ID

VAR-202006-1646


CVE

CVE-2020-9859


TITLE

Memory consumption vulnerabilities in multiple Apple products

Trust: 0.8

sources: JVNDB: JVNDB-2020-006180

DESCRIPTION

A memory consumption issue was addressed with improved memory handling. This issue is fixed in iOS 13.5.1 and iPadOS 13.5.1, macOS Catalina 10.15.5 Supplemental Update, tvOS 13.4.6, watchOS 6.2.6. An application may be able to execute arbitrary code with kernel privileges. Apple iOS and the other products listed are all products of Apple. Apple iOS is an operating system developed for mobile devices. Apple iPadOS is an operating system for iPad tablets. Apple macOS Catalina is a dedicated operating system developed for Mac computers. Kernel is one of their components. Kernel components in several Apple products have security vulnerabilities. The following products and versions are affected: Apple macOS Catalina prior to 10.15.5; tvOS prior to 13.4.6; watchOS prior to 6.2.6; iOS prior to 13.5.1; iPadOS prior to 13.5.1.

APPLE-SA-2020-06-01-1 iOS 13.5.1 and iPadOS 13.5.1

iOS 13.5.1 and iPadOS 13.5.1 are now available and address the following:

Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory consumption issue was addressed with improved memory handling.
CVE-2020-9859: unc0ver

Installation note:

This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "iOS 13.5.1 and iPadOS 13.5.1".

Alternatively, on your watch, select "My Watch > General > About".

Trust: 2.16

sources: NVD: CVE-2020-9859 // JVNDB: JVNDB-2020-006180 // VULHUB: VHN-187984 // VULMON: CVE-2020-9859 // PACKETSTORM: 157912 // PACKETSTORM: 157910 // PACKETSTORM: 157911 // PACKETSTORM: 157913

AFFECTED PRODUCTS

vendor: apple, model: iphone os, scope: lt, version: 13.5.1

Trust: 1.0

vendor: apple, model: watchos, scope: lt, version: 6.2.6

Trust: 1.0

vendor: apple, model: tvos, scope: lt, version: 13.4.6

Trust: 1.0

vendor: apple, model: ipados, scope: lt, version: 13.5.1

Trust: 1.0

vendor: apple, model: mac os x, scope: lt, version: 10.15.5

Trust: 1.0

vendor: apple, model: ipados, scope: eq, version: prior to 13.5.1 (ipad air 2 and later)

Trust: 0.8

vendor: apple, model: ios, scope: eq, version: prior to 13.5.1 (iphone 6s and later)

Trust: 0.8

vendor: apple, model: ipados, scope: eq, version: prior to 13.5.1 (ipad mini 4 and later)

Trust: 0.8

vendor: apple, model: ios, scope: eq, version: prior to 13.5.1 (ipod touch 7th generation)

Trust: 0.8

sources: JVNDB: JVNDB-2020-006180 // NVD: CVE-2020-9859

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-9859
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-006180
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202006-058
value: HIGH

Trust: 0.6

VULHUB: VHN-187984
value: HIGH

Trust: 0.1

VULMON: CVE-2020-9859
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2020-9859
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-006180
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-187984
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2020-9859
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-006180
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-187984 // VULMON: CVE-2020-9859 // JVNDB: JVNDB-2020-006180 // CNNVD: CNNVD-202006-058 // NVD: CVE-2020-9859

PROBLEMTYPE DATA

problemtype: CWE-415

Trust: 1.1

problemtype: CWE-400

Trust: 0.9

sources: VULHUB: VHN-187984 // JVNDB: JVNDB-2020-006180 // NVD: CVE-2020-9859

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202006-058

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202006-058

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-006180

PATCH

title: HT211214, url: https://support.apple.com/en-us/HT211214

Trust: 0.8

title: HT211214, url: https://support.apple.com/ja-jp/HT211214

Trust: 0.8

title: Multiple Apple product Kernel Fixes for component resource management error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=121036

Trust: 0.6

title: Known Exploited Vulnerabilities Detector, url: https://github.com/Ostorlab/KEV

