-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0355
                                tvOS 13.3.1
                              31 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tvOS
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account      
                   Increased Privileges            -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3878 CVE-2020-3875 CVE-2020-3872
                   CVE-2020-3870 CVE-2020-3868 CVE-2020-3857
                   CVE-2020-3856 CVE-2020-3853 CVE-2020-3842
                   CVE-2020-3840 CVE-2020-3838 CVE-2020-3837
                   CVE-2020-3836 CVE-2020-3829 

Reference:         ESB-2020.0354
                   ESB-2020.0353
                   ESB-2020.0351
                   ESB-2020.0346

Original Bulletin: 
   https://support.apple.com/en-au/HT210920

- --------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2020-1-28-4 tvOS 13.3.1

tvOS 13.3.1 is now available and addresses the following:

Audio
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2020-3857: Zhuo Liang of Qihoo 360 Vulcan Team

ImageIO
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-3870
CVE-2020-3878: Samuel Gross of Google Project Zero

IOAcceleratorFamily
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2020-3837: Brandon Azad of Google Project Zero

IPSec
Available for: Apple TV 4K and Apple TV HD
Impact: Loading a maliciously crafted racoon configuration file may
lead to arbitrary code execution
Description: An off by one issue existed in the handling of racoon
configuration files. This issue was addressed through improved bounds
checking.
CVE-2020-3840: @littlelailo

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2020-3875: Brandon Azad of Google Project Zero

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2020-3872: Haakon Garseg Mørk of Cognite and Cim Stordal of
Cognite

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to determine kernel
memory layout
Description: An access issue was addressed with improved memory
management.
CVE-2020-3836: Brandon Azad of Google Project Zero

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2020-3842: Ned Williamson working with Google Project Zero

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2020-3853: Brandon Azad of Google Project Zero

libxpc
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted string may lead to heap
corruption
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-3856: Ian Beer of Google Project Zero

libxpc
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to gain elevated privileges
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-3829: Ian Beer of Google Project Zero

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2020-3868: Marcin Towalski of Cisco Talos

wifivelocityd
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
system privileges
Description: The issue was addressed with improved permissions logic.
CVE-2020-3838: Dayton Pidhirney (@_watbulb)

Additional recognition

IOSurface
We would like to acknowledge Liang Chen (@chenliang0817) for their
assistance.

Installation note:

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software."

To check the current version of software, select
"Settings -> General -> About."

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXjNvqWaOgq3Tt24GAQiuJw//fyYu+KnQqWMNumRRUKL6H1k1rAX/zzn7
XFVu2/lEoOjRNHWy0qDkqOnsdHNNT0WiGQawM2bTNvOKcIMKvAGB4ciRUfruKLMe
oMJENrknarCeOflpQtOUvY2skpJIql/7dK4xq4sXYi2iONfoTwu2fu4LBa+NzRle
X4GYfV9n/qZ6SrPLVQIpgjBbKjXCFPG9ZCQMcClJRs6vJacCtx6Izjyuu9KU/yY6
t/XF2cDYR7UBXdjN43I1RUA98v3Cn619Q90OM98dDpUSjz9k4xISsh0gOlMeW0qR
rfbptOdrq1ODn5YjTklR3FGirRyTCqkooS6oH9LO6pTxepTNADmIU8OfJcK5xq5u
isib73VuPjDG4ZhWlG6oRzoltuu0A5BRKh2U+jCfk3LGy2TO7UKbDzNiVA94jwji
XbwVtURrRoILpmXUyHKvjfTZT5+v+rDR8KkoZ9puzPDABSd5vvx7rU0du7N2y2OI
JsMtWY+AnXoP+BMQadu5bfNd2tdpSwpUsuKpP8dHSYQg1gPeyynBpXntN94/u0gA
Jk79SS99MsAwX9YfmZvJ8bR8MY2a7KYKi8eTtR3o4QEYOnhbaG4eDuLEY+OjGM9j
+6N9Tw4QeF6gww+wtfheU6VzPH05NEL72PHNm7vRu9HEF3K0Fed9qxkZ4qBnMn2P
0cn0+GrqsU0=
=6XwW
-----END PGP SIGNATURE-----