Details of VAR-201912-0528

ID

VAR-201912-0528

CVE

CVE-2019-8723

TITLE

Xcode Input validation vulnerability in toolchain

Trust: 0.8

sources: JVNDB: JVNDB-2019-013358

DESCRIPTION

Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4. This issue is fixed in Xcode 11.0. Compiling code without proper input validation could lead to arbitrary code execution with user privilege. Apple Xcode is an integrated development environment provided by Apple (Apple) to developers. It is mainly used to develop applications for Mac OS X and iOS. ld64 is one of the Apple toolchain linkers. There is a security vulnerability in the ld64 component in Apple Xcode versions prior to 11.0. The vulnerability is caused by the program not performing correct input validation. CVE-2019-8721: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8722: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8723: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8724: Pan ZhenPeng of Qihoo 360 Nirvan Team otool Available for: macOS Mojave 10.14.4 and later Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2019-8738: Pan ZhenPeng (@Peterpan0927) of Qihoo 360 Nirvan Team CVE-2019-8739: Pan ZhenPeng (@Peterpan0927) of Qihoo 360 Nirvan Team Installation note: Xcode 11.0 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "11.0". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl2NDI4ACgkQBz4uGe3y 0M3yBg//WnHzKci0fwo78s/jomFP1EcSVj8FQ5T3ycwITMK01X5WDyZUHJw4rHJH l3NaJLFkjXXovzBl0aQzGHoRvOiYoMJeBCaZeix3dafLdA+6whZ8VREie4ncY31y EI0KoPxBxocLu0WaMUmEatDJsGqQWWFy0Q4LGGmDyOIXnrRqWJrLE7Qmm6IvOr1Q ViDpLeWzymHaAQiiXnpUR9nDvpCEA5irlbKzvmfA55FLzUYdh1RBJUjrsR+JcUJ0 IewyJD6FpFMzpOImQJ22oBArN++Fag6KjlmTDbmL1O2uCHbl1x71ZhOPBRhgWFkP X3nXTYFLGM22SWzOjBn8el05AAfOmkuISP9219HEXfbAYZliTQw37L2VlZ86nCn2 A3F258d8m1UAOh7NGvsDN4WUQ/QD4PQ0OUPSzQtztMXHZwoSiF92fw6epCkH10dV xb28tXuv4eI3aI2ncgf5fClOwsC6/IFeheTfimsL+6ccro2C1IiJvcMnBH7HBZ+9 k4Z414NOKlUsbhTX+8lcLKKzpN/WxppmyN01fIdwO2anu1IRXOI2D3TvRKFI+pkr u4u/ohjf8lmCgoDPyAa4YDmiYu9I5qMb/CmLwwhdYjX2NeUBSEPb3Ctga6jwP6RH /3kg2VAgACUG+nR08itzvCMwCzkILfiCSy6D9EkPed5aoPGIrP4= =9Hep -----END PGP SIGNATURE-----

Trust: 1.8

sources: NVD: CVE-2019-8723 // JVNDB: JVNDB-2019-013358 // VULHUB: VHN-160158 // PACKETSTORM: 154655

AFFECTED PRODUCTS

vendor:	apple	model:	xcode	scope:	lt	version:	11.0	Trust: 1.0
vendor:	apple	model:	xcode	scope:	lt	version:	11.0 (macos mojave 10.14.4 or later )	Trust: 0.8

sources: JVNDB: JVNDB-2019-013358 // NVD: CVE-2019-8723

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-8723
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-8723
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201909-1288
value:	HIGH
Trust: 0.6
VULHUB:	VHN-160158
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-8723
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-160158
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-8723
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-8723
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-160158 // JVNDB: JVNDB-2019-013358 // CNNVD: CNNVD-201909-1288 // NVD: CVE-2019-8723

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-160158 // JVNDB: JVNDB-2019-013358 // NVD: CVE-2019-8723

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-1288

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201909-1288

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-013358

PATCH

title:	HT210609	url:	https://support.apple.com/en-us/HT210609	Trust: 0.8
title:	HT210609	url:	https://support.apple.com/ja-jp/HT210609	Trust: 0.8
title:	Apple Xcode ld64 Fixes for component security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98675	Trust: 0.6

sources: JVNDB: JVNDB-2019-013358 // CNNVD: CNNVD-201909-1288

EXTERNAL IDS

db:	NVD	id:	CVE-2019-8723	Trust: 2.6
db:	JVNDB	id:	JVNDB-2019-013358	Trust: 0.8
db:	CNNVD	id:	CNNVD-201909-1288	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3647	Trust: 0.6
db:	VULHUB	id:	VHN-160158	Trust: 0.1
db:	PACKETSTORM	id:	154655	Trust: 0.1

sources: VULHUB: VHN-160158 // JVNDB: JVNDB-2019-013358 // PACKETSTORM: 154655 // CNNVD: CNNVD-201909-1288 // NVD: CVE-2019-8723

REFERENCES

url:	https://support.apple.com/ht210609	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8723	Trust: 1.5
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8723	Trust: 0.8
url:	https://support.apple.com/en-au/ht210609	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3647/	Trust: 0.6
url:	https://support.apple.com/en-us/ht210609	Trust: 0.6
url:	https://support.apple.com/kb/ht201222	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8724	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8738	Trust: 0.1
url:	https://www.apple.com/support/security/pgp/	Trust: 0.1
url:	https://developer.apple.com/xcode/downloads/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8722	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8721	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8739	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3855	Trust: 0.1

sources: VULHUB: VHN-160158 // JVNDB: JVNDB-2019-013358 // PACKETSTORM: 154655 // CNNVD: CNNVD-201909-1288 // NVD: CVE-2019-8723

CREDITS

Apple

Trust: 0.1

sources: PACKETSTORM: 154655

SOURCES

db:	VULHUB	id:	VHN-160158
db:	JVNDB	id:	JVNDB-2019-013358
db:	PACKETSTORM	id:	154655
db:	CNNVD	id:	CNNVD-201909-1288
db:	NVD	id:	CVE-2019-8723

LAST UPDATE DATE

2024-08-14T12:18:35.016000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-160158	date:	2019-12-22T00:00:00
db:	JVNDB	id:	JVNDB-2019-013358	date:	2019-12-27T00:00:00
db:	CNNVD	id:	CNNVD-201909-1288	date:	2021-10-29T00:00:00
db:	NVD	id:	CVE-2019-8723	date:	2019-12-22T16:16:43.020

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-160158	date:	2019-12-18T00:00:00
db:	JVNDB	id:	JVNDB-2019-013358	date:	2019-12-27T00:00:00
db:	PACKETSTORM	id:	154655	date:	2019-09-29T10:11:11
db:	CNNVD	id:	CNNVD-201909-1288	date:	2019-09-27T00:00:00
db:	NVD	id:	CVE-2019-8723	date:	2019-12-18T18:15:36.943