ESB-2018.3348.2 - UPDATE [OSX] Apple MacOS: Multiple vulnerabilities 2018-11-01

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.3348.2
        macOS Mojave 10.14.1, Security Update 2018-001 High Sierra,
                      Security Update 2018-005 Sierra
                              1 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple MacOS
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Root Compromise                 -- Existing Account            
                   Increased Privileges            -- Remote with User Interaction
                   Access Privileged Data          -- Existing Account            
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Reduced Security                -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8780 CVE-2018-8779 CVE-2018-8778
                   CVE-2018-8777 CVE-2018-6914 CVE-2018-6797
                   CVE-2018-5383 CVE-2018-4426 CVE-2018-4425
                   CVE-2018-4424 CVE-2018-4423 CVE-2018-4422
                   CVE-2018-4420 CVE-2018-4419 CVE-2018-4418
                   CVE-2018-4417 CVE-2018-4415 CVE-2018-4414
                   CVE-2018-4413 CVE-2018-4412 CVE-2018-4411
                   CVE-2018-4410 CVE-2018-4408 CVE-2018-4407
                   CVE-2018-4406 CVE-2018-4403 CVE-2018-4402
                   CVE-2018-4401 CVE-2018-4400 CVE-2018-4399
                   CVE-2018-4398 CVE-2018-4396 CVE-2018-4395
                   CVE-2018-4394 CVE-2018-4393 CVE-2018-4389
                   CVE-2018-4383 CVE-2018-4371 CVE-2018-4369
                   CVE-2018-4368 CVE-2018-4355 CVE-2018-4354
                   CVE-2018-4353 CVE-2018-4351 CVE-2018-4350
                   CVE-2018-4348 CVE-2018-4347 CVE-2018-4346
                   CVE-2018-4344 CVE-2018-4343 CVE-2018-4342
                   CVE-2018-4341 CVE-2018-4340 CVE-2018-4338
                   CVE-2018-4337 CVE-2018-4336 CVE-2018-4334
                   CVE-2018-4333 CVE-2018-4332 CVE-2018-4331
                   CVE-2018-4326 CVE-2018-4324 CVE-2018-4321
                   CVE-2018-4310 CVE-2018-4308 CVE-2018-4304
                   CVE-2018-4295 CVE-2018-4291 CVE-2018-4288
                   CVE-2018-4287 CVE-2018-4286 CVE-2018-4259
                   CVE-2018-4242 CVE-2018-4203 CVE-2018-4153
                   CVE-2018-4126 CVE-2018-3646 CVE-2018-3640
                   CVE-2018-3639 CVE-2017-17742 CVE-2017-17405
                   CVE-2017-14064 CVE-2017-14033 CVE-2017-12618
                   CVE-2017-12613 CVE-2017-10784 CVE-2017-898
                   CVE-2016-1777 CVE-2016-702 CVE-2015-5334
                   CVE-2015-5333 CVE-2015-3194 

Reference:         ASB-2018.0204
                   ASB-2018.0121
                   ESB-2018.3344
                   ESB-2018.3338
                   ESB-2018.3337
                   ESB-2018.3332

Original Bulletin: 
   https://support.apple.com/en-au/HT209193
   https://support.apple.com/kb/HT201222

Comment: This bulletin contains two (2) Apple security advisories.

Revision History:  November  1 2018: New CVEs added
                   October  31 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2018-10-30-2 macOS Mojave 10.14.1, Security Update 2018-001
High Sierra, Security Update 2018-005 Sierra

macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, and
Security Update 2018-005 Sierra are now available and address
the following:

afpserver
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A remote attacker may be able to attack AFP servers through
HTTP clients
Description: An input validation issue was addressed with improved
input validation.
CVE-2018-4295: Jianjun Chen (@whucjj) from Tsinghua University and UC
Berkeley

AppleGraphicsControl
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4410: an anonymous researcher working with Trend Micro's
Zero Day Initiative

