VARIoT IoT vulnerabilities database
| VAR-201504-0090 | CVE-2015-1139 | Apple OS X of ImageIO Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
ImageIO in Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .sgi file. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2015-004.
The update addresses new vulnerabilities that affect the Admin Framework, ATS, CoreAnimation, Graphics Driver, Hypervisor, ImageIO, IOHIDFamily, Kernel, LaunchServices, UniformTypeIdentifiers, Security - Code Signing, Open Directory Client, and Screen Sharing components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information and perform other attacks.
These issues affect Mac OS X prior to 10.10.3
| VAR-201504-0089 | CVE-2015-1138 | Apple OS X Service disruption in Japanese hypervisors (DoS) Vulnerabilities |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Hypervisor in Apple OS X before 10.10.3 allows local users to cause a denial of service via unspecified vectors. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2015-004.
The update addresses new vulnerabilities that affect the Admin Framework, ATS, CoreAnimation, Graphics Driver, Hypervisor, ImageIO, IOHIDFamily, Kernel, LaunchServices, UniformTypeIdentifiers, Security - Code Signing, Open Directory Client, and Screen Sharing components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information and perform other attacks.
These issues affect Mac OS X prior to 10.10.3. Hypervisor (also known as virtual machine monitor, VMM) is an intermediate software layer running between the physical server and the operating system, which allows multiple operating systems and applications to share a set of underlying physical hardware. A local attacker could exploit this vulnerability to cause a denial of service
| VAR-201504-0091 | CVE-2015-1140 | Apple OS X of IOHIDFamily Vulnerable to buffer overflow |
CVSS V2: 7.2 CVSS V3: - Severity: MEDIUM |
Buffer overflow in IOHIDFamily in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors. The issue lies in the failure to properly sanitize user-supplied pointers before they are dereferenced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within IOKit IOHIDSecurePromptClient. This does not check the length of an attacker-supplied string to the __InsertBytes method before copying it into a fixed length buffer on the heap. This allows an attacker to execute arbitrary code in the context of the kernel.
The update addresses new vulnerabilities that affect the Admin Framework, ATS, CoreAnimation, Graphics Driver, Hypervisor, ImageIO, IOHIDFamily, Kernel, LaunchServices, UniformTypeIdentifiers, Security - Code Signing, Open Directory Client, and Screen Sharing components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information and perform other attacks.
These issues affect Mac OS X prior to 10.10.3. A local attacker could exploit this vulnerability to gain privileges
| VAR-201504-0087 | CVE-2015-1136 | Apple OS X of CoreAnimation Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in CoreAnimation in Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code by leveraging improper use of a mutex. Supplementary information : CWE Vulnerability type by CWE-416: Use After Free ( Use of freed memory ) Has been identified.
The update addresses new vulnerabilities that affect the Admin Framework, ATS, CoreAnimation, Graphics Driver, Hypervisor, ImageIO, IOHIDFamily, Kernel, LaunchServices, UniformTypeIdentifiers, Security - Code Signing, Open Directory Client, and Screen Sharing components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information and perform other attacks.
These issues affect Mac OS X prior to 10.10.3
| VAR-201504-0088 | CVE-2015-1137 | Apple OS X of NVIDIA Vulnerability gained in the graphics driver |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The NVIDIA graphics driver in Apple OS X before 10.10.3 allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via an unspecified IOService userclient type. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2015-004.
The update addresses new vulnerabilities that affect the Admin Framework, ATS, CoreAnimation, Graphics Driver, Hypervisor, ImageIO, IOHIDFamily, Kernel, LaunchServices, UniformTypeIdentifiers, Security - Code Signing, Open Directory Client, and Screen Sharing components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information and perform other attacks.
These issues affect Mac OS X prior to 10.10.3
| VAR-201504-0085 | CVE-2015-1134 | Apple OS X of Apple Type Services of fontd Vulnerable to gaining privileges |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, and CVE-2015-1135. This vulnerability is CVE-2015-1131 , CVE-2015-1132 , CVE-2015-1133 and CVE-2015-1135 This is a different vulnerability.Local users may be able to gain privileges.
The update addresses new vulnerabilities that affect the Admin Framework, ATS, CoreAnimation, Graphics Driver, Hypervisor, ImageIO, IOHIDFamily, Kernel, LaunchServices, UniformTypeIdentifiers, Security - Code Signing, Open Directory Client, and Screen Sharing components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information and perform other attacks.
These issues affect Mac OS X prior to 10.10.3. The following versions are affected: Apple OS X 10.8.5 and earlier, 10.9.5 and earlier, 10.10.2 and earlier
| VAR-201504-0086 | CVE-2015-1135 | Apple OS X of Apple Type Services of fontd Vulnerability gained in |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, and CVE-2015-1134. This vulnerability CVE-2015-1131 , CVE-2015-1132 , CVE-2015-1133 and CVE-2015-1134 Is a different vulnerability.Authority may be obtained by local users. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2015-004.
The update addresses new vulnerabilities that affect the Admin Framework, ATS, CoreAnimation, Graphics Driver, Hypervisor, ImageIO, IOHIDFamily, Kernel, LaunchServices, UniformTypeIdentifiers, Security - Code Signing, Open Directory Client, and Screen Sharing components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information and perform other attacks.
These issues affect Mac OS X prior to 10.10.3. The following versions are affected: Apple OS X 10.8.5 and earlier, 10.9.5 and earlier, 10.10.2 and earlier
| VAR-201504-0084 | CVE-2015-1133 | Apple OS X of Apple Type Services of fontd Vulnerability gained in |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1134, and CVE-2015-1135. This vulnerability CVE-2015-1131 , CVE-2015-1132 , CVE-2015-1134 and CVE-2015-1135 Is a different vulnerability.Authority may be obtained by local users. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2015-004.
The update addresses new vulnerabilities that affect the Admin Framework, ATS, CoreAnimation, Graphics Driver, Hypervisor, ImageIO, IOHIDFamily, Kernel, LaunchServices, UniformTypeIdentifiers, Security - Code Signing, Open Directory Client, and Screen Sharing components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information and perform other attacks.
These issues affect Mac OS X prior to 10.10.3. The following versions are affected: Apple OS X 10.8.5 and earlier, 10.9.5 and earlier, 10.10.2 and earlier
| VAR-201504-0103 | CVE-2015-1087 | Apple iOS of Backup Vulnerable to directory traversal |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Directory traversal vulnerability in Backup in Apple iOS before 8.3 allows attackers to read arbitrary files via a crafted relative path. Apple iOS is prone to multiple security vulnerabilities.
Attackers can exploit these issues to gain sensitive information, perform unauthorized actions, bypass security restrictions, and perform other attacks.
These issues affect iOS versions prior to 8.3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2015-04-08-3 iOS 8.3
iOS 8.3 is now available and addresses the following:
AppleKeyStore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to guess the user's
passcode
Description: iOS allowed access to an interface which allowed
attempts to confirm the user's passcode. This issue was addressed
with improved entitlement checking.
CVE-ID
CVE-2015-1085
Audio Drivers
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in IOKit objects used by an
audio driver. This issue was addressed through improved validation of
metadata.
CVE-ID
CVE-2015-1086
Backup
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to use the backup system to access
restricted areas of the file system
Description: An issue existed in the relative path evaluation logic
of the backup system. This issues was addressed through improved path
evaluation.
CVE-ID
CVE-2015-1087 : TaiG Jailbreak Team
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Cookies belonging to one origin may be sent to another
origin
Description: A cross-domain cookie issue existed in redirect
handling. Cookies set in a redirect response could be passed on to a
redirect target belonging to another origin. The issue was address
through improved handling of redirects.
CVE-ID
CVE-2015-1089 : Niklas Keller
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A user may be unable to fully delete browsing history
Description: Clearing Safari's history did not clear saved HTTP
Strict Transport Security state. The issue was addressed through
improved data deletion.
CVE-ID
CVE-2015-1090
CFNetwork Session
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Authentication credentials may be sent to a server on
another origin
Description: A cross-domain HTTP request headers issue existed in
redirect handling. HTTP request headers sent in a redirect response
could be passed on to another origin. The issue was addressed through
improved handling of redirects.
CVE-ID
CVE-2015-1091 : Diego Torres (http://dtorres.me)
CFURL
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: An input validation issue existed within URL
processing. This issue was addressed through improved URL validation.
CVE-ID
CVE-2015-1088
Foundation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application using NSXMLParser may be misused to disclose
information
Description: An XML External Entity issue existed in NSXMLParser's
handling of XML. This issue was addressed by not loading external
entities across origins.
CVE-ID
CVE-2015-1092 : Ikuya Fukumoto
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1093 : Marc Schoenefeld
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOAcceleratorFamily that led to the
disclosure of kernel memory content. This issue was addressed by
removing unneeded code.
CVE-ID
CVE-2015-1094 : Cererdlong of Alibaba Mobile Security Team
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious HID device may be able to cause arbitrary code
execution
Description: A memory corruption issue existed in an IOHIDFamily
API. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1095 : Andrew Church
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOHIDFamily that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1096 : Ilja van Sprundel of IOActive
IOMobileFramebuffer
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in MobileFrameBuffer that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1097 : Barak Gabai of the IBM X-Force Application Security
Research Team
iWork Viewer
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted iWork file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the handling of
iWork files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-1098 : Christopher Hickstein
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to cause a system denial
of service
Description: A race condition existed in the kernel's setreuid
system call. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1099 : Mark Mentovai of Google Inc.
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may escalate privileges using a
compromised service intended to run with reduced privileges
Description: setreuid and setregid system calls failed to drop
privileges permanently. This issue was addressed by correctly
dropping privileges.
CVE-ID
CVE-2015-1117 : Mark Mentovai of Google Inc.
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to cause unexpected
system termination or read kernel memory
Description: A out of bounds memory access issue existed in the
kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1100 : Maxime Villard of m00nbsd
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1101 : lokihardt@ASRT working with HP's Zero Day Initiative
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to cause a denial of service
Description: A state inconsistency existed in the processing of TCP
headers. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-1102 : Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to redirect user traffic to arbitrary hosts
Description: ICMP redirects were enabled by default on iOS. This
issue was addressed by disabling ICMP redirects.
CVE-ID
CVE-2015-1103 : Zimperium Mobile Security Labs
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to bypass network filters
Description: The system would treat some IPv6 packets from remote
network interfaces as local packets. The issue was addressed by
rejecting these packets.
CVE-ID
CVE-2015-1104 : Stephen Roettger of the Google Security Team
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to cause a denial of service
Description: A state inconsistency issue existed in the handling of
TCP out of band data. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1105 : Kenton Varda of Sandstorm.io
Keyboards
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: QuickType could learn users' passcodes
Description: When using Bluetooth keyboards, QuickType could learn
users' passcodes. This issue was addressed by preventing QuickType
from being displayed on the lockscreen.
CVE-ID
CVE-2015-1106 : Jarrod Dwenger, Steve Favorito, Paul Reedy of
ConocoPhillips, Pedro Tavares of Molecular Biophysics at
UCIBIO/FCT/UNL, De Paul Sunny, Christian Still of Evolve Media,
Canada
libnetcore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted configuration profile may
lead to unexpected application termination
Description: A memory corruption issue existed in the handling of
configuration profiles. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2015-1118 : Zhaofeng Chen, Hui Xue, Yulong Zhang, and Tao Wei of
FireEye, Inc.
Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may prevent erasing
the device after failed passcode attempts
Description: In some circumstances, a device might not erase itself
after failed passcode attempts. This issue was addressed through
additional enforcement of erasure.
CVE-ID
CVE-2015-1107 : Brent Erickson, Stuart Ryan of University of
Technology, Sydney
Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may exceed the maximum
number of failed passcode attempts
Description: In some circumstances, the failed passcode attempt
limit was not enforced. This issue was addressed through additional
enforcement of this limit.
CVE-ID
CVE-2015-1108
NetworkExtension
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may be able to recover
VPN credentials
Description: An issue existed in the handling of VPN configuration
logs. This issue was addressed by removing logging of credentials.
CVE-ID
CVE-2015-1109 : Josh Tway of IPVanish
Podcasts
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Unnecessary information may be sent to external servers when
downloading podcast assets
Description: When downloading assets for podcast a user was
subscribed to, unique identifiers were sent to external servers. This
issue was resolved by removing these identifiers.
CVE-ID
CVE-2015-1110 : Alex Selivanov
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A user may be unable to fully delete browsing history
Description: Clearing Safari's history did not clear "Recently
closed tabs". The issue was addressed through improved data deletion.
