ESB-2017.1777 - [Apple iOS] Apple tvOS: Multiple vulnerabilities 2017-07-20

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1777
                                tvOS 10.2.2
                               20 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Apple tvOS
Publisher:        Apple
Operating System: Apple iOS
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                  Root Compromise                 -- Remote with User Interaction
                  Access Privileged Data          -- Remote with User Interaction
                  Denial of Service               -- Remote/Unauthenticated      
                  Cross-site Scripting            -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2017-9417 CVE-2017-7069 CVE-2017-7068
                  CVE-2017-7062 CVE-2017-7061 CVE-2017-7059
                  CVE-2017-7056 CVE-2017-7055 CVE-2017-7052
                  CVE-2017-7049 CVE-2017-7048 CVE-2017-7047
                  CVE-2017-7046 CVE-2017-7043 CVE-2017-7042
                  CVE-2017-7041 CVE-2017-7040 CVE-2017-7039
                  CVE-2017-7038 CVE-2017-7037 CVE-2017-7034
                  CVE-2017-7030 CVE-2017-7029 CVE-2017-7028
                  CVE-2017-7027 CVE-2017-7026 CVE-2017-7025
                  CVE-2017-7024 CVE-2017-7023 CVE-2017-7022
                  CVE-2017-7020 CVE-2017-7019 CVE-2017-7018
                  CVE-2017-7013 CVE-2017-7010 CVE-2017-7009
                  CVE-2017-7008 CVE-2017-7006 

Reference:        ESB-2017.1774
                  ESB-2017.1686
                  ESB-2017.1685

- --------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2017-07-19-4 tvOS 10.2.2

tvOS 10.2.2 is now available and addresses the following:

Contacts
Available for:  Apple TV (4th generation)
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A buffer overflow issue was addressed through improved
memory handling.
CVE-2017-7062: Shashank (@cyberboyIndia)

CoreAudio
Available for:  Apple TV (4th generation)
Impact: Processing a maliciously crafted movie file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
bounds checking.
CVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team

IOUSBFamily
Available for:  Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7009: shrek_wzw of Qihoo 360 Nirvan Team

Kernel
Available for:  Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7022: an anonymous researcher
CVE-2017-7024: an anonymous researcher
CVE-2017-7026: an anonymous researcher

Kernel
Available for:  Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7023: an anonymous researcher
CVE-2017-7025: an anonymous researcher
CVE-2017-7027: an anonymous researcher
CVE-2017-7069: Proteas of Qihoo 360 Nirvan Team

Kernel
Available for:  Apple TV (4th generation)
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-7028: an anonymous researcher
CVE-2017-7029: an anonymous researcher

libarchive
Available for:  Apple TV (4th generation)
Impact: Unpacking a maliciously crafted archive may lead to arbitrary
code execution
Description: A buffer overflow was addressed through improved bounds
checking.
CVE-2017-7068: found by OSS-Fuzz

libxml2
Available for:  Apple TV (4th generation)
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: An out-of-bounds read was addressed through improved
bounds checking.
CVE-2017-7010: Apple
CVE-2017-7013: found by OSS-Fuzz

libxpc
Available for:  Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7047: Ian Beer of Google Project Zero

WebKit
Available for:  Apple TV (4th generation)
Impact: A malicious website may exfiltrate data cross-origin
Description: Processing maliciously crafted web content may allow
cross-origin data to be exfiltrated by using SVG filters to conduct a
timing side-channel attack. This issue was addressed by not painting
the cross-origin buffer into the frame that gets filtered.
CVE-2017-7006: David Kohlbrenner of UC San Diego, an anonymous
researcher

WebKit
Available for:  Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-7018: lokihardt of Google Project Zero
CVE-2017-7020: likemeng of Baidu Security Lab
CVE-2017-7030: chenqin of Ant-financial Light-Year Security Lab
()
CVE-2017-7034: chenqin of Ant-financial Light-Year Security Lab
()
CVE-2017-7037: lokihardt of Google Project Zero
CVE-2017-7039: Ivan Fratric of Google Project Zero
CVE-2017-7040: Ivan Fratric of Google Project Zero
CVE-2017-7041: Ivan Fratric of Google Project Zero
CVE-2017-7042: Ivan Fratric of Google Project Zero
CVE-2017-7043: Ivan Fratric of Google Project Zero
CVE-2017-7046: Ivan Fratric of Google Project Zero
CVE-2017-7048: Ivan Fratric of Google Project Zero
CVE-2017-7052: cc working with Trend Micro's Zero Day Initiative
CVE-2017-7055: The UK's National Cyber Security Centre (NCSC)
CVE-2017-7056: lokihardt of Google Project Zero
CVE-2017-7061: lokihardt of Google Project Zero

WebKit
Available for:  Apple TV (4th generation)
Impact: Processing maliciously crafted web content with DOMParser may
lead to cross site scripting
Description: A logic issue existed in the handling of DOMParser. This
issue was addressed with improved state management.
CVE-2017-7038: Neil Jenkins of FastMail Pty Ltd, Egor Karbutov
(@ShikariSenpai) of Digital Security and Egor Saltykov
(@ansjdnakjdnajkd) of Digital Security
CVE-2017-7059: an anonymous researcher

WebKit
Available for:  Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2017-7049: Ivan Fratric of Google Project Zero

WebKit Page Loading
Available for:  Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-7019: Zhiyang Zeng of Tencent Security Platform Department

Wi-Fi
Available for:  Apple TV (4th generation)
Impact: An attacker within range may be able to execute arbitrary
code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-9417: Nitay Artenstein of Exodus Intelligence

Installation note:

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software."

To check the current version of software, select
"Settings -> General -> About."

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWXBA34x+lLeg9Ub1AQhPbhAAqgUocaQIDNl/XEUvj2gn73xwtg8gJT6Q
r8HFpKC9LhfgSvE+EaXxpyJu5B8xevy4C8R5Yn5ySCvKGBAppxCvYwhcpVabOKkL
7lJmN/HqowAFbZ6766HrXXXeXI7usR1OkZkTvldJL3UnY5jTDWNRrrD0jVUuItp6
NjFTatKlQYy8ecoR3AQ1HmaT/q1Weowr9ihn0h1U/VRlqqkMbNij9cjeGVWRuVbn
5P6+8RUos76TaB0w5W1cbwE23zud8ACmA9/KSNsh0BX1979RLOoTxTx0ZXF7nxdh
u1zU6VFv4kZJosMnAB0xrlOYhlB/FeMBk/+DLrktUEXSP+1hS5rN8mQRablW+yG4
PRXQv8ccFkHknWE9LW2DdW6L9IgxDWA/+l32QyjQF2j2h1xzj7sQI0srp+YyxX0w
3/ojZjARFUfKxmzVi1SG3SKCg3pSgn3aWbIOzxJeN8jF9H+9sAmKr30vGEd52yPv
1wr8PK9BmRpf2qEDDEKCd1pyaMBS8TCoBj2Mu1rhn3ZDVZAtCmb7woQwgkI6LyMN
WgbATwgwE7/31Y59PFmUK1a29V9nmWhpkoJpJmvUOacROaubrzST5Tum4AauF9AC
Qi+BN0+5HcPS1LlgmBCQ8Npf8Bq0d1Zme5KX1jVhjUY3tpjOhlYcASH2keapT/aH
PFdUv6JCdNE=
=Dz77
-----END PGP SIGNATURE-----

« Back to bulletins