AppleGraphicsControl
Available for: macOS High Sierra 10.13.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2018-4417: Lee of the Information Security Lab Yonsei University
working with Trend Micro's Zero Day Initiative

APR
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: Multiple buffer overflow issues existed in Perl
Description: Multiple issues in Perl were addressed with improved
memory handling.
CVE-2017-12613: Craig Young of Tripwire VERT
CVE-2017-12618: Craig Young of Tripwire VERT

ATS
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4411: lilang wu moony Li of Trend Micro working with Trend
Micro's Zero Day Initiative

ATS
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2018-4308: Mohamed Ghannam (@_simo36)

CFNetwork
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4126: Bruno Keith (@bkth_) working with Trend Micro's Zero
Day Initiative

CoreAnimation
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4415: Liang Zhuo working with Beyond Security's SecuriTeam
Secure Disclosure

CoreCrypto
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: An attacker may be able to exploit a weakness in the
Miller-Rabin primality test to incorrectly identify prime numbers
Description: An issue existed in the method for determining prime
numbers. This issue was addressed by using pseudorandom bases for
testing of primes.
CVE-2018-4398: Martin Albrecht, Jake Massimo and Kenny Paterson of
Royal Holloway, University of London, and Juraj Somorovsky of Ruhr
University, Bochum

CoreFoundation
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4412: The UK's National Cyber Security Centre (NCSC)

CUPS
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: In certain configurations, a remote attacker may be able to
replace the message content from the print server with arbitrary
content
Description: An injection issue was addressed with improved
validation.
CVE-2018-4153: Michael Hanselmann of hansmi.ch

CUPS
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed with improved
validation.
CVE-2018-4406: Michael Hanselmann of hansmi.ch

Dictionary
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: Parsing a maliciously crafted dictionary file may lead to
disclosure of user information
Description: A validation issue existed which allowed local file
access. This was addressed with input sanitization.
CVE-2018-4346: Wojciech ReguÃ…\x{130}a (@_r3ggi) of SecuRing

Dock
Available for: macOS Mojave 10.14
Impact: A malicious application may be able to access restricted
files
Description: This issue was addressed by removing additional
entitlements.
CVE-2018-4403: Patrick Wardle of Digita Security

dyld
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved validation.
CVE-2018-4423: an anonymous researcher

EFI
Available for: macOS High Sierra 10.13.6
Impact: Systems with microprocessors utilizing speculative execution
and speculative execution of memory reads before the addresses of all
prior memory writes are known may allow unauthorized disclosure of
information to an attacker with local user access via a side-channel
analysis
Description: An information disclosure issue was addressed with a
microcode update. This ensures that older data read from
recently-written-to addresses cannot be read via a speculative
side-channel.
CVE-2018-3639: Jann Horn (@tehjh) of Google Project Zero (GPZ), Ken
Johnson of the Microsoft Security Response Center (MSRC)

EFI
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: A local user may be able to modify protected parts of the
file system
Description: A configuration issue was addressed with additional
restrictions.
CVE-2018-4342: Timothy Perfitt of Twocanoes Software

Foundation
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: Processing a maliciously crafted text file may lead to a
denial of service
Description: A denial of service issue was addressed with improved
validation.
CVE-2018-4304: jianan.huang (@Sevck)

Grand Central Dispatch
Available for: macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4426: Brandon Azad

Heimdal
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4331: Brandon Azad

Hypervisor
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: Systems with microprocessors utilizing speculative execution
and address translations may allow unauthorized disclosure of
information residing in the L1 data cache to an attacker with local
user access with guest OS privilege via a terminal page fault and a
side-channel analysis
Description: An information disclosure issue was addressed by
flushing the L1 data cache at the virtual machine entry.
CVE-2018-3646: Baris Kasikci, Daniel Genkin, Ofir Weisse, and Thomas
F. Wenisch of University of Michigan, Mark Silberstein and Marina
Minkin of Technion, Raoul Strackx, Jo Van Bulck, and Frank Piessens
of KU Leuven, Rodrigo Branco, Henrique Kawakami, Ke Sun, and Kekai Hu
of Intel Corporation, Yuval Yarom of The University of Adelaide

