SecurityTracker.com
Category:   Device (Multimedia)  >   Apple TV
Vendors:   Apple
(Apple Issues Fix for Apple TV) Apple iOS Multiple Flaws Let Remote Users Execute Arbitrary Code, Modify Data, and Cause Denial of Service Conditions, Local and Remote Users Obtain Potentially Sensitive Information, and Applications Gain Elevated Privileges
SecurityTracker Alert ID:  1039709
SecurityTracker URL:  http://securitytracker.com/id/1039709
CVE Reference:   CVE-2017-13080, CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13788, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796, CVE-2017-13798, CVE-2017-13799, CVE-2017-13802, CVE-2017-13803, CVE-2017-13804, CVE-2017-13849
Date:  Nov 1 2017
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 11.1
Description:   Multiple vulnerabilities were reported in Apple iOS. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can modify data on the target system. A remote user can cause the target application to crash. A local user can obtain potentially sensitive information. An application can obtain elevated privileges on the target system. Apple TV is affected.

A remote user can trigger a memory handling error in the CoreText component to cause denial of service conditions [CVE-2017-13849].

An application can trigger a memory corruption error in the kernel component to execute arbitrary code with kernel privileges [CVE-2017-13799].

A physically local user can exploit a flaw in the Messages application to access photos on the locked target device via the Reply With Message function [CVE-2017-13844].

A physically local user can trigger a flaw in the Siri component to read notifications on the target system [CVE-2017-13805].

A remote user can create a specially crafted zip file that, when loaded by the target user, will trigger a path handling flaw in the StreamingZip component to modify restricted areas of the file system [CVE-2017-13804].

A physically local user can exploit a flaw in the UIKit component to view characters in a secure text field [CVE-2017-7113].

A remote user can trigger a memory corruption error in the WebKit component to execute arbitrary code [CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13788, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796, CVE-2017-13798, CVE-2017-13802, CVE-2017-13803].

A remote user on the local network can cause the Wi-Fi component to reuse a nonce to potentially decrypt Wi-Fi connection data [CVE-2017-13080].

@qwertyoruiopz at KJC Research Intl. S.R.L., Hanul Choi (via Trend Micro's Zero Day Initiative), Ivan Fratric of Google Project Zero, Mathy Vanhoef of the imec-DistriNet group at KU Leuven, Miguel Alvarado of iDeviceHelp INC, Ro of SavSec, Yiğit Can YILMAZ (@yilmazcanyigit), an anonymous researcher, Duraiamuthan Harikrishnan of Tech Mahindra, Ricardo Sampayo of Bemo Ltd, chenqin of Ant-financial Light-Year Security, and xisigr of Tencent's Xuanwu Lab (tencent.com) reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can modify data on the target system.

A remote user can cause the target service to crash.

A local user can obtain potentially sensitive information on the target system.

An application can obtain elevated privileges on the target system.

Solution:   Apple has issued a fix for CVE-2017-13080, CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13788, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796, CVE-2017-13798, CVE-2017-13799, CVE-2017-13802, CVE-2017-13803, CVE-2017-13804, and CVE-2017-13849 for Apple TV (11.1).

The Apple advisory is available at:

https://support.apple.com/en-us/HT208219

Vendor URL:  support.apple.com/en-us/HT208219
Cause:   Access control error, Input validation error, State error

Message History:   This archive entry is a follow-up to the message listed below.
Oct 31 2017 Apple iOS Multiple Flaws Let Remote Users Execute Arbitrary Code, Modify Data, and Cause Denial of Service Conditions, Local and Remote Users Obtain Potentially Sensitive Information, and Applications Gain Elevated Privileges




Copyright 2019, SecurityGlobal.net LLC