ID

VAR-201912-0529


CVE

CVE-2019-8724


TITLE

Xcode Input validation vulnerability in toolchain

Trust: 0.8

sources: JVNDB: JVNDB-2019-013359

DESCRIPTION

Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4. This issue is fixed in Xcode 11.0. Compiling code without proper input validation could lead to arbitrary code execution with user privilege.

Apple Xcode is an integrated development environment provided by Apple to developers. It is mainly used to develop applications for Mac OS X and iOS. ld64 is one of the Apple toolchain linkers. There is a security vulnerability in the ld64 component in Apple Xcode versions prior to 11.0. The vulnerability is caused by the program not performing correct input validation.

CVE-2019-8721: Pan ZhenPeng of Qihoo 360 Nirvan Team
CVE-2019-8722: Pan ZhenPeng of Qihoo 360 Nirvan Team
CVE-2019-8723: Pan ZhenPeng of Qihoo 360 Nirvan Team
CVE-2019-8724: Pan ZhenPeng of Qihoo 360 Nirvan Team

otool
Available for: macOS Mojave 10.14.4 and later
Impact: Processing a maliciously crafted file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2019-8738: Pan ZhenPeng (@Peterpan0927) of Qihoo 360 Nirvan Team
CVE-2019-8739: Pan ZhenPeng (@Peterpan0927) of Qihoo 360 Nirvan Team

Installation note:

Xcode 11.0 may be obtained from:
https://developer.apple.com/xcode/downloads/

To check that the Xcode has been updated:

* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "11.0".
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 1.8

sources: NVD: CVE-2019-8724 // JVNDB: JVNDB-2019-013359 // VULHUB: VHN-160159 // PACKETSTORM: 154655

AFFECTED PRODUCTS

vendor: apple, model: xcode, scope: lt, version: 11.0

Trust: 1.0

vendor: apple, model: xcode, scope: lt, version: 11.0 (macos mojave 10.14.4 or later)

Trust: 0.8

sources: JVNDB: JVNDB-2019-013359 // NVD: CVE-2019-8724

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-8724
value: HIGH

Trust: 1.0

NVD: CVE-2019-8724
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201909-1289
value: HIGH

Trust: 0.6

VULHUB: VHN-160159
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-8724
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-160159
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-8724
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-8724
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-160159 // JVNDB: JVNDB-2019-013359 // CNNVD: CNNVD-201909-1289 // NVD: CVE-2019-8724

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-160159 // JVNDB: JVNDB-2019-013359 // NVD: CVE-2019-8724

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-1289

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201909-1289

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-013359

PATCH

title: HT210609, url: https://support.apple.com/en-us/HT210609

Trust: 0.8

title: HT210609, url: https://support.apple.com/ja-jp/HT210609

Trust: 0.8

title: Apple Xcode ld64 Fixes for component security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98676

Trust: 0.6

sources: JVNDB: JVNDB-2019-013359 // CNNVD: CNNVD-201909-1289

EXTERNAL IDS

db: NVD, id: CVE-2019-8724

Trust: 2.6

db: JVNDB, id: JVNDB-2019-013359

Trust: 0.8

db: CNNVD, id: CNNVD-201909-1289

Trust: 0.7

db: AUSCERT, id: ESB-2019.3647

Trust: 0.6

db: VULHUB, id: VHN-160159

Trust: 0.1

db: PACKETSTORM, id: 154655

Trust: 0.1

sources: VULHUB: VHN-160159 // JVNDB: JVNDB-2019-013359 // PACKETSTORM: 154655 // CNNVD: CNNVD-201909-1289 // NVD: CVE-2019-8724

REFERENCES

url:https://support.apple.com/ht210609

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-8724

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8724

Trust: 0.8

url:https://support.apple.com/en-au/ht210609

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3647/

Trust: 0.6

url:https://support.apple.com/en-us/ht210609

Trust: 0.6

url:https://support.apple.com/kb/ht201222

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8723

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8738

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:https://developer.apple.com/xcode/downloads/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8722

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8721

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8739

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-3855

Trust: 0.1

sources: VULHUB: VHN-160159 // JVNDB: JVNDB-2019-013359 // PACKETSTORM: 154655 // CNNVD: CNNVD-201909-1289 // NVD: CVE-2019-8724

CREDITS

Apple

Trust: 0.1

sources: PACKETSTORM: 154655

SOURCES

db: VULHUB, id: VHN-160159
db: JVNDB, id: JVNDB-2019-013359
db: PACKETSTORM, id: 154655
db: CNNVD, id: CNNVD-201909-1289
db: NVD, id: CVE-2019-8724

LAST UPDATE DATE

2024-08-14T12:40:19.578000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-160159, date: 2019-12-22T00:00:00
db: JVNDB, id: JVNDB-2019-013359, date: 2019-12-27T00:00:00
db: CNNVD, id: CNNVD-201909-1289, date: 2021-10-29T00:00:00
db: NVD, id: CVE-2019-8724, date: 2019-12-22T16:08:22.780

SOURCES RELEASE DATE

db: VULHUB, id: VHN-160159, date: 2019-12-18T00:00:00
db: JVNDB, id: JVNDB-2019-013359, date: 2019-12-27T00:00:00
db: PACKETSTORM, id: 154655, date: 2019-09-29T10:11:11
db: CNNVD, id: CNNVD-201909-1289, date: 2019-09-27T00:00:00
db: NVD, id: CVE-2019-8724, date: 2019-12-18T18:15:37.037