Sign-up

ID

VAR-201912-0572


CVE

CVE-2019-8635


TITLE

plural Apple Updates to product vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2019-003317

DESCRIPTION

A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Mojave 10.14.5. An application may be able to execute arbitrary code with system privileges. Apple Has released an update for each product.The expected impact depends on each vulnerability, but can be affected as follows: * Insufficient access restrictions * Privilege escalation * Service operation interruption (DoS) * Sandbox avoidance * Information falsification * information leak * Arbitrary code execution. The issue results from the lack of validating the existence of an object prior to performing operations on the object. This vulnerability allows local attackers to escalate privileges on vulnerable installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the discard_StretchTex2Tex method of the AMDRadeonX4000_AMDSIGLContext class. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges to the level of the kernel. Apple macOS Mojave is a set of dedicated operating systems developed by Apple for Mac computers. AMD is one of the components used in AMD products. A resource management error vulnerability exists in AMD components in Apple macOS Mojave versions prior to 10.14.5

Trust: 3.06

sources: NVD: CVE-2019-8635 // JVNDB: JVNDB-2019-003317 // ZDI: ZDI-19-543 // ZDI: ZDI-19-539 // VULHUB: VHN-160070 // VULMON: CVE-2019-8635

AFFECTED PRODUCTS

vendor:applemodel:macosscope: - version: -

Trust: 1.4

vendor:applemodel:mac os xscope:ltversion:10.14.5

Trust: 1.0

vendor:applemodel:tv softwarescope:ltversion:7.3 earlier

Trust: 0.8

vendor:applemodel:iosscope:ltversion:12.3 earlier

Trust: 0.8

vendor:applemodel:macos high sierrascope:eqversion:(security update 2019-003 not applied )

Trust: 0.8

vendor:applemodel:macos mojavescope:ltversion:10.14.5 earlier

Trust: 0.8

vendor:applemodel:macos sierrascope:eqversion:(security update 2019-003 not applied )

Trust: 0.8

vendor:applemodel:safariscope:ltversion:12.1.1 earlier

Trust: 0.8

vendor:applemodel:tvosscope:ltversion:7.3 earlier

Trust: 0.8

vendor:applemodel:watchosscope:ltversion:5.2.1 earlier

Trust: 0.8

sources: ZDI: ZDI-19-543 // ZDI: ZDI-19-539 // JVNDB: JVNDB-2019-003317 // NVD: CVE-2019-8635

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2019-8635
value: CRITICAL

Trust: 1.4

nvd@nist.gov: CVE-2019-8635
value: HIGH

Trust: 1.0

CNNVD: CNNVD-201905-476
value: HIGH

Trust: 0.6

VULHUB: VHN-160070
value: HIGH

Trust: 0.1

VULMON: CVE-2019-8635
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-8635
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-160070
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ZDI: CVE-2019-8635
baseSeverity: CRITICAL
baseScore: 7.0
vectorString: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.0

Trust: 1.4

nvd@nist.gov: CVE-2019-8635
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: ZDI: ZDI-19-543 // ZDI: ZDI-19-539 // VULHUB: VHN-160070 // VULMON: CVE-2019-8635 // CNNVD: CNNVD-201905-476 // NVD: CVE-2019-8635

PROBLEMTYPE DATA

problemtype:CWE-415

Trust: 1.1

problemtype:CWE-787

Trust: 1.0

sources: VULHUB: VHN-160070 // NVD: CVE-2019-8635

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201905-476

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201905-476

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-003317

PATCH
title:About the security content of macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierraurl:https://support.apple.com/en-us/HT210119
Trust: 2.2
title:About the security content of iOS 12.3url:https://support.apple.com/en-us/HT210118
Trust: 0.8
title:About the security content of Safari 12.1.1url:https://support.apple.com/en-us/HT210123
Trust: 0.8
title:About the security content of Apple TV Software 7.3url:https://support.apple.com/en-us/HT210121
Trust: 0.8
title:About the security content of tvOS 12.3url:https://support.apple.com/en-us/HT210120
Trust: 0.8
title:About the security content of watchOS 5.2.1url:https://support.apple.com/en-us/HT210122
Trust: 0.8
title:Apple macOS Mojave AMD Fix for component buffer error vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92632
Trust: 0.6
title:macOS-iOS-system-securityurl:https://github.com/houjingyi233/macOS-iOS-system-security 
Trust: 0.1
title:sec-daily-2019url:https://github.com/alphaSeclab/sec-daily-2019 
Trust: 0.1
sources:
            
            
            ZDI: ZDI-19-543 // 
            
            
            
            ZDI: ZDI-19-539 // 
            
            
            
            VULMON: CVE-2019-8635 // 
            
            
            
