-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1419
                     Apple security update for watchOS
                               27 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           watchOS
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Root Compromise                 -- Existing Account            
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Existing Account            
                   Reduced Security                -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-30661 CVE-2021-30660 CVE-2021-30659
                   CVE-2021-30653 CVE-2021-30652 CVE-2021-1885
                   CVE-2021-1884 CVE-2021-1883 CVE-2021-1882
                   CVE-2021-1881 CVE-2021-1880 CVE-2021-1875
                   CVE-2021-1872 CVE-2021-1868 CVE-2021-1864
                   CVE-2021-1860 CVE-2021-1858 CVE-2021-1857
                   CVE-2021-1851 CVE-2021-1849 CVE-2021-1846
                   CVE-2021-1843 CVE-2021-1832 CVE-2021-1826
                   CVE-2021-1825 CVE-2021-1822 CVE-2021-1820
                   CVE-2021-1817 CVE-2021-1816 CVE-2021-1815
                   CVE-2021-1814 CVE-2021-1813 CVE-2021-1811
                   CVE-2021-1809 CVE-2021-1808 CVE-2021-1807
                   CVE-2021-1740 CVE-2021-1739 

Reference:         ESB-2021.1408

Original Bulletin: 
   https://support.apple.com/HT212324

Comment: Apple is aware of a report that CVE-2021-30661 arbitrary code execution may have been actively exploited.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2021-04-26-5 watchOS 7.4

watchOS 7.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212324.

AppleMobileFileIntegrity
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to bypass Privacy
preferences
Description: An issue in code signature validation was addressed with
improved checks.
CVE-2021-1849: Siguza

Audio
Available for: Apple Watch Series 3 and later
Impact: An application may be able to read restricted memory
Description: A memory corruption issue was addressed with improved
validation.
CVE-2021-1808: JunDong Xie of Ant Security Light-Year Lab

CFNetwork
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may disclose
sensitive user information
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2021-1857: an anonymous researcher

CoreAudio
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted audio file may disclose
restricted memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-1846: JunDong Xie of Ant Security Light-Year Lab

CoreAudio
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to read restricted memory
Description: A memory corruption issue was addressed with improved
validation.
CVE-2021-1809: JunDong Xie of Ant Security Light-Year Lab

CoreFoundation
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to leak sensitive user
information
Description: A validation issue was addressed with improved logic.
CVE-2021-30659: Thijs Alkemade of Computest

CoreText
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: A logic issue was addressed with improved state
management.
CVE-2021-1811: Xingwei Lin of Ant Security Light-Year Lab

FaceTime
Available for: Apple Watch Series 3 and later
Impact: Muting a CallKit call while ringing may not result in mute
being enabled
Description: A logic issue was addressed with improved state
management.
CVE-2021-1872: Siraj Zaneer of Facebook

FontParser
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-1881: an anonymous researcher, Xingwei Lin of Ant Security
Light-Year Lab, Mickey Jin of Trend Micro, and Hou JingYi
(@hjy79425575) of Qihoo 360

Foundation
Available for: Apple Watch Series 3 and later
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved
validation.
CVE-2021-1882: Gabe Kirkpatrick (@gabe_k)

Foundation
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to gain root privileges
Description: A validation issue was addressed with improved logic.
CVE-2021-1813: Cees Elzinga

Heimdal
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted server messages may lead to
heap corruption
Description: This issue was addressed with improved checks.
CVE-2021-1883: Gabe Kirkpatrick (@gabe_k)

Heimdal
Available for: Apple Watch Series 3 and later
Impact: A remote attacker may be able to cause a denial of service
Description: A race condition was addressed with improved locking.
CVE-2021-1884: Gabe Kirkpatrick (@gabe_k)

ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: This issue was addressed with improved checks.
CVE-2021-1880: Xingwei Lin of Ant Security Light-Year Lab
CVE-2021-30653: Ye Zhang of Baidu Security
CVE-2021-1814: Ye Zhang of Baidu Security, Mickey Jin & Qi Sun of
Trend Micro, and Xingwei Lin of Ant Security Light-Year Lab
CVE-2021-1843: Ye Zhang of Baidu Security

ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-1885: CFF of Topsec Alpha Team

ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2021-1858: Mickey Jin of Trend Micro

iTunes Store
Available for: Apple Watch Series 3 and later
Impact: An attacker with JavaScript execution may be able to execute
arbitrary code
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-1864: CodeColorist of Ant-Financial LightYear Labs

Kernel
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to disclose kernel memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2021-1860: @0xalsr

Kernel
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2021-1816: Tielei Wang of Pangu Lab

Kernel
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A logic issue was addressed with improved state
management.
CVE-2021-1851: @0xalsr

Kernel
Available for: Apple Watch Series 3 and later
Impact: Copied files may not have the expected file permissions
Description: The issue was addressed with improved permissions logic.
CVE-2021-1832: an anonymous researcher

Kernel
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to disclose kernel memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30660: Alex Plaskett

libxpc
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to gain root privileges
Description: A race condition was addressed with additional
validation.
CVE-2021-30652: James Hutchins

libxslt
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted file may lead to heap
corruption
Description: A double free issue was addressed with improved memory
management.
CVE-2021-1875: Found by OSS-Fuzz

MobileInstallation
Available for: Apple Watch Series 3 and later
Impact: A local user may be able to modify protected parts of the
file system
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1822: Bruno Virlet of The Grizzly Labs

Preferences
Available for: Apple Watch Series 3 and later
Impact: A local user may be able to modify protected parts of the
file system
Description: A parsing issue in the handling of directory paths was
addressed with improved path validation.
CVE-2021-1815: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)
of Tencent Security Xuanwu Lab (xlab.tencent.com)
CVE-2021-1739: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)
of Tencent Security Xuanwu Lab (xlab.tencent.com)
CVE-2021-1740: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)
of Tencent Security Xuanwu Lab (xlab.tencent.com)

Safari
Available for: Apple Watch Series 3 and later
Impact: A local user may be able to write arbitrary files
Description: A validation issue was addressed with improved input
sanitization.
CVE-2021-1807: David Schütz (@xdavidhu)

Tailspin
Available for: Apple Watch Series 3 and later
Impact: A local attacker may be able to elevate their privileges
Description: A logic issue was addressed with improved state
management.
CVE-2021-1868: Tim Michaud of Zoom Communications

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: An input validation issue was addressed with improved
input validation.
CVE-2021-1825: Alex Camboe of Aon’s Cyber Solutions

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2021-1817: an anonymous researcher

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1826: an anonymous researcher

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2021-1820: an anonymous researcher

WebKit Storage
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that this issue
may have been actively exploited.
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-30661: yangkang(@dnpushme) of 360 ATA

Additional recognition

AirDrop
We would like to acknowledge @maxzks for their assistance.

CoreAudio
We would like to acknowledge an anonymous researcher for their
assistance.

CoreCrypto
We would like to acknowledge Andy Russon of Orange Group for their
assistance.

File Bookmark
We would like to acknowledge an anonymous researcher for their
assistance.

Foundation
We would like to acknowledge CodeColorist of Ant-Financial LightYear
Labs for their assistance.

Kernel
We would like to acknowledge Antonio Frighetto of Politecnico di
Milano, GRIMM, Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng,
Youjun Huang, Haixin Duan, Mikko Kenttälä ( @Turmio_ ) of SensorFu,
Proteas, and Tielei Wang of Pangu Lab for their assistance.

Security
We would like to acknowledge Xingwei Lin of Ant Security Light-Year
Lab and john (@nyan_satan) for their assistance.

sysdiagnose
We would like to acknowledge Tim Michaud (@TimGMichaud) of Leviathan
for their assistance.

WebKit
We would like to acknowledge Emilio Cobos Álvarez of Mozilla for
their assistance.

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----