Hypervisor
Available for: macOS Sierra 10.12.6
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2018-4242: Zhuo Liang of Qihoo 360 Nirvan Team

ICU
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: Processing a maliciously crafted string may lead to heap
corruption
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4394: an anonymous researcher

Intel Graphics Driver
Available for: macOS Sierra 10.12.6
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4334: Ian Beer of Google Project Zero

Intel Graphics Driver
Available for: macOS High Sierra 10.13.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2018-4396: Yu Wang of Didi Research America
CVE-2018-4418: Yu Wang of Didi Research America

Intel Graphics Driver
Available for: macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4350: Yu Wang of Didi Research America

IOGraphics
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4422: an anonymous researcher working with Trend Micro's
Zero Day Initiative

IOHIDFamily
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
input validation
CVE-2018-4408: Ian Beer of Google Project Zero

IOKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4402: Proteas of Qihoo 360 Nirvan Team

IOKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A malicious application may be able to break out of its
sandbox
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4341: Ian Beer of Google Project Zero
CVE-2018-4354: Ian Beer of Google Project Zero

IOUserEthernet
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4401: Apple

IPSec
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: An application may be able to gain elevated privileges
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2018-4371: Tim Michaud (@TimGMichaud) of Leviathan Security Group

Kernel
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed by removing the
vulnerable code.
CVE-2018-4420: Mohamed Ghannam (@_simo36)

Kernel
Available for: macOS High Sierra 10.13.6
Impact: A malicious application may be able to leak sensitive user
information
Description: An access issue existed with privileged API calls. This
issue was addressed with additional restrictions.
CVE-2018-4399: Fabiano Anemone (@anoane)

Kernel
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4340: Mohamed Ghannam (@_simo36)
CVE-2018-4419: Mohamed Ghannam (@_simo36)
CVE-2018-4425: cc working with Trend Micro's Zero Day Initiative,
Juwei Lin (@panicaII) of Trend Micro working with Trend Micro's Zero
Day Initiative

Kernel
Available for: macOS Sierra 10.12.6
Impact: Mounting a maliciously crafted NFS network share may lead to
arbitrary code execution with system privileges
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2018-4259: Kevin Backhouse of Semmle and LGTM.com
CVE-2018-4286: Kevin Backhouse of Semmle and LGTM.com
CVE-2018-4287: Kevin Backhouse of Semmle and LGTM.com
CVE-2018-4288: Kevin Backhouse of Semmle and LGTM.com
CVE-2018-4291: Kevin Backhouse of Semmle and LGTM.com

Kernel
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2018-4413: Juwei Lin (@panicaII) of TrendMicro Mobile Security
Team

Kernel
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An attacker in a privileged network position may be able to
execute arbitrary code
Description: A memory corruption issue was addressed with improved
validation.
CVE-2018-4407: Kevin Backhouse of Semmle Ltd.

Kernel
Available for: macOS Mojave 10.14
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A buffer overflow was addressed with improved size
validation.
CVE-2018-4424: Dr. Silvio Cesare of InfoSect

Login Window
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A local user may be able to cause a denial of service
Description: A validation issue was addressed with improved logic.
CVE-2018-4348: Ken Gannon of MWR InfoSecurity and Christian Demko of
MWR InfoSecurity

Mail
Available for: macOS Mojave 10.14
Impact: Processing a maliciously crafted mail message may lead to UI
spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2018-4389: Dropbox Offensive Security Team, Theodor Ragnar
Gislason of Syndis

mDNSOffloadUserClient
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4326: an anonymous researcher working with Trend Micro's
Zero Day Initiative, Zhuo Liang of Qihoo 360 Nirvan Team

MediaRemote
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2018-4310: CodeColorist of Ant-Financial LightYear Labs

