ID

VAR-202010-0146

CVE

CVE-2019-8838

TITLE

plural Apple Product Corruption Vulnerability

DESCRIPTION

A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 13.3 and iPadOS 13.3, watchOS 6.1.1, macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra, tvOS 13.3. An application may be able to execute arbitrary code with kernel privileges. Kernel components in several Apple products have security vulnerabilities. The following products and versions are affected: Apple macOS Catalina before 10.15.2; iOS before 13.3; iPadOS before 13.3; watchOS before 6.1.1; tvOS before 13.3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-12-10-1 iOS 13.3 and iPadOS 13.3 iOS 13.3 and iPadOS 13.3 is now available and addresses the following: CallKit Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: Calls made using Siri may be initiated using the wrong cellular plan on devices with two active plans Description: An API issue existed in the handling of outgoing phone calls initiated with Siri. CVE-2019-8856: Fabrice TERRANCLE of TERRANCLE SARL CFNetwork Proxies Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: An application may be able to gain elevated privileges Description: This issue was addressed with improved checks. CVE-2019-8848: Zhuo Liang of Qihoo 360 Vulcan Team FaceTime Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: Processing malicious video via FaceTime may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2019-8830: Natalie Silvanovich of Google Project Zero IOSurfaceAccelerator Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: An information disclosure issue was addressed by removing the vulnerable code. CVE-2019-8841: Corellium IOUSBDeviceFamily Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-8836: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc. and Luyi Xing of Indiana University Bloomington Kernel Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed by removing the vulnerable code. CVE-2019-8833: Ian Beer of Google Project Zero Kernel Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-8828: Cim Stordal of Cognite CVE-2019-8838: Dr Silvio Cesare of InfoSect libexpat Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: Parsing a maliciously crafted XML file may lead to disclosure of user information Description: This issue was addressed by updating to expat version 2.2.8. CVE-2019-15903: Joonun Jang Photos Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: Live Photo audio and video data may be shared via iCloud links even if Live Photo is disabled in the Share Sheet carousel Description: The issue was addressed with improved validation when an iCloud Link is created. CVE-2019-8857: Tor Bruce Security Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-8832: Insu Yun of SSLab at Georgia Tech WebKit Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8835: Anonymous working with Trend Micro's Zero Day Initiative, Mike Zhang of Pangu Team CVE-2019-8844: William Bowling (@wcbowling) WebKit Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2019-8846: Marcin Towalski of Cisco Talos Additional recognition Accounts We would like to acknowledge Kishan Bagaria (KishanBagaria.com <http://kishanbagaria.com/>) and Tom Snelling of Loughborough University for their assistance. Core Data We would like to acknowledge Natalie Silvanovich of Google Project Zero for their assistance. Settings We would like to acknowledge an anonymous researcher for their assistance. Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ <https://www.apple.com/itunes/> iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 13.3 and iPadOS 13.3". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 <https://support.apple.com/kb/HT201222> This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ <https://www.apple.com/support/security/pgp/> -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl3wFpoACgkQBz4uGe3y 0M18fQ//WhVI4LKBRFvq8A5p7T8wwMklItFubvFzcxAec3ZHIYAXTTLpvZWNKCrc wvqlPkNBs1onvaq6LPddeL9uMWgBB0iiks6HX5oRrHuvutiRGC1n8VzJCgW8BWwI 7CNFNBXl4iBflupZlCnSdbwbDkJSyNN+DvouxzfXMqbpdnjV1NVNtlM/WrdFnVgU vqAnxY7FEFrwgyU/zAbfyo5S4qJ2fRC9MPiO3Tiq+abVEcprQ4wSmKJUtgvgudOX witjbU8I9eKz2H5jq555gkq4yZVHjg7vDhj1Ln1Zm2bO2PM5A6dsXsSCwzIYaqvF /wbrOuVbw1f1F4mD8Oq7IFHXsoWysUnOPEApeKE7L0XvH7CmCDccd7k9txOIRWRt 2rj+8YqGvo1fXKnIULVgtltbnxMKhZJO6ISZnTQ+3CnNfWEgXx+dNVDBB1HIGooJ JkpldVmjNXBts/DV0FEZXbYLVWCk90D0sSeMTE64v9U6v690JVGoXHynhYhui4IX gSbbcvwslD8MLHyK1E29t7X3XdIGVuzcq+OJ7oFn7T1lX14UflvKRNkEDDfc4Tsj lllrvrU084mWQaryldWIGzDNDT7O4RDsTCKzEPYSqXm3mxP13jZj1sDv1f1/2FdQ GmjCFIvlnYZeHB2mbStt3T9LXe7tuaF1TIYnG103h/SQEmwfiOk= =m//a -----END PGP SIGNATURE----- . Alternatively, on your watch, select "My Watch > General > About"

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

local

TYPE

buffer error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Apple

SOURCES

LAST UPDATE DATE

2024-08-14T12:22:33.174000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE