copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2016.0742 - [Mobile] Apple Watch: Multiple vulnerabilities

Date: 22 March 2016
References: ESB-2016.0139  ESB-2016.0184  ESB-2016.0185  ESB-2016.0369  ASB-2016.0025  ESB-2016.0678  ESB-2016.0725  ESB-2016.0746  ESB-2016.0747  ESB-2016.0770  


Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0742
           Multiple vulnerabilities identified in Apple watch OS
                               22 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple Watch
Publisher:         Apple
Operating System:  Mobile Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Root Compromise                 -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1950 CVE-2016-1788 CVE-2016-1775
                   CVE-2016-1762 CVE-2016-1761 CVE-2016-1755
                   CVE-2016-1754 CVE-2016-1753 CVE-2016-1752
                   CVE-2016-1751 CVE-2016-1750 CVE-2016-1748
                   CVE-2016-1740 CVE-2016-1727 CVE-2016-1726
                   CVE-2016-1725 CVE-2016-1724 CVE-2016-1723
                   CVE-2016-1722 CVE-2016-1721 CVE-2016-1720
                   CVE-2016-1719 CVE-2016-1717 CVE-2016-0802
                   CVE-2016-0801 CVE-2015-8659 CVE-2015-8242
                   CVE-2015-8035 CVE-2015-7995 CVE-2015-7942
                   CVE-2015-7500 CVE-2015-7499 CVE-2015-5312
                   CVE-2015-1819  

Reference:         ASB-2016.0025
                   ESB-2016.0725
                   ESB-2016.0678
                   ESB-2016.0369
                   ESB-2016.0185
                   ESB-2016.0184
                   ESB-2016.0139

Original Bulletin: 
   https://support.apple.com/en-au/HT206168

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2016-03-21-2 watchOS 2.2

watchOS 2.2 is now available and addresses the following:

Disk Images
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in the parsing of
disk images. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2016-1717 : Frank Graziano of Yahoo! Pentest Team

FontParser
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1740 : HappilyCoded (ant4g0nist and r3dsm0k3) working with
Trend Micro's Zero Day Initiative (ZDI)

HTTPProtocol
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple vulnerabilities existed in nghttp2 versions
prior to 1.6.0, the most serious of which may have led to remote code
execution. These were addressed by updating nghttp2 to version 1.6.0.
CVE-ID
CVE-2015-8659

IOHIDFamily
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1719 : Ian Beer of Google Project Zero

IOHIDFamily
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  An application may be able to determine kernel memory layout
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1748 : Brandon Azad

Kernel
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1720 : Ian Beer of Google Project Zero
CVE-2016-1721 : Ian Beer of Google Project Zero and Ju Zhu of Trend
Micro
CVE-2016-1754 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2016-1755 : Ian Beer of Google Project Zero

Kernel
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A use after free issue was addressed through improved
memory management.
CVE-ID
CVE-2016-1750 : CESG

Kernel
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple integer overflows were addressed through
improved input validation.
CVE-ID
CVE-2016-1753 : Juwei Lin Trend Micro working with Trend Micro's Zero
Day Initiative (ZDI)

Kernel
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  An application may be able to bypass code signing
Description:  A permissions issue existed in which execute permission
was incorrectly granted. This issue was addressed through improved
permission validation.
CVE-ID
CVE-2016-1751 : Eric Monti of Square Mobile Security

Kernel
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  An application may be able to cause a denial of service
Description:  A denial of service issue was addressed through
improved validation.
CVE-ID
CVE-2016-1752 : CESG

libxml2
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Processing maliciously crafted XML may lead to unexpected
application termination or arbitrary code execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2015-1819
CVE-2015-5312 : David Drysdale of Google
CVE-2015-7499
CVE-2015-7500 : Kostya Serebryany of Google
CVE-2015-7942 : Kostya Serebryany of Google
CVE-2015-8035 : gustavo.grieco
CVE-2015-8242 : Hugh Davenport
CVE-2016-1761 : wol0xff working with Trend Micro's Zero Day
Initiative (ZDI)
CVE-2016-1762

libxslt
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Processing maliciously crafted XML may lead to unexpected
application termination or arbitrary code execution
Description:  A type confusion issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-7995 : puzzor

Messages
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  An attacker who is able to bypass Apple's certificate
pinning, intercept TLS connections, inject messages, and record
encrypted attachment-type messages may be able to read attachments
Description:  A cryptographic issue was addressed by rejecting
duplicate messages on the client.
CVE-ID
CVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk,
Ian Miers, and Michael Rushanan of Johns Hopkins University