Microcode
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: Systems with microprocessors utilizing speculative execution
and that perform speculative reads of system registers may allow
unauthorized disclosure of system parameters to an attacker with
local user access via a side-channel analysis
Description: An information disclosure issue was addressed with a
microcode update. This ensures that implementation specific system
registers cannot be leaked via a speculative execution side-channel.
CVE-2018-3640: Innokentiy Sennovskiy from BiZone LLC (bi.zone),
Zdenek Sojka, Rudolf Marek and Alex Zuepke from SYSGO AG (sysgo.com)

NetworkExtension
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: Connecting to a VPN server may leak DNS queries to a DNS
proxy
Description: A logic issue was addressed with improved state
management.
CVE-2018-4369: an anonymous researcher

Perl
Available for: macOS Sierra 10.12.6
Impact: Multiple buffer overflow issues existed in Perl
Description: Multiple issues in Perl were addressed with improved
memory handling.
CVE-2018-6797: Brian Carpenter

Ruby
Available for: macOS Sierra 10.12.6
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: Multiple issues in Ruby were addressed in this update.
CVE-2017-898
CVE-2017-10784
CVE-2017-14033
CVE-2017-14064
CVE-2017-17405
CVE-2017-17742
CVE-2018-6914
CVE-2018-8777
CVE-2018-8778
CVE-2018-8779
CVE-2018-8780

Security
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: Processing a maliciously crafted S/MIME signed message may
lead to a denial of service
Description: A validation issue was addressed with improved logic.
CVE-2018-4400: Yukinobu Nagayasu of LAC Co., Ltd.

Security
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A local user may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2018-4395: Patrick Wardle of Digita Security

Spotlight
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4393: Lufeng Li

Symptom Framework
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2018-4203: Bruno Keith (@bkth_) working with Trend Micro's Zero
Day Initiative

WiFi
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed with improved
validation.
CVE-2018-4368: Milan Stute and Alex Mariotto of Secure Mobile
Networking Lab at Technische Universität Darmstadt

Additional recognition

Calendar
We would like to acknowledge an anonymous researcher for their
assistance.

iBooks
We would like to acknowledge Sem Voigtländer of Fontys Hogeschool 
ICT for their assistance.

Kernel
We would like to acknowledge Brandon Azad for their assistance.

LaunchServices
We would like to acknowledge Alok Menghrajani of Square for their
assistance.

Quick Look
We would like to acknowledge lokihardt of Google Project Zero for
their assistance.

Security
We would like to acknowledge Marinos Bernitsas of Parachute for their
assistance.

Terminal
We would like to acknowledge an anonymous researcher for their
assistance.

Installation note:

macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, and
Security Update 2018-005 Sierra may be obtained from the
Mac App Store or Apple's Software Downloads web site:
https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----

iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlvYkgYpHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3EcGQ//
QbUbTOZRgxcStGZjs+qdXjeaXI6i1MKaky7o/iYCXf87crFu79PCsXyPU1jeMvoS
tgDxz7ornlyaxR4wcSYzfcuIeY2ZH+dkxc7JJHQbKTW1dWYHpXUUzzNm+Ay/Gtk+
2EIAgJ9oUf8FARR5cmcKBZfLFVdc40vpM3bBCV4m2Kr5KiDsqZKdZTujBQRccAsO
HKRbhDecw0WX/CfEbLprs86uIXFMIoifhmh8LMebjzIQn2ozoFG6R31vMMHeDpir
zf0xlVCJrJy/XywmkodhBWWrUWcM0hfsJ8EmyIBwFEYUxFhOV3D+x3rStd2kjyNL
LG9oWclxDkjImQXdrL8IRAQfZvcVQFZK2vSGCYfRN0LY105sxjPjeIsJ0RORzcSN
2mlDR1UuTosk0GleDbmhv/ornfOc537UebwuHVWU5LpPNFkvY1Cv8zPrQAHewuod
TmktkNuv2x2fgw9g7ntE88UBF9JMC+Ofs/FgJ67RkoT4R39P7VvaztHlmxmr/rIw
TrSs7TDVqciz+DOMRKxyNPI1cpXM5ITCTvgbY4+RWwaFJzfgY+Gc+sldvVcb1x9I
LlsI19MA0bsvi+ReOcLbWYuEHaVhVqZ7LndxR9m2gJ39L9jff+dOsSlznF4OLs+S
t7Rz6i2mOpe6vXobkTUmml3m3zYIhL3XcdcYpw3U0F8=
=uhgi
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2018-10-30-9 Additional information for
APPLE-SA-2018-9-24-1 macOS Mojave 10.14

macOS Mojave 10.14 addresses the following:

