Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3185.2
APPLE-SA-2020-09-16-4 watchOS 7.0
16 November 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: watchOS
Publisher: Apple
Operating System: Apple iOS
Impact/Access: Root Compromise -- Existing Account
Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Existing Account
Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-15358 CVE-2020-13631 CVE-2020-13630
CVE-2020-13435 CVE-2020-13434 CVE-2020-9993
CVE-2020-9991 CVE-2020-9989 CVE-2020-9983
CVE-2020-9981 CVE-2020-9976 CVE-2020-9969
CVE-2020-9968 CVE-2020-9966 CVE-2020-9965
CVE-2020-9961 CVE-2020-9954 CVE-2020-9952
CVE-2020-9951 CVE-2020-9950 CVE-2020-9949
CVE-2020-9947 CVE-2020-9946 CVE-2020-9944
CVE-2020-9943 CVE-2020-9941 CVE-2020-9876
CVE-2020-9849
Reference: ESB-2020.3181
ESB-2020.3183
ESB-2020.3184
Original Bulletin:
https://support.apple.com/en-gb/HT211844
Revision History: November 16 2020: Vendor added additional entries, CVEs and updated entries
September 17 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2020-11-13-6 Additional information for
APPLE-SA-2020-09-16-4 watchOS 7.0
watchOS 7.0 addresses the following issues. Information about the
security content is also available at
https://support.apple.com/HT211844.
Audio
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9943: JunDong Xie of Ant Group Light-Year Security Lab
Entry added November 12, 2020
Audio
Available for: Apple Watch Series 3 and later
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9944: JunDong Xie of Ant Group Light-Year Security Lab
Entry added November 12, 2020
CoreAudio
Available for: Apple Watch Series 3 and later
Impact: Playing a malicious audio file may lead to arbitrary code
execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2020-9954: Francis working with Trend Micro Zero Day Initiative,
JunDong Xie of Ant Group Light-Year Security Lab
Entry added November 12, 2020
CoreCapture
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9949: Proteas
Entry added November 12, 2020
Disk Images
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9965: Proteas
CVE-2020-9966: Proteas
Entry added November 12, 2020
ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9961: Xingwei Lin of Ant Security Light-Year Lab
Entry added November 12, 2020
ImageIO
Available for: Apple Watch Series 3 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9876: Mickey Jin of Trend Micro
Entry added November 12, 2020
Keyboard
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to leak sensitive user
information
Description: A logic issue was addressed with improved state
management.
CVE-2020-9976: Rias A. Sherzad of JAIDE GmbH in Hamburg, Germany
libxml2
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted file may lead to arbitrary
code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9981: found by OSS-Fuzz
Entry added November 12, 2020
Mail
Available for: Apple Watch Series 3 and later
Impact: A remote attacker may be able to unexpectedly alter
application state
Description: This issue was addressed with improved checks.
CVE-2020-9941: Fabian Ising of FH University of Applied
Sciences and Damian Poddebniak of FH University of Applied
Sciences
Entry added November 12, 2020
Messages
Available for: Apple Watch Series 3 and later
Impact: A local user may be able to discover a users deleted
messages
Description: The issue was addressed with improved deletion.
CVE-2020-9989: von Brunn Media
Entry added November 12, 2020
Phone
Available for: Apple Watch Series 3 and later
Impact: The screen lock may not engage after the specified time
period
Description: This issue was addressed with improved checks.
CVE-2020-9946: Daniel Larsson of iolight AB
Safari
Available for: Apple Watch Series 3 and later
Impact: Visiting a malicious website may lead to address bar spoofing
Description: The issue was addressed with improved UI handling.
CVE-2020-9993: Masato Sugiyama (@smasato) of University of Tsukuba,
Piotr Duszynski
Entry added November 12, 2020
Sandbox
Available for: Apple Watch Series 3 and later
Impact: A local user may be able to view senstive user information
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2020-9969: Wojciech Regua of SecuRing (wojciechregula.blog)
Entry added November 12, 2020
Sandbox
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to access restricted
files
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9968: Adam Chester (@_xpn_) of TrustedSec
Entry updated September 17, 2020
SQLite
Available for: Apple Watch Series 3 and later
Impact: A remote attacker may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2020-13434
CVE-2020-13435
CVE-2020-9991
Entry added November 12, 2020
SQLite
Available for: Apple Watch Series 3 and later
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating SQLite to
version 3.32.3.
CVE-2020-15358
Entry added November 12, 2020
SQLite
Available for: Apple Watch Series 3 and later
Impact: A remote attacker may be able to leak memory
Description: An information disclosure issue was addressed with
improved state management.
CVE-2020-9849
Entry added November 12, 2020
SQLite
Available for: Apple Watch Series 3 and later
Impact: A maliciously crafted SQL query may lead to data corruption
Description: This issue was addressed with improved checks.
CVE-2020-13631
Entry added November 12, 2020
SQLite
Available for: Apple Watch Series 3 and later
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2020-13630
Entry added November 12, 2020
WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9947: cc working with Trend Micro Zero Day Initiative
CVE-2020-9950: cc working with Trend Micro Zero Day Initiative
CVE-2020-9951: Marcin 'Icewall' Noga of Cisco Talos
Entry added November 12, 2020
WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to code
execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9983: zhunki
Entry added November 12, 2020
WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: An input validation issue was addressed with improved
input validation.
