Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 2018-109
Date(s) Issued: Wednesday, October 31, 2018
Subject: Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in iTunes, iCloud for Windows, Safari, macOS High Sierra, Sierra, and El Capitan, watchOS, tvOS, and iOS. The most severe of these vulnerabilities could allow for arbitrary code execution.

  • Safari is a web browser available for OS X.

  • iCloud is a cloud storage service.

  • iTunes is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple.

  • watchOS is the mobile operating system for the Apple Watch and is based on the iOS operating system.

  • iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.

  • tvOS is an operating system for the fourth-generation Apple TV digital media player.

  • Mojave is a desktop and server operating system for Macintosh computers.

  • High Sierra is a desktop and server operating system for Macintosh computers.

  • Sierra is a desktop and server operating system for Macintosh computers. 

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected: 
  • Safari versions prior to 12.0.1

  • iCloud for Windows prior to Version 7.8

  • iTunes versions prior to 12.9.1

  • watchOS versions prior to 5.1

  • iOS versions prior to 12.1

  • tvOS versions prior to 12.1

  • macOS Mojave versions prior to 10.14.1

  • macOS Sierra versions prior to 10.12.6, Security Update 2018-005

  • macOS High Sierra versions prior to 10.13.6, Security Update 2018-001

RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: Medium
BUSINESS
Large and medium business entities: High
Small business entities: Medium
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in Safari, iCloud, iTunes, watchOS, iOS, tvOS, Mojave, High Sierra, and Sierra. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of these vulnerabilities are as follows:  

  • A buffer overflow was addressed with improved size validation. (CVE-2018-4424)

  • A configuration issue was addressed with additional restrictions. (CVE-2018-4342)

  • A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation. (CVE-2018-4377)

  • Denial of service issues were addressed with improved validation. (CVE-2018-4304, CVE-2018-4368, CVE-2018-4406)

  • A lock screen issue allowed access to photos via Reply With Message on a locked device. This issue was addressed with improved state management. (CVE-2018-4387)

  • A lock screen issue allowed access to the share function on a locked device. This issue was addressed by restricting options offered on a locked device. (CVE-2018-4388)

  • Logic issues were addressed with improved state management. (CVE-2018-4369, CVE-2018-4385)

  • Logic issues were addressed with improved validation. (CVE-2018-4374, CVE-2018-4423)

  • Memory corruption issues were addressed with improved input validation. (CVE-2018-4350, CVE-2018-4366, CVE-2018-4367, CVE-2018-4384, CVE-2018-4394, CVE-2018-4408, CVE-2018-4410, CVE-2018-4411, CVE-2018-4412)

  • Memory corruption issues were addressed with improved memory handling. (CVE-2018-4126, CVE-2018-4326, CVE-2018-4331, CVE-2018-4334, CVE-2018-4340, CVE-2018-4341, CVE-2018-4354, CVE-2018-4393, CVE-2018-4401, CVE-2018-4402, CVE-2018-4415, CVE-2018-4419, CVE-2018-4422, CVE-2018-4425, CVE-2018-4426, CVE-2018-4427, CVE-2018-4259, CVE-2018-4286, CVE-2018-4287, CVE-2018-4288, CVE-2018-4291, CVE-2018-4372, CVE-2018-4373, CVE-2018-4375, CVE-2018-4376, CVE-2018-4382, CVE-2018-4386, CVE-2018-4392, CVE-2018-4416)

  • Memory corruption issues were addressed with improved validation. (CVE-2018-4378, CVE-2018-4407)

  • A memory corruption issue was addressed by removing the vulnerable code. (CVE-2018-4420)

  • A memory corruption issue was addressed with improved input validation. (CVE-2018-4350, CVE-2018-4408)

  • A memory corruption vulnerability was addressed with improved locking. (CVE-2018-4242)

  • A memory initialization issue was addressed with improved memory handling. (CVE-2018-4413)

  • An access issue existed with privileged API calls. This issue was addressed with additional restrictions. (CVE-2018-4399)

  • An access issue was addressed with additional sandbox restrictions. (CVE-2018-4310)

  • Inconsistent user interface issues were addressed with improved state management. (CVE-2018-4389, CVE-2018-4390, CVE-2018-4391)

  • An information disclosure issue was addressed by flushing the L1 data cache at the virtual machine entry. (CVE-2018-3646)

  • An information disclosure issue was addressed with a microcode update. This ensures that implementation-specific system registers cannot be leaked via a speculative execution side-channel. (CVE-2018-3640)

  • An information disclosure issue was addressed with a microcode update. This ensures that older data read from recently-written-to addresses cannot be read via a speculative side-channel. (CVE-2018-3639)

  • An injection issue was addressed with improved validation. (CVE-2018-4153)

  • An input validation issue was addressed with improved input validation. (CVE-2018-4295)

  • An issue existed in the method for determining prime numbers. This issue was addressed by using pseudorandom bases for testing of primes. (CVE-2018-4398)

  • An out-of-bounds read was addressed with improved bounds checking. (CVE-2018-4203, CVE-2018-4308, CVE-2018-4365)

  • An out-of-bounds read was addressed with improved input validation. (CVE-2018-4371)

  • A resource exhaustion issue was addressed with improved input validation. (CVE-2018-4409)

  • A validation issue existed which allowed local file access. This was addressed with input sanitization. (CVE-2018-4346)

  • Validation issues were addressed with improved input sanitization. (CVE-2018-4396, CVE-2018-4417, CVE-2018-4418)

  • Validation issues were addressed with improved logic. (CVE-2018-4348, CVE-2018-4400)

  • Multiple issues in Perl were addressed with improved memory handling. (CVE-2017-12613, CVE-2017-12618, CVE-2018-6797)

  • Multiple issues in Ruby were addressed in this update. (CVE-2017-0898, CVE-2017-10784, CVE-2017-14033, CVE-2017-14064, CVE-2017-17405, CVE-2017-17742, CVE-2018-6914, CVE-2018-8777, CVE-2018-8778, CVE-2018-8779, CVE-2018-8780)

  • This issue was addressed by removing additional entitlements. (CVE-2018-4403)

  • This issue was addressed with improved checks. (CVE-2018-4395) 

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
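The fix noted for CVE-2018-4398 (pseudorandom bases for testing of primes) can be illustrated with a generic Miller-Rabin test. This is an added example, not Apple's code; the advisory does not name the algorithm, so Miller-Rabin, the function names and the base set (2, 3, 5, 7) are assumptions chosen for illustration.

```python
import random

def _passes(n, a, d, s):
    """One Miller-Rabin round: True if base a does NOT expose n as composite."""
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False

def miller_rabin(n, bases):
    """True if odd n > 3 is a strong probable prime to every base in [2, n-2]."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    return all(_passes(n, a, d, s) for a in bases)

def is_prime_fixed(n):
    """Weak pattern (assumed): the bases are constants known in advance."""
    if n < 11 or n % 2 == 0:
        return n in (2, 3, 5, 7)
    return miller_rabin(n, (2, 3, 5, 7))

def is_prime_random(n, rounds=40, rng=None):
    """Hardened pattern: bases are drawn fresh for every call."""
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    rng = rng or random.SystemRandom()
    return miller_rabin(n, [rng.randrange(2, n - 1) for _ in range(rounds)])

# 3215031751 = 151 * 751 * 28351 is composite, yet it is a strong
# pseudoprime to bases 2, 3, 5 and 7 (a published number-theory result).
PSEUDOPRIME = 151 * 751 * 28351

if __name__ == "__main__":
    print("fixed bases say prime: ", is_prime_fixed(PSEUDOPRIME))
    print("random bases say prime:", is_prime_random(PSEUDOPRIME))
```

With fixed bases the outcome for a given input never changes, so a composite that passes once passes always; with fresh random bases each round independently rejects a composite with probability of at least 3/4.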

Actions: 
  • After appropriate testing, immediately apply patches provided by Apple to vulnerable systems.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to download, accept, or execute files from untrusted or unknown sources.

  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

  • Apply the Principle of Least Privilege to all systems and services.
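
To find the systems that still need the patches, an asset inventory can be compared against the fixed versions listed under Systems Affected. The following is an added example, not part of the original advisory; the inventory rows, hostnames and function names are constructed for illustration.

```python
# Fixed versions as listed under "Systems Affected" in this advisory.
FIXED = {
    "Safari": "12.0.1",
    "iCloud for Windows": "7.8",
    "iTunes": "12.9.1",
    "watchOS": "5.1",
    "iOS": "12.1",
    "tvOS": "12.1",
    "macOS Mojave": "10.14.1",
}
# Fixed by a Security Update on an unchanged version number: the version
# string alone cannot prove the host is patched.
FIXED_BY_UPDATE = {
    "macOS Sierra": ("10.12.6", "Security Update 2018-005"),
    "macOS High Sierra": ("10.13.6", "Security Update 2018-001"),
}

def parse(version, width=4):
    """'12.1' -> (12, 1, 0, 0) so that 12.1 and 12.1.0 compare equal."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def triage(product, version):
    """Return 'affected', 'patched', 'verify <update>' or 'unknown'."""
    if product in FIXED:
        return "affected" if parse(version) < parse(FIXED[product]) else "patched"
    if product in FIXED_BY_UPDATE:
        base, update = FIXED_BY_UPDATE[product]
        if parse(version) < parse(base):
            return "affected"
        return "verify " + update
    return "unknown"

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("mac-01", "macOS Mojave", "10.14"),
    ("mac-02", "macOS High Sierra", "10.13.6"),
    ("phone-07", "iOS", "12.1.0"),
    ("win-12", "iTunes", "12.9.0"),
    ("win-12", "iCloud for Windows", "7.8"),
]

def report(inventory):
    return [(host, product, triage(product, version))
            for host, product, version in inventory]

if __name__ == "__main__":
    for row in report(INVENTORY):
        print(*row, sep="\t")
```

Hosts reported as "verify ..." are on the final Sierra or High Sierra point release, so the named Security Update has to be confirmed from the host's installed-update history rather than from the version string.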

References: 

Apple:
https://support.apple.com/en-us/HT209192
https://support.apple.com/en-us/HT209193
https://support.apple.com/en-us/HT209194
https://support.apple.com/en-us/HT209195
https://support.apple.com/en-us/HT209196
https://support.apple.com/en-us/HT209197
https://support.apple.com/en-us/HT209198

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12613
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12618
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14033
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17405
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3640
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4153
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4259
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4310
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4341
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4350
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4366
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4367
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4369
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4391
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4395
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4413
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6914
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8779
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8780