Details of VAR-201912-0566

ID

VAR-201912-0566

CVE

CVE-2019-8755

TITLE

plural Apple Updates to product vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2019-012754

DESCRIPTION

A logic issue was addressed with improved restrictions. This issue is fixed in macOS Catalina 10.15. A malicious application may be able to determine kernel memory layout. Apple Has released an update for each product.The expected impact depends on each vulnerability, but can be affected as follows: * information leak * Falsification of information * Arbitrary code execution * Service operation interruption (DoS) * Privilege escalation * Authentication bypass. This vulnerability allows local attackers to escalate privileges on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within AppleIntelCFLGraphicsFramebuffer.kext. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. Apple macOS Catalina is a set of dedicated operating systems developed by Apple for Mac computers. IOGraphics is one of the input and output graphics components. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-10-29-10 Additional information for APPLE-SA-2019-10-07-1 macOS Catalina 10.15 macOS Catalina 10.15 addresses the following: AMD Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-8748: Lilang Wu and Moony Li of TrendMicro Mobile Security Research Team apache_mod_php Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Multiple issues in PHP Description: Multiple issues were addressed by updating to PHP version 7.3.8. CVE-2019-11041 CVE-2019-11042 Audio Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2019-8706: Yu Zhou of Ant-financial Light-Year Security Lab Entry added October 29, 2019 Books Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Parsing a maliciously crafted iBooks file may lead to a persistent denial-of-service Description: A resource exhaustion issue was addressed with improved input validation. CVE-2019-8774: Gertjan Franken imec-DistriNet of KU Leuven Entry added October 29, 2019 CFNetwork Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Processing maliciously crafted web content may lead to a cross site scripting attack Description: This issue was addressed with improved checks. CVE-2019-8753: Łukasz Pilorz of Standard Chartered GBS Poland Entry added October 29, 2019 CoreAudio Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Processing a maliciously crafted movie may result in the disclosure of process memory Description: A memory corruption issue was addressed with improved validation. CVE-2019-8705: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative CoreCrypto Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Processing a large input may lead to a denial of service Description: A denial of service issue was addressed with improved input validation. CVE-2019-8741: Nicky Mouha of NIST Entry added October 29, 2019 CoreMedia Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2019-8825: Found by GWP-ASan in Google Chrome Entry added October 29, 2019 Crash Reporter Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: The "Share Mac Analytics" setting may not be disabled when a user deselects the switch to share analytics Description: A race condition existed when reading and writing user preferences. CVE-2019-8757: William Cerniuk of Core Development, LLC CUPS Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: An attacker in a privileged network position may be able to leak sensitive user information Description: An input validation issue was addressed with improved input validation. CVE-2019-8736: Pawel Gocyla of ING Tech Poland (ingtechpoland.com) Entry added October 29, 2019 CUPS Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Processing a maliciously crafted string may lead to heap corruption Description: A memory consumption issue was addressed with improved memory handling. CVE-2019-8767: Stephen Zeisberg Entry added October 29, 2019 CUPS Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: An attacker in a privileged position may be able to perform a denial of service attack Description: A denial of service issue was addressed with improved validation. CVE-2019-8737: Pawel Gocyla of ING Tech Poland (ingtechpoland.com) Entry added October 29, 2019 File Quarantine Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: A malicious application may be able to elevate privileges Description: This issue was addressed by removing the vulnerable code. CVE-2019-8509: CodeColorist of Ant-Financial LightYear Labs Entry added October 29, 2019 Foundation Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2019-8746: Natalie Silvanovich and Samuel Groß of Google Project Zero Entry added October 29, 2019 Graphics Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Processing a malicious shader may result in unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2018-12152: Piotr Bania of Cisco Talos CVE-2018-12153: Piotr Bania of Cisco Talos CVE-2018-12154: Piotr Bania of Cisco Talos Entry added October 29, 2019 Intel Graphics Driver Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-8758: Lilang Wu and Moony Li of Trend Micro IOGraphics Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: A malicious application may be able to determine kernel memory layout Description: A logic issue was addressed with improved restrictions. CVE-2019-8755: Lilang Wu and Moony Li of Trend Micro IOGraphics Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: A local user may be able to cause unexpected system termination or read kernel memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8759: another of 360 Nirvan Team Entry added October 29, 2019 Kernel Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: A local app may be able to read a persistent account identifier Description: A validation issue was addressed with improved logic. CVE-2019-8809: Apple Entry added October 29, 2019 Kernel Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2019-8709: derrek (@derrekr6) [confirmed]derrek (@derrekr6) CVE-2019-8781: Linus Henze (pinauten.de) Entry added October 29, 2019 Kernel Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-8717: Jann Horn