ID

VAR-201903-0447


CVE

CVE-2019-6223


TITLE

Updates for vulnerabilities in multiple Apple products

Trust: 0.8

sources: JVNDB: JVNDB-2019-001214

DESCRIPTION

A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management. This issue is fixed in iOS 12.1.4, macOS Mojave 10.14.3 Supplemental Update. The initiator of a Group FaceTime call may be able to cause the recipient to answer.

Apple has released an update for each product. The expected impact depends on each vulnerability, but may include the following:

* Unintentional answering of incoming Group FaceTime calls
* Privilege escalation
* Arbitrary code execution
* Information leak
* Sandbox avoidance

Apple iOS is an operating system developed for mobile devices. FaceTime is a video calling application. The vulnerability stems from configuration errors in the network system or product during operation. An unauthorized attacker could exploit the vulnerability to obtain sensitive information of the affected components.

APPLE-SA-2019-2-07-1 iOS 12.1.4

iOS 12.1.4 is now available and addresses the following:

FaceTime
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: The initiator of a Group FaceTime call may be able to cause the recipient to answer
Description: A logic issue existed in the handling of Group FaceTime calls.
CVE-2019-6223: Grant Thompson of Catalina Foothills High School, Daven Morris of Arlington, TX

Foundation
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2019-7286: an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero

IOKit
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2019-7287: an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero

Live Photos in FaceTime
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A thorough security audit of the FaceTime service uncovered an issue with Live Photos
Description: The issue was addressed with improved validation on the FaceTime server.
CVE-2019-7288: Apple

Installation note:

This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About.

The version after applying this update will be "iOS 12.1.4".

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

This build contains the security content described in this article

Trust: 2.79

sources: NVD: CVE-2019-6223 // JVNDB: JVNDB-2019-001214 // JVNDB: JVNDB-2019-002362 // VULHUB: VHN-157658 // VULMON: CVE-2019-6223 // PACKETSTORM: 151586 // PACKETSTORM: 151574 // PACKETSTORM: 151575

AFFECTED PRODUCTS

vendor: apple, model: mac os x, scope: lt, version: 10.14.3

Trust: 1.0

vendor: apple, model: iphone os, scope: lt, version: 12.1.4

Trust: 1.0

vendor: apple, model: ios, scope: lt, version: 12.1.4 earlier

Trust: 0.8

vendor: apple, model: macos mojave, scope: lt, version: 10.14.3 build 18d109 earlier

Trust: 0.8

vendor: apple, model: shortcuts, scope: lt, version: 2.1.3 for ios earlier

Trust: 0.8

vendor: apple, model: mac os x, scope: eq, version: 10.14.3

Trust: 0.8

vendor: apple, model: ios, scope: lt, version: 12.1.4 (ipad air or later)

Trust: 0.8

vendor: apple, model: ios, scope: lt, version: 12.1.4 (iphone 5s or later)

Trust: 0.8

vendor: apple, model: ios, scope: lt, version: 12.1.4 (ipod touch 6th generation)

Trust: 0.8

sources: JVNDB: JVNDB-2019-001214 // JVNDB: JVNDB-2019-002362 // NVD: CVE-2019-6223

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-6223
value: HIGH

Trust: 1.0

NVD: CVE-2019-6223
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201902-568
value: HIGH

Trust: 0.6

VULHUB: VHN-157658
value: MEDIUM

Trust: 0.1

VULMON: CVE-2019-6223
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-6223
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-157658
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-6223
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-157658 // VULMON: CVE-2019-6223 // JVNDB: JVNDB-2019-002362 // CNNVD: CNNVD-201902-568 // NVD: CVE-2019-6223

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-200

Trust: 0.8

sources: JVNDB: JVNDB-2019-002362 // NVD: CVE-2019-6223

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-568

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201902-568

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001214

PATCH

title: About the security content of iOS 12.1.4, url: https://support.apple.com/en-us/HT209520

Trust: 1.6

title: About the security content of macOS Mojave 10.14.3 Supplemental Update, url: https://support.apple.com/en-us/HT209521

Trust: 1.6

title: About the security content of Shortcuts 2.1.3 for iOS, url: https://support.apple.com/en-us/HT209522

Trust: 0.8

title: Find out which macOS your Mac is using, url: https://support.apple.com/en-us/HT201260

Trust: 0.8

title: HT209520, url: https://support.apple.com/ja-jp/HT209520

Trust: 0.8

title: HT209521, url: https://support.apple.com/ja-jp/HT209521

Trust: 0.8

title: Apple iOS Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89369

Trust: 0.6

title: Known Exploited Vulnerabilities Detector, url: https://github.com/Ostorlab/KEV

