watchOS 8.6: CVSS (Max): 7.5*

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2410
                                watchOS 8.6
                                17 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           watchOS 8.6
Publisher:         Apple
Operating System:  Apple iOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26771 CVE-2022-26768 CVE-2022-26766
                   CVE-2022-26765 CVE-2022-26764 CVE-2022-26763
                   CVE-2022-26757 CVE-2022-26745 CVE-2022-26726
                   CVE-2022-26719 CVE-2022-26717 CVE-2022-26716
                   CVE-2022-26714 CVE-2022-26711 CVE-2022-26710
                   CVE-2022-26709 CVE-2022-26706 CVE-2022-26702
                   CVE-2022-26700 CVE-2022-23308 CVE-2022-22675

Original Bulletin: 
   https://support.apple.com/HT213253

Comment: CVSS (Max):  7.5* CVE-2022-23308 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
         * Not all CVSS available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2022-05-16-5 watchOS 8.6

watchOS 8.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213253.

AppleAVD
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2022-26702: an anonymous researcher

AppleAVD
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges. Apple is aware of a report that this issue may
have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2022-22675: an anonymous researcher

DriverKit
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: An out-of-bounds access issue was addressed with
improved bounds checking.
CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

ImageIO
Available for: Apple Watch Series 3 and later
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An integer overflow was addressed with improved input
validation.
CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend
Micro Zero Day Initiative

IOMobileFrameBuffer
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2022-26768: an anonymous researcher

IOSurfaceAccelerator
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2022-26771: an anonymous researcher

Kernel
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-26714: Peter Nguyá»\x{133}n VÅ© Hoàng (@peternguyen14) of STAR Labs
(@starlabs_sg)

Kernel
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2022-26757: Ned Williamson of Google Project Zero

Kernel
Available for: Apple Watch Series 3 and later
Impact: An attacker that has already achieved kernel code execution
may be able to bypass kernel memory mitigations
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel
Available for: Apple Watch Series 3 and later
Impact: A malicious attacker with arbitrary read and write capability
may be able to bypass Pointer Authentication
Description: A race condition was addressed with improved state
handling.
CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

LaunchServices
Available for: Apple Watch Series 3 and later
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: An access issue was addressed with additional sandbox
restrictions on third-party applications.
CVE-2022-26706: Arsenii Kostromin (0x3c3e)

libxml2
Available for: Apple Watch Series 3 and later
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2022-23308

Security
Available for: Apple Watch Series 3 and later
Impact: A malicious app may be able to bypass signature validation
Description: A certificate parsing issue was addressed with improved
checks.
CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

TCC
Available for: Apple Watch Series 3 and later
Impact: An app may be able to capture a user's screen
Description: This issue was addressed with improved checks.
CVE-2022-26726: an anonymous researcher

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to code
execution
Description: A memory corruption issue was addressed with improved
state management.
WebKit Bugzilla: 238178
CVE-2022-26700: ryuzaki

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
WebKit Bugzilla: 236950
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua
wingtecher lab
WebKit Bugzilla: 237475
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua
wingtecher lab
WebKit Bugzilla: 238171
CVE-2022-26717: Jeonghoon Shin of Theori

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
WebKit Bugzilla: 238183
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab
WebKit Bugzilla: 238699
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

Wi-Fi
Available for: Apple Watch Series 3 and later
Impact: A malicious application may disclose restricted memory
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-26745: an anonymous researcher

Additional recognition

AppleMobileFileIntegrity
We would like to acknowledge Wojciech ReguÃ…\x{130}a (@_r3ggi) of SecuRing
for their assistance.

WebKit
We would like to acknowledge James Lee, an anonymous researcher for
their assistance.

Instructions on how to update your Apple Watch software are available
at https://support.apple.com/kb/HT204641  To check the version on
your Apple Watch, open the Apple Watch app on your iPhone and select
"My Watch > General > About".  Alternatively, on your watch, select
"My Watch > General > About".
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TYACgkQeC9qKD1p
rhhgaBAAq/igmuSba0Occu1TcS6aXG50gjUZyJXPu7/UVVWI4icwz+c/ruKquy/w
XuiT+C2Q6CJIWn2qM+hHrHtgsi3EYI6XxrbgcLgmvGvbwICs9RwHyHc1ztSyurTe
ys8gJkc+/nZWPKR4dy7JUl8NdjoTWuUyGVE9xOJQeISND5xUoDz2i9d8FKgkZta6
FoJlIWCDuNq01vgcAfKSZqPX2mEPMnWL47Q6g69PXIs34iBcOrHNesZ/mH/jz5Nz
aAnisEj9gC0+KERoMSmGoBrYmP7kr/DmVBEwa9cDA0rGfNntgNliQ7wbLxnT8kJG
rJARAyLPtPsygs7UmnkDaNDkI/a63dIRWwPIKUOQYtKKqwNL5GSoytdk/OhRGjmN
Hi7k1GmvGiJA7bFI3PIQDSi3YSC1cs9CeyIL2rNUSVmRZ7jHlXxlDQYH1/ad4DU1
TqVw9Rwg0mlc0tYKUNjChg/uAK1G5OGidxtLRt0FzUaXvPoVLe0/btYeaH6ijfU9
i1W+xJ8jGgWddP7r1HvNeN6B+WGuIEcla+GNduEV3+AcnxL9h6FP8sAzQuTHQtKC
AkqUO1G20ieIQHKJPNEIpgLlrCFYVajDfRtB9zGDme6aBZNHxefOWMMxdKfnspj2
MtFpJ9qPmpnRITjCF5z1RDfqFjXUZvePcRA6rS1Lq4ClgQ575yI=
=zdvf
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYoMp08kNZI30y1K9AQjm+g//c9KWpHYQ9TOBK68qHawu62tmw/MYx/gI
Jg2cxJr/Y2fcjPSd7Mh2ePHmnbNjIzWVrOURc3sQ31repgrWp9fiWhqBBK+GFHtg
gYgwx8pDrosvKO1LDZIxOMO9qi9hsnI0KT9SbHaSj1Iz3KqdCny8Cyta1qUkf6b0
QxVh6gi3JwzMNihqmY3UJK3Ag+xQcxEh+Uy71wCm+BS6wu+8IYpOShjsnGIVghNR
4LV/6tLTixH3hufhx4sLmJVanjPhuUYH+VRKoHIHYT1BXiACdgkFsaw5QgB5aI9F
fcCqLRASYA1THctHJbDEmVTw8QjcG2ofQTkm9d34KsrH5nTvuI7a7NNkW+jplptK
U5dNHHUlUnRgDwGgsBorCrCneiRiDCDvR+q9Bw70l+pTKTnCGUJ4IqPgL/2OJYe5
qE+xUX/wPsMySsuDYTN2PQZr/AUMDAa2AIAo9GhWE/4raUrSRyV9iVcRJ7z9JPy8
jccgtDz1eH5OKm6wgKsca+thEgywDbZmuhjQIQuAmk8mUyq7fIc7teyyfo8jx7J+
A1TAzZ5N3+gvOTuvKqq2XPvqx1iJYG8pB9ZBtqc2b2THLAghNNjPL6qnZCugUV63
0eENpCf3VsZxsNtZqohRN94gnJ3bhsPVFFmecltlAkMTZjEDSB8vX5TBdmi5VNx+
hNZyaObQbwo=
=OSLV
-----END PGP SIGNATURE-----