of Google Project Zero Kernel Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: A malicious application may be able to determine kernel memory layout Description: A memory corruption issue existed in the handling of IPv6 packets. CVE-2019-8744: Zhuo Liang of Qihoo 360 Vulcan Team Entry added October 29, 2019 libxml2 Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Multiple issues in libxml2 Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2019-8749: found by OSS-Fuzz CVE-2019-8756: found by OSS-Fuzz Entry added October 29, 2019 libxslt Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Multiple issues in libxslt Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2019-8750: found by OSS-Fuzz Entry added October 29, 2019 mDNSResponder Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: An attacker in physical proximity may be able to passively observe device names in AWDL communications Description: This issue was resolved by replacing device names with a random identifier. CVE-2019-8799: David Kreitschmann and Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt Entry added October 29, 2019 Menus Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2019-8826: Found by GWP-ASan in Google Chrome Entry added October 29, 2019 Notes Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: A local user may be able to view a user's locked notes Description: The contents of locked notes sometimes appeared in search results. CVE-2019-8730: Jamie Blumberg (@jamie_blumberg) of Virginia Polytechnic Institute and State University PDFKit Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: An attacker may be able to exfiltrate the contents of an encrypted PDF Description: An issue existed in the handling of links in encrypted PDFs. CVE-2019-8772: Jens Müller of Ruhr University Bochum, Fabian Ising of FH Münster University of Applied Sciences, Vladislav Mladenov of Ruhr University Bochum, Christian Mainka of Ruhr University Bochum, Sebastian Schinzel of FH Münster University of Applied Sciences, and Jörg Schwenk of Ruhr University Bochum PluginKit Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: A local user may be able to check for the existence of arbitrary files Description: A logic issue was addressed with improved restrictions. CVE-2019-8708: an anonymous researcher Entry added October 29, 2019 PluginKit Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-8715: an anonymous researcher Entry added October 29, 2019 SharedFileList Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: A malicious application may be able to access recent documents Description: The issue was addressed with improved permissions logic. CVE-2019-8770: Stanislav Zinukhov of Parallels International GmbH sips Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-8701: Simon Huang(@HuangShaomang), Rong Fan(@fanrong1992) and pjf of IceSword Lab of Qihoo 360 UIFoundation Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Parsing a maliciously crafted text file may lead to disclosure of user information Description: This issue was addressed with improved checks. CVE-2019-8761: Renee Trisberg of SpectX Entry added October 29, 2019 UIFoundation Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Processing a maliciously crafted text file may lead to arbitrary code execution Description: A buffer overflow was addressed with improved bounds checking. CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative WebKit Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: A user may be unable to delete browsing history items Description: "Clear History and Website Data" did not clear the history. CVE-2019-8768: Hugo S. Diaz (coldpointblue) WebKit Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro (Late 2013 and later) Impact: Visiting a maliciously crafted website may reveal browsing history Description: An issue existed in the drawing of web page elements. CVE-2019-8769: Piérre Reimertz (@reimertz) Additional recognition AppleRTC We would like to acknowledge Vitaly Cheptsov for their assistance. Audio We would like to acknowledge riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative for their assistance. boringssl We would like to acknowledge Nimrod Aviram of Tel Aviv University, Robert Merget of Ruhr University Bochum, Juraj Somorovsky of Ruhr University Bochum and Thijs Alkemade (@xnyhps) of Computest for their assistance. Finder We would like to acknowledge Csaba Fitzl (@theevilbit) for their assistance. Gatekeeper We would like to acknowledge Csaba Fitzl (@theevilbit) for their assistance. Identity Service We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance. Kernel We would like to acknowledge Brandon Azad of Google Project Zero for their assistance. mDNSResponder We would like to acknowledge Gregor Lang of e.solutions GmbH for their assistance. python We would like to acknowledge an anonymous researcher for their assistance. Safari Data Importing We would like to acknowledge Kent Zoya for their assistance. Simple certificate enrollment protocol (SCEP) We would like to acknowledge an anonymous researcher for their assistance. Telephony We would like to acknowledge Phil Stokes from SentinelOne for their assistance. VPN We would like to acknowledge Royce Gawron of Second Son Consulting, Inc. for their assistance. Installation note: macOS Catalina 10.15 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl24s4QACgkQBz4uGe3y 0M0s3w//QZG0JsE1BjWJ3mwKoSn/I1V0SLryV9UxJeibPfhyF6VJEYk63jZxZ5ki 48vM7iKE3nAHamNFOMtUvyzEdO6VGNZ1uiuSu9nkyziEERapHJSLcEh83p2JhWV/ SEsBB3bsT4l3V9ZYxk/9DX6ynCTzKLZTynw6Yo2PMYiMpavD5sfZ6v8U53qdZ+LX SNuw+vRTsvu3YlFkUStTdQ64sT72yGII0c8iFpSb2AWv7IgbypB5lW4/MRQjrzoc 9yMhvMgXcgAlzoH5GpGE2EflbekcQxudxDh1t0o7f8OASRPTljNjL4oiKXBMhiAM iUgDn7duE9LqupfSWK5WOUkF+XRV0qTaLCTDWaCzVa5YsApvSVPhbmoFqKXSQG8T U6SxQviqzJ06sD1jqm2sZ/LnD5xMEXhQvNx89oJrTRsCU/o0fy4tRhHp52aJoF7E Wvr1kTlo6SGm6NjkmZVoKj6962/0XUYSOt8gR+L/sF7N6URUG+1Ko2jx8zhYHMEO ju+Hw0TFHd+8mP29oOEIsIpuRpCp9jjgEJDdu7mGqJ1Py2Gs0uGeHEZd6DJhKggA IvdJu4Q9usjWaxQ9H3m2I/xEqw78sMEEFgCYfLTC0gf2ChaiGZuhKipcF04c81kM bOGmjuyJrajD/2rY9EHrqtCm5b2079YAIxUAmTOkT0uP2WmlZoM= =bhin -----END PGP SIGNATURE-----

Trust: 2.52

sources: NVD: CVE-2019-8755 // JVNDB: JVNDB-2019-012754 // ZDI: ZDI-19-934 // VULHUB: VHN-160190 // PACKETSTORM: 155066 // PACKETSTORM: 154768

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	lt	version:	10.15	Trust: 1.0
vendor:	apple	model:	icloud	scope:	lt	version:	for windows 10.9 earlier	Trust: 0.8
vendor:	apple	model:	icloud	scope:	lt	version:	for windows 7.16 (includes aas 8.2) earlier	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	12.4.4 earlier	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	13.3 earlier	Trust: 0.8
vendor:	apple	model:	ipados	scope:	lt	version:	13.3 earlier	Trust: 0.8
vendor:	apple	model:	itunes	scope:	lt	version:	12.10.3 for windows earlier	Trust: 0.8
vendor:	apple	model:	macos catalina	scope:	lt	version:	10.15.2 earlier	Trust: 0.8
vendor:	apple	model:	macos high sierra	scope:	eq	version:	10.13.6 (security update 2019-007 not applied )	Trust: 0.8
vendor:	apple	model:	macos mojave	scope:	eq	version:	10.14.6 (security update 2019-002 not applied )	Trust: 0.8
vendor:	apple	model:	safari	scope:	lt	version:	13.0.4 earlier	Trust: 0.8
vendor:	apple	model:	tvos	scope:	lt	version:	13.3 earlier	Trust: 0.8
vendor:	apple	model:	watchos	scope:	lt	version:	5.3.4 earlier	Trust: 0.8
vendor:	apple	model:	watchos	scope:	lt	version:	6.1.1 earlier	Trust: 0.8
vendor:	apple	model:	xcode	scope:	lt	version:	11.3 earlier	Trust: 0.8
vendor:	apple	model:	macos	scope:	-	version:	-	Trust: 0.7