Bluetooth
Available for: iMac (21.5-inch, Late 2012), iMac (27-inch, Late 2012)
, iMac (21.5-inch, Late 2013), iMac (21.5-inch, Mid 2014), iMac
(Retina 5K, 27-inch, Late 2014), iMac (21.5-inch, Late 2015),
Mac mini (Mid 2011), Mac mini Server (Mid 2011), Mac mini (Late 2012)
, Mac mini Server (Late 2012), Mac mini (Late 2014), Mac Pro
(Late 2013), MacBook Air (11-inch, Mid 2011), MacBook Air
(13-inch, Mid 2011), MacBook Air (11-inch, Mid 2012), MacBook Air
(13-inch, Mid 2012), MacBook Air (11-inch, Mid 2013), MacBook Air
(13-inch, Mid 2013), MacBook Air (11-inch, Early 2015), MacBook Air
(13-inch, Early 2015), MacBook Pro (13-inch, Mid 2012), MacBook Pro
(15-inch, Mid 2012), MacBook Pro (Retina, 13-inch, Early 2013),
MacBook Pro (Retina, 15-inch, Early 2013), MacBook Pro (Retina,
13-inch, Late 2013), and MacBook Pro (Retina, 15-inch, Late 2013)
Impact: An attacker in a privileged network position may be able to
intercept Bluetooth traffic
Description: An input validation issue existed in Bluetooth. This
issue was addressed with improved input validation.
CVE-2018-5383: Lior Neumann and Eli Biham

The updates below are available for these Mac models:
MacBook (Early 2015 and later), MacBook Air (Mid 2012 and later),
MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and later),
iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013, Mid 2010, and Mid 2012 models with recommended
Metal-capable graphics processor, including MSI Gaming Radeon RX 560
and Sapphire Radeon PULSE RX 580)

afpserver
Impact: A remote attacker may be able to attack AFP servers through
HTTP clients
Description: An input validation issue was addressed with improved
input validation.
CVE-2018-4295: Jianjun Chen (@whucjj) from Tsinghua University and UC
Berkeley
Entry added October 30, 2018

App Store
Impact: A malicious application may be able to determine the Apple ID
of the owner of the computer
Description: A permissions issue existed in the handling of the Apple
ID. This issue was addressed with improved access controls.
CVE-2018-4324: Sergii Kryvoblotskyi of MacPaw Inc.

AppleGraphicsControl
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2018-4417: Lee of the Information Security Lab Yonsei University
working with Trend Micro's Zero Day Initiative
Entry added October 30, 2018

Application Firewall
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A configuration issue was addressed with additional
restrictions.
CVE-2018-4353: Abhinav Bansal of LinkedIn Inc.

APR
Impact: Multiple buffer overflow issues existed in Perl
Description: Multiple issues in Perl were addressed with improved
memory handling.
CVE-2017-12613: Craig Young of Tripwire VERT
CVE-2017-12618: Craig Young of Tripwire VERT
Entry added October 30, 2018

ATS
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4411: lilang wu moony Li of Trend Micro working with Trend
Micro's Zero Day Initiative
Entry added October 30, 2018

ATS
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2018-4308: Mohamed Ghannam (@_simo36)
Entry added October 30, 2018

Auto Unlock
Impact: A malicious application may be able to access local users
AppleIDs
Description: A validation issue existed in the entitlement
verification. This issue was addressed with improved validation of
the process entitlement.
CVE-2018-4321: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc.

