-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2409
                                 tvOS 15.5
                                17 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tvOS 15.5
Publisher:         Apple
Operating System:  Apple iOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26771 CVE-2022-26768 CVE-2022-26766
                   CVE-2022-26765 CVE-2022-26764 CVE-2022-26763
                   CVE-2022-26757 CVE-2022-26745 CVE-2022-26740
                   CVE-2022-26739 CVE-2022-26738 CVE-2022-26737
                   CVE-2022-26736 CVE-2022-26724 CVE-2022-26719
                   CVE-2022-26717 CVE-2022-26716 CVE-2022-26714
                   CVE-2022-26711 CVE-2022-26710 CVE-2022-26709
                   CVE-2022-26706 CVE-2022-26702 CVE-2022-26701
                   CVE-2022-26700 CVE-2022-23308 CVE-2022-22675

Original Bulletin: 
   https://support.apple.com/HT213254

Comment: CVSS (Max):  7.5* CVE-2022-23308 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
         * Not all CVSS available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2022-05-16-6 tvOS 15.5

tvOS 15.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213254.

AppleAVD
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2022-26702: an anonymous researcher

AppleAVD
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges. Apple is aware of a report that this issue may
have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2022-22675: an anonymous researcher

AuthKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: A local user may be able to enable iCloud Photos without
authentication
Description: An authentication issue was addressed with improved
state management.
CVE-2022-26724:  Jorge A. Caballero (@DataDrivenMD)

AVEVideoEncoder
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2022-26736: an anonymous researcher
CVE-2022-26737: an anonymous researcher
CVE-2022-26738: an anonymous researcher
CVE-2022-26739: an anonymous researcher
CVE-2022-26740: an anonymous researcher

DriverKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: An out-of-bounds access issue was addressed with
improved bounds checking.
CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

ImageIO
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An integer overflow was addressed with improved input
validation.
CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend
Micro Zero Day Initiative

IOKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A race condition was addressed with improved locking.
CVE-2022-26701: chenyuwang (@mzzzz__) of Tencent Security Xuanwu Lab

IOMobileFrameBuffer
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2022-26768: an anonymous researcher

IOSurfaceAccelerator
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2022-26771: an anonymous researcher

Kernel
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-26714: Peter Nguyá»\x{133}n VÅ© Hoàng (@peternguyen14) of STAR Labs
(@starlabs_sg)

Kernel
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2022-26757: Ned Williamson of Google Project Zero

Kernel
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: An attacker that has already achieved kernel code execution
may be able to bypass kernel memory mitigations
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: A malicious attacker with arbitrary read and write capability
may be able to bypass Pointer Authentication
Description: A race condition was addressed with improved state
handling.
CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

LaunchServices
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: An access issue was addressed with additional sandbox
restrictions on third-party applications.
CVE-2022-26706: Arsenii Kostromin (0x3c3e)

libxml2
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2022-23308

Security
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: A malicious app may be able to bypass signature validation
Description: A certificate parsing issue was addressed with improved
checks.
CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

WebKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: Processing maliciously crafted web content may lead to code
execution
Description: A memory corruption issue was addressed with improved
state management.
WebKit Bugzilla: 238178
CVE-2022-26700: ryuzaki

WebKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
WebKit Bugzilla: 236950
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua
wingtecher lab
WebKit Bugzilla: 237475
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua
wingtecher lab
WebKit Bugzilla: 238171
CVE-2022-26717: Jeonghoon Shin of Theori

WebKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
WebKit Bugzilla: 238183
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab
WebKit Bugzilla: 238699
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

Wi-Fi
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple
TV HD
Impact: A malicious application may disclose restricted memory
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-26745: an anonymous researcher

Additional recognition

AppleMobileFileIntegrity
We would like to acknowledge Wojciech ReguÃ…\x{130}a (@_r3ggi) of SecuRing
for their assistance.

WebKit
We would like to acknowledge James Lee, an anonymous researcher for
their assistance.

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting "Settings ->
System -> Software Update -> Update Software."  To check the current
version of software, select "Settings -> General -> About."
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TcACgkQeC9qKD1p
rhiw7BAAy82XZ2+vjnjFB1FrZ7ZnKtM4pz8MMpX4ZTD2ytgkwXi0qnyzBdMe/w4p
zrpedL4p/RfdDOiM/4kWBtiH62qetiXDcE8tBqN8WTE9rf55cX4jlXrHASohFI2q
ErkAjo51j2fg8S7a+luyaZWzBUZqlghtzWjtFgaHOQAP5dDf+He92kDerbrIDQw9
dg0nL4os0VFgWdX0EtFC7umK8iiTFbvtoEbLDLFODWweaJN8LOP/LHe71YzAryKg
Dh9ItWqVdzkCOKWR8F96NnoBs7c6B4naqQkS4k2F/m6C6ckPb8LI18ss7oiD3eMB
k7oo7+u1zQFRKmk0XlfH7awxtEHjYjjw3LT8ko9QJ8mEuspxoiwW7n1mINWa7Khp
YoCe88xR06kfti4h6MJDSN6JpxSnikEyJzR4j4xGL6rWjqCj+XV9ejrt9EgF8BL2
JZ+Oceoh23m7IqVoMe1Hzjf1X3nsxXJQEg/xxRwHRknAjSNtVJUKhT4/ioOc9pu6
TROAHYdSO5yRLNUNpj9RlkBeDbXtiWgA2IEg0wcUPzwf3Uzt2Qw9zBFbMb1hPSht
7zTIOtF4Ub+MD6cFuHbC7hL58pRmA4FzEczLG81BoGGaFOCD2QDt0/ySTFr1M+YD
g2L2PlZNgxd0zetkTkZbvAwroMUTRSi1GqxAhVeKwbvW4XAN+yc=
=G3ho
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYoMppckNZI30y1K9AQgB/Q//UVRtkZGXFfkORKbqMjbPaFx8KvseBLny
coA4uYYE52nXuX9h0YlCpc/MseC1BVPd2ndOcvoYWmxLBrYsOjBncfIcBeQjRO2Q
pEKFe4BSD/dlZTm5I8qA798bP3hlAoia/Z01ZjJujY08bP7iBKFpWPmuCG30YA0V
+wtLYJ/CCObHMbK/QkiO4O84+Hd0SP4uFZcPdGOjMSZUj1iY6rRn9QbNHbRFAHeK
Pc3oP5ZKVWDSCm+9c+vkRmEgz+DATh3nwtoj9jkGYxnQ5O2Tl1lcMDtaWVYdqNcs
riUOUuu03ZFiCw0DZzsNdyKPJF0pS+fgn8a9sMs2SACZO2l4V5Eu2YByzMfU+I/Z
Wsfg58fpGbB07qTmDmhf2aG2Gwab9TsirNrGh6tpjNY/cF24M7lZzP31EH0hZEt7
2X265Cz7VPctcWm6HTTAOVZTVWZ0eIMowC2Fq4ANoSvYbmrK5z70Ysa+YQdJVo3K
VryijRSkxxPhj9SMGyVWF2JoOThLou0GWA99oFhx31Nil2c51bhIJ+fs6oNYB/Xg
10iBcmgIwuVPUFC1rTxKSQSGUcgnYfdnw99mk13wFAsxU5wk0Zl4YHy92sc0w7Jn
pXqWnBpdc/ds5VC/OL0ueSM+axUoa6fyNTK+RK4GtUArcnQrm5agwQhMY7Ecg7SJ
ITFg63CL8Yk=
=Rwh6
-----END PGP SIGNATURE-----