sources: ZDI: ZDI-19-934 // JVNDB: JVNDB-2019-012754 // NVD: CVE-2019-8755

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-8755
value:	HIGH
Trust: 1.0
ZDI:	CVE-2019-8755
value:	HIGH
Trust: 0.7
CNNVD:	CNNVD-201910-316
value:	HIGH
Trust: 0.6
VULHUB:	VHN-160190
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-8755
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-160190
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-8755
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ZDI:	CVE-2019-8755
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.1
impactScore:	6.0
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-19-934 // VULHUB: VHN-160190 // CNNVD: CNNVD-201910-316 // NVD: CVE-2019-8755

PROBLEMTYPE DATA

problemtype:

CWE-476

Trust: 1.1

sources: VULHUB: VHN-160190 // NVD: CVE-2019-8755

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201910-316

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201910-316

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-012754

PATCH

title:	About the security content of Safari 13.0.4	url:	https://support.apple.com/en-us/HT210792	Trust: 0.8
title:	About the security content of Xcode 11.3	url:	https://support.apple.com/en-us/HT210796	Trust: 0.8
title:	Mac に搭載されている macOS を調べる	url:	https://support.apple.com/ja-jp/HT201260	Trust: 0.8
title:	About the security content of iOS 13.3 and iPadOS 13.3	url:	https://support.apple.com/en-us/HT210785	Trust: 0.8
title:	About the security content of iCloud for Windows 10.9	url:	https://support.apple.com/en-us/HT210794	Trust: 0.8
title:	About the security content of iOS 12.4.4	url:	https://support.apple.com/en-us/HT210787	Trust: 0.8
title:	About the security content of iCloud for Windows 7.16 (includes AAS 8.2)	url:	https://support.apple.com/en-us/HT210795	Trust: 0.8
title:	About the security content of macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra	url:	https://support.apple.com/en-us/HT210788	Trust: 0.8
title:	About the security content of iTunes 12.10.3 for Windows	url:	https://support.apple.com/en-us/HT210793	Trust: 0.8
title:	About the security content of watchOS 6.1.1	url:	https://support.apple.com/en-us/HT210789	Trust: 0.8
title:	About the security content of tvOS 13.3	url:	https://support.apple.com/en-us/HT210790	Trust: 0.8
title:	About the security content of watchOS 5.3.4	url:	https://support.apple.com/en-us/HT210791	Trust: 0.8
title:	Apple has issued an update to correct this vulnerability.	url:	https://support.apple.com/en-us/HT210634	Trust: 0.7
title:	Apple macOS Catalina IOGraphics Fixes for component security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99020	Trust: 0.6

sources: ZDI: ZDI-19-934 // JVNDB: JVNDB-2019-012754 // CNNVD: CNNVD-201910-316

EXTERNAL IDS

db:	NVD	id:	CVE-2019-8755	Trust: 3.4
db:	ZDI	id:	ZDI-19-934	Trust: 1.3
db:	JVN	id:	JVNVU99404393	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-012754	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-8828	Trust: 0.7
db:	CNNVD	id:	CNNVD-201910-316	Trust: 0.7
db:	PACKETSTORM	id:	155066	Trust: 0.7
db:	PACKETSTORM	id:	154768	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3758	Trust: 0.6
db:	VULHUB	id:	VHN-160190	Trust: 0.1

sources: ZDI: ZDI-19-934 // VULHUB: VHN-160190 // JVNDB: JVNDB-2019-012754 // PACKETSTORM: 155066 // PACKETSTORM: 154768 // CNNVD: CNNVD-201910-316 // NVD: CVE-2019-8755

