-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3183.2
                      APPLE-SA-2020-09-16-2 tvOS 14.0
                             16 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tvOS
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Root Compromise                 -- Existing Account            
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account            
                   Unauthorised Access             -- Existing Account            
                   Reduced Security                -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15358 CVE-2020-13631 CVE-2020-13630
                   CVE-2020-13435 CVE-2020-13434 CVE-2020-10013
                   CVE-2020-9991 CVE-2020-9983 CVE-2020-9981
                   CVE-2020-9979 CVE-2020-9976 CVE-2020-9969
                   CVE-2020-9968 CVE-2020-9966 CVE-2020-9965
                   CVE-2020-9961 CVE-2020-9954 CVE-2020-9952
                   CVE-2020-9951 CVE-2020-9950 CVE-2020-9949
                   CVE-2020-9947 CVE-2020-9944 CVE-2020-9943
                   CVE-2020-9876 CVE-2020-9849 

Reference:         ESB-2020.3181

Original Bulletin: 
   https://support.apple.com/en-ie/HT211843

Revision History:  November  16 2020: Vendor added additional entries, CVEs and updated entries
                   September 17 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2020-11-13-4 Additional information for
APPLE-SA-2020-09-16-2 tvOS 14.0

tvOS 14.0 addresses the following issues. Information about the
security content is also available at
https://support.apple.com/HT211843.

Assets
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker may be able to misuse a trust relationship to
download malicious content
Description: A trust issue was addressed by removing a legacy API.
CVE-2020-9979: CodeColorist of LightYear Security Lab of AntGroup
Entry updated November 12, 2020

Audio
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9943: JunDong Xie of Ant Group Light-Year Security Lab
Entry added November 12, 2020

Audio
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9944: JunDong Xie of Ant Group Light-Year Security Lab
Entry added November 12, 2020

CoreAudio
Available for: Apple TV 4K and Apple TV HD
Impact: Playing a malicious audio file may lead to arbitrary code
execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2020-9954: Francis working with Trend Micro Zero Day Initiative,
JunDong Xie of Ant Group Light-Year Security Lab
Entry added November 12, 2020

CoreCapture
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9949: Proteas
Entry added November 12, 2020

Disk Images
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9965: Proteas
CVE-2020-9966: Proteas
Entry added November 12, 2020

ImageIO
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9961: Xingwei Lin of Ant Security Light-Year Lab
Entry added November 12, 2020

ImageIO
Available for: Apple TV 4K and Apple TV HD
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9876: Mickey Jin of Trend Micro
Entry added November 12, 2020

Keyboard
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to leak sensitive user
information
Description: A logic issue was addressed with improved state
management.
CVE-2020-9976: Rias A. Sherzad of JAIDE GmbH in Hamburg, Germany

libxml2
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted file may lead to arbitrary
code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9981: found by OSS-Fuzz
Entry added November 12, 2020

Sandbox
Available for: Apple TV 4K and Apple TV HD
Impact: A local user may be able to view sensitive user information
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2020-9969: Wojciech Reguła of SecuRing (wojciechregula.blog)
Entry added November 12, 2020

Sandbox
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to access restricted
files
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9968: Adam Chester (@_xpn_) of TrustedSec
Entry updated September 17, 2020

SQLite
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2020-13434
CVE-2020-13435
CVE-2020-9991
Entry added November 12, 2020

SQLite
Available for: Apple TV 4K and Apple TV HD
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating SQLite to
version 3.32.3.
CVE-2020-15358
Entry added November 12, 2020

SQLite
Available for: Apple TV 4K and Apple TV HD
Impact: A maliciously crafted SQL query may lead to data corruption
Description: This issue was addressed with improved checks.
CVE-2020-13631
Entry added November 12, 2020

SQLite
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to leak memory
Description: An information disclosure issue was addressed with
improved state management.
CVE-2020-9849
Entry added November 12, 2020

SQLite
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2020-13630
Entry added November 12, 2020

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9947: cc working with Trend Micro Zero Day Initiative
CVE-2020-9950: cc working with Trend Micro Zero Day Initiative
CVE-2020-9951: Marcin 'Icewall' Noga of Cisco Talos
Entry added November 12, 2020

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to code
execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9983: zhunki
Entry added November 12, 2020

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: An input validation issue was addressed with improved
input validation.
CVE-2020-9952: Ryan Pickren (ryanpickren.com)

Wi-Fi
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A logic issue was addressed with improved state
management.
CVE-2020-10013: Yu Wang of Didi Research America
Entry added November 12, 2020

Additional recognition

Audio
We would like to acknowledge JunDong Xie and XingWei Lin of Ant-
financial Light-Year Security Lab for their assistance.
Entry added November 12, 2020

Bluetooth
We would like to acknowledge Andy Davis of NCC Group and Dennis
Heinze (@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab for
their assistance.

Clang
We would like to acknowledge Brandon Azad of Google Project Zero for
their assistance.
Entry added November 12, 2020

Core Location
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for
their assistance.

iAP
We would like to acknowledge Andy Davis of NCC Group for their
assistance.

Kernel
We would like to acknowledge Brandon Azad of Google Project Zero,
Stephen Röttger of Google for their assistance.
Entry updated November 12, 2020

Location Framework
We would like to acknowledge Nicolas Brunner
(linkedin.com/in/nicolas-brunner-651bb4128) for their assistance.
Entry updated October 19, 2020

Safari
We would like to acknowledge Ryan Pickren (ryanpickren.com) for their
assistance.
Entry added November 12, 2020

WebKit
We would like to acknowledge Pawel Wylecial of REDTEAM.PL, Ryan
Pickren (ryanpickren.com), Tsubasa FUJII (@reinforchu), Zhiyang
Zeng (@Wester) of OPPO ZIWU Security Lab for their assistance.
Entry added November 12, 2020

Installation note:

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software."

To check the current version of software, select
"Settings -> General -> About."

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----