-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1042
         macOS Catalina 10.15.4, Security Update 2020-002 Mojave,
                   Security Update 2020-002 High Sierra
                               25 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           macOS
Publisher:         Apple
Operating System:  Mac OS
Impact/Access:     Root Compromise          -- Existing Account            
                   Increased Privileges     -- Existing Account            
                   Access Privileged Data   -- Existing Account            
                   Denial of Service        -- Remote with User Interaction
                   Access Confidential Data -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9785 CVE-2020-9776 CVE-2020-9773
                   CVE-2020-9769 CVE-2020-3919 CVE-2020-3914
                   CVE-2020-3913 CVE-2020-3912 CVE-2020-3911
                   CVE-2020-3910 CVE-2020-3909 CVE-2020-3908
                   CVE-2020-3907 CVE-2020-3906 CVE-2020-3905
                   CVE-2020-3904 CVE-2020-3903 CVE-2020-3893
                   CVE-2020-3892 CVE-2020-3884 CVE-2020-3883
                   CVE-2020-3881 CVE-2020-3851 CVE-2019-19232
                   CVE-2019-14615 CVE-2019-8853 

Reference:         ASB-2020.0010
                   ESB-2020.0305
                   ESB-2019.4632

Original Bulletin: 
   https://support.apple.com/en-au/HT201222

- --------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2020-03-24-2 macOS Catalina 10.15.4, Security Update
2020-002 Mojave, Security Update 2020-002 High Sierra

macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security
Update 2020-002 High Sierra are now available and address the
following:

Apple HSSPI Support
Available for: macOS Catalina 10.15.3
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2020-3903: Proteas of Qihoo 360 Nirvan Team

AppleGraphicsControl
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: Multiple memory corruption issues were addressed with
improved state management.
CVE-2020-3904: Proteas of Qihoo 360 Nirvan Team

AppleMobileFileIntegrity
Available for: macOS Catalina 10.15.3
Impact: An application may be able to use arbitrary entitlements
Description: This issue was addressed with improved checks.
CVE-2020-3883: Linus Henze (pinauten.de)

Bluetooth
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-3907: Yu Wang of Didi Research America
CVE-2020-3908: Yu Wang of Didi Research America
CVE-2020-3912: Yu Wang of Didi Research America

Bluetooth
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2019-8853: Jianjun Dai of Qihoo 360 Alpha Lab

Bluetooth
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-3892: Yu Wang of Didi Research America
CVE-2020-3893: Yu Wang of Didi Research America
CVE-2020-3905: Yu Wang of Didi Research America

Call History
Available for: macOS Catalina 10.15.3
Impact: A malicious application may be able to access a user's call
history
Description: This issue was addressed with a new entitlement.
CVE-2020-9776: Benjamin Randazzo (@____benjamin)

CoreFoundation
Available for: macOS Catalina 10.15.3
Impact: A malicious application may be able to elevate privileges
Description: A permissions issue existed. This issue was addressed
with improved permission validation.
CVE-2020-3913: Timo Christ of Avira Operations GmbH & Co. KG

FaceTime
Available for: macOS Catalina 10.15.3
Impact: A local user may be able to view sensitive user information
Description: A logic issue was addressed with improved state
management.
CVE-2020-3881: Yuval Ron, Amichai Shulman and Eli Biham of Technion -
Israel Institute of Technology

Icons
Available for: macOS Catalina 10.15.3
Impact: A malicious application may be able to identify what other
applications a user has installed
Description: The issue was addressed with improved handling of icon
caches.
CVE-2020-9773: Chilik Tamir of Zimperium zLabs

Intel Graphics Driver
Available for: macOS Catalina 10.15.3
Impact: A malicious application may disclose restricted memory
Description: An information disclosure issue was addressed with
improved state management.
CVE-2019-14615: Wenjian HE of Hong Kong University of Science and
Technology, Wei Zhang of Hong Kong University of Science and
Technology, Sharad Sinha of Indian Institute of Technology Goa, and
Sanjeev Das of University of North Carolina

IOHIDFamily
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2020-3919: an anonymous researcher

IOThunderboltFamily
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: An application may be able to gain elevated privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-3851: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc. and
Luyi Xing of Indiana University Bloomington

Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2020-3914: pattern-f (@pattern_F_) of WaCai

Kernel
Available for: macOS Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: Multiple memory corruption issues were addressed with
improved state management.
CVE-2020-9785: Proteas of Qihoo 360 Nirvan Team

libxml2
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2020-3909: LGTM.com
CVE-2020-3911: found by OSS-Fuzz

libxml2
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved size
validation.
CVE-2020-3910: LGTM.com

Mail
Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.3
Impact: A remote attacker may be able to cause arbitrary JavaScript
code execution
Description: An injection issue was addressed with improved
validation.
CVE-2020-3884: Apple

sudo
Available for: macOS Catalina 10.15.3
Impact: An attacker may be able to run commands as a non-existent
user
Description: This issue was addressed by updating to sudo version
1.8.31.
CVE-2019-19232

TCC
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: A maliciously crafted application may be able to bypass code
signing enforcement
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3906: Patrick Wardle of Jamf

Vim
Available for: macOS Catalina 10.15.3
Impact: Multiple issues in Vim
Description: Multiple issues were addressed by updating to version
8.1.1850.
CVE-2020-9769: Steve Hahn from LinkedIn
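An added example, not part of the Apple advisory or the AusCERT bulletin: a POSIX sh script that compares the versions a host reports for sudo and Vim against the fixed versions named in the entries above (sudo 1.8.31, Vim 8.1.1850). The banner strings it parses are constructed samples; on a live Mac the same functions would be fed the output of `sudo -V` and `vim --version`.

```shell
SUDO_FIXED=1.8.31    # sudo entry above: fixed by updating to 1.8.31
VIM_FIXED=8.1.1850   # Vim entry above: fixed by updating to 8.1.1850

# version_ge A B: exit 0 when dotted version A >= B (numeric, field by field;
# missing trailing fields count as 0, so 8.1 equals 8.1.0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Pull "1.8.31" out of the first line of `sudo -V` ("Sudo version 1.8.31").
sudo_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/.*[Vv]ersion \([0-9][0-9.]*\).*/\1/p'
}

# Build "8.1.1850" from `vim --version`: major.minor from the banner line plus
# the highest patch number from the "Included patches: 1-1850" line.
vim_version_from_output() {
  mm=$(printf '%s\n' "$1" | sed -n '1s/.*Vi IMproved \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  patch=$(printf '%s\n' "$1" | sed -n 's/^Included patches: .*-\([0-9][0-9]*\).*/\1/p')
  printf '%s.%s\n' "$mm" "${patch:-0}"
}

# check_tool NAME VERSION MINIMUM: print a verdict; exit 0 if patched, 1 if not.
check_tool() {
  if version_ge "$2" "$3"; then
    printf '%s %s: at or above fixed version %s\n' "$1" "$2" "$3"
  else
    printf '%s %s: BELOW fixed version %s, apply the update\n' "$1" "$2" "$3"
    return 1
  fi
}

# Constructed sample banners (not captured from a real system).
SAMPLE_SUDO='Sudo version 1.8.28'
SAMPLE_VIM='VIM - Vi IMproved 8.1 (2018 May 18, compiled Mar 25 2020 10:00:00)
Included patches: 1-1850'
check_tool sudo "$(sudo_version_from_output "$SAMPLE_SUDO")" "$SUDO_FIXED" || :
check_tool vim "$(vim_version_from_output "$SAMPLE_VIM")" "$VIM_FIXED" || :
```

On a live system replace the sample strings with `"$(sudo -V)"` and `"$(vim --version)"`; the sudo sample is deliberately below 1.8.31 so the unpatched verdict is shown once.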

Additional recognition

CoreText
We would like to acknowledge an anonymous researcher for their
assistance.

FireWire Audio
We would like to acknowledge Xiaolong Bai and Min (Spark) Zheng of
Alibaba Inc. and Luyi Xing of Indiana University Bloomington for
their assistance.

FontParser
We would like to acknowledge Matthew Denton of Google Chrome for
their assistance.

Install Framework Legacy
We would like to acknowledge Pris Sears of Virginia Tech, Tom Lynch
of UAL Creative Computing Institute, and an anonymous researcher for
their assistance.

LinkPresentation
We would like to acknowledge Travis for their assistance.

OpenSSH
We would like to acknowledge an anonymous researcher for their
assistance.

rapportd
We would like to acknowledge Alexander Heinrich (@Sn0wfreeze) of
Technische Universität Darmstadt for their assistance.

Sidecar
We would like to acknowledge Rick Backley (@rback_sec) for their
assistance.

Installation note:

macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security
Update 2020-002 High Sierra may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----