REFERENCES

url:	https://support.apple.com/ht210634	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8755	Trust: 1.6
url:	https://support.apple.com/en-us/ht210634	Trust: 1.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8758	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8730	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8701	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8745	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8705	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8748	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8717	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8757	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8768	Trust: 0.9
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8769	Trust: 0.9
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8770	Trust: 0.9
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8772	Trust: 0.9
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8781	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8701	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8745	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8770	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8705	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8748	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8772	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8707	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8755	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8781	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8717	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8757	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8719	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8758	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8726	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8763	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8730	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8768	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8625	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8733	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8769	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu99404393/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8719	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8726	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8763	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8733	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8625	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8707	Trust: 0.8
url:	https://support.apple.com/en-il/ht210634	Trust: 0.6
url:	https://packetstormsecurity.com/files/155066/apple-security-advisory-2019-10-29-10.html	Trust: 0.6
url:	https://www.zerodayinitiative.com/advisories/zdi-19-934/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3758/	Trust: 0.6
url:	https://packetstormsecurity.com/files/154768/apple-security-advisory-2019-10-07-1.html	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-11042	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-11041	Trust: 0.2
url:	https://support.apple.com/kb/ht201222	Trust: 0.2
url:	https://support.apple.com/downloads/	Trust: 0.2
url:	https://www.apple.com/support/security/pgp/	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8753	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8706	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8744	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8736	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8750	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8746	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8708	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8509	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8756	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12153	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8737	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8749	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12154	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8709	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8741	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8715	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12152	Trust: 0.1

sources: ZDI: ZDI-19-934 // VULHUB: VHN-160190 // JVNDB: JVNDB-2019-012754 // PACKETSTORM: 155066 // PACKETSTORM: 154768 // CNNVD: CNNVD-201910-316 // NVD: CVE-2019-8755

CREDITS

Lilang Wu and Moony Li of TrendMicro Mobile Security Research Team

Trust: 0.7

sources: ZDI: ZDI-19-934

SOURCES

db:	ZDI	id:	ZDI-19-934
db:	VULHUB	id:	VHN-160190
db:	JVNDB	id:	JVNDB-2019-012754
db:	PACKETSTORM	id:	155066
db:	PACKETSTORM	id:	154768
db:	CNNVD	id:	CNNVD-201910-316
db:	NVD	id:	CVE-2019-8755

LAST UPDATE DATE

2024-08-14T13:10:03.130000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-19-934	date:	2019-10-31T00:00:00
db:	VULHUB	id:	VHN-160190	date:	2019-12-23T00:00:00
db:	JVNDB	id:	JVNDB-2019-012754	date:	2020-01-07T00:00:00
db:	CNNVD	id:	CNNVD-201910-316	date:	2021-10-29T00:00:00
db:	NVD	id:	CVE-2019-8755	date:	2019-12-23T15:12:34.417

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-19-934	date:	2019-10-31T00:00:00
db:	VULHUB	id:	VHN-160190	date:	2019-12-18T00:00:00
db:	JVNDB	id:	JVNDB-2019-012754	date:	2019-12-12T00:00:00
db:	PACKETSTORM	id:	155066	date:	2019-11-01T17:10:40
db:	PACKETSTORM	id:	154768	date:	2019-10-08T19:59:26
db:	CNNVD	id:	CNNVD-201910-316	date:	2019-10-08T00:00:00
db:	NVD	id:	CVE-2019-8755	date:	2019-12-18T18:15:39.020