Trust: 0.1

sources: VULMON: CVE-2019-6223 // JVNDB: JVNDB-2019-001214 // JVNDB: JVNDB-2019-002362 // CNNVD: CNNVD-201902-568

EXTERNAL IDS

db: NVD, id: CVE-2019-6223

Trust: 2.9

db: JVN, id: JVNVU98819755

Trust: 1.6

db: PACKETSTORM, id: 151586

Trust: 0.8

db: JVNDB, id: JVNDB-2019-001214

Trust: 0.8

db: JVNDB, id: JVNDB-2019-002362

Trust: 0.8

db: CNNVD, id: CNNVD-201902-568

Trust: 0.7

db: AUSCERT, id: ESB-2019.0388

Trust: 0.6

db: PACKETSTORM, id: 151575

Trust: 0.2

db: PACKETSTORM, id: 151574

Trust: 0.2

db: VULHUB, id: VHN-157658

Trust: 0.1

db: VULMON, id: CVE-2019-6223

Trust: 0.1

sources: VULHUB: VHN-157658 // VULMON: CVE-2019-6223 // JVNDB: JVNDB-2019-001214 // JVNDB: JVNDB-2019-002362 // PACKETSTORM: 151586 // PACKETSTORM: 151574 // PACKETSTORM: 151575 // CNNVD: CNNVD-201902-568 // NVD: CVE-2019-6223

REFERENCES

url:https://support.apple.com/ht209520

Trust: 1.8

url:https://support.apple.com/ht209521

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2019-6223

Trust: 1.7

url:http://jvn.jp/vu/jvnvu98819755/

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6223

Trust: 0.8

url:http://jvn.jp/vu/jvnvu98819755/index.html

Trust: 0.8

url:https://www.auscert.org.au/bulletins/75246

Trust: 0.6

url:https://packetstormsecurity.com/files/151586/apple-security-advisory-2019-2-07-1.html

Trust: 0.6

url:https://support.apple.com/kb/ht201222

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-7286

Trust: 0.3

url:https://www.apple.com/support/security/pgp/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-7288

Trust: 0.3

url:https://www.apple.com/itunes/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-7287

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://seclists.org/fulldisclosure/2019/feb/23

Trust: 0.1

url:https://github.com/ostorlab/kev

Trust: 0.1

url:https://support.apple.com/downloads/

Trust: 0.1

sources: VULHUB: VHN-157658 // VULMON: CVE-2019-6223 // JVNDB: JVNDB-2019-001214 // JVNDB: JVNDB-2019-002362 // PACKETSTORM: 151586 // PACKETSTORM: 151574 // PACKETSTORM: 151575 // CNNVD: CNNVD-201902-568 // NVD: CVE-2019-6223

CREDITS

Grant Thompson of Catalina Foothills High School, Daven Morris of Arlington, TX

Trust: 0.6

sources: CNNVD: CNNVD-201902-568

SOURCES

db: VULHUB, id: VHN-157658
db: VULMON, id: CVE-2019-6223
db: JVNDB, id: JVNDB-2019-001214
db: JVNDB, id: JVNDB-2019-002362
db: PACKETSTORM, id: 151586
db: PACKETSTORM, id: 151574
db: PACKETSTORM, id: 151575
db: CNNVD, id: CNNVD-201902-568
db: NVD, id: CVE-2019-6223

LAST UPDATE DATE

2024-11-23T20:42:58.327000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-157658, date: 2020-08-24T00:00:00
db: VULMON, id: CVE-2019-6223, date: 2020-08-24T00:00:00
db: JVNDB, id: JVNDB-2019-001214, date: 2019-02-12T00:00:00
db: JVNDB, id: JVNDB-2019-002362, date: 2019-04-08T00:00:00
db: CNNVD, id: CNNVD-201902-568, date: 2020-08-25T00:00:00
db: NVD, id: CVE-2019-6223, date: 2024-11-21T04:46:15.353

SOURCES RELEASE DATE

db: VULHUB, id: VHN-157658, date: 2019-03-05T00:00:00
db: VULMON, id: CVE-2019-6223, date: 2019-03-05T00:00:00
db: JVNDB, id: JVNDB-2019-001214, date: 2019-02-12T00:00:00
db: JVNDB, id: JVNDB-2019-002362, date: 2019-04-08T00:00:00
db: PACKETSTORM, id: 151586, date: 2019-02-08T04:22:22
db: PACKETSTORM, id: 151574, date: 2019-02-07T18:22:22
db: PACKETSTORM, id: 151575, date: 2019-02-07T17:32:22
db: CNNVD, id: CNNVD-201902-568, date: 2019-02-08T00:00:00
db: NVD, id: CVE-2019-6223, date: 2019-03-05T16:29:02.060