Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 2017-091 (UPDATED)
Date(s) Issued: Thursday, September 21, 2017
Date Updated: Tuesday, September 26, 2017
Subject: Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Overview:

Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, Xcode, and Safari, the most severe of which could allow for arbitrary code execution. watchOS is the mobile operating system for the Apple Watch and is based on the iOS operating system. iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch. tvOS is an operating system for the fourth-generation Apple TV digital media player. Xcode is an integrated development environment containing a suite of software development tools developed by Apple Inc. Safari is a web browser available for OS X and Microsoft Windows.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

September 26, 2017 - UPDATED OVERVIEW:

Multiple vulnerabilities have been discovered in iCloud, macOS High Sierra, macOS Server, and iTunes, the most severe of which could allow for arbitrary code execution. iCloud is a cloud storage service. macOS High Sierra is a desktop and server operating system for Macintosh computers. macOS Server is an operating system add-on which provides additional server programs. iTunes for Windows is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected: 
  • watchOS Versions prior to 4

  • iOS Versions prior to 11

  • tvOS Versions prior to 11

  • Safari Versions prior to 11

  • Xcode Versions prior to 9

September 26, 2017 - UPDATED SYSTEMS AFFECTED:

  • iCloud for Windows Versions prior to 7.0

  • macOS Server Versions prior to 5.4

  • macOS High Sierra Versions prior to 10.13

  • iTunes Versions prior to 12.7

RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: Medium
BUSINESS
  • Large and medium business entities: High
  • Small business entities: Medium
HOME USERS
  • Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, Xcode, and Safari. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • An ssh:// URL scheme handling issue was addressed through improved input validation. (CVE-2017-1000117)
  • Multiple memory corruption issues were addressed with improved memory handling. (CVE-2017-7076, CVE-2017-7134, CVE-2017-7135, CVE-2017-7136, CVE-2017-7137)
  • An input validation issue was addressed through improved input validation. (CVE-2017-9800)
  • An inconsistent user interface issue was addressed with improved state management. (CVE-2017-7085, CVE-2017-7106)
  • A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management. (CVE-2017-7089)
  • A validation issue existed in AutoDiscover V1. This issue was addressed through requiring TLS. (CVE-2017-7088)
  • Multiple denial of service issues were addressed through improved memory handling. (CVE-2017-7072)
  • A memory corruption issue was addressed with improved validation. (CVE-2017-7097)
  • A denial of service issue was addressed through improved validation. (CVE-2017-7118)
  • A permissions issue existed. This issue was addressed with improved permission validation. (CVE-2017-7133)
  • Multiple memory corruption issues were addressed with improved memory handling. (CVE-2017-7103, CVE-2017-7105, CVE-2017-7108, CVE-2017-7110, CVE-2017-7112)
  • Multiple race conditions were addressed with improved validation. (CVE-2017-7115)
  • A validation issue was addressed with improved input sanitization. (CVE-2017-7116)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

September 26, 2017 - UPDATED DESCRIPTION:

Multiple vulnerabilities have been discovered in iCloud, macOS High Sierra, and macOS Server, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • A memory corruption issue was addressed through improved input validation. (CVE-2017-7081, CVE-2017-7127)
  • Multiple memory corruption issues were addressed with improved memory handling. (CVE-2017-7077, CVE-2017-7087, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093, CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104, CVE-2017-7107, CVE-2017-7111, CVE-2017-7114, CVE-2017-7117, CVE-2017-7120)
  • A permissions issue existed in the handling of web browser cookies. This issue was addressed by no longer returning cookies for custom URL schemes. (CVE-2017-7090)
  • Application Cache policy may be unexpectedly applied. (CVE-2017-7109)
  • An upgrade issue existed in the handling of firewall settings. This issue was addressed through improved handling of firewall settings during upgrades. (CVE-2017-7084)
  • Multiple denial of service issues were addressed through improved memory handling. (CVE-2017-7074)
  • The security state of the captive portal browser was not obvious. This issue was addressed with improved visibility of the captive portal browser security state. (CVE-2017-7143)
  • Multiple denial of service issues were addressed through improved memory handling. (CVE-2017-7083)
  • An out-of-bounds read was addressed by updating to Opus version 1.1.4. (CVE-2017-0381)
  • A permissions issue existed in the handling of the Apple ID. This issue was addressed with improved access controls. (CVE-2017-7138)
  • Multiple issues were addressed by updating to version 5.30. (CVE-2017-7121, CVE-2017-7122, CVE-2017-7123, CVE-2017-7124, CVE-2017-7125, CVE-2017-7126)
  • A validation issue existed in the handling of the KDC-REP service name. This issue was addressed through improved validation. (CVE-2017-11103)
  • A validation issue was addressed with improved input sanitization. (CVE-2017-7119)
  • A resource exhaustion issue in glob() was addressed through an improved algorithm. (CVE-2017-7086)
  • A memory consumption issue was addressed through improved memory handling. (CVE-2017-1000373)
  • Multiple issues were addressed by updating to version 2.2.1. (CVE-2016-9063, CVE-2017-9233)
  • Turning off "Load remote content in messages" did not apply to all mailboxes. This issue was addressed with improved setting propagation. (CVE-2017-7141)
  • An encryption issue existed in the handling of mail drafts. This issue was addressed with improved handling of mail drafts meant to be sent encrypted. (CVE-2017-7078)
  • Multiple issues were addressed by updating to version 4.2.8p10. (CVE-2017-6451, CVE-2017-6452, CVE-2017-6455, CVE-2017-6458, CVE-2017-6459, CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2016-9042)
  • A window management issue was addressed through improved state management. (CVE-2017-7082)
  • A certificate validation issue existed in the handling of revocation data. This issue was addressed through improved validation. (CVE-2017-7080)
  • Multiple issues were addressed by updating to version 3.19.3. (CVE-2017-10989, CVE-2017-7128, CVE-2017-7129, CVE-2017-7130)
  • Multiple issues were addressed by updating to version 1.2.11. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)
  • Multiple issues existed in FreeRADIUS before 2.2.10. These were addressed by updating FreeRADIUS to version 2.2.10. (CVE-2017-10978, CVE-2017-10979)
  • An application may be able to access iOS backups performed through iTunes. (CVE-2017-7079)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • After appropriate testing, immediately apply patches provided by Apple to vulnerable systems.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to download, accept, or execute files from untrusted or unknown sources.

  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

References: 

Apple:

https://support.apple.com/en-us/HT208103

https://support.apple.com/en-us/HT208112

https://support.apple.com/en-us/HT208113

https://support.apple.com/en-us/HT208115

https://support.apple.com/en-us/HT208116

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7072

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7076

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7085

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7088

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7089  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7097

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7103

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7105

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7106

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7108

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7110

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7112

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7115

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7116

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7118

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7133

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7134

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7135

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7136

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7137

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800

 
 

September 26, 2017 - UPDATED REFERENCES:

Apple:

https://support.apple.com/en-us/HT208102

https://support.apple.com/en-us/HT208142

https://support.apple.com/en-us/HT208144

https://support.apple.com/en-us/HT208140

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9042  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0381  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6451    

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6452  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6455  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458   

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6459  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6460  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7074  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7077  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7078  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7080  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7081  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7082  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7083  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7084  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7086  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7087  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7090  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7091  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7092  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7093  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7094  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7095  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7096  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7098  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7099  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7100  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7102  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7104  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7107  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7109  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7111  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7114  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7117  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7119  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7120  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7121  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7122  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7123  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7124  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7125  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7126  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7127  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7128  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7129  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7130  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7138  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7141  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7143  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10978  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10979  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10989  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7079