Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2018-036
Date(s) Issued: 
Friday, March 30, 2018
Subject: 
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in iCloud for Windows, Safari, macOS High Sierra, Sierra, and El Capitan, iTunes, Xcode, tvOS, watchOS and iOS. The most severe of these vulnerabilities could allow for arbitrary code execution.

  • iCloud is a cloud storage service.
  • Safari is Apple's web browser for macOS (the Windows builds were discontinued in 2012 and are not covered by this update).
  • macOS High Sierra (10.13), macOS Sierra (10.12) and macOS El Capitan (10.11) are desktop and server operating systems for Macintosh computers.
  • iTunes is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple.
  • Xcode is an integrated development environment containing a suite of software development tools developed by Apple Inc.
  • tvOS is the operating system for the Apple TV (4th generation) and Apple TV 4K digital media players.
  • watchOS is the mobile operating system for the Apple Watch and is based on the iOS operating system.
  • iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

The Apple updates referenced below also include mitigations for the Spectre and Meltdown speculative-execution vulnerabilities. There are currently no reports of the vulnerabilities described in this advisory being exploited in the wild.

Systems Affected: 
  • iCloud for Windows versions prior to 7.4
  • Safari versions prior to 11.1
  • macOS High Sierra versions prior to 10.13.4
  • macOS Sierra and macOS El Capitan without Security Update 2018-002 (these releases are fixed by the security update, not by a new point version)
  • iTunes for Windows versions prior to 12.7.4
  • Xcode versions prior to 9.3
  • tvOS versions prior to 11.3
  • watchOS versions prior to 4.3
  • iOS versions prior to 11.3
Risk:

Government:
  • Large and medium government entities: High
  • Small government entities: Medium

Business:
  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low
Description: 

Multiple vulnerabilities have been discovered in iCloud for Windows, Safari, macOS High Sierra, Sierra, and El Capitan, iTunes, Xcode, tvOS, watchOS and iOS. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • A buffer overflow was addressed with improved size validation. (CVE-2018-4144)

  • A command injection issue existed in the handling of Bracketed Paste Mode. This issue was addressed through improved validation of special characters. (CVE-2018-4106)

  • A cookie management issue was addressed through improved state management. (CVE-2018-4110)

  • A cross-origin issue existed with the fetch API. This was addressed through improved input validation. (CVE-2018-4117)

  • A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation. (CVE-2018-4133)

  • A denial of service issue was addressed through improved memory handling. (CVE-2018-4142)

  • A logic issue existed resulting in memory corruption. This was addressed with improved state management. (CVE-2018-4139)

  • Multiple logic issues were addressed with improved validation. (CVE-2018-4175, CVE-2018-4176)

  • A logic issue was addressed with improved restrictions. (CVE-2017-13890)

  • Multiple memory corruption issues were addressed with improved memory handling. (CVE-2018-4101, CVE-2018-4114, CVE-2018-4118, CVE-2018-4119, CVE-2018-4120, CVE-2018-4121, CVE-2018-4122, CVE-2018-4125, CVE-2018-4127, CVE-2018-4128, CVE-2018-4129, CVE-2018-4130, CVE-2018-4132, CVE-2018-4135, CVE-2018-4143, CVE-2018-4150, CVE-2018-4161, CVE-2018-4162, CVE-2018-4163, CVE-2018-4165)

  • A memory corruption issue was addressed through improved input validation. (CVE-2018-4146)

  • An array indexing issue existed in the handling of a function in JavaScriptCore. This issue was addressed through improved checks. (CVE-2018-4113)

  • Multiple inconsistent user interface issues were addressed with improved state management. (CVE-2018-4102, CVE-2018-4116, CVE-2018-4134, CVE-2018-4174)

  • An information disclosure issue existed in the handling of alarms and timers. This issue was addressed through improved access restrictions. (CVE-2018-4123)

  • Multiple injection issues were addressed through improved input validation. (CVE-2018-4105, CVE-2018-4108)

  • An integer overflow existed in curl. This issue was addressed through improved bounds checking. (CVE-2017-8816)

  • An issue existed in CFPreferences. This issue was addressed through improved preferences cleanup. (CVE-2018-4115)

  • An issue existed in the handling of S/MIME HTML e-mail. This issue was addressed by no longer loading remote resources in S/MIME-encrypted messages by default when the message's S/MIME signature is invalid or missing. (CVE-2018-4111)

  • An issue existed in the parsing of URLs in PDFs. This issue was addressed through improved input validation. (CVE-2018-4107)

  • An out-of-bounds read was addressed through improved bounds checking. (CVE-2018-4136, CVE-2018-4160)

  • A null pointer dereference issue existed when handling Class 0 SMS messages. This issue was addressed through improved message validation. (CVE-2018-4140)

  • Multiple race conditions were addressed with additional validation. (CVE-2018-4151, CVE-2018-4152, CVE-2018-4154, CVE-2018-4155, CVE-2018-4156, CVE-2018-4157, CVE-2018-4158, CVE-2018-4166, CVE-2018-4167)

  • A state management issue existed when restoring from a backup. This issue was addressed through improved state checking during restore. (CVE-2018-4172)

  • A state management issue was addressed by disabling text input until the destination page loads. (CVE-2018-4149)

  • A validation issue existed in the handling of symlinks. This issue was addressed through improved validation of symlinks. (CVE-2018-4112)

  • Multiple validation issues were addressed with improved input sanitization. (CVE-2018-4104, CVE-2018-4138)

  • By scanning key states, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by improved state management. (CVE-2018-4131)

  • Multiple issues were addressed by updating to the version of LLVM currently shipping with Xcode. (CVE-2018-4164)

  • Safari autofill did not require explicit user interaction before taking place. The issue was addressed through improved autofill heuristics. (CVE-2018-4137)

  • The File Widget was displaying cached data when in the locked state. This issue was addressed with improved state management. (CVE-2018-4168)

  • The sysadminctl command-line tool required that passwords be passed to it as command-line arguments, potentially exposing them to other local users (command-line arguments are visible to any local process, for example through ps). This update makes the password parameter optional, and sysadminctl will prompt for the password if needed. (CVE-2018-4170)
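The Bracketed Paste Mode item above (CVE-2018-4106) describes a class of bug worth seeing end to end. Bracketed paste wraps pasted text in a begin and an end control sequence so the receiving program treats the contents as literal data rather than keystrokes; if the pasted text itself contains the end sequence, the program stops treating input as literal early and anything after it, newline included, is handled as typed input. The model below is an added example written for this advisory, not Apple's Terminal code (which is not public): the begin/end sequences are the standard ESC[200~ / ESC[201~ markers, the sanitizer is one reasonable form of the "improved validation of special characters" the advisory mentions, and the malicious paste string is constructed for the demonstration.

```python
"""Bracketed paste: how a pasted end marker breaks out, and one way to validate it."""
import re

ESC = "\x1b"
PASTE_BEGIN = ESC + "[200~"   # standard xterm bracketed-paste begin marker
PASTE_END = ESC + "[201~"     # standard bracketed-paste end marker

# Strip every C0 control character except TAB (0x09) and LF (0x0a), plus DEL.
# ESC (0x1b) is in the stripped range, so no escape sequence, including a
# smuggled PASTE_END, can survive sanitization. CR (0x0d) is stripped too, so a
# CRLF paste collapses to LF.
_CTRL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def sanitize_paste(pasted):
    """Validation step assumed for the fixed behaviour (illustrative, not Apple's code)."""
    return _CTRL_RE.sub("", pasted)


def wrap_paste_unsafe(pasted):
    """Vulnerable terminal side: forward the clipboard verbatim between the markers."""
    return PASTE_BEGIN + pasted + PASTE_END


def wrap_paste_safe(pasted):
    """Fixed terminal side: validate special characters before wrapping."""
    return PASTE_BEGIN + sanitize_paste(pasted) + PASTE_END


def split_typed_from_paste(stream):
    """Model of the receiving program (shell, editor).

    Everything between the first begin marker and the first end marker is literal
    pasted data. Whatever follows the end marker is treated as if typed at the
    keyboard, so a newline there acts as Enter and executes the line.
    Returns (literal_paste, typed_after).
    """
    if not stream.startswith(PASTE_BEGIN):
        raise ValueError("stream does not start with a bracketed-paste begin marker")
    body = stream[len(PASTE_BEGIN):]
    literal, _, typed_after = body.partition(PASTE_END)
    return literal, typed_after


# Constructed attacker-controlled clipboard contents: benign-looking text, then the
# end marker, then a command terminated by a newline (Enter).
MALICIOUS_PASTE = "echo hello" + PASTE_END + "touch /tmp/pwned\n"


def demo(pasted=MALICIOUS_PASTE):
    """Run the same paste through both terminal behaviours and report what the
    receiving program would see as typed input in each case."""
    _, unsafe_typed = split_typed_from_paste(wrap_paste_unsafe(pasted))
    _, safe_typed = split_typed_from_paste(wrap_paste_safe(pasted))
    return {
        "unsafe_typed": unsafe_typed,   # "touch /tmp/pwned\n" + stray end marker
        "safe_typed": safe_typed,       # "" : the whole paste stayed literal
    }


if __name__ == "__main__":
    for name, typed in demo().items():
        print(f"{name}: {typed!r}")
```

The point the model makes is that the receiving program cannot distinguish a genuine end marker from one that arrived inside the clipboard; only the terminal, which knows where the pasted bytes came from, is in a position to validate them, so that is where the fix has to sit.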

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • After appropriate testing, immediately apply the patches provided by Apple to vulnerable systems.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
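To act on the "Systems Affected" list and the first action above, an administrator needs to compare what is installed against the first fixed version for each product. The script below is an added example written for this advisory, not an Apple or ITS tool. The fixed-version table is transcribed from "Systems Affected"; `sw_vers`, the Safari Info.plist path and `softwareupdate --history` are real macOS commands and paths, but the way the update history is matched (by the display name "Security Update 2018-002") is an assumption, and the sample inventory passed to `assess` is constructed for the demonstration. A numeric comparison is used deliberately: a plain string compare would rank 10.13.10 below 10.13.4.

```python
"""Compare observed Apple product versions against this advisory's fixed versions."""
import re
import subprocess

# Product -> first fixed version, transcribed from "Systems Affected".
FIXED = {
    "iCloud for Windows": "7.4",
    "Safari": "11.1",
    "macOS High Sierra": "10.13.4",
    "iTunes for Windows": "12.7.4",
    "Xcode": "9.3",
    "tvOS": "11.3",
    "watchOS": "4.3",
    "iOS": "11.3",
}

# Sierra and El Capitan are fixed by a named security update rather than a new
# point version; this display name is an assumption about softwareupdate output.
SECURITY_UPDATE_NAME = "Security Update 2018-002"


def parse_version(v):
    """'10.13.4' -> (10, 13, 4). Non-numeric suffixes such as '11.3b1' are ignored."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(have, need):
    """Component-wise numeric comparison, padding the shorter tuple with zeros."""
    a, b = parse_version(have), parse_version(need)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def macos_status(product_version, installed_updates=()):
    """Classify a Mac from its sw_vers product version and its update history."""
    major = parse_version(product_version)[:2]
    if major == (10, 13):
        return "vulnerable" if version_lt(product_version, FIXED["macOS High Sierra"]) else "patched"
    if major in ((10, 12), (10, 11)):
        return "patched" if any(SECURITY_UPDATE_NAME in u for u in installed_updates) else "vulnerable"
    return "not covered by this advisory"


def assess(observed):
    """observed: {product name: version string}. Returns {product: status}."""
    result = {}
    for product, have in observed.items():
        need = FIXED.get(product)
        if need is None:
            result[product] = "not covered by this advisory"
        elif version_lt(have, need):
            result[product] = "vulnerable"
        else:
            result[product] = "patched"
    return result


def collect_macos():
    """Gather live values on a Mac. Not exercised offline; the commands are real,
    the parsing of softwareupdate --history into one update per line is best effort."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    product_version = run("sw_vers", "-productVersion").strip()
    safari = run("defaults", "read",
                 "/Applications/Safari.app/Contents/Info.plist",
                 "CFBundleShortVersionString").strip()
    history = run("softwareupdate", "--history").splitlines()
    return product_version, safari, history


if __name__ == "__main__":
    # Constructed sample inventory, e.g. from an MDM export.
    sample = {"iOS": "11.2.6", "Xcode": "9.3", "Safari": "11.0.3", "Pages": "7.0"}
    for product, status in assess(sample).items():
        print(f"{product}: {status}")
    print("macOS 10.12.6 without the update:", macos_status("10.12.6"))
    print("macOS 10.12.6 with the update:",
          macos_status("10.12.6", [f"{SECURITY_UPDATE_NAME} (10.12.6)"]))
```

Run `collect_macos()` on a Mac and feed the product version and history into `macos_status`, and the Safari version into `assess({"Safari": ...})`; for iOS, tvOS and watchOS devices the version string comes from the MDM inventory rather than from a shell.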
References: 

Apple:

https://support.apple.com/en-us/HT208692

https://support.apple.com/en-us/HT208693

https://support.apple.com/en-us/HT208694

https://support.apple.com/en-us/HT208695

https://support.apple.com/en-us/HT208696

https://support.apple.com/en-us/HT208697

https://support.apple.com/en-us/HT208698

https://support.apple.com/en-us/HT208699


CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13890

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4101

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4102

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4104

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4105

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4106

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4107

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4108

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4110

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4111

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4112

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4113

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4114

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4115

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4116

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4117

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4118

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4119

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4120

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4121

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4122

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4123

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4125

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4127

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4128

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4129

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4130

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4131

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4132

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4133

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4134

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4135

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4136

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4137

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4138

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4139

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4140

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4142

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4143

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4144

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4146

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4149

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4150

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4151

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4152

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4154

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4155

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4156

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4157

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4158

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4160

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4161

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4162

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4163

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4164

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4165

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4166

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4167

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4168

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4170

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4172

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4174

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4175

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4176