VARIoT IoT vulnerabilities database

VAR-201805-0144 | CVE-2017-14439 | Moxa EDR-810 Input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An exploitable denial of service vulnerability exists in the Service Agent functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted packet can cause a denial of service. An attacker can send a large packet to 4001/tcp to trigger this vulnerability. Moxa EDR-810 contains an input validation vulnerability; service operation may be disrupted (DoS). The EDR-810 is a highly integrated industrial multiport secure router from Moxa with firewall/NAT/VPN and managed Layer 2 switch functionality.
VAR-201709-0120 | CVE-2015-0689 | Cisco Cloud Web Security Buffer error vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Cisco Cloud Web Security before 3.0.1.7 allows remote attackers to bypass intended filtering protection mechanisms by leveraging improper handling of HTTP methods, aka Bug ID CSCut69743. Cisco Cloud Web Security contains a buffer error vulnerability and a data processing vulnerability; the vendor has confirmed it and tracks it as Bug ID CSCut69743. Information may be tampered with. The vulnerability affects the connector engine and stems from the program not handling HTTP methods correctly.
VAR-201709-0214 | CVE-2017-10930 | ZXR10 1800-2S Access control vulnerability |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
The ZXR10 1800-2S before v3.00.40 incorrectly restricts access to a resource from an unauthorized actor, resulting in ordinary users being able to download configuration files to steal information such as administrator accounts and passwords. ZXR10 1800-2S contains an access control vulnerability; information may be obtained or altered, and service operation may be disrupted (DoS). ZTE ZXR10 1800-2S is a router of China's ZTE Corporation (ZTE). Versions before 3.00.40 fail to properly restrict access to resources for unauthorized users.
VAR-201709-0215 | CVE-2017-10931 | ZXR10 1800-2S Path traversal vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The ZXR10 1800-2S before v3.00.40 incorrectly restricts the download of the file directory range for WEB users, resulting in the ability to download any files and cause information leaks such as system configuration. ZXR10 1800-2S contains a path traversal vulnerability; information may be obtained. ZTE ZXR10 1800-2S is a router made by China's ZTE Corporation (ZTE). Versions before 3.00.40 are affected.
VAR-201712-0178 | CVE-2017-14486 | Vibease Wireless Remote Vibrator and Vibease Chat applications information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The Vibease Wireless Remote Vibrator app for Android and the Vibease Chat app for iOS use cleartext to exchange messages with other apps and the PLAIN SASL mechanism to send auth tokens to Vibease servers, which allows remote attackers to obtain user credentials, messages, and other sensitive information by sniffing the network for XMPP traffic. The Vibease Wireless Remote Vibrator and Vibease Chat applications contain an information disclosure vulnerability; information may be obtained. Vibease Chat for iOS is an online chat application for the iOS platform. The vulnerability stems from the fact that the apps exchange messages with other applications in cleartext and use the PLAIN SASL mechanism to send authentication tokens to the Vibease server.
VAR-201709-0547 | CVE-2017-14581 | SAP NetWeaver AS JAVA Vulnerable to resource exhaustion |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash) via a crafted request, aka SAP Security Note 2389181. SAP NetWeaver AS JAVA contains a resource exhaustion vulnerability; the vendor has confirmed it and tracks it as SAP Security Note 2389181. Service operation may be disrupted (DoS).
VAR-201805-0139 | CVE-2017-14434 | Moxa EDR-810 OS command injection vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in a root shell. An attacker can inject OS commands into the remoteNetmask0= parameter of the "/goform/net_Web_get_value" URI to trigger this vulnerability. Moxa EDR-810 contains an OS command injection vulnerability; information may be obtained or altered, and service operation may be disrupted (DoS). The EDR-810 is a highly integrated industrial multiport secure router from Moxa with firewall/NAT/VPN and managed Layer 2 switch functionality.
VAR-201805-0137 | CVE-2017-14432 | Moxa EDR-810 OS command injection vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in a root shell. An attacker can inject OS commands into the openvpnServer0_tmp= parameter of the "/goform/net_Web_get_value" URI to trigger this vulnerability. Moxa EDR-810 contains an OS command injection vulnerability; information may be obtained or altered, and service operation may be disrupted (DoS). The EDR-810 is a highly integrated industrial multiport secure router from Moxa with firewall/NAT/VPN and managed Layer 2 switch functionality.
VAR-201710-1418 | CVE-2017-7106 | WebKit used in multiple Apple products vulnerable to address bar spoofing |
CVSS V2: 4.3 CVSS V3: 6.5 Severity: MEDIUM |
An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. iCloud before 7.0 on Windows is affected. The issue involves the "WebKit" component. It allows remote attackers to spoof the address bar. WebKit, used in Apple iOS, Safari, iCloud and other products, is prone to multiple security vulnerabilities.
An attacker may leverage this issue to spoof the originating URL of a trusted web site or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to carry out phishing-style attacks, and steal cookie-based authentication credentials. Apple iOS is an operating system developed for mobile devices; Safari is the default web browser included with Mac OS X and iOS. WebKit is one of the web browser engine components. Security vulnerabilities exist in the WebKit component of Apple iOS versions prior to 11, Safari versions prior to 11, and iCloud for Windows versions prior to 7.0.
CVE-2017-7087: Apple
CVE-2017-7091: Wei Yuan of Baidu Security Lab working with Trend
Micro's Zero Day Initiative
CVE-2017-7092: Qixun Zhao (@S0rryMybad) of Qihoo 360 Vulcan Team,
Samuel Groß and Niklas Baumstark working with Trend Micro's Zero Day
Initiative
CVE-2017-7093: Samuel Groß and Niklas Baumstark working with Trend
Micro's Zero Day Initiative
CVE-2017-7094: Tim Michaud (@TimGMichaud) of Leviathan Security Group
CVE-2017-7095: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University working with Trend Micro's Zero Day
Initiative
CVE-2017-7096: Wei Yuan of Baidu Security Lab
CVE-2017-7098: Felipe Freitas of Instituto Tecnológico de Aeronáutica
CVE-2017-7099: Apple
CVE-2017-7100: Masato Kinugawa and Mario Heiderich of Cure53
CVE-2017-7102: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University
CVE-2017-7104: likemeng of Baidu Security Lab
CVE-2017-7107: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University
CVE-2017-7111: likemeng of Baidu Security Lab (xlab.baidu.com)
working with Trend Micro's Zero Day Initiative
CVE-2017-7117: lokihardt of Google Project Zero
CVE-2017-7120: chenqin of Ant-financial Light-Year Security
Lab
Entry added September 25, 2017
WebKit
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of the parent-tab.
CVE-2017-7089: Frans Rosén of Detectify, Anton Lopanitsyn of ONSEC
WebKit
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Cookies belonging to one origin may be sent to another origin
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed by no longer returning
cookies for custom URL schemes.
CVE-2017-7109: avlidienbrunn
Entry added September 25, 2017
WebKit
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: A malicious website may be able to track users in
Safari private browsing mode
Description: A permissions issue existed in the handling of web
browser cookies.
CVE-2017-7144: an anonymous researcher
Entry added September 25, 2017
WebKit Storage
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Website data may persist after a Safari Private browsing
session
Description: An information leakage issue existed in the handling of
website data in Safari Private windows.
CVE-2017-7142: an anonymous researcher, an anonymous researcher, an
anonymous researcher
Entry added September 25, 2017
Additional recognition
WebKit
We would like to acknowledge xisigr of Tencent's Xuanwu Lab
(tencent.com) for their assistance.
Installation note:
Safari 11 may be obtained from the Mac App Store.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-09-19-1 iOS 11
iOS 11 is now available and addresses the following:
Exchange ActiveSync
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An attacker in a privileged network position may be able to
erase a device during Exchange account setup
Description: A validation issue existed in AutoDiscover V1. This
issue was addressed through requiring TLS.
CVE-2017-7088: Ilya Nesterov, Maxim Goncharov
iBooks
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Parsing a maliciously crafted iBooks file may lead to a
persistent denial-of-service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7072: Jędrzej Krysztofiak
Mail MessageUI
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: A memory corruption issue was addressed with improved
validation.
CVE-2017-7097: Xinshu Dong and Jun Hao Tan of Anquan Capital
Messages
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: A denial of service issue was addressed through improved
validation.
CVE-2017-7118: Kiki Jiang and Jason Tokoph
MobileBackup
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Backup may perform an unencrypted backup despite a
requirement to perform only encrypted backups
Description: A permissions issue existed. This issue was addressed
with improved permission validation.
CVE-2017-7133: Don Sparks of HackediOS.com
Safari
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7085: xisigr of Tencent's Xuanwu Lab (tencent.com)
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of the parent-tab.
This issue was addressed with improved state management.
CVE-2017-7089: Anton Lopanitsyn of ONSEC, Frans Rosén of Detectify
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com)
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "11".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJZwVI3AAoJEIOj74w0bLRGSncQAMxcG5XB4dncEVU3cTFGO0e/
LVQJzWpK50Lwr7kM+1CV3Nh9oa9b6+3f2hh9vYJ34OHPJbUEasqrZmAFiDjbJoZn
46e34Rxwk7+oGXSFUS15SEAxAsctTCG3redczoZy/7k75q1z/lq1KZPD9WKCoieP
m30OuTsEy3x9UZpJ5xcGJXTCy1LE6kFeGtcNBc7T2JBDXR2Y/4inQvIqhhj15Cg+
o6kvRVcUIysDTbeEB2WNRWQn6uKWw/Gl0eg9wei2dMzkbNUIEOSVhPoOCrnLLkQb
Ud/YpIYCDn8Uy9on9bnVRa8ZOg0Yx52tuZJ920vu4+8xnSyBvkmSy7AtSU9IZ5SW
QLHYuDSECo+nW7xPuFHce2KkUHcZrzAHKpJBGpruq2IX7Vfz5/1w0YJU93pwj5Sy
A68JREYoThj/Ath+nPZAvUXUHR0sLXgRlBWUfwo1UsXt4lsVy+b7b0wQP/wX1atz
6/c72oChTp5c8VWlfajHadC6EmLRuBYoLW8HxlemyWU+RZDNjMMb11ytL/vg+VOL
51u+BjCs/6BIJI6+mirfG+XK/DVjStgy5W3atup5yEJXy8ouWyBT4vi1PJgjqQOh
0s4G3yE0J38pvtbCFtSb7VOJBh4ocFz7ggeZ5Z3tSQsawtSlcTfl3+93rJ87yRQG
4UIRwN/cWfzukSyrDAis
=ufig
-----END PGP SIGNATURE-----
VAR-201710-1417 | CVE-2017-7105 | Wi-Fi component in multiple Apple products vulnerable to arbitrary code execution in a privileged context |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. watchOS before 4 is affected. The issue involves the "Wi-Fi" component. It might allow remote attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via crafted Wi-Fi traffic. Apple iOS, WatchOS and tvOS are prone to multiple memory corruption and security-bypass vulnerabilities.
Attackers can exploit these issues to execute arbitrary code and perform unauthorized actions. Failed exploit attempts may result in a denial-of-service condition.
The following versions are affected:
Versions prior to Apple iOS 11
Versions prior to Apple watchOS 4
Versions prior to Apple tvOS 11.
Apple iOS is an operating system developed for mobile devices; tvOS is a smart TV operating system; watchOS is a smart watch operating system.
Apple: Heap overflow in "assembleBGScanResults" when handling ioctl results
CVE-2017-7105
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe" driver is used in order to handle the PCIe interface and low-level communication protocols with the Wi-Fi SoC (also referred to as "dongle"). Similarly, the "AppleBCMWLANCore" driver handles the high-level protocols and the Wi-Fi configuration.
Along with the regular flow of frames transferred between the host and the dongle, the two communicate with one another via a set of "ioctls" which can be issued to read or write dongle configuration from the host. This information is exchanged using the "Control Completion" ring, rather than the regular "RX" ring.
The "AppleBCMWLANCore" driver performs periodic scans for nearby networks. To do so, the "retrieveBGScanCachedInfo" function issues the WLC_GET_VAR ioctl (262) to read the "pfnbest_bssid" IO-var. Then, after the scan results are collected into a heap-allocated buffer, they are processed by the "assembleBGScanResults" function.
The returned PFN results buffer has the following structure (byte offsets; each PFN entry is 12 bytes long):
  Offset        Field
  0             Version
  4             Status
  8             Count (n)
  12            PFN #1
  24            PFN #2 ...
  12+(n-1)*12   PFN #n
  12+n*12       end of buffer
However, it is important to note that an attacker controlling the dongle can fully control the result of arbitrary ioctl calls. As a result, all ioctl command results should be considered untrusted. For example, on the BCM4355C0 SoC with firmware version 9.44.78.27.0.1.56 (used on the iPhone 7 build 14C92), the "iovar" handling function is located at ROM address 0x4678C, and can be hooked by overwriting its registration pointer at RAM address 0x2068F4.
Assuming an attacker has control over the Wi-Fi dongle, the returned PFN buffer can be arbitrarily crafted. Taking a look at the "assembleBGScanResults" function, we can see that it has the following approximate high-level logic:
int64_t assembleBGScanResults(..., char* results) {
    ...
    uint32_t status = *(uint32_t*)(results + 4);
    uint32_t count_pfns = *(uint32_t*)(results + 8);
    if (!count_pfns)
        return 1;
    if (status == 0) {
        ...
        /* allocation length is truncated to 16 bits before use */
        char* copied_pfn_results = IOMalloc((count_pfns * 20) & 0xFFFC);
        char* pfn = results + 12;
        char local_pfn[20];
        for (uint32_t i = 0; i < count_pfns; i++, pfn += 12, copied_pfn_results += 20) {
            memmove(local_pfn, pfn, 6);
            *((int32_t*)(local_pfn + 12)) = (int32_t)(pfn[6]);
            *((int32_t*)(local_pfn + 16)) = (int32_t)(pfn[7]);
            memmove(local_pfn + 8, pfn + 10, 2);
            memmove(copied_pfn_results, local_pfn, 20);
        }
        ...
    }
    ...
}
(where "results" is the buffer returned by the dongle when reading the IO-Var).
As we can see above, the value "(count_pfns * 20) & 0xFFFC" is used as the length of the allocated buffer, but no check is performed to make sure that this calculation does not result in a truncation of the multiplication. As a result, an attacker can choose the value of the "Count" field so that (count_pfns * 20) & 0xFFFC < count_pfns * 20 (for example, by setting count_pfns to 0x10001). This will cause the copy loop above to copy the contents of the returned IO-Var OOB into the heap allocated buffer, resulting in a heap overflow.
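The following C program is an added illustration, not code from the bug report or from Apple's driver. It places the truncated length computation described above next to a checked one, and parses a constructed PFN buffer (the 12-byte header and 12-byte entries from the structure above) only after confirming that the advertised "Count" is backed by the bytes actually received and that the output size cannot overflow. The field names, the little-endian header reading, and the `build_sample_results` helper are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PFN_HDR_LEN 12u  /* Version(4) | Status(4) | Count(4), as in the report */
#define PFN_IN_LEN  12u  /* one PFN result as returned by the dongle */
#define PFN_OUT_LEN 20u  /* one PFN result as stored by the host driver */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Allocation length as the report describes it: the product is masked to
 * 16 bits, so any count of 3277 or more wraps to a far smaller value. */
uint32_t vulnerable_alloc_len(uint32_t count_pfns) {
    return (count_pfns * PFN_OUT_LEN) & 0xFFFCu;
}

/* Hardened length computation (added here; not the driver's code). Fails if
 * the buffer does not actually hold `count_pfns` input entries, or if the
 * output size would not fit a 32-bit length. */
bool checked_alloc_len(uint32_t count_pfns, size_t results_len, uint32_t *alloc_len) {
    if (count_pfns == 0 || results_len < PFN_HDR_LEN)
        return false;
    size_t available = (results_len - PFN_HDR_LEN) / PFN_IN_LEN;
    if (count_pfns > available)                 /* count not backed by data */
        return false;
    if (count_pfns > UINT32_MAX / PFN_OUT_LEN)  /* multiplication would overflow */
        return false;
    *alloc_len = count_pfns * PFN_OUT_LEN;
    return true;
}

/* Copies each 12-byte dongle entry into a 20-byte host entry using the field
 * layout shown in the report's pseudocode. Returns the number of entries
 * copied, or -1 if the header fails validation. The caller frees *out. */
int parse_pfn_results(const uint8_t *results, size_t results_len,
                      uint8_t **out, size_t *out_len) {
    *out = NULL;
    *out_len = 0;
    if (results_len < PFN_HDR_LEN)
        return -1;
    uint32_t status = rd32le(results + 4);
    uint32_t count_pfns = rd32le(results + 8);
    uint32_t alloc_len;
    if (status != 0 || !checked_alloc_len(count_pfns, results_len, &alloc_len))
        return -1;
    uint8_t *buf = calloc(1, alloc_len);
    if (buf == NULL)
        return -1;
    const uint8_t *pfn = results + PFN_HDR_LEN;
    uint8_t *dst = buf;
    for (uint32_t i = 0; i < count_pfns; i++, pfn += PFN_IN_LEN, dst += PFN_OUT_LEN) {
        uint8_t local_pfn[PFN_OUT_LEN] = {0};
        uint32_t b6 = pfn[6], b7 = pfn[7];
        memcpy(local_pfn, pfn, 6);          /* 6-byte identifier */
        memcpy(local_pfn + 12, &b6, 4);     /* byte 6 widened to 32 bits */
        memcpy(local_pfn + 16, &b7, 4);     /* byte 7 widened to 32 bits */
        memcpy(local_pfn + 8, pfn + 10, 2); /* 2 bytes from offset 10 */
        memcpy(dst, local_pfn, PFN_OUT_LEN);
    }
    *out = buf;
    *out_len = alloc_len;
    return (int)count_pfns;
}

/* Builds a constructed sample buffer (not captured from a device): a header
 * advertising `claimed_count` entries followed by `entries` real 12-byte
 * entries filled with a recognisable pattern. Returns bytes written, or 0
 * if `buf` is too small. */
size_t build_sample_results(uint8_t *buf, size_t buf_len,
                            uint32_t claimed_count, uint32_t entries) {
    size_t need = PFN_HDR_LEN + (size_t)entries * PFN_IN_LEN;
    if (buf_len < need)
        return 0;
    memset(buf, 0, need);
    buf[0] = 1;                   /* version; status stays 0 */
    for (int k = 0; k < 4; k++)   /* count, little-endian */
        buf[8 + k] = (uint8_t)(claimed_count >> (8 * k));
    for (uint32_t i = 0; i < entries; i++)
        for (uint32_t j = 0; j < PFN_IN_LEN; j++)
            buf[PFN_HDR_LEN + i * PFN_IN_LEN + j] = (uint8_t)(0x10 * i + j);
    return need;
}

int main(void) {
    uint8_t results[64];
    uint8_t *out;
    size_t n, out_len;
    n = build_sample_results(results, sizeof results, 2, 2);
    printf("honest buffer: parser returns %d\n", parse_pfn_results(results, n, &out, &out_len));
    free(out);
    n = build_sample_results(results, sizeof results, 0x10001u, 2);
    printf("count 0x10001: vulnerable length %u, checked parser returns %d\n",
           vulnerable_alloc_len(0x10001u), parse_pfn_results(results, n, &out, &out_len));
    return 0;
}
```

With the report's example count of 0x10001 the masked product is 20, so the original allocation would hold a single entry while the loop copies 65537 of them; the checked parser refuses the buffer because only two entries are present. The "count not backed by data" test is the one that matters most for dongle-controlled input: even without the 16-bit mask, a large count would otherwise walk the copy loop past the end of the received buffer.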
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: laginimaineb
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-09-25-5
Additional information for APPLE-SA-2017-09-20-2 watchOS 4
watchOS 4 addresses the following:
CFNetwork Proxies
Available for: All Apple Watch models
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.
Entry added September 25, 2017
CoreAudio
Available for: All Apple Watch models
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus
version 1.1.4.
CVE-2017-0381: V.E.O (@VYSEa) of Mobile Threat Research Team, Trend
Micro
Entry added September 25, 2017
Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7114: Alex Plaskett of MWR InfoSecurity
Entry added September 25, 2017
libc
Available for: All Apple Watch models
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue in glob() was addressed
through an improved algorithm.
CVE-2017-7086: Russ Cox of Google
Entry added September 25, 2017
libc
Available for: All Apple Watch models
Impact: An application may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-1000373
Entry added September 25, 2017
libexpat
Available for: All Apple Watch models
Impact: Multiple issues in expat
Description: Multiple issues were addressed by updating to version
2.2.1
CVE-2016-9063
CVE-2017-9233
Entry added September 25, 2017
Security
Available for: All Apple Watch models
Impact: A revoked certificate may be trusted
Description: A certificate validation issue existed in the handling
of revocation data. This issue was addressed through improved
validation.
CVE-2017-7080: an anonymous researcher, Sven Driemecker of adesso
mobile solutions gmbh, an anonymous researcher, Rune Darrud
(@theflyingcorpse) of Bærum kommune
Entry added September 25, 2017
SQLite
Available for: All Apple Watch models
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating to version
3.19.3.
CVE-2017-10989: found by OSS-Fuzz
CVE-2017-7128: found by OSS-Fuzz
CVE-2017-7129: found by OSS-Fuzz
CVE-2017-7130: found by OSS-Fuzz
Entry added September 25, 2017
SQLite
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7103: Gal Beniamini of Google Project Zero
CVE-2017-7105: Gal Beniamini of Google Project Zero
CVE-2017-7108: Gal Beniamini of Google Project Zero
CVE-2017-7110: Gal Beniamini of Google Project Zero
CVE-2017-7112: Gal Beniamini of Google Project Zero
Wi-Fi
Available for: All Apple Watch models
Impact: Malicious code executing on the Wi-Fi chip may be able to
read restricted kernel memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-7116: Gal Beniamini of Google Project Zero
zlib
Available for: All Apple Watch models
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version
1.2.11.
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843
Entry added September 25, 2017
Additional recognition
Security
We would like to acknowledge Abhinav Bansal of Zscaler, Inc.
for their assistance.
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJZyUQgAAoJEIOj74w0bLRGqL0QAIfT73f98ConKBEM8SMpm/g/
CtIS26bKtiSIniKWXjj0CHRcnFT4FPos5md2yNhBOTWIgChGtulnORWSowWu2RtI
LVxqskUc97e6LLoTzFc8AM8q6b3Km2cx7C2iVNZWFrLO/JeDHfC8x2pMCgAT8Bx4
Q5FbDIGwD5+w+UYHgIVytqEPvt29OEwOBi41/f78Bvqj1oMf5+EQGjMFU+pECWGg
zDucvK0iirv+5k5YcovpiQlaqx0QBPTMcaZJQLDY3t6k2RpdJZr5M7xd4Oanu0l1
E2blAl4CWN8zSQkdUfMdlamXYWwOvyv4b9iKb0+sKeLWHpWbaQ/LmOHuPHjvFgRq
YWE72P3l5IVWSPZfgsUvD+70uHAobv70MB5O+TQnbLCemnwqq19psez8PMYR2fTF
OfV0Dr6mpsa2GAVexNesEodlLz5a7kdjiBEAIUujJZzL8bVGdHjNll2qxHZCwlUW
mWrxqot2QnymQ7Ycs1mGxg/97snO1eGT44BjVpQ47COSzI+YBhg2lLP15sGdRbF5
viCWhLkJGNBUN7naV/Jsj8sJNW0RBC1tkEz9cfRBLkU7ObtkJCORTwnmiz0jNzQf
gvtVsBC+nBAlJA40Do1lB8rQw1yyizcUmckDywcJg7MatkwIymdgashIR/LVeBHR
39wnv7L2yjedzyd+/y5E
=ACi9
-----END PGP SIGNATURE-----
VAR-201710-1410 | CVE-2017-7097 | Apple iOS Mail MessageUI component denial of service (DoS) vulnerability |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Mail MessageUI" component. It allows attackers to cause a denial of service (memory corruption) via a crafted image. Apple iOS is prone to a memory-corruption vulnerability.
An attacker can exploit this issue to cause a denial-of-service condition.
Versions prior to Apple iOS 11 are vulnerable.
VAR-201710-1415 | CVE-2017-7103 | Wi-Fi component in multiple Apple products vulnerable to arbitrary code execution in a privileged context |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. watchOS before 4 is affected. The issue involves the "Wi-Fi" component. It might allow remote attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via crafted Wi-Fi traffic. Apple iOS, WatchOS and tvOS are prone to multiple memory corruption and security-bypass vulnerabilities.
Attackers can exploit these issues to execute arbitrary code and perform unauthorized actions. Failed exploit attempts may result in a denial-of-service condition.
The following versions are affected:
Versions prior to Apple iOS 11
Versions prior to Apple watchOS 4
Versions prior to Apple tvOS 11.
Apple iOS is an operating system developed for mobile devices; tvOS is a smart TV operating system; watchOS is a smart watch operating system.
Apple: Heap Overflow in AppleBCMWLANCore driver when handling Completed Firmware Timestamp messages (0x27)
CVE-2017-7103
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe" driver is used in order to handle the PCIe interface and low-level communication protocols with the Wi-Fi SoC (also referred to as "dongle"). Similarly, the "AppleBCMWLANCore" driver handles the high-level protocols and the Wi-Fi configuration.
The host and dongle communicate with one another using a set of "message rings". Two of the message rings are used to transfer data from the host to the dongle (H2D). Similarly, the following three rings are used to communicate data back to the host from the dongle (D2H):
-"Control Completion" Ring (Ring #2)
-"TX Completion" Ring (Ring #3)
-"RX Completion" Ring (Ring #4)
As their name implies, the last two rings are used to signal to the host when TX and RX events respectively are completed by the dongle. In contrast, the first ring is used to indicate completion of several "special" control events. Each posted message to this ring has the following structure:
Offset  Field
0       Message Type (1 byte)
1       unused (1 byte)
2       Flags (1 byte)
3       unused (1 byte)
4       Resource ID (2 bytes)
6       Message-Type Dependent Data (to the end of the message, offset X)
On the iPhone 7 build 14C92, messages posted to the "Control Completion" ring are processed by the "drainControlCompleteRing" function in the AppleBCMWLANBusInterfacePCIe driver. This function goes over each of the posted completion structures, and checks whether they match any of the supported message types. Messages of type 0x27 indicate a completion of a "Firmware Timestamp" request, and are handled by the "completeFirmwareTimestampMsg" function. The completion data for these events has the following structure:
Offset  Field
0       Message Type (1 byte)
1       unused (1 byte)
2       Flags (1 byte)
3       unused (1 byte)
4       Resource ID (2 bytes)
6       unused (6 bytes)
12      Timestamp Length (2 bytes)
14      unknown (2 bytes)
16      end of structure
The handler function first performs a lookup using the "Resource ID" in order to locate the buffer associated with the message. Then, the associated buffer is copied to a new "mbuf" chain, and lastly the function calls the "receiveFirmwareTimeSyncMessage" function in the AppleBCMWLANCore driver. Here is the snippet of the corresponding approximate high-level logic:
...
// Look up the host-side buffer that the dongle-supplied "Resource ID" refers to
void* resource = find_resource_by_resource_id(..., evt->resource_id);
if (!resource)
    return 0xE00002C6;
mbuf_t mbuf;
int64_t res = get_mbuf_from_resource(resource, &mbuf);
if (!res)
    return 0xE00002F0;
void* event_data = mbuf_data(mbuf);
// BUG: evt->timestamp_length comes straight from the dongle and is never compared
// against the mbuf's real length before being used as the packet header length
mbuf_pkthdr_setlen(mbuf, evt->timestamp_length);
// Only the data pointer and the unchecked length are passed on from here
receiveFirmwareTimeSyncMessage(..., evt->unknown, event_data, evt->timestamp_length);
...
Note that the function erroneously fails to verify the "Timestamp Length" field before setting it as the packet header's length.
Regardless, continuing to follow the processing flow, the "receiveFirmwareTimeSyncMessage" function passes the message on to "processFirmwareTimeSyncMessage". At this point since only the pointer to the message's data and the supplied timestamp length field are given to the processing functions, they are unable to verify that the length field is indeed valid (i.e., that it does not exceed the corresponding mbuf's length).
Lastly, let's take a look at the "processFirmwareTimeSyncMessage" function, which performs the following approximate high-level logic:
int64_t processFirmwareTimeSyncMessage(void* this, uint16_t unknown, char* event_data, uint16_t timestamp_length) {
    ...
    // The total length must be a whole number of 0x1C-byte TLVs
    if (timestamp_length % 0x1C) {
        //Handle error...
    }
    if (timestamp_length > 0x1B) {
        //Validating each TLV (per-TLV checks only; the total length is never bounded)
        struct timestamp_tlv* tlvs = (struct timestamp_tlv*)event_data;
        for (uint64_t i=0; i<(timestamp_length / 0x1C); i++) {
            struct timestamp_tlv* tlv = &(tlvs[i]);
            if (tlv->tag) {
                //Handle error...
            }
            if (tlv->len != 0x18) {
                //Handle error...
            }
            if (processFirmwareClockInfoTLV(..., tlv, ...) != 0xE3FF8E00) {
                //Handle error...
            }
        }
    }
    //Copying the result into a buffer
    int bytes_left = 2048;
    write_current_timestamp_to_buffer(..., result_buffer, &bytes_left);
    ...
    // BUG: timestamp_length is attacker-controlled and may exceed bytes_left,
    // so this memmove can write past the end of the 2048-byte heap buffer
    memmove(result_buffer + (2048 - bytes_left), event_data, timestamp_length);
    ...
}
struct timestamp_tlv {
    uint16_t tag;       // must be zero
    uint16_t len;       // must be 0x18
    char data[0x18];
};
Where "result_buffer" is a heap-allocated buffer of length 2048.
Since the code above only verifies that each individual firmware timestamp TLV is valid, supplying a large number of valid TLVs will result in the verification stage completing successfully, therefore causing a "memmove" to the "result_buffer" using the attacker-controlled "timestamp_length" field.
Note that several restrictions apply to the data copied in the overflow, namely:
-It must start with the 16-bit tag zero
-It must have a 16-bit length field of 0x18
-It must pass validation by "processFirmwareClockInfoTLV"
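The processing flow reconstructed above, as an added worked example in C that is not part of the Project Zero report or of Apple's driver code. It reproduces the per-TLV validation, shows why that validation does nothing to protect the final memmove, and places a bounds-checked variant beside it. The TLV and buffer sizes come from the report; HEADER_BYTES_ASSUMED (how much write_current_timestamp_to_buffer consumes), the helper names and the constructed TLV input are assumptions, and the hardened variant is one plausible fix, not Apple's actual patch. The vulnerable path reports the size of the overrun instead of performing the corrupting copy, so the program runs safely in user space.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the report: 0x1C-byte TLVs carrying 0x18 bytes of data, copied into a
 * 2048-byte heap buffer. HEADER_BYTES_ASSUMED stands in for whatever
 * write_current_timestamp_to_buffer consumed first (the report does not say). */
#define TLV_SIZE             0x1C
#define TLV_DATA_LEN         0x18
#define RESULT_BUF_LEN       2048
#define HEADER_BYTES_ASSUMED 16

struct timestamp_tlv {           /* sizeof == 0x1C, no padding */
    uint16_t tag;                /* must be 0 */
    uint16_t len;                /* must be 0x18 */
    uint8_t  data[TLV_DATA_LEN];
};

enum ts_status { TS_OK = 0, TS_BAD_LEN, TS_BAD_TLV, TS_LEN_EXCEEDS_MBUF, TS_WOULD_OVERFLOW };

/* The per-TLV validation the report describes. It is the only check the vulnerable
 * code makes, and it never bounds the total length. */
static int validate_tlvs(const uint8_t *event_data, uint16_t timestamp_length) {
    if (timestamp_length % TLV_SIZE) return TS_BAD_LEN;
    for (size_t i = 0; i < timestamp_length / TLV_SIZE; i++) {
        struct timestamp_tlv tlv;
        memcpy(&tlv, event_data + i * TLV_SIZE, TLV_SIZE);   /* avoids unaligned loads */
        if (tlv.tag != 0 || tlv.len != TLV_DATA_LEN) return TS_BAD_TLV;
    }
    return TS_OK;
}

/* Vulnerable flow: every TLV is checked, then timestamp_length drives the memmove.
 * Rather than executing the corrupting copy, report how many bytes would land past
 * the end of result_buffer. */
size_t vulnerable_overflow_bytes(const uint8_t *event_data, uint16_t timestamp_length) {
    if (validate_tlvs(event_data, timestamp_length) != TS_OK) return 0;
    size_t bytes_left = RESULT_BUF_LEN - HEADER_BYTES_ASSUMED;
    return timestamp_length > bytes_left ? timestamp_length - bytes_left : 0;
}

/* One possible hardening (not Apple's fix, which is not public): bound the declared
 * length by the mbuf that backs it before trusting it at all, then bound the copy by
 * the space actually left in result_buffer. */
int hardened_process(const uint8_t *event_data, size_t mbuf_len,
                     uint16_t timestamp_length, uint8_t *result_buffer) {
    if (timestamp_length > mbuf_len) return TS_LEN_EXCEEDS_MBUF;
    int st = validate_tlvs(event_data, timestamp_length);
    if (st != TS_OK) return st;
    size_t bytes_left = RESULT_BUF_LEN - HEADER_BYTES_ASSUMED;
    if (timestamp_length > bytes_left) return TS_WOULD_OVERFLOW;
    memmove(result_buffer + HEADER_BYTES_ASSUMED, event_data, timestamp_length);
    return TS_OK;
}

/* Constructed input: n well-formed TLVs (tag 0, len 0x18), the shape a malicious chip
 * would send to pass every per-TLV check. Returns the total byte length. */
size_t build_valid_tlvs(uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        struct timestamp_tlv tlv = { 0, TLV_DATA_LEN, {0} };
        memset(tlv.data, 0x41, TLV_DATA_LEN);
        memcpy(out + i * TLV_SIZE, &tlv, TLV_SIZE);
    }
    return n * TLV_SIZE;
}

static uint8_t g_tlvs[200 * TLV_SIZE];   /* scratch: up to 200 TLVs */
static uint8_t g_result[RESULT_BUF_LEN];

/* Scenario helpers over the constructed input. */
size_t demo_overflow_bytes(size_t n_tlvs) {
    size_t n = build_valid_tlvs(g_tlvs, n_tlvs);
    return vulnerable_overflow_bytes(g_tlvs, (uint16_t)n);
}

int demo_hardened(size_t n_tlvs, size_t mbuf_len) {
    size_t n = build_valid_tlvs(g_tlvs, n_tlvs);
    return hardened_process(g_tlvs, mbuf_len, (uint16_t)n, g_result);
}

int demo_hardened_bad_tlv(void) {        /* second TLV carries a non-zero tag */
    size_t n = build_valid_tlvs(g_tlvs, 2);
    g_tlvs[TLV_SIZE] = 1;
    return hardened_process(g_tlvs, n, (uint16_t)n, g_result);
}

int main(void) {
    printf("100 valid TLVs (2800 bytes): memmove overruns result_buffer by %zu bytes\n",
           demo_overflow_bytes(100));
    printf("hardened path returns %d for the same input\n", demo_hardened(100, 100 * TLV_SIZE));
    return 0;
}
```

With 16 header bytes assumed, 72 TLVs (2016 bytes) still fit, 73 TLVs (2044 bytes) overrun by 12 bytes and 100 TLVs by 768, all while passing every per-TLV check. The hardened path rejects such input on one of two grounds: the declared length exceeds the backing mbuf, or it exceeds the space left in the buffer; only a length that survives both is copied.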
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: laginimaineb
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-09-25-6
Additional information for APPLE-SA-2017-09-20-3 tvOS 11
tvOS 11 addresses the following:
CFNetwork Proxies
Available for: Apple TV (4th generation)
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.
Entry added September 25, 2017
CoreAudio
Available for: Apple TV (4th generation)
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus
version 1.1.4.
CVE-2017-0381: V.E.O (@VYSEa) of Mobile Threat Research Team, Trend
Micro
Entry added September 25, 2017
Kernel
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7114: Alex Plaskett of MWR InfoSecurity
Entry added September 25, 2017
libc
Available for: Apple TV (4th generation)
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue in glob() was addressed
through an improved algorithm.
CVE-2017-7086: Russ Cox of Google
Entry added September 25, 2017
libc
Available for: Apple TV (4th generation)
Impact: An application may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-1000373
Entry added September 25, 2017
libexpat
Available for: Apple TV (4th generation)
Impact: Multiple issues in expat
Description: Multiple issues were addressed by updating to version
2.2.1
CVE-2016-9063
CVE-2017-9233
Entry added September 25, 2017
Security
Available for: Apple TV (4th generation)
Impact: A revoked certificate may be trusted
Description: A certificate validation issue existed in the handling
of revocation data. This issue was addressed through improved
validation.
CVE-2017-7080: an anonymous researcher, an anonymous researcher, Sven
Driemecker of adesso mobile solutions gmbh, Rune Darrud
(@theflyingcorpse) of Bærum kommune
Entry added September 25, 2017
SQLite
Available for: Apple TV (4th generation)
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating to version
3.19.3.
CVE-2017-10989: found by OSS-Fuzz
CVE-2017-7128: found by OSS-Fuzz
CVE-2017-7129: found by OSS-Fuzz
CVE-2017-7130: found by OSS-Fuzz
Entry added September 25, 2017
SQLite
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7127: an anonymous researcher
Entry added September 25, 2017
WebKit
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-7081: Apple
Entry added September 25, 2017
WebKit
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-7087: Apple
CVE-2017-7091: Wei Yuan of Baidu Security Lab working with Trend
Micro's Zero Day Initiative
CVE-2017-7092: Qixun Zhao (@S0rryMybad) of Qihoo 360 Vulcan Team,
Samuel Groß and Niklas Baumstark working with Trend Micro's Zero Day
Initiative
CVE-2017-7093: Samuel Groß and Niklas Baumstark working with Trend
Micro's Zero Day Initiative
CVE-2017-7094: Tim Michaud (@TimGMichaud) of Leviathan Security Group
CVE-2017-7095: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University working with Trend Micro's Zero Day
Initiative
CVE-2017-7096: Wei Yuan of Baidu Security Lab
CVE-2017-7098: Felipe Freitas of Instituto Tecnológico de Aeronáutica
CVE-2017-7099: Apple
CVE-2017-7100: Masato Kinugawa and Mario Heiderich of Cure53
CVE-2017-7102: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University
CVE-2017-7104: likemeng of Baidu Security Lab
CVE-2017-7107: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University
CVE-2017-7111: likemeng of Baidu Security Lab (xlab.baidu.com)
working with Trend Micro's Zero Day Initiative
CVE-2017-7117: lokihardt of Google Project Zero
CVE-2017-7120: chenqin (陈钦) of Ant-financial Light-Year Security
Lab
Entry added September 25, 2017
WebKit
Available for: Apple TV (4th generation)
Impact: Cookies belonging to one origin may be sent to another origin
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed by no longer returning
cookies for custom URL schemes.
CVE-2017-7090: Apple
Entry added September 25, 2017
WebKit
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: Application Cache policy may be unexpectedly applied.
CVE-2017-11120: Gal Beniamini of Google Project Zero
CVE-2017-11121: Gal Beniamini of Google Project Zero
Entry added September 25, 2017
Wi-Fi
Available for: Apple TV (4th generation)
Impact: Malicious code executing on the Wi-Fi chip may be able to
execute arbitrary code with kernel privileges on the application
processor
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7103: Gal Beniamini of Google Project Zero
CVE-2017-7105: Gal Beniamini of Google Project Zero
CVE-2017-7108: Gal Beniamini of Google Project Zero
CVE-2017-7110: Gal Beniamini of Google Project Zero
CVE-2017-7112: Gal Beniamini of Google Project Zero
Wi-Fi
Available for: Apple TV (4th generation)
Impact: Malicious code executing on the Wi-Fi chip may be able to
execute arbitrary code with kernel privileges on the application
processor
Description: Multiple race conditions were addressed through improved
validation.
CVE-2017-7115: Gal Beniamini of Google Project Zero
Wi-Fi
Available for: Apple TV (4th generation)
Impact: Malicious code executing on the Wi-Fi chip may be able to
read restricted kernel memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-7116: Gal Beniamini of Google Project Zero
zlib
Available for: Apple TV (4th generation)
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version
1.2.11.
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843
Entry added September 25, 2017
Additional recognition
Security
We would like to acknowledge Abhinav Bansal of Zscaler, Inc.
for their assistance.
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software."
To check the current version of software, select
"Settings -> General -> About."
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJZyUQgAAoJEIOj74w0bLRGmH0P/1rZBEQnrvLIzN5gACvcHV/C
EKodfm/gKl7oLx6imZ+DB8/bihcvCGzrxAH6EOIfLaKS3kOpHoEU6FnfppxQfeh5
6YDyVbckCj7Z1WLsEJdjr69+BeCsuqmNs9uR00M3W4sAAZoBV22kTc1qqcsRBkI4
AuiqivNeLYn0ugJYG16IL59Owew8MhSrJNDrFPEL6ASiJX54pyLUvshRHbFvllzO
XjhlScXBZ3n7LhEpWfwJHiS31p3Sqcxdi3UhY5j4zrwR+mWB2SJneo2C3rYGf/jq
U/nwNMFJz2s9VLpvijPKrZ6f5P2VObPQbiZB0PKCXa9pJj62Z4xj4E/EcH6CM49o
qRwWH87xFrjBdhGAzI1rUc2ytbCiz6rdlpELL4CNgGXKaaQNv88HSBVB3XEGzJYH
wa4fq4eSBl/nxwo/tHroyHjL70LLFdbhtmCDO24Bp1lu4ukmH1TsM/k6S3GLxVCl
SYLtwcTzE+V4iFaASWdFP2j87OxhdzA9XZqOfR9eU2ydNvWFIJ9+S1JaFEZYTJYy
UFRJmvTFw910mq3Sf5G8JdBFu9MMOL/2UEaOyAzd29xK2TQKiTijd+Zlq1FJAIoF
lezymTMM4ArlK1pmz3er9Jodh6Xj4Pse09NvwYxrZ1WPChAqV7C6ygBaib7CRTI6
zuNm/zMi6PIpOGbB5Wvh
=YZ+q
-----END PGP SIGNATURE-----
VAR-201710-1401 | CVE-2017-7088 | Apple iOS of Exchange ActiveSync Component deletion vulnerability |
CVSS V2: 7.1 CVSS V3: 5.9 Severity: MEDIUM |
An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Exchange ActiveSync" component. It allows remote attackers to erase a device in opportunistic circumstances by hijacking a cleartext AutoDiscover V1 session during the setup of an Exchange account. Apple iOS is prone to multiple security vulnerabilities.
Successful exploits will allow attackers to perform unauthorized actions, or cause denial-of-service conditions; other attacks may also be possible.
Versions prior to Apple iOS 11 are vulnerable. Exchange ActiveSync is one of the Microsoft Exchange synchronization protocols.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-09-25-4
Additional information for APPLE-SA-2017-09-19-1 iOS 11
iOS 11 addresses the following:
Bluetooth
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An application may be able to access restricted files
Description: A privacy issue existed in the handling of Contact
cards. This was addressed with improved state management.
CVE-2017-7131: Dominik Conrads of Federal Office for Information
Security, an anonymous researcher, Elvis (@elvisimprsntr), an
anonymous researcher
Entry added September 25, 2017
CFNetwork Proxies
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.
Entry added September 25, 2017
CoreAudio
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus
version 1.1.4.
CVE-2017-0381: V.E.O (@VYSEa) of Mobile Threat Research Team, Trend
Micro
Entry added September 25, 2017
Exchange ActiveSync
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An attacker in a privileged network position may be able to
erase a device during Exchange account setup
Description: A validation issue existed in AutoDiscover V1. This was
addressed by requiring TLS for AutoDiscover V1. AutoDiscover V2 is
now supported.
CVE-2017-7088: Ilya Nesterov, Maxim Goncharov
Heimdal
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An attacker in a privileged network position may be able to
impersonate a service
Description: A validation issue existed in the handling of the KDC-
REP service name. This issue was addressed through improved
validation.
CVE-2017-11103: Jeffrey Altman, Viktor Duchovni, and Nico Williams
Entry added September 25, 2017
iBooks
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Parsing a maliciously crafted iBooks file may lead to a
persistent denial-of-service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7072: Jędrzej Krysztofiak
Entry added September 25, 2017
Kernel
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7114: Alex Plaskett of MWR InfoSecurity
Entry added September 25, 2017
Keyboard Suggestions
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Keyboard autocorrect suggestions may reveal sensitive
information
Description: The iOS keyboard was inadvertently caching sensitive
information. This issue was addressed with improved heuristics.
CVE-2017-7140: an anonymous researcher
Entry added September 25, 2017
libc
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue in glob() was addressed
through an improved algorithm.
CVE-2017-7086: Russ Cox of Google
Entry added September 25, 2017
libc
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An application may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-1000373
Entry added September 25, 2017
libexpat
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Multiple issues in expat
Description: Multiple issues were addressed by updating to version
2.2.1
CVE-2016-9063
CVE-2017-9233
Entry added September 25, 2017
Location Framework
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An application may be able to read sensitive location
information
Description: A permissions issue existed in the handling of the
location variable. This was addressed with additional ownership
checks.
CVE-2017-7148: an anonymous researcher, an anonymous researcher
Entry added September 25, 2017
Mail Drafts
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An attacker with a privileged network position may be able to
intercept mail contents
Description: An encryption issue existed in the handling of mail
drafts. This issue was addressed with improved handling of mail
drafts meant to be sent encrypted.
CVE-2017-7078: an anonymous researcher, an anonymous researcher, an
anonymous researcher
Entry added September 25, 2017
Mail MessageUI
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: A memory corruption issue was addressed with improved
validation.
CVE-2017-7097: Xinshu Dong and Jun Hao Tan of Anquan Capital
Messages
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: A denial of service issue was addressed through improved
validation.
CVE-2017-7118: Kiki Jiang and Jason Tokoph
MobileBackup
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Backup may perform an unencrypted backup despite a
requirement to perform only encrypted backups
Description: A permissions issue existed. This issue was addressed
with improved permission validation.
CVE-2017-7133: Don Sparks of HackediOS.com
Phone
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: A screenshot of secure content may be taken when locking an
iOS device
Description: A timing issue existed in the handling of locking. This
issue was addressed by disabling screenshots while locking.
CVE-2017-7139: an anonymous researcher
Entry added September 25, 2017
Safari
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7085: xisigr of Tencent's Xuanwu Lab (tencent.com)
Security
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: A revoked certificate may be trusted
Description: A certificate validation issue existed in the handling
of revocation data. This issue was addressed through improved
validation.
CVE-2017-7080: an anonymous researcher, an anonymous researcher,
Sven Driemecker of adesso mobile solutions gmbh,
Rune Darrud (@theflyingcorpse) of Bærum kommune
Entry added September 25, 2017
Security
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: A malicious app may be able to track users between installs
Description: A permission checking issue existed in the handling of
an app's Keychain data. This issue was addressed with improved
permission checking.
CVE-2017-7146: an anonymous researcher
Entry added September 25, 2017
SQLite
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating to
version 3.19.3.
CVE-2017-10989: found by OSS-Fuzz
CVE-2017-7128: found by OSS-Fuzz
CVE-2017-7129: found by OSS-Fuzz
CVE-2017-7130: found by OSS-Fuzz
Entry added September 25, 2017
SQLite
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7127: an anonymous researcher
Entry added September 25, 2017
Time
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: "Setting Time Zone" may incorrectly indicate that it is using
location
Description: A permissions issue existed in the process that handles
time zone information. The issue was resolved by modifying
permissions.
CVE-2017-7145: an anonymous researcher
Entry added September 25, 2017
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-7081: Apple
Entry added September 25, 2017
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-7087: Apple
CVE-2017-7091: Wei Yuan of Baidu Security Lab working with Trend
Micro's Zero Day Initiative
CVE-2017-7092: Samuel Groß and Niklas Baumstark working with Trend
Micro's Zero Day Initiative, Qixun Zhao (@S0rryMybad) of Qihoo 360
Vulcan Team
CVE-2017-7093: Samuel Groß and Niklas Baumstark working with Trend
Micro's Zero Day Initiative
CVE-2017-7094: Tim Michaud (@TimGMichaud) of Leviathan Security Group
CVE-2017-7095: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University working with Trend Micro's Zero Day
Initiative
CVE-2017-7096: Wei Yuan of Baidu Security Lab
CVE-2017-7098: Felipe Freitas of Instituto Tecnológico de Aeronáutica
CVE-2017-7099: Apple
CVE-2017-7100: Masato Kinugawa and Mario Heiderich of Cure53
CVE-2017-7102: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University
CVE-2017-7104: likemeng of Baidu Security Lab
CVE-2017-7107: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University
CVE-2017-7111: likemeng of Baidu Security Lab (xlab.baidu.com)
working with Trend Micro's Zero Day Initiative
CVE-2017-7117: lokihardt of Google Project Zero
CVE-2017-7120: chenqin (陈钦) of Ant-financial Light-Year Security
Lab
Entry added September 25, 2017
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of the parent-tab.
This issue was addressed with improved state management.
CVE-2017-7089: Anton Lopanitsyn of ONSEC, Frans Rosén of Detectify
Entry added September 25, 2017
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Cookies belonging to one origin may be sent to another origin
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed by no longer returning
cookies for custom URL schemes.
CVE-2017-7090: Apple
Entry added September 25, 2017
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com)
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: Application Cache policy may be unexpectedly applied.
CVE-2017-7109: avlidienbrunn
Entry added September 25, 2017
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: A malicious website may be able to track users in Safari
private browsing mode
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed with improved restrictions.
CVE-2017-7144: an anonymous researcher
Entry added September 25, 2017
Wi-Fi
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An attacker within range may be able to execute arbitrary
code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-11120: Gal Beniamini of Google Project Zero
CVE-2017-11121: Gal Beniamini of Google Project Zero
Entry added September 25, 2017
Wi-Fi
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Malicious code executing on the Wi-Fi chip may be able to
execute arbitrary code with kernel privileges on the application
processor
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7103: Gal Beniamini of Google Project Zero
CVE-2017-7105: Gal Beniamini of Google Project Zero
CVE-2017-7108: Gal Beniamini of Google Project Zero
CVE-2017-7110: Gal Beniamini of Google Project Zero
CVE-2017-7112: Gal Beniamini of Google Project Zero
Wi-Fi
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Malicious code executing on the Wi-Fi chip may be able to
execute arbitrary code with kernel privileges on the application
processor
Description: Multiple race conditions were addressed through improved
validation.
CVE-2017-7115: Gal Beniamini of Google Project Zero
Wi-Fi
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Malicious code executing on the Wi-Fi chip may be able to
read restricted kernel memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-7116: Gal Beniamini of Google Project Zero
zlib
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version
1.2.11.
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843
Entry added September 25, 2017
Additional recognition
Security
We would like to acknowledge Abhinav Bansal of Zscaler, Inc.
for their assistance.
WebKit
We would like to acknowledge xisigr of Tencent's Xuanwu Lab
(tencent.com) for their assistance.
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "11".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJZyUQfAAoJEIOj74w0bLRGvBgQAJIF/+cKGy/7YWEugFrwr8A3
rNzHU/yZ3X976fmlYM8l+VUJEn2khu5huPsQzYUvEdbHOWkUGThKil+NzDr3YP6V
YYRIi+6i9KJEATGQAdR9YW6bcqJCu7S2xxNBnXtOxR/1TzO4LvVQsWJo0c5z91dD
Aid3uYhx1SPwcaF5O5CfRQcp1JSLOWKZOaxO+u+DmtYIM746jrz3FOrfEN8mQp0q
CwUSE/Vum7ImOsNUO308QnGmL7s/FGkp86/JtNTbAxJ47Rhqu5lcXj3q1ntrlLdX
VFC+K7mNdwNtc1vqB03W5gamyD1qVcTvvwJ3D9cpQAySTDyRFF9cGw+TrzaDl48B
8iiY7D/KkhHuY4jskCF6xyjzloK9RfgKg2FzEBndoESt7bEw4eufF9wnrfV/M1xw
6U4DSjZxgqUwV7YqMX/VnpcEuxg5q9emCQmBfudnVIPKuOITg8x1oyE1e036MDo5
zon/cRIxqaSt8K6rI7TafxQIwpM541N89O/VZbcVey5JFIu1kew4G/gMivMOyroE
+xqxLmeGgD10LMZOgoRsNBiKDy8JLJa2lO2dVTZMV4bdtCngeDikDNLqYUcW8lfa
5ZsQBceoCI6abj4PV35N7dHVATFudhrZmhY0epHt13xmRHUFTywOktu/TkOZM8HR
eU2TBtOsDF6N5SFunvAC
=s5yy
-----END PGP SIGNATURE-----
VAR-201710-1398 | CVE-2017-7085 | Apple iOS and Safari of Safari Component address bar spoofing vulnerability |
CVSS V2: 4.3 CVSS V3: 6.5 Severity: MEDIUM |
An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. The issue involves the "Safari" component. It allows remote attackers to spoof the address bar.
An attacker may exploit this issue to spoof the originating URL of a trusted web site. This may allow a remote attacker to carry out phishing-style attacks.
Versions prior to Safari 11 and iOS 11 are vulnerable. Apple iOS is an operating system developed for mobile devices; Safari is a web browser that is the default browser included with Mac OS X and iOS operating systems.
Installation note:
Safari 11 may be obtained from the Mac App Store.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-09-25-4
Additional information for APPLE-SA-2017-09-19-1 iOS 11
iOS 11 addresses the following:
Bluetooth
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An application may be able to access restricted files
Description: A privacy issue existed in the handling of Contact
cards. This was addressed with improved state management.
CVE-2017-7131: Dominik Conrads of Federal Office for Information
Security, an anonymous researcher, Elvis (@elvisimprsntr), an
anonymous researcher
Entry added September 25, 2017
CFNetwork Proxies
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.
Entry added September 25, 2017
CoreAudio
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus
version 1.1.4.
CVE-2017-0381: V.E.O (@VYSEa) of Mobile Threat Research Team, Trend
Micro
Entry added September 25, 2017
Exchange ActiveSync
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An attacker in a privileged network position may be able to
erase a device during Exchange account setup
Description: A validation issue existed in AutoDiscover V1. This was
addressed by requiring TLS for AutoDiscover V1. AutoDiscover V2 is
now supported.
CVE-2017-7088: Ilya Nesterov, Maxim Goncharov
Heimdal
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An attacker in a privileged network position may be able to
impersonate a service
Description: A validation issue existed in the handling of the KDC-
REP service name. This issue was addressed through improved
validation.
CVE-2017-11103: Jeffrey Altman, Viktor Duchovni, and Nico Williams
Entry added September 25, 2017
iBooks
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Parsing a maliciously crafted iBooks file may lead to a
persistent denial-of-service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7072: Jędrzej Krysztofiak
Entry added September 25, 2017
Kernel
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7114: Alex Plaskett of MWR InfoSecurity
Entry added September 25, 2017
Keyboard Suggestions
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Keyboard autocorrect suggestions may reveal sensitive
information
Description: The iOS keyboard was inadvertently caching sensitive
information. This issue was addressed with improved heuristics.
CVE-2017-7140: an anonymous researcher
Entry added September 25, 2017
libc
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue in glob() was addressed
through an improved algorithm.
CVE-2017-7086: Russ Cox of Google
Entry added September 25, 2017
libc
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An application may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-1000373
Entry added September 25, 2017
libexpat
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Multiple issues in expat
Description: Multiple issues were addressed by updating to version
2.2.1
CVE-2016-9063
CVE-2017-9233
Entry added September 25, 2017
Location Framework
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An application may be able to read sensitive location
information
Description: A permissions issue existed in the handling of the
location variable. This was addressed with additional ownership
checks.
CVE-2017-7148: an anonymous researcher, an anonymous researcher
Entry added September 25, 2017
Mail Drafts
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An attacker with a privileged network position may be able to
intercept mail contents
Description: An encryption issue existed in the handling of mail
drafts. This issue was addressed with improved handling of mail
drafts meant to be sent encrypted.
CVE-2017-7078: an anonymous researcher, an anonymous researcher, an
anonymous researcher
Entry added September 25, 2017
Mail MessageUI
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: A memory corruption issue was addressed with improved
validation.
CVE-2017-7097: Xinshu Dong and Jun Hao Tan of Anquan Capital
Messages
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: A denial of service issue was addressed through improved
validation.
CVE-2017-7118: Kiki Jiang and Jason Tokoph
MobileBackup
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Backup may perform an unencrypted backup despite a
requirement to perform only encrypted backups
Description: A permissions issue existed. This issue was addressed
with improved permission validation.
CVE-2017-7133: Don Sparks of HackediOS.com
Phone
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: A screenshot of secure content may be taken when locking an
iOS device
Description: A timing issue existed in the handling of locking. This
issue was addressed by disabling screenshots while locking.
CVE-2017-7139: an anonymous researcher
Entry added September 25, 2017
Safari
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7085: xisigr of Tencent's Xuanwu Lab (tencent.com)
Security
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: A revoked certificate may be trusted
Description: A certificate validation issue existed in the handling
of revocation data. This issue was addressed through improved
validation.
CVE-2017-7080: an anonymous researcher, an anonymous researcher,
Sven Driemecker of adesso mobile solutions gmbh,
Rune Darrud (@theflyingcorpse) of Bærum kommune
Entry added September 25, 2017
Security
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: A malicious app may be able to track users between installs
Description: A permission checking issue existed in the handling of
an app's Keychain data. This issue was addressed with improved
permission checking.
CVE-2017-7146: an anonymous researcher
Entry added September 25, 2017
SQLite
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating to
version 3.19.3.
CVE-2017-10989: found by OSS-Fuzz
CVE-2017-7128: found by OSS-Fuzz
CVE-2017-7129: found by OSS-Fuzz
CVE-2017-7130: found by OSS-Fuzz
Entry added September 25, 2017
SQLite
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7127: an anonymous researcher
Entry added September 25, 2017
Time
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: "Setting Time Zone" may incorrectly indicate that it is using
location
Description: A permissions issue existed in the process that handles
time zone information. The issue was resolved by modifying
permissions.
CVE-2017-7145: an anonymous researcher
Entry added September 25, 2017
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-7081: Apple
Entry added September 25, 2017
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-7087: Apple
CVE-2017-7091: Wei Yuan of Baidu Security Lab working with Trend
Micro's Zero Day Initiative
CVE-2017-7092: Samuel Groß and Niklas Baumstark working with Trend
Micro's Zero Day Initiative, Qixun Zhao (@S0rryMybad) of Qihoo 360
Vulcan Team
CVE-2017-7093: Samuel Groß and Niklas Baumstark working with Trend
Micro's Zero Day Initiative
CVE-2017-7094: Tim Michaud (@TimGMichaud) of Leviathan Security Group
CVE-2017-7095: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University working with Trend Micro's Zero Day
Initiative
CVE-2017-7096: Wei Yuan of Baidu Security Lab
CVE-2017-7098: Felipe Freitas of Instituto Tecnológico de Aeronáutica
CVE-2017-7099: Apple
CVE-2017-7100: Masato Kinugawa and Mario Heiderich of Cure53
CVE-2017-7102: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University
CVE-2017-7104: likemeng of Baidu Security Lab
CVE-2017-7107: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University
CVE-2017-7111: likemeng of Baidu Security Lab (xlab.baidu.com)
working with Trend Micro's Zero Day Initiative
CVE-2017-7117: lokihardt of Google Project Zero
CVE-2017-7120: chenqin (ee|) of Ant-financial Light-Year Security
Lab
Entry added September 25, 2017
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of the parent-tab.
This issue was addressed with improved state management.
CVE-2017-7089: Anton Lopanitsyn of ONSEC, Frans Rosén of Detectify
Entry added September 25, 2017
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Cookies belonging to one origin may be sent to another origin
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed by no longer returning
cookies for custom URL schemes.
CVE-2017-7090: Apple
Entry added September 25, 2017
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com)
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: Application Cache policy may be unexpectedly applied.
CVE-2017-7109: avlidienbrunn
Entry added September 25, 2017
WebKit
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: A malicious website may be able to track users in Safari
private browsing mode
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed with improved restrictions.
CVE-2017-7144: an anonymous researcher
Entry added September 25, 2017
Wi-Fi
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An attacker within range may be able to execute arbitrary
code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-11120: Gal Beniamini of Google Project Zero
CVE-2017-11121: Gal Beniamini of Google Project Zero
Entry added September 25, 2017
Wi-Fi
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Malicious code executing on the Wi-Fi chip may be able to
execute arbitrary code with kernel privileges on the application
processor
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7103: Gal Beniamini of Google Project Zero
CVE-2017-7105: Gal Beniamini of Google Project Zero
CVE-2017-7108: Gal Beniamini of Google Project Zero
CVE-2017-7110: Gal Beniamini of Google Project Zero
CVE-2017-7112: Gal Beniamini of Google Project Zero
Wi-Fi
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Malicious code executing on the Wi-Fi chip may be able to
execute arbitrary code with kernel privileges on the application
processor
Description: Multiple race conditions were addressed through improved
validation.
CVE-2017-7115: Gal Beniamini of Google Project Zero
Wi-Fi
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Malicious code executing on the Wi-Fi chip may be able to
read restricted kernel memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-7116: Gal Beniamini of Google Project Zero
zlib
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version
1.2.11.
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843
Entry added September 25, 2017
Additional recognition
Security
We would like to acknowledge Abhinav Bansal of Zscaler, Inc.
for their assistance.
Webkit
We would like to acknowledge xisigr of Tencent's Xuanwu Lab
(tencent.com) for their assistance.
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "11".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
=s5yy
-----END PGP SIGNATURE-----
VAR-201710-1364 | CVE-2017-7116 | Multiple Apple products: Wi-Fi component vulnerability allowing kernel memory to be read |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. watchOS before 4 is affected. The issue involves the "Wi-Fi" component. It might allow remote attackers to read data from kernel memory locations via crafted Wi-Fi traffic. Apple iOS, WatchOS and tvOS are prone to multiple memory corruption and security-bypass vulnerabilities.
Attackers can exploit these issues to execute arbitrary code and perform unauthorized actions. Failed exploit attempts may result in a denial-of-service condition.
The following versions are affected:
Versions prior to Apple iOS 11
Versions prior to Apple watchOS 4
Versions prior to Apple tvOS 11. in the United States. Apple iOS is an operating system developed for mobile devices; tvOS is a smart TV operating system; watchOS is a smart watch operating system. A security vulnerability exists in the Wi-Fi component of several Apple products.
Apple: Information Leak when handling WLC_E_COUNTRY_CODE_CHANGED event packets
CVE-2017-7116
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe" driver is used in order to handle the PCIe interface and low-level communication protocols with the Wi-Fi SoC (also referred to as "dongle"). Similarly, the "AppleBCMWLANCore" driver handles the high-level protocols and the Wi-Fi configuration.
When the dongle wishes to notify the host OS of an event, it does so by encoding a special "packet" and transmitting it to the host. These packets have an ether type of 0x886C, and do not contain actual packet data, but rather encapsulate information about events which must be handled by the driver.
One of the supported event packets is the WLC_E_COUNTRY_CODE_CHANGED message, which notifies the host that the country code has been modified. On iOS, these events are handled by the "handleCountryCodeChangedEvent" function in the "AppleBCMWLANCore" driver. Each packet of this type starts with the common event message header (which is 48 bytes long), followed by the 3-character country code, delimited by a NUL.
Here is a snippet of "handleCountryCodeChangedEvent"'s high-level logic:
int64_t handleCountryCodeChangedEvent(void* this, uint8_t* event_packet) {
char* country_code = (char*)this + 3244;
char* alt_country_code = (char*)this + 3248;
strncpy(country_code, event_packet + 48, 3);
country_code[3] = '\0';
if ( strncmp(country_code, "XZ", strlen("XZ")) &&
strncmp(alt_country_code, country_code, 4)) {
strncpy(alt_country_code, country_code, 3);
alt_country_code[3] = '\0';
updateChannelSpecsAsync(this);
}
...
}
int64_t updateChannelSpecsAsync(void* this)
{
char request_buffer[0x1C2];
bzero(request_buffer, 0x1C2);
char* country_code = (char*)this + 3244;
strlcpy(request_buffer, country_code, 4);
return issueCommand(..., request_buffer, ...); //Getting the "chanspecs" IO-Var
...
}
As can be seen above, the function fails to verify that the length of the event message is sufficiently long (that is, larger than just the message header itself). As a result, an attacker controlling the dongle can send a WLC_E_COUNTRY_CODE_CHANGED event packet with no body payload. Doing so will cause the 3 bytes of the country code to be copied OOB (from event_packet + 48). As long as these bytes are not "XZ" or the previously stored country code ("alt_country_code"), "updateChannelSpecsAsync" will be called, causing the OOB data to be sent back to the dongle in the WLC_GET_VAR ioctl - thus leaking the bytes back to the dongle.
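The length check the report says is missing, shown on a small model of the handler. This is an added example, not Project Zero's or Apple's code: the driver object is replaced by a constructed host state, EVENT_HDR_LEN is the 48-byte common header and COUNTRY_CODE_LEN the 3-character code named above, and the build_event helper and scenario functions are assumptions made for the demonstration. The hardened handler refuses a header-only event before any byte past the header is touched, which is what keeps out-of-bounds bytes from ever reaching the chanspecs request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Project Zero's or Apple's code. It models the
 * WLC_E_COUNTRY_CODE_CHANGED handling described above with a constructed
 * host-side state instead of the driver object. EVENT_HDR_LEN is the
 * 48-byte common event header named in the report; COUNTRY_CODE_LEN is
 * the 3-character code. Everything else here is an assumption. */
#define EVENT_HDR_LEN    48
#define COUNTRY_CODE_LEN 3

struct host_state {
    char country_code[COUNTRY_CODE_LEN + 1];     /* stands in for this+3244 */
    char alt_country_code[COUNTRY_CODE_LEN + 1]; /* stands in for this+3248 */
    int  update_requested; /* set where updateChannelSpecsAsync would be called */
};

/* Hardened handler. The check the report says is missing: the packet must
 * be long enough to carry the header plus a whole country code before any
 * byte past the header is read. Returns 0 on success, -1 if rejected. */
int handle_country_code_changed(struct host_state *st,
                                const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < EVENT_HDR_LEN + COUNTRY_CODE_LEN)
        return -1; /* header-only or truncated event: touch nothing */

    const char *body = (const char *)pkt + EVENT_HDR_LEN;
    memcpy(st->country_code, body, COUNTRY_CODE_LEN);
    st->country_code[COUNTRY_CODE_LEN] = '\0';

    /* Same decision the original makes: skip "XZ" and unchanged codes. */
    if (strncmp(st->country_code, "XZ", 2) != 0 &&
        strncmp(st->alt_country_code, st->country_code, sizeof st->country_code) != 0) {
        memcpy(st->alt_country_code, st->country_code, sizeof st->country_code);
        st->update_requested = 1; /* the chanspecs request would go out here */
    }
    return 0;
}

/* Build a constructed event packet: a zeroed header followed by body_len
 * bytes of body. Returns the total packet length; buf must hold it. */
size_t build_event(uint8_t *buf, const char *body, size_t body_len)
{
    memset(buf, 0, EVENT_HDR_LEN);
    if (body_len)
        memcpy(buf + EVENT_HDR_LEN, body, body_len);
    return EVENT_HDR_LEN + body_len;
}

/* Scenario from the report: an event that carries only the header.
 * Returns 1 if the handler refused it and left the state untouched. */
int scenario_header_only(void)
{
    struct host_state st = {"", "", 0};
    uint8_t buf[EVENT_HDR_LEN + 8];
    size_t n = build_event(buf, NULL, 0);
    int rc = handle_country_code_changed(&st, buf, n);
    return rc == -1 && st.update_requested == 0 && st.country_code[0] == '\0';
}

/* Scenario: a well-formed event carrying "US". Returns 1 if it was
 * accepted, stored, and the channel-spec update was requested. */
int scenario_valid_code(void)
{
    struct host_state st = {"", "", 0};
    uint8_t buf[EVENT_HDR_LEN + 8];
    size_t n = build_event(buf, "US", 3); /* 'U', 'S', NUL */
    int rc = handle_country_code_changed(&st, buf, n);
    return rc == 0 && st.update_requested == 1 &&
           strcmp(st.country_code, "US") == 0 &&
           strcmp(st.alt_country_code, "US") == 0;
}

/* Scenario: the "XZ" code, which the handler accepts but must not act on. */
int scenario_xz_ignored(void)
{
    struct host_state st = {"", "", 0};
    uint8_t buf[EVENT_HDR_LEN + 8];
    size_t n = build_event(buf, "XZ", 3);
    int rc = handle_country_code_changed(&st, buf, n);
    return rc == 0 && st.update_requested == 0;
}

int main(void)
{
    printf("header-only rejected: %d\n", scenario_header_only());
    printf("valid code accepted:  %d\n", scenario_valid_code());
    printf("XZ not propagated:    %d\n", scenario_xz_ignored());
    return 0;
}
```

The point of the check is that every length assumption the original code makes implicitly (48-byte header, 3-byte code) becomes an explicit comparison against the length the transport actually delivered; a driver that receives event packets from a peripheral should treat that length as untrusted input in the same way as the packet contents.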
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: laginimaineb
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-09-25-5
Additional information for APPLE-SA-2017-09-20-2 watchOS 4
watchOS 4 addresses the following:
CFNetwork Proxies
Available for: All Apple Watch models
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.
Entry added September 25, 2017
CoreAudio
Available for: All Apple Watch models
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus
version 1.1.4.
CVE-2017-0381: V.E.O (@VYSEa) of Mobile Threat Research Team, Trend
Micro
Entry added September 25, 2017
Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7114: Alex Plaskett of MWR InfoSecurity
Entry added September 25, 2017
libc
Available for: All Apple Watch models
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue in glob() was addressed
through an improved algorithm.
CVE-2017-7086: Russ Cox of Google
Entry added September 25, 2017
libc
Available for: All Apple Watch models
Impact: An application may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-1000373
Entry added September 25, 2017
libexpat
Available for: All Apple Watch models
Impact: Multiple issues in expat
Description: Multiple issues were addressed by updating to version
2.2.1
CVE-2016-9063
CVE-2017-9233
Entry added September 25, 2017
Security
Available for: All Apple Watch models
Impact: A revoked certificate may be trusted
Description: A certificate validation issue existed in the handling
of revocation data. This issue was addressed through improved
validation.
CVE-2017-7080: an anonymous researcher, Sven Driemecker of adesso
mobile solutions gmbh, an anonymous researcher, Rune Darrud
(@theflyingcorpse) of Bærum kommune
Entry added September 25, 2017
SQLite
Available for: All Apple Watch models
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating to version
3.19.3.
CVE-2017-10989: found by OSS-Fuzz
CVE-2017-7128: found by OSS-Fuzz
CVE-2017-7129: found by OSS-Fuzz
CVE-2017-7130: found by OSS-Fuzz
Entry added September 25, 2017
SQLite
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7127: an anonymous researcher
Entry added September 25, 2017
Wi-Fi
Available for: All Apple Watch models
Impact: Malicious code executing on the Wi-Fi chip may be able to
execute arbitrary code with kernel privileges on the application
processor
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7103: Gal Beniamini of Google Project Zero
CVE-2017-7105: Gal Beniamini of Google Project Zero
CVE-2017-7108: Gal Beniamini of Google Project Zero
CVE-2017-7110: Gal Beniamini of Google Project Zero
CVE-2017-7112: Gal Beniamini of Google Project Zero
Wi-Fi
Available for: All Apple Watch models
Impact: Malicious code executing on the Wi-Fi chip may be able to
read restricted kernel memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-7116: Gal Beniamini of Google Project Zero
zlib
Available for: All Apple Watch models
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version
1.2.11.
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843
Entry added September 25, 2017
Additional recognition
Security
We would like to acknowledge Abhinav Bansal of Zscaler, Inc.
for their assistance.
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJZyUQgAAoJEIOj74w0bLRGqL0QAIfT73f98ConKBEM8SMpm/g/
CtIS26bKtiSIniKWXjj0CHRcnFT4FPos5md2yNhBOTWIgChGtulnORWSowWu2RtI
LVxqskUc97e6LLoTzFc8AM8q6b3Km2cx7C2iVNZWFrLO/JeDHfC8x2pMCgAT8Bx4
Q5FbDIGwD5+w+UYHgIVytqEPvt29OEwOBi41/f78Bvqj1oMf5+EQGjMFU+pECWGg
zDucvK0iirv+5k5YcovpiQlaqx0QBPTMcaZJQLDY3t6k2RpdJZr5M7xd4Oanu0l1
E2blAl4CWN8zSQkdUfMdlamXYWwOvyv4b9iKb0+sKeLWHpWbaQ/LmOHuPHjvFgRq
YWE72P3l5IVWSPZfgsUvD+70uHAobv70MB5O+TQnbLCemnwqq19psez8PMYR2fTF
OfV0Dr6mpsa2GAVexNesEodlLz5a7kdjiBEAIUujJZzL8bVGdHjNll2qxHZCwlUW
mWrxqot2QnymQ7Ycs1mGxg/97snO1eGT44BjVpQ47COSzI+YBhg2lLP15sGdRbF5
viCWhLkJGNBUN7naV/Jsj8sJNW0RBC1tkEz9cfRBLkU7ObtkJCORTwnmiz0jNzQf
gvtVsBC+nBAlJA40Do1lB8rQw1yyizcUmckDywcJg7MatkwIymdgashIR/LVeBHR
39wnv7L2yjedzyd+/y5E
=ACi9
-----END PGP SIGNATURE-----
VAR-201710-1363 | CVE-2017-7115 | Apple iOS and tvOS Wi-Fi component vulnerable to arbitrary code execution in a privileged context |
CVSS V2: 9.3 CVSS V3: 8.1 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. The issue involves the "Wi-Fi" component. It might allow remote attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via crafted Wi-Fi traffic that leverages a race condition. Apple iOS and tvOS are prone to an arbitrary code-execution vulnerability.
An attacker can leverage this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Versions prior to Apple tvOS 11 and iOS 11 are vulnerable. in the United States. tvOS is a smart TV operating system.
Apple: Multiple Race Conditions in PCIe Message Ring protocol leading to OOB Write and OOB Read
CVE-2017-7115
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe" driver is used in order to handle the PCIe interface and low-level communication protocols with the Wi-Fi SoC (also referred to as "dongle"). Similarly, the "AppleBCMWLANCore" driver handles the high-level protocols and the Wi-Fi configuration.
The host and dongle communicate with one another using a set of "message rings". Two message rings (distinct from the "flow rings") are used to transfer data from the host to the dongle (H2D):
-H2D_MSGRING_CONTROL_SUBMIT (Ring #0)
-H2D_MSGRING_RXPOST_SUBMIT (Ring #1)
When the host wishes to notify the dongle of an event (such as submitting an IO-Control request or posting an address into which an RX frame may be written), it does so by writing a small structure to the appropriate message ring buffer at the current write index. Similarly, when reading events from any of the completion rings (D2H), the host uses the read index for the current ring in order to access the posted message buffer by the dongle within the ring. Each ring has a corresponding fixed "item size" which is set during the ring's initialisation -- individual items' addresses within the ring can therefore be calculated like so: "ring_base + ring_index * item_size".
As the Wi-Fi dongle is connected to the host over PCIe, it is able to issue IO requests to the Root Complex. To prevent a malicious dongle from overwriting arbitrary physical memory and subverting the host OS, some isolation is needed between the device-visible IO-Space and the host's physical address space. This is facilitated on iOS by using an IOMMU called the "Device Address Resolution Table" (DART).
On iOS, the read and write indices for each of the rings (H2D and D2H) are synchronised between the peers by mapping them into IO-Space -- this way, each side of the communication can freely access the R/W indices for each ring and know where the next buffers are going to be posted (either by itself or by its peer). These IO-Space addresses are submitted by the AppleBCMWLANBusInterfacePCIe driver into the PCIe shared structure at the end of the Wi-Fi chip's RAM by writing directly into the chip's TCM. Indeed, we can dump the structure's contents and see the IO-Space addresses for each of these buffers:
Dumping ring_info
-----------------------------------------
h2d_w_idx_ptr: 0x0020249C
h2d_r_idx_ptr: 0x00202548
d2h_w_idx_ptr: 0x002025F4
d2h_r_idx_ptr: 0x00202604
-> h2d_w_idx_hostaddr: 0x80538000
-> h2d_r_idx_hostaddr: 0x80530000
-> d2h_w_idx_hostaddr: 0x80548000
-> d2h_r_idx_hostaddr: 0x80540000
By installing a hook on the DMA function in the Wi-Fi chip, we can verify that indeed these buffers are not only readable in IO-Space, they are also *writable* (including the H2D indices!). Here's a snippet (from the chip's console) in which we installed such a hook in order to DMA into the "h2d_w_idx_ptr" buffer:
Before: 00 00 00 00 00 00 00 00
After : 48 BF 6B 4B 50 34 4A BF
^---------------^
Wi-Fi MAC
When a PCIe MSI interrupt occurs, the AppleBCMWLANBusInterfacePCIe driver first handles the interrupt and checks which operations should be performed (by reading the MailBox register). If an interrupt signalling an event's completion arrives, the pending messages in each D2H ring are processed by calling AppleBCMWLANPCIeCompletionRing::signalWorkAvailable(). This, in turn, calls a virtual function in the ring instance (at offset 0x138). The handled function reads the events at the current "read index" and subsequently handles them by invoking the registered callback function for the given ring (e.g., "drainControlCompleteRing" for the D2H_MSGRING_CONTROL_COMPLETE ring). Here is a short snippet of the approximate high-level logic of the virtual function that iterates over each pending buffer:
int64_t AppleBCMWLANPCIeCompletionRing_iterateAndCallCompletionCallbacks(void* this) {
...
do {
uint8_t* ring_base = *(uint8_t**) ((uint64_t)this + 216);
int32_t item_size = *(int32_t*) ((uint64_t)this + 92);
(1) uint32_t read_index = **(uint32_t**)((uint64_t)this + 144);
uint8_t* next_buffer = ring_base + item_size * read_index;
(2) uint64_t num_events = calculateNumberOfReadEventsToDrain(this);
//Call the registered callback
callback_t cb = *(callback_t*)(this + 24);
uint32_t events_handled = cb(this, next_buffer, ..., num_events);
read_index += events_handled;
uint32_t max_ring_index = *(uint32_t*)(this + 88);
if (read_index >= max_ring_index)
read_index = 0;
...
}
while (hasMoreEvents(this));
...
}
uint64_t calculateNumberOfReadEventsToDrain(void* this) {
//AppleBCMWLANPCIeCompletionRing::getReadIndex()
uint64_t (*getReadIndex)(void*) = (uint64_t (*) (void*))(*(uint64_t*)this + 0x120);
uint64_t read_index = getReadIndex(this);
...
return read_index - last_index;
}
uint64_t AppleBCMWLANPCIeCompletionRing__getReadIndex(void* this) {
uint32_t read_index = **(uint32_t**)((uint64_t)this + 144);
if (read_index >= 0x10000)
panic(...);
return read_index;
}
Similarly, when data need to be written into the submission rings, the corresponding AppleBCMWLANPCIeSubmissionRing instance's work loop function is invoked (virtual function @ offset 0x138). Here is the approximate high-level logic for this function:
uint64_t AppleBCMWLANPCIeSubmissionRing_iterateAndCallSubmissionCallbacks(void* this) {
...
(3) uint32_t write_index = **(uint32_t**)((uint64_t)this + 184);
(4) while (hasMoreEvents(this)) {
uint8_t* ring_base = *(uint8_t**) ((uint64_t)this + 248);
int32_t item_size = *(int32_t*) ((uint64_t)this + 92);
uint8_t* next_buffer = ring_base + item_size * write_index;
(5) uint64_t num_events = calculateNumberOfWriteEvents(this);
//Call the registered callback
callback_t cb = *(callback_t*)(this + 112);
uint32_t num_written = cb(this, next_buffer, ..., num_events);
if (!num_written)
break;
write_index += num_written;
uint32_t max_ring_index = *(uint32_t*)(this + 88);
if ( write_index >= max_ring_index)
write_index = 0;
**(uint32_t**)((uint64_t)this + 184) = write_index;
}
...
}
uint64_t calculateNumberOfWriteEvents(void* this) {
//AppleBCMWLANPCIeSubmissionRing::getIndices()
void (*getIndices)(void*, uint64_t*, uint64_t*) =
(uint64_t (*) (void*, uint64_t*, uint64_t*))(*(uint64_t*)this + 0x128);
uint64_t read_index, write_index;
getIndices(this, &read_index, &write_index);
...
}
void AppleBCMWLANPCIeSubmissionRing__getIndices(void* this, uint64_t* rindex, uint64_t* windex) {
uint32_t read_index = **(uint32_t**)((uint64_t)this + 176);
uint32_t write_index = **(uint32_t**)((uint64_t)this + 184);
if (read_index >= 0x10000 || write_index >= 0x10000)
panic(...);
*rindex = read_index;
*windex = write_index;
}
Note that in both the snippets above, the pointers to the "read_index" and "write_index" are both pointers to the same memory addresses which were mapped into IO-Space earlier and submitted to the dongle. As such, the dongle can freely DMA into these addresses and modify their contents. Following the logic of the two snippets above, we can see that a malicious dongle can therefore trigger several race conditions by modifying the indices' values:
1. The dongle can trigger OOB writes to offsets not larger than 0xFFFF * item_size, by executing the following attack:
a. Host calls AppleBCMWLANPCIeSubmissionRing_iterateAndCallSubmissionCallbacks on ring #n
b. Dongle DMA-s into ring #n's write index, setting a value <= 0x10000
c. Host reaches (3) and reads the malicious write index
d. Dongle DMA-s into ring #n's write index, restoring the original write index
e. Host reaches (4), calls hasMoreEvents() and succeeds since the index is now valid
f. Host reaches (5), calculates the correct number of events to process, and calls the callback
g. The callback writes arbitrary data into the attacker-controlled offset, triggering an OOB write
2. Similarly, by DMA-ing into a ring's read index for any of the completion rings, the dongle may cause the host to read a completion event OOB.
3. The dongle can also cause OOB writes to an offset larger than 0xFFFF * item_size, by executing the same attack as described in (1). However, if the dongle fails to restore the write index before the bounds checks in AppleBCMWLANPCIeSubmissionRing::getIndices, this will result in a panic and reboot the device.
4. Similarly, by DMA-ing into a ring's read index for any of the completion rings, the dongle may cause the host to read a completion event OOB at an offset larger than 0xFFFF * item_size
One possibility to exploit this vulnerability would be to trigger an OOB write from a ring into the DART's translation tables, thus effectively adding mappings to the chip's IO-Space. If the attacker can add the DART's translation table itself to the DART mapping, they can then freely add memory mappings, allowing for arbitrary R/W into the kernel's physical address space.
Indeed, by locating the DART's translation table and reverse engineering it, we can find the location of the DART's descriptors in relation to the ring base addresses. In one execution, dumping the addresses for the DART descriptors and the ring base addresses resulted in the following output:
Ring #0 - Base: 0xFFFFFFE00380D000
Ring #1 - Base: 0xFFFFFFE0B0DE8000
Ring #2 - Base: 0xFFFFFFE0B0DEC000
Ring #3 - Base: 0xFFFFFFE0B0CC4000
Ring #4 - Base: 0xFFFFFFE0B0CD0000
DART:
First Level Descriptor: 0xFFFFFFE02BB4000
Second Level Descriptor: 0xFFFFFFE0B0CD4000
...
As we can see above, the DART's second level descriptor is comfortably placed within range of ring #0 (H2D_MSGRING_CONTROL_SUBMIT) -- allowing an attacker to add entries to the DART's mapping. Moreover, even if the Wi-Fi chip or driver encounters an error and the chip is reset, the added mappings in the DART are not cleared (!).
Suggested Mitigations:
1. The indices can never be larger than 16 bits. As such, there's no reason to introduce possible mistakes when handling values larger than that. This can be mitigated by changing the index types to 16-bit wide types instead of 32-bit ones.
2. There's no reason to map the H2D indices as writable:
2.1. If DART supports read-only mappings, I suggest the indices be mapped as such.
2.2. Otherwise, the index should only be read from the shared region *once* on each iteration, instead of re-reading it in several "helper" functions.
3. The indices in both the submission and completion rings should be verified against the ring's maximal index (this+88) and not against the maximal possible value (0xFFFF).
4. Clear all DART mappings when the chip is reset.
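The check-once-and-bound pattern behind mitigations 2.2 and 3, as an added example in C that is not part of the bug report or of Apple's driver. The ring model, its field names and the dongle_hook_t stand-in for a DMA write landing between two host reads are this example's assumptions; it contrasts re-reading the shared index and comparing it with 0xFFFF against taking one snapshot per iteration and validating it against the ring's own capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one host-to-device submission ring; the field names are
   this example's, not Apple's object layout. */
typedef struct {
    uint32_t item_size;                     /* bytes per ring entry */
    uint32_t max_ring_index;                /* the ring's own capacity (this+88 in the report) */
    volatile uint32_t *shared_write_index;  /* host memory mapped into IO-Space: the dongle can DMA into it */
} ring_t;

/* Stand-in for a dongle DMA write that lands between two host reads of the index. */
typedef void (*dongle_hook_t)(ring_t *r);

/* Weak pattern from the report: the index is read once to compute the slot address
   and re-read by a helper for the bounds check, which compares against 0xFFFF rather
   than the ring's capacity. Returns the byte offset the callback would write to,
   or -1 when the helper's check fails (a panic in the real driver). */
static int64_t weak_locate_slot(ring_t *r, dongle_hook_t dongle)
{
    uint32_t idx_used = *r->shared_write_index;     /* read #1, step (3) in the report */
    if (dongle) dongle(r);                          /* the dongle's second DMA write lands here */
    uint32_t idx_checked = *r->shared_write_index;  /* read #2, inside getIndices() */
    if (idx_checked >= 0x10000) return -1;
    return (int64_t)r->item_size * idx_used;        /* idx_used itself was never checked */
}

/* Hardened pattern (mitigations 2.2 and 3): one snapshot per iteration, validated
   against the ring's own maximal index. A later DMA write cannot change idx. */
static int64_t hardened_locate_slot(ring_t *r, dongle_hook_t dongle)
{
    uint32_t idx = *r->shared_write_index;          /* the only read this iteration */
    if (dongle) dongle(r);
    if (idx >= r->max_ring_index) return -1;
    return (int64_t)r->item_size * idx;
}

/* Scenario (1) from the report: the shared index holds a bogus value when the host
   first reads it and is restored before the host's bounds check runs. */
static uint32_t g_restore_to;
static void restore_index(ring_t *r) { *r->shared_write_index = g_restore_to; }

int main(void)
{
    uint32_t shared = 0;
    ring_t ring = { .item_size = 64, .max_ring_index = 32, .shared_write_index = &shared };
    int64_t ring_bytes = (int64_t)ring.item_size * ring.max_ring_index;   /* 2048 */

    struct { const char *name; uint32_t first_read; uint32_t restored; } cases[] = {
        { "honest index",                       5,       5 },
        { "index < 0x10000, beyond ring",       0x8000,  0x8000 },
        { "index >= 0x10000, restored in time", 0x20000, 5 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        g_restore_to = cases[i].restored;
        shared = cases[i].first_read;
        int64_t w = weak_locate_slot(&ring, restore_index);
        shared = cases[i].first_read;
        int64_t h = hardened_locate_slot(&ring, restore_index);
        printf("%-36s weak=%lld%s hardened=%lld\n", cases[i].name,
               (long long)w, (w >= ring_bytes) ? " (outside the ring)" : "",
               (long long)h);
    }
    return 0;
}
```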
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: laginimaineb
CVE-2017-7103: Gal Beniamini of Google Project Zero
CVE-2017-7105: Gal Beniamini of Google Project Zero
CVE-2017-7108: Gal Beniamini of Google Project Zero
CVE-2017-7110: Gal Beniamini of Google Project Zero
CVE-2017-7112: Gal Beniamini of Google Project Zero
Wi-Fi
Available for: Apple TV (4th generation)
Impact: Malicious code executing on the Wi-Fi chip may be able to
execute arbitrary code with kernel privileges on the application
processor
Description: Multiple race conditions were addressed through improved
validation.
CVE-2017-7115: Gal Beniamini of Google Project Zero
Wi-Fi
Available for: Apple TV (4th generation)
Impact: Malicious code executing on the Wi-Fi chip may be able to
read restricted kernel memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-7116: Gal Beniamini of Google Project Zero
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software."
To check the current version of software, select
"Settings -> General -> About."
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
VAR-201710-1361 | CVE-2017-7112 | plural Apple Product Wi-Fi Vulnerability in component execution of arbitrary code in privileged context |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. watchOS before 4 is affected. The issue involves the "Wi-Fi" component. It might allow remote attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via crafted Wi-Fi traffic. Apple iOS, WatchOS and tvOS are prone to multiple memory corruption and security-bypass vulnerabilities.
Attackers can exploit these issues to execute arbitrary code and perform unauthorized actions. Failed exploit attempts may result in a denial-of-service condition.
The following versions are affected:
Versions prior to Apple iOS 11
Versions prior to Apple watchOS 4
Versions prior to Apple tvOS 11.
Apple: OOB NUL byte write when handling WLC_E_TRACE event packets
CVE-2017-7112
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe" driver is used in order to handle the PCIe interface and low-level communication protocols with the Wi-Fi SoC (also referred to as "dongle"). Similarly, the "AppleBCMWLANCore" driver handles the high-level protocols and the Wi-Fi configuration.
When the dongle wishes to notify the host OS of an event, it does so by encoding a special "packet" and transmitting it to the host. These packets have an ether type of 0x886C, and do not contain actual packet data, but rather encapsulate information about events which must be handled by the driver.
One of the supported event packets is the WLC_E_TRACE message, containing a trace sent from the firmware which may be logged or stored by the host. On iOS, these events are handled by the "handleTraceEvent" function in the "AppleBCMWLANCore" driver. Each packet of this type starts with the common event message header (which is 48 bytes long), followed by the message-trace header:
struct msgtrace_hdr {
uint8 version;
uint8 trace_type;
uint16 len;
uint32 seqnum;
uint32 discarded_bytes;
uint32 discarded_printf;
};
Here is a snippet of "handleTraceEvent"'s high-level logic:
int64_t handleTraceEvent(void* this, uint8_t* event_packet) {
struct msgtrace_hdr hdr;
memmove(&hdr, event_packet + 48, sizeof(struct msgtrace_hdr));
if (hdr.version == 1) {
...
//Is this a MSGTRACE_HDR_TYPE_MSG trace?
if (hdr.trace_type == 0) {
event_packet[htons(hdr.len) + 64] = 0;
...
}
...
}
}
As can be seen above, for messages of type 0 no attempt is made to validate the "len" field in the msgtrace header before using it as an index into the event packet. As a result, an attacker controlling the firmware can craft a WLC_E_TRACE event packet with a large msgtrace length field, causing an OOB NUL byte to be written at the attacker-controlled 16-bit offset.
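A bounds-checked version of the trace handler, added here as an example (not Apple's code): it keeps the report's layout (48-byte event header, then msgtrace_hdr, so the trace payload starts at offset 64) and refuses to place the terminator unless offset 64 + len lies inside the received packet. build_trace_packet and the sample packets are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout from the report: a 48-byte common event header, then the msgtrace header. */
#define EVENT_HDR_LEN 48u
struct msgtrace_hdr {
    uint8_t  version;
    uint8_t  trace_type;
    uint16_t len;               /* big-endian on the wire */
    uint32_t seqnum;
    uint32_t discarded_bytes;
    uint32_t discarded_printf;
};
/* 48 + 16 = 64: the constant the snippet adds to the length field. */
#define TRACE_PAYLOAD_OFF (EVENT_HDR_LEN + sizeof(struct msgtrace_hdr))

/* Where the unpatched snippet puts the NUL for a given (host-order) len field.
   Returned without writing anything, so it can be compared with the packet size. */
static size_t unchecked_nul_offset(uint16_t len)
{
    return TRACE_PAYLOAD_OFF + len;
}

/* Hardened handler (constructed for this example): validates that the terminator lands
   inside the received packet before writing it. Returns the offset written, or -1 if
   the packet is rejected. */
static long handle_trace_event_checked(uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < TRACE_PAYLOAD_OFF)
        return -1;                                  /* too short to hold both headers */
    struct msgtrace_hdr hdr;
    memcpy(&hdr, pkt + EVENT_HDR_LEN, sizeof hdr);
    if (hdr.version != 1 || hdr.trace_type != 0)    /* only MSGTRACE_HDR_TYPE_MSG is handled here */
        return -1;
    /* hdr.len is big-endian, as the snippet's htons() implies; decode it by hand. */
    size_t len = ((size_t)pkt[EVENT_HDR_LEN + 2] << 8) | pkt[EVENT_HDR_LEN + 3];
    /* The NUL goes at TRACE_PAYLOAD_OFF + len, so that index must be below pkt_len. */
    if (len >= pkt_len - TRACE_PAYLOAD_OFF)
        return -1;
    pkt[TRACE_PAYLOAD_OFF + len] = 0;
    return (long)(TRACE_PAYLOAD_OFF + len);
}

/* Builds a constructed WLC_E_TRACE-style packet in buf: zeroed event header, msgtrace
   header carrying len_field, then payload_len bytes of 'A'. Returns the packet size,
   or 0 if it does not fit in cap. */
static size_t build_trace_packet(uint8_t *buf, size_t cap, uint16_t len_field, size_t payload_len)
{
    size_t total = TRACE_PAYLOAD_OFF + payload_len;
    if (total > cap) return 0;
    memset(buf, 0, TRACE_PAYLOAD_OFF);
    buf[EVENT_HDR_LEN] = 1;                         /* version */
    buf[EVENT_HDR_LEN + 1] = 0;                     /* trace_type: MSGTRACE_HDR_TYPE_MSG */
    buf[EVENT_HDR_LEN + 2] = (uint8_t)(len_field >> 8);
    buf[EVENT_HDR_LEN + 3] = (uint8_t)(len_field & 0xFF);
    memset(buf + TRACE_PAYLOAD_OFF, 'A', payload_len);
    return total;
}

int main(void)
{
    uint8_t pkt[128];
    /* Well-formed: 20 payload bytes, len says 19, so the NUL replaces the last byte. */
    size_t n = build_trace_packet(pkt, sizeof pkt, 19, 20);
    printf("len=19, payload=20: NUL written at offset %ld\n", handle_trace_event_checked(pkt, n));
    /* Firmware-chosen len of 0xFFFF: the snippet would write 65535 bytes past offset 64. */
    n = build_trace_packet(pkt, sizeof pkt, 0xFFFF, 20);
    printf("len=0xFFFF: unchecked offset=%zu, checked result=%ld\n",
           unchecked_nul_offset(0xFFFF), handle_trace_event_checked(pkt, n));
    return 0;
}
```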
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: laginimaineb
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-09-25-5
Additional information for APPLE-SA-2017-09-20-2 watchOS 4
watchOS 4 addresses the following:
CFNetwork Proxies
Available for: All Apple Watch models
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.
Entry added September 25, 2017
CoreAudio
Available for: All Apple Watch models
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus
version 1.1.4.
CVE-2017-0381: V.E.O (@VYSEa) of Mobile Threat Research Team, Trend
Micro
Entry added September 25, 2017
Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7114: Alex Plaskett of MWR InfoSecurity
Entry added September 25, 2017
libc
Available for: All Apple Watch models
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue in glob() was addressed
through an improved algorithm.
CVE-2017-7086: Russ Cox of Google
Entry added September 25, 2017
libc
Available for: All Apple Watch models
Impact: An application may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-1000373
Entry added September 25, 2017
libexpat
Available for: All Apple Watch models
Impact: Multiple issues in expat
Description: Multiple issues were addressed by updating to version
2.2.1
CVE-2016-9063
CVE-2017-9233
Entry added September 25, 2017
Security
Available for: All Apple Watch models
Impact: A revoked certificate may be trusted
Description: A certificate validation issue existed in the handling
of revocation data. This issue was addressed through improved
validation.
CVE-2017-7080: an anonymous researcher, Sven Driemecker of adesso
mobile solutions gmbh, an anonymous researcher, Rune Darrud
(@theflyingcorpse) of Bærum kommune
Entry added September 25, 2017
SQLite
Available for: All Apple Watch models
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating to version
3.19.3.
CVE-2017-10989: found by OSS-Fuzz
CVE-2017-7128: found by OSS-Fuzz
CVE-2017-7129: found by OSS-Fuzz
CVE-2017-7130: found by OSS-Fuzz
Entry added September 25, 2017
SQLite
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7103: Gal Beniamini of Google Project Zero
CVE-2017-7105: Gal Beniamini of Google Project Zero
CVE-2017-7108: Gal Beniamini of Google Project Zero
CVE-2017-7110: Gal Beniamini of Google Project Zero
CVE-2017-7112: Gal Beniamini of Google Project Zero
Wi-Fi
Available for: All Apple Watch models
Impact: Malicious code executing on the Wi-Fi chip may be able to
read restricted kernel memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-7116: Gal Beniamini of Google Project Zero
zlib
Available for: All Apple Watch models
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version
1.2.11.
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843
Entry added September 25, 2017
Additional recognition
Security
We would like to acknowledge Abhinav Bansal of Zscaler, Inc.
for their assistance.
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
VAR-201710-1359 | CVE-2017-7110 | plural Apple Product Wi-Fi Component vulnerable to arbitrary code execution in privileged context |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. watchOS before 4 is affected. The issue involves the "Wi-Fi" component. It might allow remote attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via crafted Wi-Fi traffic. Apple iOS, WatchOS and tvOS are prone to multiple memory corruption and security-bypass vulnerabilities.
Attackers can exploit these issues to execute arbitrary code and perform unauthorized actions. Failed exploit attempts may result in a denial-of-service condition.
The following versions are affected:
Versions prior to Apple iOS 11
Versions prior to Apple watchOS 4
Versions prior to Apple tvOS 11.
Apple: Heap overflow and information disclosure in "setVendorIE" when handling ioctl results
CVE-2017-7110
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe" driver is used in order to handle the PCIe interface and low-level communication protocols with the Wi-Fi SoC (also referred to as "dongle"). Similarly, the "AppleBCMWLANCore" driver handles the high-level protocols and the Wi-Fi configuration.
Along with the regular flow of frames transferred between the host and the dongle, the two communicate with one another via a set of "ioctls" which can be issued to read or write dongle configuration from the host. This information is exchanged using the "Control Completion" ring, rather than the regular "RX" ring.
When handling certain events such as setting up an access-point, the Wi-Fi chip must be configured to broadcast new information elements for the created network. This is achieved by calling the "setVendorIE" function, which supplies the firmware with a new vendor-specified information element.
Before the information element can be added, the driver must first ensure that no previous IE with the same tag and data has already been configured. This is done by querying the Wi-Fi chip for the current list of Vendor IEs. Each IE's tag and contents are compared to the newly provided IE -- if a match is found, the function issues an additional ioctl to the Wi-Fi chip in order to request that the previous IE be deleted.
The list of IEs returned by the Wi-Fi firmware starts with a 32-bit "count" field, indicating the number of IEs in the list. Each IE is a TLV, where the "tag" and the "length" are both 8-bits fields. Here is a snippet of the approximate high-level code for "setVendorIE":
uint64_t setVendorIE(void* this, void* new_ie) {
...
//Extracting some information about the new IE
uint8_t* new_ie_buffer = *((uint8_t**)new_ie + 3);
uint32_t new_ie_length = *((uint32_t*)new_ie + 4);
uint8_t new_ie_tag = new_ie_buffer[0];
...
//Reading the Vendor IE list from the firmware - the IOVar is "vndr_ie"
uint8_t* vendor_ie_list = (uint8_t*)IOMalloc(...);
uint64_t res = issueCommand(..., &vendor_ie_list, ...);
//Searching for a matching IE
uint32_t count = *((uint32_t*)vendor_ie_list);
uint8_t* current_ie = vendor_ie_list + sizeof(uint32_t);
if (count >= 1) {
for (uint32_t i=0; i<count; i++, current_ie += 4) {
//Is this a matching IE?
if (current_ie[8] == new_ie_tag &&
new_ie_length != 1 &&
!bcmp(new_ie_buffer + 1, current_ie + 10, new_ie_length-1)) { //compare the new IE's data (after its tag) with the current IE's data
//Found a match! Ask the firmware to delete the old IE
void* ie_buffer = IOMalloc(new_ie_length + 13);
strlcpy(ie_buffer, "del", 4);
*(uint32_t*)(ie_buffer + 4) = 1;
ovbcopy(current_ie + 4, ie_buffer + 8, current_ie[9] + 6);
issueCommand(...); //Send the deletion request
...
}
}
...
}
...
}
As can be seen above, "setVendorIE" fails to verify both the "count" field in the returned IE list, and the length of each individual IE. As a result, an attacker controlling the firmware may choose arbitrarily large values for these fields.
For example, an attacker controlling the firmware could return a list containing an IE with the same tag and payload bytes as the IE being set, but with a large length field (larger than the previous IE's length + 13). Doing so will cause the match above to succeed (as it only compares the contents up to the new IE's length), but will then trigger the "ovbcopy" using the attacker-controlled IE length (current_ie[9] + 6), thus overflowing the heap-allocated buffer (ie_buffer).
Alternately, an attacker may choose to supply a large "count" field. Doing so will cause the loop above to read data past the end of the buffer containing the ioctl's results. If, at any point, a sequence of bytes matching the new vendor IE is encountered, the matching conditions above will be satisfied. An attacker can use this as an "oracle" to leak information from the host by spraying sequences containing the vendor IE's contents and slowly incrementing the "count" field. When a match occurs, the driver will issue the deletion ioctl to the firmware, allowing the firmware to deduce that a match occurred at the current offset.
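A walker over the vndr_ie result that trusts neither the count nor the per-IE length, added here as an example (not Apple's setVendorIE). The entry layout (a 32-bit flag word, an 8-bit tag, an 8-bit length, then the data) and the append_ie helper are this example's assumptions; the point is that every read is bounded by the buffer actually received, that a match requires equal lengths rather than a shared prefix, and that the deletion buffer is sized from a validated length instead of from current_ie[9].

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for the "vndr_ie" ioctl result, following the report's description:
   a 32-bit count, then one entry per IE. The per-entry layout (32-bit flag word, 8-bit tag,
   8-bit length, then that many data bytes) is this example's assumption. */
#define IE_ENTRY_HDR 6u

enum ie_status { IE_MATCH, IE_NO_MATCH, IE_MALFORMED };

/* Appends one entry to a list being built at offset off; returns the new offset, or 0 if
   it does not fit. Used only to construct the sample lists below. */
static size_t append_ie(uint8_t *buf, size_t cap, size_t off, uint32_t flag,
                        uint8_t tag, const uint8_t *data, uint8_t len)
{
    if (off > cap || cap - off < IE_ENTRY_HDR + len) return 0;
    memcpy(buf + off, &flag, 4);
    buf[off + 4] = tag;
    buf[off + 5] = len;
    memcpy(buf + off + IE_ENTRY_HDR, data, len);
    return off + IE_ENTRY_HDR + len;
}

/* Walks the firmware-supplied list without trusting count or any per-IE length: each read
   is bounded by buf_len before it happens. new_ie is the tag byte followed by new_ie_len-1
   data bytes, as in the report. On a match, *match_off is the entry's offset and *copy_len
   the validated number of bytes a deletion request would need. */
static enum ie_status find_matching_ie(const uint8_t *buf, size_t buf_len,
                                       const uint8_t *new_ie, size_t new_ie_len,
                                       size_t *match_off, size_t *copy_len)
{
    if (buf_len < 4 || new_ie_len < 1 || new_ie_len > 256) return IE_MALFORMED;
    uint32_t count;
    memcpy(&count, buf, 4);
    /* Every entry occupies at least IE_ENTRY_HDR bytes, which bounds any sane count. */
    if (count > (buf_len - 4) / IE_ENTRY_HDR) return IE_MALFORMED;
    size_t off = 4;
    for (uint32_t i = 0; i < count; i++) {
        if (buf_len - off < IE_ENTRY_HDR) return IE_MALFORMED;
        uint8_t tag = buf[off + 4], len = buf[off + 5];
        if (buf_len - off - IE_ENTRY_HDR < len) return IE_MALFORMED;  /* IE claims bytes it does not have */
        /* Tag and full length must agree before the payloads are compared, so a longer
           firmware IE cannot match the new one on a shared prefix. */
        if (tag == new_ie[0] && len == new_ie_len - 1 &&
            memcmp(buf + off + IE_ENTRY_HDR, new_ie + 1, len) == 0) {
            *match_off = off;
            *copy_len = IE_ENTRY_HDR + len;
            return IE_MATCH;
        }
        off += IE_ENTRY_HDR + len;
    }
    return IE_NO_MATCH;
}

static const char *status_name(enum ie_status s)
{
    return s == IE_MATCH ? "match" : s == IE_NO_MATCH ? "no match" : "malformed (rejected)";
}

int main(void)
{
    /* Constructed sample data: two benign IEs, the second equal to the IE being set. */
    const uint8_t d0[] = { 0x00, 0x11, 0x22, 'A', 'B' };
    const uint8_t d1[] = { 0x00, 0x50, 0xF2, 'X', 'Y', 'Z' };
    const uint8_t new_ie[] = { 0xDD, 0x00, 0x50, 0xF2, 'X', 'Y', 'Z' };
    uint8_t list[64];
    uint32_t count = 2;
    memcpy(list, &count, 4);
    size_t n = append_ie(list, sizeof list, 4, 0, 0xDD, d0, sizeof d0);
    n = append_ie(list, sizeof list, n, 0, 0xDD, d1, sizeof d1);
    size_t off = 0, copy_len = 0;

    enum ie_status s = find_matching_ie(list, n, new_ie, sizeof new_ie, &off, &copy_len);
    printf("benign list: %s (entry at %zu, %zu bytes to copy)\n", status_name(s), off, copy_len);

    count = 1000;                        /* firmware claims far more entries than it sent */
    memcpy(list, &count, 4);
    printf("count=1000:  %s\n", status_name(find_matching_ie(list, n, new_ie, sizeof new_ie, &off, &copy_len)));

    count = 2;
    memcpy(list, &count, 4);
    list[off + 5] = 200;                 /* the matching IE now claims a 200-byte payload */
    printf("length=200:  %s\n", status_name(find_matching_ie(list, n, new_ie, sizeof new_ie, &off, &copy_len)));
    return 0;
}
```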
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: laginimaineb
VAR-201710-1353 | CVE-2017-7076 | Apple Xcode of ld64 Vulnerability in arbitrary code execution in components |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
An issue was discovered in certain Apple products. Xcode before 9 is affected. The issue involves the "ld64" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Mach-O file. Apple Xcode is prone to multiple memory corruption vulnerabilities. Failed exploit attempts may result in a denial-of-service condition.
Versions prior to Xcode 9 are vulnerable. Apple Xcode is an integrated development environment provided by Apple (Apple) to developers. It is mainly used to develop applications for Mac OS X and iOS.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-09-19-3 Xcode 9
Xcode 9 is now available and addresses the following:
Git
Available for: macOS Sierra 10.12.6 or later
Impact: Checking out a maliciously crafted repository may lead to
arbitrary code execution
Description: An ssh:// URL scheme handling issue was addressed
through improved input validation.
CVE-2017-7076: riusksk (泉哥) of Tencent Security Platform Department
CVE-2017-7134: riusksk (泉哥) of Tencent Security Platform Department
CVE-2017-7135: riusksk (泉哥) of Tencent Security Platform Department
CVE-2017-7136: riusksk (泉哥) of Tencent Security Platform Department
CVE-2017-7137: riusksk (泉哥) of Tencent Security Platform Department
subversion
Available for: macOS Sierra 10.12.6 or later
Impact: Checking out a maliciously crafted repository may lead to
arbitrary code execution
Description: An input validation issue was addressed through improved
input validation.
CVE-2017-9800
Installation note:
Xcode 9 may be obtained from:
https://developer.apple.com/xcode/downloads/
To check that the Xcode has been updated:
* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "9".
Information will also be posted to the Apple Security Updates
web site:
https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
VAR-201710-1357 | CVE-2017-7108 | plural Apple Product Wi-Fi Component vulnerable to arbitrary code execution in privileged context |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. watchOS before 4 is affected. The issue involves the "Wi-Fi" component. It might allow remote attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via crafted Wi-Fi traffic. Apple iOS, WatchOS and tvOS are prone to multiple memory corruption and security-bypass vulnerabilities.
Attackers can exploit these issues to execute arbitrary code and perform unauthorized actions. Failed exploit attempts may result in a denial-of-service condition.
The following versions are affected:
Versions prior to Apple iOS 11
Versions prior to Apple watchOS 4
Versions prior to Apple tvOS 11.
Apple iOS is an operating system developed for mobile devices; tvOS is a smart TV operating system; watchOS is a smart watch operating system.
Apple: Heap overflow in "updateRateSetAsyncCallback" when handling ioctl results
CVE-2017-7108
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe" driver is used in order to handle the PCIe interface and low-level communication protocols with the Wi-Fi SoC (also referred to as "dongle"). Similarly, the "AppleBCMWLANCore" driver handles the high-level protocols and the Wi-Fi configuration.
Along with the regular flow of frames transferred between the host and the dongle, the two communicate with one another via a set of "ioctls" which can be issued to read or write dongle configuration from the host. This information is exchanged using the "Control Completion" ring, rather than the regular "RX" ring.
When handling certain events, such as link status changes (indicated by the firmware-originated "WLC_E_LINK" event frame), the "AppleBCMWLANCore" driver updates the rate-set. This is done by issuing an asynchronous ioctl to the firmware using the WLC_GET_CURR_RATESET (114) command code. Upon completion, this ioctl is handled by the "updateRateSetAsyncCallback" function, which performs the following high-level logic:
int64_t updateRateSetAsyncCallback(void* this, ..., uint64_t error_code, void **ptr_to_result_struct) {
void* result_buf = *ptr_to_result_struct;
uint8_t results[0x14];
if (error_code) {
//Handle error...
}
else if (result_buf) {
memmove(results, result_buf, 0x14);
save_rate_set((uint8_t*)this + 2196, results);
...
}
...
}
void save_rate_set(void* this, uint8_t* rate_set_buffer)
{
uint32_t num_entries = *((uint32_t*)rate_set_buffer);
*((uint16_t*)this + 2) = (uint16_t)num_entries;
if (!num_entries)
return;
uint32_t* save_ptr = (uint32_t*)((uint8_t*)this + 16);
uint8_t* rates_array = rate_set_buffer + sizeof(uint32_t);
for (uint32_t i=0; i<num_entries; i++, save_ptr += 3) {
save_ptr[-1] = rates_array[i] & 0x3F;
save_ptr[0] = rates_array[i] >> 7;
}
}
As can be seen above, both "updateRateSetAsyncCallback" and the helper function (named "save_rate_set" in the snippet above) make no attempt to validate the length field returned from the firmware in the ioctl response. As a result, an attacker controlling the firmware may choose an arbitrarily large value. Doing so will cause the copy loop in "save_rate_set" to copy data out-of-bounds into the buffer at (this + 2196). Note that the buffer's length is only 0xBC, but the attacker can cause arbitrarily many bytes to be copied. Since the data is copied from the stack buffer to which the ioctl's results were originally transferred, the OOB bytes will contain information from the stack, removing some degree of control over the copied contents.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: laginimaineb
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-09-25-5
Additional information for APPLE-SA-2017-09-20-2 watchOS 4
watchOS 4 addresses the following:
CFNetwork Proxies
Available for: All Apple Watch models
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.
Entry added September 25, 2017
CoreAudio
Available for: All Apple Watch models
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus
version 1.1.4.
CVE-2017-0381: V.E.O (@VYSEa) of Mobile Threat Research Team, Trend
Micro
Entry added September 25, 2017
Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7114: Alex Plaskett of MWR InfoSecurity
Entry added September 25, 2017
libc
Available for: All Apple Watch models
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue in glob() was addressed
through an improved algorithm.
CVE-2017-7086: Russ Cox of Google
Entry added September 25, 2017
libc
Available for: All Apple Watch models
Impact: An application may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-1000373
Entry added September 25, 2017
libexpat
Available for: All Apple Watch models
Impact: Multiple issues in expat
Description: Multiple issues were addressed by updating to version
2.2.1
CVE-2016-9063
CVE-2017-9233
Entry added September 25, 2017
Security
Available for: All Apple Watch models
Impact: A revoked certificate may be trusted
Description: A certificate validation issue existed in the handling
of revocation data. This issue was addressed through improved
validation.
CVE-2017-7080: an anonymous researcher, Sven Driemecker of adesso
mobile solutions gmbh, an anonymous researcher, Rune Darrud
(@theflyingcorpse) of Bærum kommune
Entry added September 25, 2017
SQLite
Available for: All Apple Watch models
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating to version
3.19.3.
CVE-2017-10989: found by OSS-Fuzz
CVE-2017-7128: found by OSS-Fuzz
CVE-2017-7129: found by OSS-Fuzz
CVE-2017-7130: found by OSS-Fuzz
Entry added September 25, 2017
SQLite
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7103: Gal Beniamini of Google Project Zero
CVE-2017-7105: Gal Beniamini of Google Project Zero
CVE-2017-7108: Gal Beniamini of Google Project Zero
CVE-2017-7110: Gal Beniamini of Google Project Zero
CVE-2017-7112: Gal Beniamini of Google Project Zero
Wi-Fi
Available for: All Apple Watch models
Impact: Malicious code executing on the Wi-Fi chip may be able to
read restricted kernel memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-7116: Gal Beniamini of Google Project Zero
zlib
Available for: All Apple Watch models
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version
1.2.11.
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843
Entry added September 25, 2017
Additional recognition
Security
We would like to acknowledge Abhinav Bansal of Zscaler, Inc.
for their assistance.
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/