CVE-2020-9952: Ryan Pickren (ryanpickren.com)
Additional recognition
Audio
We would like to acknowledge JunDong Xie and XingWei Lin of Ant-
financial Light-Year Security Lab for their assistance.
Entry added November 12, 2020
Bluetooth
We would like to acknowledge Andy Davis of NCC Group for their
assistance.
Clang
We would like to acknowledge Brandon Azad of Google Project Zero for
their assistance.
Entry added November 12, 2020
Core Location
We would like to acknowledge Yiit Can YILMAZ (@yilmazcanyigit) for
their assistance.
iAP
We would like to acknowledge Andy Davis of NCC Group for their
assistance.
Entry added November 12, 2020
Kernel
We would like to acknowledge Brandon Azad of Google Project Zero,
Stephen Röttger of Google for their assistance.
Entry updated November 12, 2020
Location Framework
We would like to acknowledge Nicolas Brunner
(linkedin.com/in/nicolas-brunner-651bb4128) for their assistance.
Entry updated October 19, 2020
Mail Drafts
We would like to acknowledge Jon Bottarini of HackerOne for their
assistance.
Entry added November 12, 2020
Safari
We would like to acknowledge Andreas Gutmann (@KryptoAndI) of
OneSpan's Innovation Centre (onespan.com) and University College
London, Steven J. Murdoch (@SJMurdoch) of OneSpan's Innovation Centre
(onespan.com) and University College London, Jack Cable of Lightning
Security, Ryan Pickren (ryanpickren.com), Yair Amit for their
assistance.
Entry added October 19, 2020, updated November 12, 2020
WebKit
We would like to acknowledge Pawel Wylecial of REDTEAM.PL, Ryan
Pickren (ryanpickren.com) for their assistance.
Entry added November 12, 2020
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About".
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAl+uxnUACgkQZcsbuWJ6
jjBSNA/9Fo7IsnnHAT7UAmepT0esn2tFafOZC9aupUH+KLAnslIqkhLibj8KdZ2z
jtpOn8IzYKrFXQOxm9x+QGjzmxNhBQE2fNQRiATIaOdpkgOz7j6yqIRSUqA2aN0y
QmaDwPzYEtEHKRF0Tk4cj8N8dGM3mgQTvS2YcTASFme/9jkbVX77F+CbbaxJUMHd
7fxUrMev+kTDx7kmG9aiec1+pfiV2JZUuv0a1IN7+VxbAHhVKHE2hDHNNPPLlG0Z
50sqhO/1vaRf6Ewe+A+xGi/Z31P81hhozyBZEcr8WDD7RBUA9QYyq7Duor6ZRUQ/
sUlTWctb+jPzyFePmYKEr7RIE1JSnANHHKMmLfTwLOaHqH5TMtcP6k6QRRVPjKBb
zeWg6Xheaz+5h6ymX5woYNbzGN9TaAysz2KeFO3mK9XjPaUbzEAJT9+IryHYSLnT
P3TgQw3g/HPVpWyp+s3fjcmpi9jGyxjdFezuMekeO4VktlgdK1lBs0gELPA0Zrkh
MRl1ztd4FbMMAKHAzIgIcUUg5kgMMC6hO/DCVMlHCctHoNQeh2rEQo15YRRCEfAo
OgDJsznRtf3hYsZC7Q19D8q0E/SeMtYrRdzjeSNvSQffyiNf3hvUcbxVYQMqm3Vw
/tzliqnfshdjfpxB6sS4oDrnEqrM/x+2oETEgzHXWa9nt1rrLBI=
=8ihy
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX7HXjONLKJtyKPYoAQjMnBAAmx1QSi+/PIKlSZorXlG7irGjV+XLBu6C
vfvXl1J2SBmOWGAIeQ7LyEZ4HU9ZG00xr38/T6KwOFLKzk3cuGz0iSR2mH0eluV8
sdqYickm8ehAWoVR2YyTdAOf88UHw8d2aXNuwiylG0NSQNWpdc5RT0Vm40ftUDO0
DA3+yed37Sa2haTcjQg7Hrm0OBzFMfjoNhExb5WuDkWi26L2uw/ZPuIdluntrtMI
J8PzRKMJJMPa6nZbMw+58xkWnZQjlISzdgbQQ0RZwHGXd/41451vgv4Sru3bUcuc
DsborxpQlNukChxTzppZ0eDEiHXuK737nyi4bD6kY0q7jP3tWY0f+rx1pEnXnYxS
QZ4oW7oW1fCukcHvE+XRnkQ+pVHFV9xDfOrJ+4QIpT9L5mUhikiZReOiWE3ZuSwG
PmgkBKdZpxo+xgORzJSI7lsBEYnQ3q1e/d2heNwwF9720NN47Dn4H0SyxaXUeYqe
wIHQoF3dklO5/P1DoyUFpnGae+C16wu+bjiOhPeW09AnjRiRV/ok8QrU/JH4q9Yg
EBFFp589JGSCrrPv14jNc/gPVQz9DmHaruEmRvle9WRl/AlsFIUmn9ofjCYFfInw
SrBkSsORhPuF9tJHdvqm5DUdwEuGF0EQg4TmkXGO4ZdriUnrfNmG80PakkxrqpdM
uN7oSct5T6s=
=c9sG
-----END PGP SIGNATURE-----