SecurityTracker.com
SecurityTracker Archives

Category:   Device (Multimedia)  >   Apple Watch
Vendors:   Apple
(Apple Issues Fix for Apple Watch) Apple OS X Multiple Bugs Let Remote and Local Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Deny Service
SecurityTracker Alert ID:  1032365
SecurityTracker URL:  http://securitytracker.com/id/1032365
CVE Reference:   CVE-2015-1093, CVE-2015-1096, CVE-2015-1099, CVE-2015-1100, CVE-2015-1101, CVE-2015-1102, CVE-2015-1103, CVE-2015-1104, CVE-2015-1105, CVE-2015-1117
Updated:  May 19 2015
Original Entry Date:  May 19 2015
Impact:   Denial of service via local system, Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 1.0.1
Description:   Multiple vulnerabilities were reported in Apple OS X. A remote user can cause arbitrary code to be executed on the target user's system. A local user can obtain elevated privileges on the target system. A local user can cause denial of service conditions on the target system. A local user can access potentially sensitive information on the target system. A remote user can view passwords in certain cases. A remote user can bypass same-origin restrictions on the target system. Apple Watch is affected by some of these vulnerabilities.

A local user can exploit a flaw in the checking of XPC entitlements to gain administrative privileges [CVE-2015-1130]. OS X versions 10.10.x are affected.

Emil Kvarnhammar at TrueSec reported this vulnerability.

A local user can trigger input validation flaws in fontd to execute arbitrary code with system privileges [CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, CVE-2015-1134, CVE-2015-1135].

Ian Beer of Google Project Zero reported this vulnerability.

A cookie set in a redirect response may be passed on to a redirect target of another domain [CVE-2015-1089]. OS X versions 10.10.x are affected.

Niklas Keller reported this vulnerability.

An HTTP request header containing authentication credentials sent in a redirect response may be passed on to a redirect target of a different domain [CVE-2015-1091]. OS X versions 10.10.x are affected.

Diego Torres (http://dtorres.me) reported this vulnerability.
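The two redirect issues above (CVE-2015-1089 and CVE-2015-1091) come down to one client-side rule, shown here as an added example that is not Apple's or SecurityTracker's code: credential-bearing request headers follow a redirect only when the target has the same origin, and cookies set by the redirecting host are stored for that host rather than sent to the target. The cookie jar is a plain dict keyed by hostname and the Domain/Path cookie attributes are ignored; both are assumptions of this example.

```python
from urllib.parse import urljoin, urlsplit

# Request headers that carry credentials for the origin they were sent to.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def origin(url: str) -> tuple:
    """(scheme, host, port) triple; default ports are filled in so that
    https://a.example and https://a.example:443 compare equal."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme.lower() == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def store_set_cookies(jar: dict, url: str, response_headers: list) -> None:
    """Bind every Set-Cookie in the response to the host that sent it.
    Assumption of this example: jar is {host: {name: value}} and the
    Domain/Path attributes are ignored."""
    host = origin(url)[1]
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            cookie_name, _, cookie_value = value.split(";", 1)[0].strip().partition("=")
            jar.setdefault(host, {})[cookie_name] = cookie_value


def build_redirect_request(request_url: str, request_headers: dict, location: str,
                           response_headers: list, jar: dict) -> tuple:
    """Return (target_url, headers) for following a 3xx response."""
    # Cookies in the redirect response belong to the redirecting host, never to the target.
    store_set_cookies(jar, request_url, response_headers)
    target = urljoin(request_url, location)
    # The Cookie header is always rebuilt from the jar for the target host.
    headers = {k: v for k, v in request_headers.items() if k.lower() != "cookie"}
    if origin(target) != origin(request_url):
        # Cross-origin target: Authorization and friends must not travel with it
        # (the forwarding tracked as CVE-2015-1091).
        headers = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    target_cookies = jar.get(origin(target)[1], {})
    if target_cookies:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in target_cookies.items())
    return target, headers


if __name__ == "__main__":
    # Constructed exchange: a login request redirected to another domain.
    jar = {"app.example": {"session": "abc"}}
    print(build_redirect_request(
        "https://app.example/login",
        {"Authorization": "Bearer t0k3n", "Cookie": "session=abc"},
        "https://cdn.other.example/landing",
        [("Set-Cookie", "tracker=xyz; Path=/")],
        jar))
    print(jar)  # tracker=xyz is stored under app.example, not sent to cdn.other.example
```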

A remote user can create a specially crafted URL that, when loaded by the target user, will trigger an input validation flaw in the processing of URLs and execute arbitrary code [CVE-2015-1088]. OS X versions 10.10.x are affected.

Luigi Galli reported this vulnerability.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a use-after-free in CoreAnimation and execute arbitrary code [CVE-2015-1136].

A remote user can create a specially crafted font file that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code [CVE-2015-1093].

Marc Schoenefeld reported this vulnerability.

A local user can trigger a null pointer dereference in the NVIDIA graphics driver's processing of certain IOService userclient types to execute arbitrary code with system privileges [CVE-2015-1137]. OS X versions 10.9.5 and 10.10.x are affected.

Frank Graziano and John Villamil of the Yahoo Pentest Team reported this vulnerability.

A local application can trigger an input validation flaw in the hypervisor framework to cause denial of service conditions [CVE-2015-1138]. OS X versions 10.10.x are affected.

Izik Eidus and Alex Fishman reported this vulnerability.

A remote user can create a specially crafted '.sgi' file that, when processed by the target user or application, will execute arbitrary code [CVE-2015-1139].

An HID device can trigger a memory corruption error in an IOHIDFamily API to execute arbitrary code [CVE-2015-1095]. OS X versions 10.10.x are affected.

Andrew Church reported this vulnerability.

A local user can trigger a buffer overflow in IOHIDFamily to execute arbitrary code with system privileges [CVE-2015-1140].

lokihardt@ASRT (via HP's Zero Day Initiative) and Luca Todesco reported this vulnerability.

A local user can exploit a flaw in IOHIDFamily to determine kernel memory layout [CVE-2015-1096]. OS X versions 10.10.x are affected.

Ilja van Sprundel of IOActive reported this vulnerability.

A local user can trigger an error in the mach_vm_read() operation to cause the system to shut down [CVE-2015-1141]. OS X versions 10.10.x are affected.

Ole Andre Vadla Ravnas of www.frida.re reported this vulnerability.

A local user can trigger a race condition in the setreuid() system call to cause denial of service conditions [CVE-2015-1099].

Mark Mentovai of Google Inc reported this vulnerability.

A local application can invoke a service that makes setreuid() and setregid() system calls but does not properly drop privileges to gain elevated privileges [CVE-2015-1117].

Mark Mentovai of Google Inc reported this vulnerability.
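The setreuid()/setregid() issue above (CVE-2015-1117) is a service that lowered its effective id but left the saved id behind, so the old identity could be restored. The routine below, an added example that is not Apple's or SecurityTracker's code, shows the pattern a service should use: change real, effective and saved ids together, then prove the drop is irreversible by trying to regain the old effective uid. It assumes a Linux or BSD host where os.getresuid() exists; self_check() is a constructed check against the running process's own ids.

```python
import os


def drop_privileges_permanently(uid: int, gid: int) -> bool:
    """Switch the process to (uid, gid) so that the change cannot be undone.

    Returns True only when real, effective AND saved ids all changed and the
    previous effective uid can no longer be restored. A service that changes
    only the effective id keeps the saved id, and seteuid() brings it back.
    """
    orig_euid = os.geteuid()
    try:
        # Group first: once the uid is unprivileged the gid change would fail.
        os.setregid(gid, gid)
        os.setreuid(uid, uid)
    except OSError:
        return False
    # Every id must have changed, including the saved set-user-id.
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        return False
    # Decisive check: try to regain the old identity; the kernel must refuse.
    if orig_euid != uid:
        try:
            os.seteuid(orig_euid)
        except OSError:
            return True
        return False  # regained privileges: the drop was only temporary
    return True


def self_check() -> dict:
    """Exercise the routine against the running process (constructed check).

    Dropping to our own ids is a no-op that still runs every verification
    step; an id we do not own must be refused when we are not root.
    """
    own = drop_privileges_permanently(os.getuid(), os.getgid())
    foreign = None
    if os.geteuid() != 0:
        foreign = drop_privileges_permanently(os.getuid() + 1, os.getgid() + 1)
    return {"own": own, "foreign": foreign}


if __name__ == "__main__":
    print(self_check())
```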

A remote user in a privileged network position can send ICMP redirects to cause traffic from the target system to be redirected to arbitrary hosts [CVE-2015-1103]. OS X versions 10.10.x are affected.

Zimperium Mobile Security Labs reported this vulnerability.

A remote user in a privileged network position can trigger a state error in the processing of TCP headers and cause denial of service conditions [CVE-2015-1102]. OS X versions 10.10.x are affected.

Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab reported this vulnerability.

A local user can trigger an out-of-bounds memory access error in the kernel to read portions of kernel memory or cause the system to crash [CVE-2015-1100].

Maxime Villard of m00nbsd reported this vulnerability.

A remote user can send specially crafted IPv6 packets to bypass network filters [CVE-2015-1104].

Stephen Roettger of the Google Security Team reported this vulnerability.

A local user can trigger a memory corruption error in the kernel to execute arbitrary code with kernel level privileges [CVE-2015-1101].

lokihardt@ASRT reported this vulnerability (via HP's Zero Day Initiative).

A remote user can trigger a state error in the processing of TCP out-of-band data to cause denial of service conditions [CVE-2015-1105]. OS X versions 10.10.x are affected.

Kenton Varda of Sandstorm.io reported this vulnerability.

A local user can trigger an input validation flaw in LaunchServices in the processing of application localization data and cause Finder to crash [CVE-2015-1142]. OS X versions 10.10.x are affected.

A local user can trigger a type confusion error in LaunchServices in the processing of localized strings to execute arbitrary code with system privileges [CVE-2015-1143].

A local user can create a specially crafted configuration profile that, when loaded, will trigger a memory corruption error in libnetcore and cause the target application to crash [CVE-2015-1118]. OS X versions 10.10.x are affected.

Zhaofeng Chen, Hui Xue, Yulong Zhang, and Tao Wei of FireEye, Inc reported this vulnerability.

When an Open Directory client is bound to an OS X Server but does not have the certificates of the OS X Server installed and then a user on the client changes their password, the password change request is transmitted over the network without encryption [CVE-2015-1147]. OS X versions 10.9.5 and 10.10.x are affected.

A remote user can create a specially crafted iWork file that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code [CVE-2015-1098].

Christopher Hickstein reported this vulnerability.

The Screen Sharing feature may log the target user's password [CVE-2015-1148]. OS X versions 10.10.x are affected.

A remote user can modify an application that, when launched by the target user, will bypass the code signing signature verification and launch [CVE-2015-1145, CVE-2015-1146].

A local user can trigger a buffer overflow in the processing of Uniform Type Identifiers to execute arbitrary code with system privileges [CVE-2015-1144].

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A local user can obtain elevated privileges on the target system.

A remote or local user can cause denial of service conditions.

A local user can access potentially sensitive information on the target system.

A remote user can view passwords in certain cases.

A remote user can bypass same-origin restrictions on the target system.

Solution:   Apple has issued a fix for CVE-2015-1093, CVE-2015-1096, CVE-2015-1099, CVE-2015-1100, CVE-2015-1101, CVE-2015-1102, CVE-2015-1103, CVE-2015-1104, CVE-2015-1105, and CVE-2015-1117 for Apple Watch (1.0.1).

The Apple advisory is available at:

https://support.apple.com/en-us/HT204870

Vendor URL:  support.apple.com/en-us/HT204870
Cause:   Access control error, Boundary error, Input validation error, State error

Message History:   This archive entry is a follow-up to the message listed below.
Apr 8 2015 Apple OS X Multiple Bugs Let Remote and Local Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Deny Service



 Source Message Contents

Subject:  APPLE-SA-2015-05-19-1 Watch OS 1.0.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2015-05-19-1 Watch OS 1.0.1

Watch OS 1.0.1 is now available and addresses the following:

Certificate Trust Policy
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Update to the certificate trust policy
Description:  The certificate trust policy was updated. The complete
list of certificates may be viewed at
https://support.apple.com/kb/204873

FontParser
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the processing of
font files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-1093 : Marc Schoenefeld

Foundation
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  An application using NSXMLParser may be misused to disclose
information
Description:  An XML External Entity issue existed in NSXMLParser's
handling of XML. This issue was addressed by not loading external
entities across origins.
CVE-ID
CVE-2015-1092 : Ikuya Fukumoto

IOHIDFamily
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may be able to determine kernel
memory layout
Description:  An issue existed in IOHIDFamily that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1096 : Ilja van Sprundel of IOActive

IOAcceleratorFamily
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may be able to determine kernel
memory layout
Description:  An issue existed in IOAcceleratorFamily that led to the
disclosure of kernel memory content. This issue was addressed by
removing unneeded code.
CVE-ID
CVE-2015-1094 : Cererdlong of Alibaba Mobile Security Team

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may be able to cause a system denial
of service
Description:  A race condition existed in the kernel's setreuid
system call. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1099 : Mark Mentovai of Google Inc.

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  An attacker with a privileged network position may be able
to redirect user traffic to arbitrary hosts
Description:  ICMP redirects were enabled by default. This issue was
addressed by disabling ICMP redirects.
CVE-ID
CVE-2015-1103 : Zimperium Mobile Security Labs

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A remote attacker may be able to cause a denial of service
Description:  A state inconsistency issue existed in the handling of
TCP out of band data. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1105 : Kenton Varda of Sandstorm.io

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may escalate privileges using a
compromised service intended to run with reduced privileges
Description:  setreuid and setregid system calls failed to drop
privileges permanently. This issue was addressed by correctly
dropping privileges.
CVE-ID
CVE-2015-1117 : Mark Mentovai of Google Inc.

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A remote attacker may be able to bypass network filters
Description:  The system would treat some IPv6 packets from remote
network interfaces as local packets. The issue was addressed by
rejecting these packets.
CVE-ID
CVE-2015-1104 : Stephen Roettger of the Google Security Team

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  An attacker with a privileged network position may be able
to cause a denial of service
Description:  A state inconsistency existed in the processing of TCP
headers. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-1102 : Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may be able to cause unexpected
system termination or read kernel memory
Description:  An out of bounds memory access issue existed in the
kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1100 : Maxime Villard of m00nbsd

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1101 : lokihardt@ASRT working with HP's Zero Day Initiative

Secure Transport
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  An attacker with a privileged network position may intercept
SSL/TLS connections
Description:  Secure Transport accepted short ephemeral RSA keys,
usually used only in export-strength RSA cipher suites, on
connections using full-strength RSA cipher suites. This issue, also
known as FREAK, only affected connections to servers which support
export-strength RSA cipher suites, and was addressed by removing
support for ephemeral RSA keys.
CVE-ID
CVE-2015-1067 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine
Delignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of
Prosecco at Inria Paris

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/en-us/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".


Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


Copyright 2021, SecurityGlobal.net LLC