            JVNDB: JVNDB-2019-003317 // 
            
            
            
            CNNVD: CNNVD-201905-476

EXTERNAL IDS
db:NVDid:CVE-2019-8635
Trust: 4.0
db:ZDIid:ZDI-19-543
Trust: 1.3
db:ZDIid:ZDI-19-539
Trust: 1.3
db:JVNid:JVNVU93988385
Trust: 0.8
db:JVNDBid:JVNDB-2019-003317
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-8345
Trust: 0.7
db:ZDI_CANid:ZDI-CAN-8547
Trust: 0.7
db:CNNVDid:CNNVD-201905-476
Trust: 0.7
db:AUSCERTid:ESB-2019.1695
Trust: 0.6
db:VULHUBid:VHN-160070
Trust: 0.1
db:VULMONid:CVE-2019-8635
Trust: 0.1
sources:
            
            
            ZDI: ZDI-19-543 // 
            
            
            
            ZDI: ZDI-19-539 // 
            
            
            
            VULHUB: VHN-160070 // 
            
            
            
            VULMON: CVE-2019-8635 // 
            
            
            
            JVNDB: JVNDB-2019-003317 // 
            
            
            
            CNNVD: CNNVD-201905-476 // 
            
            
            
            NVD: CVE-2019-8635

REFERENCES
url:https://support.apple.com/en-us/ht210119
Trust: 2.0
url:https://support.apple.com/ht210119
Trust: 1.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8635
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8634
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8576
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8604
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8637
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8635
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8585
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8606
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8622
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8589
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8616
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8613
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8590
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8617
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8620
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8611
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8591
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8626
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8610
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8560
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8593
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8629
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8609
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8568
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8599
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8630
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8574
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-8603
Trust: 0.8
url:https://jvn.jp/vu/jvnvu93988385/
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8622
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8590
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8617
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8613
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8591
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8620
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8560
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8611
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8593
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8626
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8568
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8610
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8599
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8629
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8574
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8609
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8603
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8630
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8576
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8604
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8634
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8585
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8606
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8637
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8589
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-8616
Trust: 0.8
url:https://support.apple.com/en-au/ht210119
Trust: 0.6
url:https://www.zerodayinitiative.com/advisories/zdi-19-539/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/80826
Trust: 0.6
url:https://www.zerodayinitiative.com/advisories/zdi-19-543/
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/787.html
Trust: 0.1
url:https://cwe.mitre.org/data/definitions/415.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://github.com/houjingyi233/macos-ios-system-security
Trust: 0.1
sources:
            
            
            ZDI: ZDI-19-543 // 
            
            
            
            ZDI: ZDI-19-539 // 
            
            
            
            VULHUB: VHN-160070 // 
            
            
            
            VULMON: CVE-2019-8635 // 
            
            
            
            JVNDB: JVNDB-2019-003317 // 
            
            
            
            CNNVD: CNNVD-201905-476 // 
            
            
            
            NVD: CVE-2019-8635

CREDITS
Lilang Wu and Moony Li of TrendMicro Mobile Security Research Team
Trust: 1.4
sources:
            
            
            ZDI: ZDI-19-543 // 
            
            
            
            ZDI: ZDI-19-539

SOURCES
db:ZDIid:ZDI-19-543
db:ZDIid:ZDI-19-539
db:VULHUBid:VHN-160070
db:VULMONid:CVE-2019-8635
db:JVNDBid:JVNDB-2019-003317
db:CNNVDid:CNNVD-201905-476
db:NVDid:CVE-2019-8635

LAST UPDATE DATE
2024-11-23T21:28:49.943000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-19-543date:2019-06-07T00:00:00
db:ZDIid:ZDI-19-539date:2019-05-30T00:00:00
db:VULHUBid:VHN-160070date:2019-12-20T00:00:00
db:VULMONid:CVE-2019-8635date:2021-07-21T00:00:00
db:JVNDBid:JVNDB-2019-003317date:2020-01-07T00:00:00
db:CNNVDid:CNNVD-201905-476date:2021-10-29T00:00:00
db:NVDid:CVE-2019-8635date:2024-11-21T04:50:12.667

SOURCES RELEASE DATE
db:ZDIid:ZDI-19-543date:2019-06-07T00:00:00
db:ZDIid:ZDI-19-539date:2019-05-30T00:00:00
db:VULHUBid:VHN-160070date:2019-12-18T00:00:00
db:VULMONid:CVE-2019-8635date:2019-12-18T00:00:00
db:JVNDBid:JVNDB-2019-003317date:2019-05-15T00:00:00
db:CNNVDid:CNNVD-201905-476date:2019-05-14T00:00:00
db:NVDid:CVE-2019-8635date:2019-12-18T18:15:30.707