ID

VAR-201808-1004

CVE

CVE-2018-5383

TITLE

Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange

DESCRIPTION

Bluetooth firmware or operating system software drivers in macOS versions before 10.13, High Sierra and iOS versions before 11.4, and Android versions before the 2018-06-05 patch may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device. Insufficient encryption processing (CWE-325) - CVE-2018-5383 Bluetooth Then, elliptic curve Diffie-Hellman key sharing (ECDH) It defines a device pairing mechanism based on technology. In this method, each pair to be paired prepares a key pair consisting of a private key and a public key. When pairing starts, each other's public key is exchanged, and each private key is generated using the private key of the other party and the public key of the other party. The parameters of the elliptic curve encryption to be used must be agreed in advance. Bluetooth The specification recommends that you verify that the public key you received from the other party is appropriate, but it was not required. "Invalid Curve Attack" Or "Invalid Point Attack" In an attack technique called, it is pointed out that searching for a secret key is much easier if a shared key is generated without confirming that the public key received from the other party is appropriate. It is. Some implementations process without verifying the public key received from the other party, Bluetooth If a public key crafted by a third party that exists within the communication distance of is injected, there is a possibility that the secret key is obtained with a high probability. As a result, there is a possibility that the communication contents will be obtained or altered. Secure Connections Pairing Mode and Simple Secure Paring Both modes are affected. Bluetooth SIG Let's make it necessary to verify the received public key. Bluetooth While updating the specifications of Bluetooth Qualification Program Added a test item in this case. Bluetooth SIG See the announcement. Bluetooth SIG Announcement https://www.bluetooth.com/news/unknown/2018/07/bluetooth-sig-security-updateBluetooth Man-in-the-middle attack by third parties within the communication range (man-in-the-middle attack) If this is done, you may be able to obtain the private key used by the device. As a result, communication content between devices may be obtained or falsified. Bluetooth is a wireless technology standard that enables short-range data exchange between fixed and mobile devices and personal area networks in buildings. The following systems are affected: macOS prior to 10.13; macOS High Sierra prior to 11.4; iOS prior to 11.4; Android prior to Patch 2018-06-05. ========================================================================= Ubuntu Security Notice USN-4095-1 August 13, 2019 linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services (AWS) systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Details: Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information. (CVE-2018-5383) It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126) Andrei Vlad Lutas and Dan Lutas discovered that some x86 processors incorrectly handle SWAPGS instructions during speculative execution. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-1125) Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2019-11599) It was discovered that the PowerPC dlpar implementation in the Linux kernel did not properly check for allocation errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-12614) Jann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272) It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: linux-image-4.4.0-1054-kvm 4.4.0-1054.61 linux-image-4.4.0-1090-aws 4.4.0-1090.101 linux-image-4.4.0-1118-raspi2 4.4.0-1118.127 linux-image-4.4.0-1122-snapdragon 4.4.0-1122.128 linux-image-4.4.0-159-generic 4.4.0-159.187 linux-image-4.4.0-159-generic-lpae 4.4.0-159.187 linux-image-4.4.0-159-lowlatency 4.4.0-159.187 linux-image-4.4.0-159-powerpc-e500mc 4.4.0-159.187 linux-image-4.4.0-159-powerpc-smp 4.4.0-159.187 linux-image-4.4.0-159-powerpc64-emb 4.4.0-159.187 linux-image-4.4.0-159-powerpc64-smp 4.4.0-159.187 linux-image-aws 4.4.0.1090.94 linux-image-generic 4.4.0.159.167 linux-image-generic-lpae 4.4.0.159.167 linux-image-kvm 4.4.0.1054.54 linux-image-lowlatency 4.4.0.159.167 linux-image-powerpc-e500mc 4.4.0.159.167 linux-image-powerpc-smp 4.4.0.159.167 linux-image-powerpc64-emb 4.4.0.159.167 linux-image-powerpc64-smp 4.4.0.159.167 linux-image-raspi2 4.4.0.1118.118 linux-image-snapdragon 4.4.0.1122.114 linux-image-virtual 4.4.0.159.167 