===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2431
              tvOS 13.4.8 addresses multiple vulnerabilities
                               16 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tvOS
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account            
                   Unauthorised Access             -- Unknown/Unspecified         
                   Reduced Security                -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9936 CVE-2020-9933 CVE-2020-9925
                   CVE-2020-9918 CVE-2020-9916 CVE-2020-9915
                   CVE-2020-9914 CVE-2020-9910 CVE-2020-9909
                   CVE-2020-9907 CVE-2020-9895 CVE-2020-9894
                   CVE-2020-9893 CVE-2020-9891 CVE-2020-9890
                   CVE-2020-9889 CVE-2020-9888 CVE-2020-9865
                   CVE-2020-9862 CVE-2019-14899 

Reference:         ESB-2020.2430
                   ESB-2020.2429

Original Bulletin: 
   https://support.apple.com/en-gb/HT201222

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2020-07-15-3 tvOS 13.4.8

tvOS 13.4.8 is now available and addresses the following:

Audio
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9889: JunDong Xie and XingWei Li of Ant-financial Light-Year
Security Lab

Audio
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9888: JunDong Xie and XingWei Li of Ant-financial Light-Year
Security Lab
CVE-2020-9890: JunDong Xie and XingWei Li of Ant-financial Light-Year
Security Lab
CVE-2020-9891: JunDong Xie and XingWei Li of Ant-financial Light-Year
Security Lab

AVEVideoEncoder
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed by removing the
vulnerable code.
CVE-2020-9907: an anonymous researcher

Crash Reporter
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to break out of its
sandbox
Description: A memory corruption issue was addressed by removing the
vulnerable code.
CVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360
BugCloud

GeoServices
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to read sensitive
location information
Description: An authorization issue was addressed with improved state
management.
CVE-2020-9933: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.

iAP
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker in a privileged network position may be able to
execute arbitrary code
Description: An input validation issue existed in Bluetooth. This
issue was addressed with improved input validation.
CVE-2020-9914: Andy Davis of NCC Group

ImageIO
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9936: Mickey Jin of Trend Micro

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker in a privileged network position may be able to
inject into active connections within a VPN tunnel
Description: A routing issue was addressed with improved
restrictions.
CVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R.
Crandall

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker that has already achieved kernel code execution
may be able to bypass kernel memory mitigations
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9909: Brandon Azad of Google Project Zero

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may prevent
Content Security Policy from being enforced
Description: An access issue existed in Content Security Policy.
This issue was addressed with improved access restrictions.
CVE-2020-9915: an anonymous researcher

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2020-9925: an anonymous researcher

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative
CVE-2020-9895: Wen Xu of SSLab, Georgia Tech

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious attacker with arbitrary read and write capability
may be able to bypass Pointer Authentication
Description: Multiple issues were addressed with improved logic.
CVE-2020-9910: Samuel Groß of Google Project Zero

WebKit Page Loading
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious attacker may be able to conceal the destination
of a URL
Description: A URL Unicode encoding issue was addressed with improved
state management.
CVE-2020-9916: Rakesh Mane (@RakeshMane10)

WebKit Web Inspector
Available for: Apple TV 4K and Apple TV HD
Impact: Copying a URL from Web Inspector may lead to command
injection
Description: A command injection issue existed in Web Inspector. This
issue was addressed with improved escaping.
CVE-2020-9862: Ophir Lojkine (@lovasoa)

Wi-Fi
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9918: Jianjun Dai of 360 Alpha Lab working with 360 BugCloud
(bugcloud.360.cn)

Additional recognition

Kernel
We would like to acknowledge Brandon Azad of Google Project Zero for
their assistance.

Installation note:

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software."

To check the current version of software, select
"Settings -> General -> About."

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================