were addressed with improved memory handling. (CVE-2020-3868)

ACTIONS: 
  • After appropriate testing, immediately apply the patches provided by Apple to vulnerable systems.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
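As an added patch-status check (not part of this advisory or of any Apple tool), the POSIX shell snippet below compares an installed version against the minimum fixed versions listed under SYSTEMS AFFECTED; the thresholds come from this advisory, `sw_vers` is the stock macOS version command, and the macOS threshold assumes Catalina (Mojave and High Sierra receive Security Update 2020-001 without a version bump, so their status must be read from the installed-updates history instead).

```shell
#!/bin/sh
# Added example: verify whether an installed Apple product version is at or
# above the fixed version from ITS ADVISORY 2020-013 (SYSTEMS AFFECTED).

# version_ge A B : succeeds when dot-separated version A >= B numerically
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"          # leading component of each
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0                                 # all components equal
}

# fixed_version PRODUCT : prints the minimum fixed version from the advisory
fixed_version() {
    case "$1" in
        iOS|iPadOS|tvOS) echo 13.3.1 ;;
        Safari)          echo 13.0.5 ;;
        iTunes)          echo 12.10.4 ;;
        macOS)           echo 10.15.3 ;;     # Catalina only (see lead-in)
        watchOS)         echo 6.1.2 ;;
        *)               return 1 ;;         # product not in this advisory
    esac
}

# is_patched PRODUCT INSTALLED : 0 if patched, 1 if vulnerable, 2 if unknown
is_patched() {
    f=$(fixed_version "$1") || return 2
    version_ge "$2" "$f"
}

# On a Mac, check the running OS; elsewhere this block is skipped.
if command -v sw_vers >/dev/null 2>&1; then
    installed=$(sw_vers -productVersion)
    if is_patched macOS "$installed"; then
        echo "macOS $installed: at or above 10.15.3"
    else
        echo "macOS $installed: below 10.15.3, apply the Apple update"
    fi
fi
```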

REFERENCES: 

Apple:
https://support.apple.com/en-us/HT210918
https://support.apple.com/en-us/HT210919
https://support.apple.com/en-us/HT210920
https://support.apple.com/en-us/HT210921
https://support.apple.com/en-us/HT210922
https://support.apple.com/en-us/HT210923

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11043
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3826
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3827
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3828
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3831
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3843
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3854
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3857
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3859
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3860
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3868
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3873
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3877