Operating System:

[Apple iOS]

Published:

16 July 2020

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2020.2432 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2432
             watchOS 6.2.8 addresses multiple vulnerabilities
                               16 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           watchOS
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account            
                   Unauthorised Access             -- Unknown/Unspecified         
                   Reduced Security                -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9936 CVE-2020-9933 CVE-2020-9925
                   CVE-2020-9923 CVE-2020-9918 CVE-2020-9916
                   CVE-2020-9915 CVE-2020-9910 CVE-2020-9909
                   CVE-2020-9895 CVE-2020-9894 CVE-2020-9893
                   CVE-2020-9891 CVE-2020-9890 CVE-2020-9889
                   CVE-2020-9888 CVE-2020-9885 CVE-2020-9865
                   CVE-2020-9862  

Reference:         ESB-2020.2430
                   ESB-2020.2429

Original Bulletin: 
   https://support.apple.com/en-gb/HT201222

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2020-07-15-4 watchOS 6.2.8

watchOS 6.2.8 is now available and addresses the following:

Audio
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9889: JunDong Xie and XingWei Li of Ant-financial Light-Year
Security Lab

Audio
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9888: JunDong Xie and XingWei Li of Ant-financial Light-Year
Security Lab
CVE-2020-9890: JunDong Xie and XingWei Li of Ant-financial Light-Year
Security Lab
CVE-2020-9891: JunDong Xie and XingWei Li of Ant-financial Light-Year
Security Lab

Crash Reporter
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to break out of its
sandbox
Description: A memory corruption issue was addressed by removing the
vulnerable code.
CVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360
BugCloud

GeoServices
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to read sensitive
location information
Description: An authorization issue was addressed with improved state
management.
CVE-2020-9933: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.

ImageIO
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9936: Mickey Jin of Trend Micro

Kernel
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2020-9923: Proteas

Kernel
Available for: Apple Watch Series 1 and later
Impact: An attacker that has already achieved kernel code execution
may be able to bypass kernel memory mitigations
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9909: Brandon Azad of Google Project Zero

Messages
Available for: Apple Watch Series 1 and later
Impact: A user that is removed from an iMessage group could rejoin
the group
Description: An issue existed in the handling of iMessage tapbacks.
The issue was resolved with additional verification.
CVE-2020-9885: an anonymous researcher, Suryansh Mansharamani, of WWP
High School North (medium.com/@suryanshmansha)

WebKit
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative

WebKit
Available for: Apple Watch Series 1 and later
Impact: Processing maliciously crafted web content may prevent
Content Security Policy from being enforced
Description: An access issue existed in Content Security Policy.
This issue was addressed with improved access restrictions.
CVE-2020-9915: an anonymous researcher

WebKit
Available for: Apple Watch Series 1 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2020-9925: an anonymous researcher

WebKit
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative
CVE-2020-9895: Wen Xu of SSLab, Georgia Tech

WebKit
Available for: Apple Watch Series 1 and later
Impact: A malicious attacker with arbitrary read and write capability
may be able to bypass Pointer Authentication
Description: Multiple issues were addressed with improved logic.
CVE-2020-9910: Samuel GroÃ\x{159} of Google Project Zero

WebKit Page Loading
Available for: Apple Watch Series 1 and later
Impact: A malicious attacker may be able to conceal the destination
of a URL
Description: A URL Unicode encoding issue was addressed with improved
state management.
CVE-2020-9916: Rakesh Mane (@RakeshMane10)

WebKit Web Inspector
Available for: Apple Watch Series 1 and later
Impact: Copying a URL from Web Inspector may lead to command
injection
Description: A command injection issue existed in Web Inspector. This
issue was addressed with improved escaping.
CVE-2020-9862: Ophir Lojkine (@lovasoa)

Wi-Fi
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9918: Jianjun Dai of 360 Alpha Lab working with 360 BugCloud
(bugcloud.360.cn)

Additional recognition

Kernel
We would like to acknowledge Brandon Azad of Google Project Zero for
their assistance.

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl8PhNUACgkQBz4uGe3y
0M0E+RAAp2U0LzUJ1tDoQZsm0yUZ9aEz1BDuQXKH9wAMV+nHCa9A7PbaLqwwxbni
T3jjW35hw5s5II2l4HpN2qtFbm8B2ZLrMRyFTFvlOyLtyWmn5iOPYTdT6Uf4EUgS
xXtPdYJ/7lFBeCCGuVuBJ2QnJN9L2MJQFhh5Cvya2YOhxHYsRA5iPNJeehFZ1N0f
42Se8Tcn/0NXLK0+qRl0m8TLa80hQaisGLH9RPQTxCu3vaJVD0fvcQ1eOkH8ETXR
dqIO4nsP2kuD8QMjC8DXo3KT9fTFv1iUy0s96zMEl95Ekg4dL0nsBxKwfI2kSyZ5
1vE346GRG23w9on0FU+2qoq4LfXKmJ5HLB4xDxegm/PLdd842tppv2LAmSO8vRZR
Qmin4IERfEmGEUGKDsFM4tGH5j34mAlDklgil3/H9Ca0ucchpoIFiP8jmXytNCqy
lIafyOfIfInBAqlZizV0/9l37JKXTvispcAuJMg5fb29zvtprOSIP075jN9KMRB3
k3liMFwPgs+kNS5smQsbVVYOWphP1jgbXozjqfoIKUdFxecHjHVfl6e2W3kDPgf6
noQSn3lgPulVYgn3LqzEhL7G3QtRyzEzgqWG1sinlFJCDrmCBC5p+6lESuRVCcAk
d3AKO4eyJ9CCcLL9+nBYL1tx94Wb2MyaIHJld3GcLFf3Y+UmtB8=
=TFfd
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXw/qDONLKJtyKPYoAQiu3A//f/yXBxWuWzelY0n376v98wEcP06iXg5t
RXV6kx3Fb0PQIe4Yd+5PZHCjwcG/jQra5MkoRrWox/mXMYDVgbzP8IRJs4Ys1QYj
9RPt71qj8oagutYpLHv3WJ53tpGlM+njsi2Df2zZu2vfCL8tbs4IAuLGmUPlFO4r
JqGYiBUSzHBf9WT5wbSzQxAHus/UZc8jydV0FoXBJtcYuw/0b7EwLVdCUHWMQWXQ
enr0w1E6FFLgLxf38G/VA60gZupGF1faTh1KKuugBFoLlepeu0ivOcnGY9AxUkR7
8VF5SafwegfjXPw/2l5K5q3+7jX+Yt4Nk4SqQPHSKjlLp+J1uXZpJIrkCmXlt1od
8KetYqlWJIkIK6eZ8H7AnFLP3Mc18tQkXXfei0HfD2PRVEI0n/BszKxEyTX/0tgk
lUfB16bbr8LHk3EthnqPX5f7O0fcXWY4ZD9p3Bu1XJla3tYWEUS7QuzuGw9133mF
EAviEJSxM5vKWKscN/BRg+jY430Exy1nWT4HqCp85PxVuqerbPnNiI4Fzg/hBZ5N
fjJt+KVM3M9YHw6fHQfT4BaJvjbjIDE1w0e5fG4LUGodbtq8aOQ5U7fOBiSYugWk
yZeLIGm/QHBmSxGtFAx/tw5GhxlnxOx/ittWZjPbbqQnXSwml+Vlp0Jy7MaElAJi
QGd5oY1ltbQ=
=a58k
-----END PGP SIGNATURE-----