Security
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Processing a maliciously crafted certificate may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the ASN.1 decoder.
This issue was addressed through improved input validation.
CVE-ID
CVE-2016-1950 : Francis Gabriel of Quarkslab

syslog
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1722 : Joshua J. Drake and Nikias Bassen of Zimperium zLabs

TrueTypeScaler
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2016-1775 : 0x1byte working with Trend Micro's Zero Day
Initiative (ZDI)

WebKit
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Processing maliciously crafted web content may lead to
arbitrary code execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1723 : Apple
CVE-2016-1724 : Apple
CVE-2016-1725 : Apple
CVE-2016-1726 : Apple
CVE-2016-1727 : Apple

Wi-Fi
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  An attacker with a privileged network position may be able
to execute arbitrary code
Description:  A frame validation and memory corruption issue existed
for a given ethertype. This issue was addressed through additional
ethertype validation and improved memory handling.
CVE-ID
CVE-2016-0801 : an anonymous researcher
CVE-2016-0802 : an anonymous researcher

- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJW8JP2AAoJEBcWfLTuOo7tegQQAK8H21zT1jYAaMerAKWp6Vo6
CHFN6M5KQwKMHDdTfn0tK29IK8Ewkb+ruOFvRWMHBPxdkYTsYfSPupuj0oUM1dV9
+bQR6BfQu1QLi7j73Ub4XowoiTJbAE4apisFCbO/eM+TyupODJSMBmuKUcFBuVQt
xLxOOHKiJ3CuaJmoc7fxOXzqx9+34jMbvjmaXjG0m4pktc7tsmTFXS0+GIVFbUXu
ArvcuVoO/jXUjWD6dB4n1bnLi+q7I/P/xP2tW4L1dqnP8i4fKZRt2Pq22VvyJlHb
5dP++yjRY79qfCyiVmRPmYfsIRgx716+tbEZl6Y3AUTy5n0S06XwDQQTR+y22why
oB+baS2eTzTEXOx5GxeFwFe4DYi5fqCwGWa7EQfnTPPd7gDc/JnuQI4F/ccRCiL4
5q+bGiEH34F5zDXqaXELZ399mCKsN24gxT4WrBI/EgZ182DFkyUg8XO1Ff6PVe3+
7NcoijUj2A+NWeaIPPWg81DHZnKHdcrG9Q35L/TrxrKigHBgfO3G09yfsCsvZjm9
MGIiaSfIGqYfgtyX15EQd8NVFN/ZhLMj5WRPChJoxNVLoXr+MdrhLG3tUae6nDXj
nmP1iBKbkgDkVQnuPfQyzZkvNHO9H2ZxnP3qSk6670V+VzpqpVXDm8nrEgcpDm1b
82FzLX2fEJg5XYLhXQrg
=lORW
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVvC3Mn6ZAP0PgtI9AQKLzQ//aEplgHWr8Gkf+ng2UyMPWdJAilhV/rL+
vlG7xiIOqx0FstIH/H1qT4BqJJL5Bu5Ux4+Krpn02+dID8vTJCc16v2f0DsqUaGo
5XAlVZKJDfGq6QIUY9BL8Dc8gY66NcHnGeQ43UmQr9WAwN+K+LPC33LbgmXZpH3/
PekBrFJ3zeQ31FI5uF2Fe0EIGLE1IEQmAJ54lGEkxsxbDNLq7mfH/dTczd+jsGSk
p76eSrkVhpfrBw+kwZU4nBH2rk3PmEz3BiRtw6Xg7L2F3nSkbbI1LHplRLCW76Ae
kcDo4ECNiDpCoEfZiBHtRgoWDKlR2cjRe68ZhOW0xGGkP5qRmC6INU+FUJ9y5qDl
6KMtnO/9Xk7jeJbAiFPGLn938q8p9rru3CGUBv6KfacIJ7iFyt1NJuD47lEinvt4
NnaLiXifh5DIoeIuUyW++erm1zz9pzdfCZSOyH4naO9YsLyIIPDAxxMy07qU0S+b
EPCjY6Xpm65/DBCpXG5t4XOIZ4dJhi72AmAPpV+iFokzHAxuCJ7d5G8wUPxopaSS
pm3g5o2ATcgOCKsNvrxV61XSlwyhln8/sFdusPhS+xbuTC0sXsm0tOA3Ua493thO
dRPnuddQt9GDNiOmoLbTiGYfXbyf6q1EeMh5OgEOGZsYA4+fMBjGpx/hDVGoLbj4
HH5zPEhKGBM=
=3gkr
-----END PGP SIGNATURE-----