Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 2017-109
Date(s) Issued: Wednesday, November 1, 2017
Subject: Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in iCloud for Windows, iOS, iTunes for Windows, macOS High Sierra, Sierra, El Capitan, Safari, tvOS and watchOS, the most severe of which could allow for arbitrary code execution. iCloud is a cloud storage service. iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch. iTunes is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple. macOS High Sierra, Sierra and El Capitan are desktop and server operating systems for Macintosh computers. Safari is a web browser available for OS X and Microsoft Windows. tvOS is an operating system for the fourth-generation Apple TV digital media player. watchOS is the mobile operating system for the Apple Watch and is based on the iOS operating system.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • iCloud for Windows Versions prior to 7.1

  • iOS Versions prior to 11.1

  • iTunes for Windows Versions prior to 12.7.1

  • macOS High Sierra Versions prior to 10.13.1, Security Update 2017-001 Sierra, Security Update 2017-004 El Capitan

  • Safari Versions prior to 11.1

  • tvOS Versions prior to 11.1

  • watchOS Versions prior to 4.1
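
The version thresholds above can be checked against an asset inventory. The following Python is an added example, not part of the original advisory: it compares installed versions with the fixed versions listed above component by component, because a plain string comparison would rate iOS 9.3.5 as newer than 11.1. The inventory rows, host names and function names are constructed for illustration.

```python
from itertools import zip_longest

# Fixed versions, copied from the "Systems Affected" list of this advisory.
# Sierra and El Capitan are identified there by security update rather than
# by a version threshold, so they need a separate check and are not listed.
FIXED = {
    "iCloud for Windows": "7.1",
    "iOS": "11.1",
    "iTunes for Windows": "12.7.1",
    "macOS High Sierra": "10.13.1",
    "Safari": "11.1",
    "tvOS": "11.1",
    "watchOS": "4.1",
}

def parse_version(text):
    """'10.13.1' -> (10, 13, 1); raises ValueError on non-numeric input."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def is_older(installed, fixed):
    """True if installed < fixed; missing components count as 0 (10.13 == 10.13.0)."""
    for a, b in zip_longest(parse_version(installed), parse_version(fixed), fillvalue=0):
        if a != b:
            return a < b
    return False

def triage(inventory):
    """inventory: iterable of (host, product, version). Returns rows needing action."""
    findings = []
    for host, product, version in inventory:
        fixed = FIXED.get(product)
        if fixed is None:
            findings.append((host, product, version, "no version threshold, check manually"))
            continue
        try:
            vulnerable = is_older(version, fixed)
        except ValueError:
            findings.append((host, product, version, "unparseable version, check manually"))
            continue
        if vulnerable:
            findings.append((host, product, version, f"update to {fixed} or later"))
    return findings

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("mac-01", "macOS High Sierra", "10.13"),
    ("mac-02", "macOS High Sierra", "10.13.1"),
    ("win-01", "iTunes for Windows", "12.7.1.14"),
    ("win-02", "iCloud for Windows", "7.0.1"),
    ("ipad-07", "iOS", "11.0.3"),
    ("iphone-2", "iOS", "9.3.5"),
    ("watch-3", "watchOS", "4.1"),
    ("mac-03", "macOS Sierra", "10.12.6"),
    ("tv-01", "tvOS", "11.1b"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```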

RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: Medium
BUSINESS
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in watchOS, iOS, tvOS, Xcode, and Safari. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • Multiple memory corruption issues were addressed with improved memory handling. (CVE-2017-7132, CVE-2017-13784, CVE-2017-13785, CVE-2017-13783, CVE-2017-13788, CVE-2017-13795, CVE-2017-13799, CVE-2017-13800, CVE-2017-13802, CVE-2017-13792, CVE-2017-13791, CVE-2017-13798, CVE-2017-13796, CVE-2017-13793, CVE-2017-13794, CVE-2017-13803, CVE-2017-13807, CVE-2017-13824, CVE-2017-13825, CVE-2017-13811, CVE-2017-13830, CVE-2017-13843, CVE-2017-13808, CVE-2017-13838, CVE-2017-13849)

  • A denial of service issue was addressed through improved memory handling. (CVE-2017-13849)

  • A lock screen issue allowed access to photos via Reply With Message on a locked device. This issue was addressed with improved state management. (CVE-2017-13844)

  • An issue existed with Siri permissions. This was addressed with improved permissions. (CVE-2017-13805)

  • A path handling issue was addressed with improved validation. (CVE-2017-13804)

  • The characters in a secure text field were revealed during focus change events. This issue was addressed through improved state management. (CVE-2017-7113)

  • A protocol security issue was addressed by enabling TLS 1.1 and TLS 1.2. (CVE-2017-13832)

  • Multiple issues were addressed by updating to Apache version 2.4.27. (CVE-2016-0736, CVE-2016-2161, CVE-2016-5387, CVE-2016-8740, CVE-2016-8743, CVE-2017-3167, CVE-2017-3169, CVE-2017-7659, CVE-2017-7668, CVE-2017-7679, CVE-2017-9788, CVE-2017-9789)

  • An issue existed in the handling of DMA. This issue was addressed by limiting the time the FileVault decryption buffers are DMA mapped to the duration of the I/O operation. (CVE-2017-13786)

  • A validation issue was addressed with improved input sanitization. (CVE-2017-13809)

  • Multiple memory corruption issues were addressed with improved input validation. (CVE-2017-13820, CVE-2017-13834)

  • An out-of-bounds read was addressed with improved bounds checking. (CVE-2017-1000100, CVE-2017-1000101)

  • A validation issue existed which allowed local file access. This was addressed with input sanitization. (CVE-2017-13801)

  • Multiple issues were addressed by updating to file version 5.31. (CVE-2017-13815)

  • An inconsistent user interface issue was addressed with improved state management. (CVE-2017-13828)

  • A validation issue existed in the handling of the KDC-REP service name. This issue was addressed through improved validation. (CVE-2017-11103)

  • A cross-site scripting issue existed in HelpViewer. This issue was addressed by removing the affected file. (CVE-2017-13819)

  • An information disclosure issue existed in the processing of disk images. This issue was addressed through improved memory management. (CVE-2017-13831)

  • A permissions issue existed in kernel packet counters. This issue was addressed through improved permission validation. (CVE-2017-13810)

  • An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation. (CVE-2017-13817)

  • A validation issue was addressed with improved input sanitization. (CVE-2017-13818, CVE-2017-13836, CVE-2017-13841, CVE-2017-13840, CVE-2017-13842, CVE-2017-13782)

  • A buffer overflow issue was addressed through improved memory handling. (CVE-2017-13813, CVE-2017-13816)

  • Multiple memory corruption issues existed in libarchive. These issues were addressed through improved input validation. (CVE-2017-13812)

  • Multiple validation issues were addressed with improved input sanitization. (CVE-2016-4736, CVE-2017-13821, CVE-2017-13822, CVE-2017-13823)

  • Multiple issues were addressed by updating to PCRE version 8.40. (CVE-2017-13846)

  • Multiple issues were addressed by updating to Postfix version 3.2.2. (CVE-2017-13826)

  • Multiple issues were addressed by updating to tcpdump version 4.9.2. (CVE-2017-11108, CVE-2017-11541, CVE-2017-11542, CVE-2017-11543, CVE-2017-12893, CVE-2017-12894, CVE-2017-12895, CVE-2017-12896, CVE-2017-12897, CVE-2017-12898, CVE-2017-12899, CVE-2017-12900, CVE-2017-12901, CVE-2017-12902, CVE-2017-12985, CVE-2017-12986, CVE-2017-12987, CVE-2017-12988, CVE-2017-12989, CVE-2017-12990, CVE-2017-12991, CVE-2017-12992, CVE-2017-12993, CVE-2017-12994, CVE-2017-12995, CVE-2017-12996, CVE-2017-12997, CVE-2017-12998, CVE-2017-12999, CVE-2017-13000, CVE-2017-13001, CVE-2017-13002, CVE-2017-13003, CVE-2017-13004, CVE-2017-13005, CVE-2017-13006, CVE-2017-13007, CVE-2017-13008, CVE-2017-13009, CVE-2017-13010, CVE-2017-13011, CVE-2017-13012, CVE-2017-13013, CVE-2017-13014, CVE-2017-13022, CVE-2017-13023, CVE-2017-13024, CVE-2017-13025, CVE-2017-13026, CVE-2017-13027, CVE-2017-13028, CVE-2017-13029, CVE-2017-13030, CVE-2017-13031, CVE-2017-13032, CVE-2017-13033, CVE-2017-13034, CVE-2017-13035, CVE-2017-13036, CVE-2017-13037, CVE-2017-13038, CVE-2017-13039, CVE-2017-13040, CVE-2017-13041, CVE-2017-13042, CVE-2017-13043, CVE-2017-13044, CVE-2017-13045, CVE-2017-13046, CVE-2017-13047, CVE-2017-13048, CVE-2017-13049, CVE-2017-13050, CVE-2017-13051, CVE-2017-13052, CVE-2017-13053, CVE-2017-13054, CVE-2017-13055, CVE-2017-13687, CVE-2017-13688, CVE-2017-13689, CVE-2017-13690, CVE-2017-13725, CVE-2017-13015, CVE-2017-13016, CVE-2017-13017, CVE-2017-13018, CVE-2017-13019, CVE-2017-13020, CVE-2017-13021)

  • A logic issue existed in the handling of state transitions. This was addressed with improved state management. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080)

  • An inconsistent user interface issue was addressed with improved state management. (CVE-2017-13790, CVE-2017-13789)

  • A denial of service issue was addressed through improved memory handling. (CVE-2017-13799)

Actions: 
  • After appropriate testing, immediately apply patches provided by Apple to vulnerable systems.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to download, accept, or execute files from untrusted or unknown sources.

  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

References: 

Apple:

https://support.apple.com/en-us/HT208219

https://support.apple.com/en-us/HT208220

https://support.apple.com/en-us/HT208221

https://support.apple.com/en-us/HT208222

https://support.apple.com/en-us/HT208223

https://support.apple.com/en-us/HT208224

https://support.apple.com/en-us/HT208225

 
