Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 2020-072
Date(s) Issued: Thursday, May 28, 2020
Subject: Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in iCloud for Windows, Safari, macOS, and Windows Migration Assistant. The most severe of these vulnerabilities could allow for arbitrary code execution.

  • Safari is a web browser available for macOS.
  • macOS is a desktop operating system for Macintosh computers.
  • iCloud is a cloud storage service.
  • Windows Migration Assistant allows for migrating files from Windows to Mac.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Successful exploitation of these vulnerabilities could allow the attacker to execute remote code on the affected system.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected: 
  • macOS prior to Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra
  • Windows Migration Assistant prior to 2.2.0.0
  • Safari prior to 13.1.1
  • iCloud for Windows prior to 11.2
  • iCloud for Windows prior to 7.19
RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: High
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in iCloud for Windows, iTunes for Windows, iOS, iPadOS, Safari, watchOS, tvOS, macOS, and Xcode. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • A dynamic library loading issue was addressed with improved path searching. (CVE-2020-9858)
  • A logic issue was addressed with improved restrictions. (CVE-2020-9805, CVE-2020-9801, CVE-2020-9850, CVE-2020-9802)
  • A logic issue was addressed with improved restrictions. (CVE-2020-9805, CVE-2020-9850, CVE-2020-9802)
  • A race condition was addressed with improved state handling. (CVE-2020-9839)
  • An issue existed in the handling of environment variables. This issue was addressed with improved validation. (CVE-2019-1486)
  • A denial of service issue was addressed with improved input validation. (CVE-2020-9827, CVE-2020-9826)
  • An integer overflow was addressed with improved input validation. (CVE-2020-9841, CVE-2020-9852)
  • An out-of-bounds read was addressed with improved input validation. (CVE-2020-9832, CVE-2020-3878, CVE-2020-9828, CVE-2020-9791)
  • A type confusion issue was addressed with improved memory handling. (CVE-2020-9800)
  • A memory corruption issue was addressed with improved state management. (CVE-2020-9808, CVE-2020-9821, CVE-2020-9830)
  • An information disclosure issue was addressed by removing the vulnerable code. (CVE-2020-9797)
  • An authorization issue was addressed with improved state management. (CVE-2019-20044)
  • A logic issue existed resulting in memory corruption. This was addressed with improved state management. (CVE-2020-9813, CVE-2020-9814)
  • A double free issue was addressed with improved memory management. (CVE-2020-9844)
  • An out-of-bounds read was addressed with improved bounds checking. (CVE-2020-9815, CVE-2020-9831, CVE-2020-979, CVE-2020-9837, CVE-2020-9847)
  • A memory corruption issue was addressed with improved validation. (CVE-2020-9803)
  • A permissions issue existed. This issue was addressed with improved permission validation. (CVE-2020-9817)
  • An out-of-bounds read was addressed with improved input validation. (CVE-2020-3878)
  • An access issue was addressed with improved memory management. (CVE-2019-20503)
  • An issue existed in the parsing of URLs. This issue was addressed with improved input validation. (CVE-2020-9857)
  • A memory corruption issue was addressed with improved input validation. (CVE-2020-9834, CVE-2020-979)
  • An access issue was addressed with improved access restrictions. (CVE-2020-9851)
  • This issue was addressed with improved checks. (CVE-2020-3882, CVE-2020-9856)
  • An information disclosure issue was addressed with improved state management. (CVE-2020-9811, CVE-2020-9809, CVE-2020-9812)
  • An access issue was addressed with additional sandbox restrictions. (CVE-2020-9825)
  • A use after free issue was addressed with improved memory management. (CVE-2020-9795)
  • This issue was addressed with a new entitlement. (CVE-2020-9771)
  • A memory initialization issue was addressed with improved memory handling. (CVE-2020-9833)
  • A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. (CVE-2020-9855)
  • An out-of-bounds write issue was addressed with improved bounds checking. (CVE-2020-9789, CVE-2020-9790)
  • An out-of-bounds write issue was addressed with improved bounds checking. (CVE-2020-9822, CVE-2020-9816, CVE-2020-9790, CVE-2020-9789)
  • An entitlement parsing issue was addressed with improved parsing. (CVE-2020-9842)
  • An input validation issue was addressed with improved input validation. (CVE-2020-9843)
  • A validation issue was addressed with improved input sanitization. (CVE-2020-9792, CVE-2020-9788)
  • An out-of-bounds read was addressed with improved bounds checking. (CVE-2020-979)
  • A memory corruption issue was addressed with improved state management. (CVE-2020-9806, CVE-2020-9807)
  • A logic issue was addressed with improved restrictions. (CVE-2020-9824, CVE-2020-9804, CVE-2020-9772)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Successful exploitation of these vulnerabilities could allow the attacker to execute remote code on the affected system.

Actions: 
  • After appropriate testing, immediately apply patches provided by Apple to vulnerable systems.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
References: 

Apple:

https://support.apple.com/en-us/HT211170

https://support.apple.com/en-us/HT211177

https://support.apple.com/en-us/HT211179

https://support.apple.com/en-us/HT211181

https://support.apple.com/en-us/HT211186

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14868

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20044

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20503

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3878

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3882

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9771

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9772

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9788

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9789

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9790

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9791

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9792

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9793

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9794

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9795

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9797

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9800

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9801

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9802

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9803

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9804

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9805

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9806

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9807

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9808

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9809

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9811

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9812

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9813

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9814

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9815

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9816

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9817

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9821

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9822

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9824

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9825

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9826

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9827

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9828

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9830

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9831

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9832

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9833

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9834

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9837

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9839

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9841

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9842

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9843

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9844

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9847

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9850

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9851

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9852

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9855

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9856

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9857

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9858