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://usn.ubuntu.com/4095-1 CVE-2018-5383, CVE-2019-10126, CVE-2019-1125, CVE-2019-11599, CVE-2019-12614, CVE-2019-13272, CVE-2019-3846, CVE-2019-9503 Package Information: https://launchpad.net/ubuntu/+source/linux/4.4.0-159.187 https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1090.101 https://launchpad.net/ubuntu/+source/linux-kvm/4.4.0-1054.61 https://launchpad.net/ubuntu/+source/linux-raspi2/4.4.0-1118.127 https://launchpad.net/ubuntu/+source/linux-snapdragon/4.4.0-1122.128 . CVE-2018-4249: Kevin Backhouse of Semmle Ltd. CVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. CVE-2018-4199: Alex Plaskett, Georgi Geshev, Fabi Beterke, and Nils of MWR Labs working with Trend Micro's Zero Day Initiative WebKit Available for: Apple TV 4K and Apple TV (4th generation) Impact: Visiting a maliciously crafted website may leak sensitive data Description: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2018-9-17-1 iOS 12 iOS 12 is now available and addresses the following: Accounts Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local app may be able to read a persistent account identifier Description: This issue was addressed with improved entitlements. CVE-2018-4322: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc. Bluetooth Available for: iPhone SE, iPhone 6s, iPhone 6s Plus, iPhone 7, iPhone 7 Plus, iPad Mini 4, 12.9-inch iPad Pro 1st generation, 12.9-inch iPad Pro 2nd generation, 10.5-inch iPad Pro, 9.7-inch iPad Pro, iPad 5th generation, and iPod Touch 6th generation Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation. CVE-2018-5383: Lior Neumann and Eli Biham Core Bluetooth Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4330: Apple CoreMedia Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An app may be able to learn information about the current camera view before being granted camera access Description: A permissions issue existed. This issue was addressed with improved permission validation. CVE-2018-4356: an anonymous researcher IOMobileFrameBuffer Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4335: Brandon Azad iTunes Store Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An attacker in a privileged network position may be able to spoof password prompts in the iTunes Store Description: An input validation issue was addressed with improved input validation. CVE-2018-4305: Jerry Decime Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: An input validation issue existed in the kernel. This issue was addressed with improved input validation. CVE-2018-4363: Ian Beer of Google Project Zero Messages Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to discover a user's deleted messages Description: A consistency issue existed in the handling of application snapshots. The issue was addressed with improved handling of message deletions. CVE-2018-4313: 11 anonymous researchers, David Scott, Enes Mert Ulu of Abdullah MA1/4rAide AzA1/4nenek Anadolu Lisesi - Ankara/TA1/4rkiye, Mehmet Ferit DaAtan of Van YA1/4zA1/4ncA1/4 YA+-l University, Metin Altug Karakaya of Kaliptus Medical Organization, Vinodh Swami of Western Governor's University (WGU) Notes Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to discover a user's deleted notes Description: A consistency issue existed in the handling of application snapshots. The issue was addressed with improved handling of notes deletions. CVE-2018-4352: an anonymous researcher Safari Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be able to discover websites a user has visited Description: A consistency issue existed in the handling of application snapshots. The issue was addressed with improved handling of application snapshots. CVE-2018-4313: 11 anonymous researchers, David Scott, Enes Mert Ulu of Abdullah MA1/4rAide AzA1/4nenek Anadolu Lisesi - Ankara/TA1/4rkiye, Mehmet Ferit DaAtan of Van YA1/4zA1/4ncA1/4 YA+-l University, Metin Altug Karakaya of Kaliptus Medical Organization, Vinodh Swami of Western Governor's University (WGU) Safari Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A user may be unable to delete browsing history items Description: Clearing a history item may not clear visits with redirect chains. The issue was addressed with improved data deletion. CVE-2018-4329: Hugo S. Diaz (coldpointblue) Safari Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious website may be able to exfiltrate autofilled data in Safari Description: A logic issue was addressed with improved state management. CVE-2018-4307: Rafay Baloch of Pakistan Telecommunications Authority