CFNetwork
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4126: Bruno Keith (@bkth_) working with Trend Micro's Zero
Day Initiative
Entry added October 30, 2018

CoreFoundation
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4412: The UK's National Cyber Security Centre (NCSC)
Entry added October 30, 2018

CoreFoundation
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4414: The UK's National Cyber Security Centre (NCSC)
Entry added October 30, 2018

CoreText
Impact: Processing a maliciously crafted text file may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2018-4347: an anonymous researcher
Entry added October 30, 2018

Crash Reporter
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2018-4333: Brandon Azad

CUPS
Impact: In certain configurations, a remote attacker may be able to
replace the message content from the print server with arbitrary
content
Description: An injection issue was addressed with improved
validation.
CVE-2018-4153: Michael Hanselmann of hansmi.ch
Entry added October 30, 2018

CUPS
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed with improved
validation.
CVE-2018-4406: Michael Hanselmann of hansmi.ch
Entry added October 30, 2018

Dictionary
Impact: Parsing a maliciously crafted dictionary file may lead to
disclosure of user information
Description: A validation issue existed which allowed local file
access. This was addressed with input sanitization.
CVE-2018-4346: Wojciech Regula (@_r3ggi) of SecuRing
Entry added October 30, 2018

Grand Central Dispatch
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4426: Brandon Azad
Entry added October 30, 2018

Heimdal
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4331: Brandon Azad
CVE-2018-4332: Brandon Azad
CVE-2018-4343: Brandon Azad
Entry added October 30, 2018

Hypervisor
Impact: Systems with microprocessors utilizing speculative execution
and address translations may allow unauthorized disclosure of
information residing in the L1 data cache to an attacker with local
user access with guest OS privilege via a terminal page fault and a
side-channel analysis
Description: An information disclosure issue was addressed by
flushing the L1 data cache at the virtual machine entry.
CVE-2018-3646: Baris Kasikci, Daniel Genkin, Ofir Weisse, and Thomas
F. Wenisch of University of Michigan, Mark Silberstein and Marina
Minkin of Technion, Raoul Strackx, Jo Van Bulck, and Frank Piessens
of KU Leuven, Rodrigo Branco, Henrique Kawakami, Ke Sun, and Kekai Hu
of Intel Corporation, Yuval Yarom of The University of Adelaide
Entry added October 30, 2018

iBooks
Impact: Parsing a maliciously crafted iBooks file may lead to
disclosure of user information
Description: A configuration issue was addressed with additional
restrictions.
CVE-2018-4355: evi1m0 of bilibili security team
Entry added October 30, 2018

Intel Graphics Driver
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2018-4396: Yu Wang of Didi Research America
CVE-2018-4418: Yu Wang of Didi Research America
Entry added October 30, 2018

Intel Graphics Driver
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2018-4351: Appology Team @ Theori working with Trend Micro's Zero
Day Initiative
Entry added October 30, 2018

Intel Graphics Driver
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4350: Yu Wang of Didi Research America
Entry added October 30, 2018

Intel Graphics Driver
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4334: Ian Beer of Google Project Zero
Entry added October 30, 2018

IOHIDFamily
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
input validation
CVE-2018-4408: Ian Beer of Google Project Zero
Entry added October 30, 2018

IOKit
Impact: A malicious application may be able to break out of its
sandbox
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4341: Ian Beer of Google Project Zero
CVE-2018-4354: Ian Beer of Google Project Zero
Entry added October 30, 2018

IOKit
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2018-4383: Apple
Entry added October 30, 2018

IOUserEthernet
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4401: Apple
Entry added October 30, 2018

Kernel
Impact: A malicious application may be able to leak sensitive user
information
Description: An access issue existed with privileged API calls. This
issue was addressed with additional restrictions.
CVE-2018-4399: Fabiano Anemone (@anoane)
Entry added October 30, 2018

Kernel
Impact: An attacker in a privileged network position may be able to
execute arbitrary code
Description: A memory corruption issue was addressed with improved
validation.
CVE-2018-4407: Kevin Backhouse of Semmle Ltd.
Entry added October 30, 2018

