UPDATE Apple watchOS: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.2745.2
                                watchOS 5.3
                              14 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple watchOS
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Console/Physical      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-13118 CVE-2019-8689 CVE-2019-8688
                   CVE-2019-8685 CVE-2019-8684 CVE-2019-8683
                   CVE-2019-8682 CVE-2019-8676 CVE-2019-8672
                   CVE-2019-8669 CVE-2019-8665 CVE-2019-8662
                   CVE-2019-8660 CVE-2019-8659 CVE-2019-8658
                   CVE-2019-8657 CVE-2019-8648 CVE-2019-8647
                   CVE-2019-8646 CVE-2019-8641 CVE-2019-8624
                   CVE-2018-16860  

Reference:         ESB-2019.2737
                   ESB-2019.1987
                   ESB-2019.1742

Original Bulletin: 
   https://support.apple.com/en-au/HT210353

Revision History:  August 14 2019: Added CVE-2019-9506
                   July   23 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2019-8-13-3 Additional information for
APPLE-SA-2019-7-22-4 watchOS 5.3

watchOS 5.3 addresses the following:

Bluetooth
Available for: Apple Watch Series 1 and later
Impact: An attacker in a privileged network position may be able to
intercept Bluetooth traffic (Key Negotiation of Bluetooth - KNOB)
Description: An input validation issue existed in Bluetooth. This
issue was addressed with improved input validation.
CVE-2019-9506: Daniele Antonioli of SUTD, Singapore, Dr. Nils Ole
Tippenhauer of CISPA, Germany, and Prof. Kasper Rasmussen of
University of Oxford, England
Entry added August 13, 2019

Core Data
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8646: Natalie Silvanovich of Google Project Zero

Core Data
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8647: Samuel Gross and Natalie Silvanovich of Google Project
Zero

Core Data
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8660: Samuel Gross and Natalie Silvanovich of Google Project
Zero

Digital Touch
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8624: Natalie Silvanovich of Google Project Zero

FaceTime
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8648: Tao Huang and Tielei Wang of Team Pangu

Foundation
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8641: Samuel Gross and Natalie Silvanovich of Google Project
Zero

Heimdal
Available for: Apple Watch Series 1 and later
Impact: An issue existed in Samba that may allow attackers to perform
unauthorized actions by intercepting communications between services
Description: This issue was addressed with improved checks to prevent
unauthorized actions.
CVE-2018-16860: Isaac Boukris and Andrew Bartlett of the Samba Team
and Catalyst

libxslt
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to view sensitive information
Description: A stack overflow was addressed with improved input
validation.
CVE-2019-13118: found by OSS-Fuzz

Messages
Available for: Apple Watch Series 1 and later
Impact: Users removed from an iMessage conversation may still be able
to alter state
Description: This issue was addressed with improved checks.
CVE-2019-8659: Ryan Kontos (@ryanjkontos), Will Christensen of
University of Oregon

Messages
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may cause an unexpected application
termination
Description: A denial of service issue was addressed with improved
validation.
CVE-2019-8665: Michael Hernandez of XYZ Marketing

Quick Look
Available for: Apple Watch Series 1 and later
Impact: An attacker may be able to trigger a use-after-free in an
application deserializing an untrusted NSDictionary
Description: This issue was addressed with improved checks.
CVE-2019-8662: Natalie Silvanovich and Samuel Gross of Google Project
Zero

Siri
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8646: Natalie Silvanovich of Google Project Zero

UIFoundation
Available for: Apple Watch Series 1 and later
Impact: Parsing a maliciously crafted office document may lead to an
unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8657: riusksk of VulWar Corp working with Trend Micro's Zero
Day Initiative

Wallet
Available for: Apple Watch Series 1 and later
Impact: A user may inadvertently complete an in-app purchase while on
the lock screen
Description: The issue was addressed with improved UI handling.
CVE-2019-8682: Jeff Braswell (JeffBraswell.com)

WebKit
Available for: Apple Watch Series 1 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative

WebKit
Available for: Apple Watch Series 1 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative
CVE-2019-8672: Samuel Gross of Google Project Zero
CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech
CVE-2019-8683: lokihardt of Google Project Zero
CVE-2019-8684: lokihardt of Google Project Zero
CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech,
Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL,
and Eric Lung (@Khlung1) of VXRL
CVE-2019-8688: Insu Yun of SSLab at Georgia Tech
CVE-2019-8689: lokihardt of Google Project Zero

Additional recognition

MobileInstallation
We would like to acknowledge Dany Lisiansky (@DanyL931) for their
assistance.

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXVOQ3WaOgq3Tt24GAQiTMRAAsc1CevNW2lbqSpt0x+0EBXIBp3kaTvaW
N1hkDIFksayffHR5yPWbArSD1fto3VF2JQS8mE81Wvv3q/Bd0RQeyTmbtesGi4kC
2/KhcXsvwAY/IiGEaN+QLmEwbbE9SOz4HZ/wf0WulWv4ASk367NlQTCRT5HQpzqz
lMBrSItNLOvH2MprZUixOy6Pi5q7UoCaRWBM4FgSlh92CmzlCKFQO7Lglq1JwrSl
a0I9EtsN+dzyNr9AKs0mYoa/LyQzPyOL6vX9fsdmlGyHp+kX5XtRJZrk+m1ZpR/p
LpiIWMlmALfMHuhPOnkOugBt8A9H2bMcB7TDZ2VWiQkuMmqsqXQmtaJAioKIjUgp
0B92ZWHXd2zLMtY1QEiL9pNjj6YQd8gNj6zmNpEr5WE06k0IR0vxbUOgq/rYLN2H
PWZWGahL7j2kCksB/W0dbZOD4v3e4Wgs2epxbvhcjmQD7AtcUmKAvU/gdL8GRpXX
rZEkobTlkXtSMP0SbVf5k2dQb1foceDHavWEAL5mSnT8AEMwPtl//VH0ohjnuNP2
fzyfTjMuwQ+PBLXYP3frAMrjVgi/riTwxZUrY5HyHcT9iDxl7WhJ1XxhH0oZ6Y0V
pcIzduDjnoEThAEQgh7U6PF7mmLFXScuhuSl8lgx1R6b6yb3fMBvSY4m49Ue+I3w
YkyAz3DeR50=
=9Y3m
-----END PGP SIGNATURE-----