Trust: 0.1

title: -, url: https://www.theregister.co.uk/2020/06/08/security_roundup_june_5/

Trust: 0.1

title: -, url: https://threatpost.com/apple-jailbreak-zero-day-patch/156201/

Trust: 0.1

sources: VULMON: CVE-2020-9859 // JVNDB: JVNDB-2020-006180 // CNNVD: CNNVD-202006-058

EXTERNAL IDS

db: NVD, id: CVE-2020-9859

Trust: 3.0

db: PACKETSTORM, id: 157913

Trust: 0.8

db: JVN, id: JVNVU98960050

Trust: 0.8

db: JVNDB, id: JVNDB-2020-006180

Trust: 0.8

db: CNNVD, id: CNNVD-202006-058

Trust: 0.7

db: NSFOCUS, id: 48521

Trust: 0.6

db: AUSCERT, id: ESB-2020.1913

Trust: 0.6

db: AUSCERT, id: ESB-2020.1909

Trust: 0.6

db: PACKETSTORM, id: 157910

Trust: 0.2

db: PACKETSTORM, id: 157912

Trust: 0.2

db: PACKETSTORM, id: 157911

Trust: 0.2

db: CNVD, id: CNVD-2020-33215

Trust: 0.1

db: VULHUB, id: VHN-187984

Trust: 0.1

db: VULMON, id: CVE-2020-9859

Trust: 0.1

sources: VULHUB: VHN-187984 // VULMON: CVE-2020-9859 // JVNDB: JVNDB-2020-006180 // PACKETSTORM: 157912 // PACKETSTORM: 157910 // PACKETSTORM: 157911 // PACKETSTORM: 157913 // CNNVD: CNNVD-202006-058 // NVD: CVE-2020-9859

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2020-9859

Trust: 1.8

url:https://support.apple.com/ht211214

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9859

Trust: 0.8

url:https://jvn.jp/vu/jvnvu98960050/

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.1909/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1913/

Trust: 0.6

url:https://support.apple.com/en-us/ht211214

Trust: 0.6

url:http://www.nsfocus.net/vulndb/48521

Trust: 0.6

url:https://support.apple.com/en-us/ht211215

Trust: 0.6

url:https://support.apple.com/kb/ht211215

Trust: 0.6

url:https://packetstormsecurity.com/files/157913/apple-security-advisory-2020-06-01-4.html

Trust: 0.6

url:https://www.apple.com/itunes/

Trust: 0.1

url:https://support.apple.com/downloads/

Trust: 0.1

url:https://support.apple.com/kb/ht204641

Trust: 0.1

sources: VULHUB: VHN-187984 // JVNDB: JVNDB-2020-006180 // PACKETSTORM: 157912 // PACKETSTORM: 157910 // PACKETSTORM: 157911 // PACKETSTORM: 157913 // CNNVD: CNNVD-202006-058 // NVD: CVE-2020-9859

CREDITS

Apple

Trust: 1.0

sources: PACKETSTORM: 157912 // PACKETSTORM: 157910 // PACKETSTORM: 157911 // PACKETSTORM: 157913 // CNNVD: CNNVD-202006-058

SOURCES

db: VULHUB, id: VHN-187984
db: VULMON, id: CVE-2020-9859
db: JVNDB, id: JVNDB-2020-006180
db: PACKETSTORM, id: 157912
db: PACKETSTORM, id: 157910
db: PACKETSTORM, id: 157911
db: PACKETSTORM, id: 157913
db: CNNVD, id: CNNVD-202006-058
db: NVD, id: CVE-2020-9859

LAST UPDATE DATE

2024-08-14T14:18:54.369000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-187984, date: 2023-01-09T00:00:00
db: VULMON, id: CVE-2020-9859, date: 2023-01-09T00:00:00
db: JVNDB, id: JVNDB-2020-006180, date: 2020-07-02T00:00:00
db: CNNVD, id: CNNVD-202006-058, date: 2022-07-14T00:00:00
db: NVD, id: CVE-2020-9859, date: 2023-01-09T16:41:59.350

SOURCES RELEASE DATE

db: VULHUB, id: VHN-187984, date: 2020-06-05T00:00:00
db: VULMON, id: CVE-2020-9859, date: 2020-06-05T00:00:00
db: JVNDB, id: JVNDB-2020-006180, date: 2020-07-02T00:00:00
db: PACKETSTORM, id: 157912, date: 2020-06-02T22:25:22
db: PACKETSTORM, id: 157910, date: 2020-06-02T22:22:22
db: PACKETSTORM, id: 157911, date: 2020-06-02T22:23:23
db: PACKETSTORM, id: 157913, date: 2020-06-03T15:52:22
db: CNNVD, id: CNNVD-202006-058, date: 2020-06-01T00:00:00
db: NVD, id: CVE-2020-9859, date: 2020-06-05T15:15:11.097