Kernel
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4336: Brandon Azad
CVE-2018-4337: Ian Beer of Google Project Zero
CVE-2018-4340: Mohamed Ghannam (@_simo36)
CVE-2018-4344: The UK's National Cyber Security Centre (NCSC)
CVE-2018-4425: cc working with Trend Micro's Zero Day Initiative,
Juwei Lin (@panicaII) of Trend Micro working with Trend Micro's Zero
Day Initiative
Entry added October 30, 2018

LibreSSL
Impact: Multiple issues in libressl were addressed in this update
Description: Multiple issues were addressed by updating to libressl
version 2.6.4.
CVE-2015-3194
CVE-2015-5333
CVE-2015-5334
CVE-2016-702
Entry added October 30, 2018

Login Window
Impact: A local user may be able to cause a denial of service
Description: A validation issue was addressed with improved logic.
CVE-2018-4348: Ken Gannon of MWR InfoSecurity and Christian Demko of
MWR InfoSecurity
Entry added October 30, 2018

mDNSOffloadUserClient
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4326: an anonymous researcher working with Trend Micro's
Zero Day Initiative, Zhuo Liang of Qihoo 360 Nirvan Team
Entry added October 30, 2018

MediaRemote
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2018-4310: CodeColorist of Ant-Financial LightYear Labs
Entry added October 30, 2018

Microcode
Impact: Systems with microprocessors utilizing speculative execution
and speculative execution of memory reads before the addresses of all
prior memory writes are known may allow unauthorized disclosure of
information to an attacker with local user access via a side-channel
analysis
Description: An information disclosure issue was addressed with a
microcode update. This ensures that older data read from
recently-written-to addresses cannot be read via a speculative
side-channel.
CVE-2018-3639: Jann Horn (@tehjh) of Google Project Zero (GPZ), Ken
Johnson of the Microsoft Security Response Center (MSRC)
Entry added October 30, 2018

Security
Impact: A local user may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2018-4395: Patrick Wardle of Digita Security
Entry added October 30, 2018

Security
Impact: An attacker may be able to exploit weaknesses in the RC4
cryptographic algorithm
Description: This issue was addressed by removing RC4.
CVE-2016-1777: Pepi Zawodsky

Spotlight
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4393: Lufeng Li
Entry added October 30, 2018

Symptom Framework
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2018-4203: Bruno Keith (@bkth_) working with Trend Micro's Zero
Day Initiative
Entry added October 30, 2018

Text
Impact: Processing a maliciously crafted text file may lead to a
denial of service
Description: A denial of service issue was addressed with improved
validation.
CVE-2018-4304: jianan.huang (@Sevck)
Entry added October 30, 2018

Wi-Fi
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2018-4338: Lee @ SECLAB, Yonsei University working with Trend
Micro's Zero Day Initiative
Entry added October 30, 2018

Additional recognition

Accessibility Framework
We would like to acknowledge Ryan Govostes for their assistance.

Core Data
We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security
Labs GmbH for their assistance.

CoreDAV
We would like to acknowledge an anonymous researcher for their
assistance.

CoreGraphics
We would like to acknowledge Nitin Arya of Roblox Corporation for
their assistance.

CoreSymbolication
We would like to acknowledge Brandon Azad for their assistance.

IOUSBHostFamily
We would like to acknowledge an anonymous researcher for their
assistance.

Kernel
We would like to acknowledge Brandon Azad for their assistance.

Mail
We would like to acknowledge Alessandro Avagliano of Rocket Internet
SE, John Whitehead of The New York Times, Kelvin Delbarre of Omicron
Software Systems, and Zbyszek ŻóÅ\x{130}kiewski for their assistance.

Quick Look
We would like to acknowledge Wojciech Regula (@_r3ggi) of SecuRing
and Patrick Wardle of Digita Security and lokihardt of Google Project
Zero for their assistance.