SafariViewController Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2018-4362: Jun Kokatsu (@shhnjk) Security Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm Description: This issue was addressed by removing RC4. CVE-2016-1777: Pepi Zawodsky Status Bar Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A person with physical access to an iOS device may be able to determine the last used app from the lock screen Description: A logic issue was addressed with improved restrictions. CVE-2018-4325: Brian Adeloye Wi-Fi Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4338: Lee @ SECLAB, Yonsei University working with Trend Micro's Zero Day Initiative Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 12". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAluf5GIACgkQeC9tht7T K3G2mg//QBqaVSeHLeqL489OJmSvBtudWIDY1GhHJ5Xc8ox3ILDNLVZeBU+DIpqr Fb/slmBKhNM69CPf2fGC/Af2h3ZbUYVoANoyWfH+A/PYzFV726w5WHaq4QZndauO urHsrE/lH8CvDFS6lzp0OdGV5hVIGQ3hoYiF0lYmIdzCDQYwvFp+pn2I3b37Io8K 5/cjRiYp+uq2NAKLm6hx8yq0NtYAQyQTsk6ZAsGlilmydLJDGnaeJE80wk7EBd8f rkdtqzs5B5ohHVYLcoGgMUrE7qyLpqwXjkfIJO8bkk1IqlbMwjmhOJVRPaHWtj5Y 8Ouc2ebMfpFimk9+ODBUYMCsQJgQw8P6pW3gfSpiheIOPc65KzoaAdg+nOfmPwJK LR9CDMJauwYHf1I2RrMzDBflV1HIPurYciHBZKn6IH4f3KNIu5PGNTnHFgln6MxT D11WXuxNfvc2B1hRIRHXD2OB1+rh5Q+tkb+AEauHzIFWgl7otx6EZhiu7W8Mxa22 k6s/Fo1UZI1GbnNjU9ugEumxH8w0WQNQZOOH3FI07aA7F2FVcTVXL4uaIoHzZR0N ZmC/RvsQNGmw8L+DRWedEHda/rieAgMHkJxrjF0Day9PqY50YL7F+7qaw2J6Tmpo r5jDothh/1TQbkE5G8oOaT3Y3iOtDcMqh0T7jRxIP7awQMKce9M= =1Ld6 -----END PGP SIGNATURE----- . CVE-2018-4361: found by Google OSS-Fuzz Entry added September 24, 2018 Additional recognition Assets We would like to acknowledge Brandon Azad for their assistance. Core Data We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance. Sandbox Profiles We would like to acknowledge Tencent Keen Security Lab working with Trend Micro's Zero Day Initiative for their assistance. SQLite We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance. WebKit We would like to acknowledge Cary Hartline, Hanming Zhang from 360 Vuclan team, and Zach Malone of CA Technologies for their assistance. CVE-2018-5383: Lior Neumann and Eli Biham The updates below are available for these Mac models: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013, Mid 2010, and Mid 2012 models with recommended Metal-capable graphics processor, including MSI Gaming Radeon RX 560 and Sapphire Radeon PULSE RX 580) App Store Impact: A malicious application may be able to determine the Apple ID of the owner of the computer Description: A permissions issue existed in the handling of the Apple ID. CVE-2018-4324: Sergii Kryvoblotskyi of MacPaw Inc. Application Firewall Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A configuration issue was addressed with additional restrictions. CVE-2018-4353: Abhinav Bansal of Zscaler, Inc. Mail We would like to acknowledge Alessandro Avagliano of Rocket Internet SE, John Whitehead of The New York Times, Kelvin Delbarre of Omicron Software Systems, and Zbyszek A>>A3Akiewski for their assistance. Security We would like to acknowledge Christoph Sinai, Daniel Dudek (@dannysapples) of The Irish Times and Filip KlubiAka (@lemoncloak) of ADAPT Centre, Dublin Institute of Technology, Istvan Csanady of Shapr3D, Omar Barkawi of ITG Software, Inc., Phil Caleno, Wilson Ding, and an anonymous researcher for their assistance. CVE-2018-4285: Mohamed Ghannam (@_simo36) Bluetooth Available for: MacBook Pro (15-inch, 2018), and MacBook Pro (13-inch, 2018, Four Thunderbolt 3 Ports) Other Mac models were addressed with macOS High Sierra 10.13.5. CVE-2018-4283: @panicaII working with Trend Micro's Zero Day Initiative Kernel Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.5 Impact: Systems using IntelA(r) Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel Description: Lazy FP state restore instead of eager save and restore of the state upon a context switch. Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value. CVE-2018-4277: xisigr of Tencent's Xuanwu Lab (tencent.com) Perl Available for: macOS High Sierra 10.13.5 Impact: Multiple buffer overflow issues existed in Perl Description: Multiple issues in Perl were addressed with improved memory handling. Help Viewer We would like to acknowledge Wojciech ReguAa (@_r3ggi) of SecuRing for their assistance

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote or local

TYPE

data forgery

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Ubuntu,Red Hat

SOURCES

LAST UPDATE DATE

2024-11-23T21:02:25.858000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE