===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3181
              APPLE-SA-2020-09-16-1 iOS 14.0 and iPadOS 14.0
                             17 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iOS
                   iPadOS
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Existing Account            
                   Reduced Security                -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9992 CVE-2020-9979 CVE-2020-9976
                   CVE-2020-9973 CVE-2020-9968 CVE-2020-9964
                   CVE-2020-9959 CVE-2020-9958 CVE-2020-9952
                   CVE-2020-9946 CVE-2020-9773 

Reference:         ESB-2020.1044
                   ESB-2020.1043
                   ESB-2020.1042
                   ESB-2020.1041

Original Bulletin: 
   https://support.apple.com/en-ie/HT211850

--------------------------BEGIN INCLUDED TEXT--------------------

iOS 14.0 and iPadOS 14.0

Released September 16, 2020

AppleAVD

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and
later, and iPad mini 4 and later

Impact: An application may be able to cause unexpected system termination or
write kernel memory

Description: An out-of-bounds write issue was addressed with improved bounds
checking.

CVE-2020-9958: Mohamed Ghannam (@_simo36)

Assets

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and
later, and iPad mini 4 and later

Impact: An attacker may be able to misuse a trust relationship to download
malicious content

Description: A trust issue was addressed by removing a legacy API.

CVE-2020-9979: CodeColorist of Ant-Financial LightYear Labs

Icons

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and
later, and iPad mini 4 and later

Impact: A malicious application may be able to identify what other applications
a user has installed

Description: The issue was addressed with improved handling of icon caches.

CVE-2020-9773: Chilik Tamir of Zimperium zLabs

IDE Device Support

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and
later, and iPad mini 4 and later

Impact: An attacker in a privileged network position may be able to execute
arbitrary code on a paired device during a debug session over the network

Description: This issue was addressed by encrypting communications over the
network to devices running iOS 14, iPadOS 14, tvOS 14, and watchOS 7.

CVE-2020-9992: Dany Lisiansky (@DanyL931), Nikias Bassen

IOSurfaceAccelerator

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and
later, and iPad mini 4 and later

Impact: A local user may be able to read kernel memory

Description: A memory initialization issue was addressed with improved memory
handling.

CVE-2020-9964: Mohamed Ghannam (@_simo36), Tommy Muir (@Muirey03)

Keyboard

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and
later, and iPad mini 4 and later

Impact: A malicious application may be able to leak sensitive user information

Description: A logic issue was addressed with improved state management.

CVE-2020-9976: Rias A. Sherzad of JAIDE GmbH in Hamburg, Germany

Model I/O

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and
later, and iPad mini 4 and later

Impact: Processing a maliciously crafted USD file may lead to unexpected
application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9973: Aleksandar Nikolic of Cisco Talos

Phone

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and
later, and iPad mini 4 and later

Impact: The screen lock may not engage after the specified time period

Description: This issue was addressed with improved checks.

CVE-2020-9946: Daniel Larsson of iolight AB

Sandbox

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and
later, and iPad mini 4 and later

Impact: A malicious application may be able to access restricted files

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9968: Adam Chester (@xpn) of TrustedSec

Siri

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and
later, and iPad mini 4 and later

Impact: A person with physical access to an iOS device may be able to view
notification contents from the lockscreen

Description: A lock screen issue allowed access to messages on a locked device.
This issue was addressed with improved state management.

CVE-2020-9959: an anonymous researcher, an anonymous researcher, an anonymous
researcher, an anonymous researcher, an anonymous researcher, Andrew Goldberg
The University of Texas at Austin, McCombs School of Business, Melih Kerem
Gunes of Liv College, Sinan Gulguler

WebKit

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and
later, and iPad mini 4 and later

Impact: Processing maliciously crafted web content may lead to a cross site
scripting attack

Description: An input validation issue was addressed with improved input
validation.

CVE-2020-9952: Ryan Pickren (ryanpickren.com)


Additional recognition

App Store

We would like to acknowledge Giyas Umarov of Holmdel High School for their
assistance.

Bluetooth

We would like to acknowledge Andy Davis of NCC Group and Dennis Heinze
(@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab for their assistance.

CallKit

We would like to acknowledge Federico Zanetello for their assistance.

CarPlay

We would like to acknowledge an anonymous researcher for their assistance.

Core Location

We would like to acknowledge Yigit Can YILMAZ (@yilmazcanyigit) for their
assistance.

debugserver

We would like to acknowledge Linus Henze (pinauten.de) for their assistance.

iAP

We would like to acknowledge Andy Davis of NCC Group for their assistance.

iBoot

We would like to acknowledge Brandon Azad of Google Project Zero for their
assistance.

Kernel

We would like to acknowledge Brandon Azad of Google Project Zero for their
assistance.

libarchive

We would like to acknowledge Dzmitry Plotnikau and an anonymous researcher for
their assistance.

Location Framework

We would like to acknowledge an anonymous researcher for their assistance.

Maps

We would like to acknowledge Matthew Dolan of Amazon Alexa for their
assistance.

NetworkExtension

We would like to acknowledge Thijs Alkemade of Computest and Qubo Song of
Symantec, a division of Broadcom for their assistance.

Phone Keypad

We would like to acknowledge an anonymous researcher for their assistance.

Status Bar

We would like to acknowledge Abdul M. Majumder, Abdullah Fasihallah of Taif
University, Adwait Vikas Bhide, Frederik Schmid, Nikita, and an anonymous
researcher for their assistance.

Telephony

We would like to acknowledge Yigit Can YILMAZ (@yilmazcanyigit) for their
assistance.

UIKit

We would like to acknowledge Borja Marcos of Sarenet, Simon de Vegt, and Talal
Haj Bakry (@hajbakri) and Tommy Mysk (@tommymysk) of Mysk Inc for their
assistance.

Web App

We would like to acknowledge Augusto Alvarez of Outcourse Limited for their
assistance.

Information about products not manufactured by Apple, or independent websites
not controlled or tested by Apple, is provided without recommendation or
endorsement. Apple assumes no responsibility with regard to the selection,
performance, or use of third-party websites or products. Apple makes no
representations regarding third-party website accuracy or reliability. Contact
the vendor for additional information.

Published Date: September 16, 2020

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================