Security
We would like to acknowledge Christoph Sinai, Daniel Dudek
(@dannysapples) of The Irish Times and Filip Klubika (@lemoncloak)
of ADAPT Centre, Dublin Institute of Technology, Istvan Csanady of
Shapr3D, Omar Barkawi of ITG Software, Inc., Phil Caleno, Wilson
Ding, and an anonymous researcher for their assistance.

SQLite
We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security
Labs GmbH for their assistance.

Terminal
We would like to acknowledge an anonymous researcher for their
assistance.

WindowServer
We would like to acknowledge Patrick Wardle of Digita Security for
their assistance.

Installation note:

macOS Mojave 10.14 may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----

iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlvYkgYpHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3GrtxAA
iVBcAdusz88zFzkT05EIxb9nSp4CGOlhKlChK4N7Db17o2fNT0hNpQixEAC0wC/A
zqIzsXEzZlPobI4OnwiEVs7lVBsvCW+IarrRZ8pgSllKs1VlbNfOO3z9vB5BqJMr
d9PjPvtHyG3jZmWqQPIjvJb3l3ZjHAt+HAvTItNMkhIUjqV80JI8wP3erzIf3tAt
VoLIw5iL5w4HAYcWsn9DYcecXZdv39MnKL5UGzMX3bkee2U7kGYtgskU+mdPa1Wl
WzquIPlLeKL2KNSXEfbkPtcKM/fvkURsNzEDvg+PBQLdI3JeR1bOeN24aiTEtiEL
TecGm/kKMMJWmDdhPhFvZVD+SIdZd4LgbTawR1UE1JJg7jnEZKCvZ45mXd2eBwn/
rpEKCLBsgA59GILs3ZjZSIWskRJPzZrt463AKcN2wukkTUUkY1rhRVdOf6LZMs9Z
w9iJOua3vt+HzCCxTEaH53WUeM6fn/Yeq+DGIS5Fk0G09pU7tsyJVwj3o1nJn0dl
e2mcrXBJeSmi6bvvkJX45y/Y8E8Qr+ovS4uN8wG6DOWcCBQkDkugabng8vNh8GST
1wNnV9JY/CmYbU0ZIwKbbSDkcQLQuIl7kKaZMHnU74EytcKscUqqx1VqINz1tssu
1wZZGLtg3VubrZOsnUZzumD+0nI8c6QAnQK3P2PSZ0k=
=i9YR
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW9pXUGaOgq3Tt24GAQg6Ng/8D64najCIGp15CfKB/AyPkgiiONbLC3qr
oPJrEwGJrBoICDJrPcutWl38v/udGvTyUPFzdQGCqV9D/IfM8PctcFPofap+PlRA
5iyvvWAJCbHMILHPEqyytqBCT/7cUvcRcSAGKLK0yAUGMxzXQ4oSzLD050ofQEI0
3ZV390hFr5w/C0PrHv++pj3l0NYZ7agqwjuJjQuYHdqicDofyOqU+7wGMAZw+xRE
g7esYimjwMkff7kocqCFQfnLXSyGfUqvRRCuLvYuGwhMr1c3XDNbMHUhzU5rpfLy
8aQD+td3w02YO16segvQ643kwhGBmI5gODbcoqWoWWMFrY/JHSlItQPk/vYsz0og
LNMw/it4cVK7CxuqsC8AOmZ2wJt8qi7bSIlMrf49HyWU1TPvM35/oWLrZ+ZBjuu+
OfYJ2/yA0DVY//whKw3v+vDp8CoGXjExjYrmvpM3X8vk+KD+rNOKpQraXVQLKdRE
VcdbjZDz+q5dkGlDEBAlUl/FG9yUVzdfK+068mrurv2nkhRNRytpxzvRnasI0oUh
qszwRxGmDzMLs6fl4o34pgOqlYuywEx6TpOnhKcbI+FKcW/KTD4vxIqq8z96X3BM
nN+KyNO0RcsUVzzm/Hc2liHAsAh6JssLDwqTxH1/p6C8XktjVStZiSlpfVTiXDFV
CPOAEdNESNs=
=YImX
-----END PGP SIGNATURE-----

« Back to bulletins