CVE-ID
CVE-2015-1111 : Frode Moe of LastFriday.no
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Users' browsing history may not be completely purged
Description: A state management issue existed in Safari that
resulted in users' browsing history not being purged from
history.plist. This issue was addressed by improved state management.
CVE-ID
CVE-2015-1112 : William Breuer, The Netherlands
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to access phone numbers
or email addresses of recent contacts
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the sandbox
profile.
CVE-ID
CVE-2015-1113 : Andreas Kurtz of NESO Security Labs, Markus TroBbach
of Heilbronn University
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Hardware identifiers may be accessible by third-party apps
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the sandbox
profile.
CVE-ID
CVE-2015-1114
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to access restricted
telephony functions
Description: An access control issue existed in the telephony
subsystem. Sandboxed apps could access restricted telephony
functions. This issue was addressed with improved entitlement
checking.
CVE-ID
CVE-2015-1115 : Andreas Kurtz of NESO Security Labs, Markus TroBbach
of Heilbronn University
UIKit View
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Sensitive data may be exposed in application snapshots
presented in the Task Switcher
Description: An issue existed in UIKit, which did not blur
application snapshots containing sensitive data in the Task Switcher.
This issue was addressed by correctly blurring the snapshot.
CVE-ID
CVE-2015-1116 : The mobile app team at HP Security Voltage, Aaron
Rogers of Mint.com, David Edwards of Tech4Tomorrow, David Zhang of
Dropbox
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Inconsistent user interface may prevent users from
discerning a phishing attack
Description: A user interface inconsistency existed in Safari that
allowed an attacker to misrepresent the URL. This issue was addressed
through improved user interface consistency checks.
CVE-ID
CVE-2015-1084 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1068 : Apple
CVE-2015-1069 : lokihardt@ASRT working with HP's Zero Day Initiative
CVE-2015-1070 : Apple
CVE-2015-1071 : Apple
CVE-2015-1072
CVE-2015-1073 : Apple
CVE-2015-1074 : Apple
CVE-2015-1076
CVE-2015-1077 : Apple
CVE-2015-1078 : Apple
CVE-2015-1079 : Apple
CVE-2015-1080 : Apple
CVE-2015-1081 : Apple
CVE-2015-1082 : Apple
CVE-2015-1083 : Apple
CVE-2015-1119 : Renata Hodovan of University of Szeged / Samsung
Electronics
CVE-2015-1120 : Apple
CVE-2015-1121 : Apple
CVE-2015-1122 : Apple
CVE-2015-1123 : Randy Luecke and Anoop Menon of Google Inc.
CVE-2015-1124 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a user
invoking a click on another website
Description: An issue existed when handling touch events. A tap
could propagate to another website. The issue was addressed through
improved event handling.
CVE-ID
CVE-2015-1125 : Phillip Moon and Matt Weston of www.sandfield.co.nz
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to resources
of another origin being accessed
Description: An issue existed in WebKit when handling credentials in
FTP URLs. This issue was address through improved decoding.
CVE-ID
CVE-2015-1126 : Jouko Pynnonen of Klikki Oy
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.3".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJVJKl9AAoJEBcWfLTuOo7tJSQQAISlSqHZbMZOKrc6qCQ3E+Yn
ROyg7duvjIiaOHEiromwOpXjINbRTlhV5I6cseJrZOa7oLhgtIFes7wCo2rj/IjK
pTv3GMc84r7gPY38JE6//rU6Ni9YCuSKt69iOpF2RmKCLrrhjyP/igY/IKro3ujS
YyDgEEtmBtekU/QbUcZb8qfQ+/E0O6ZwZqvmzlmbcmeqM0/xy/lb8MmPcPwSTCTc
oQUj3xF+2OBIyudzQX6PmTFIDQjKYUg2dXEapYhzUhVkaZkdhRsJDaNJR7rlOYhK
Zea99fN+wnRr6F6IklXRTUdf4Lwegjs+kBA0HqrsxTX/LORQu98LWWXJ5vcl7OvE
moZRu46Jw7+AEwC2V3t7Bl6HbeHf3/jtQTV8q7ALdRhOcwgJdQUubRyMl1ZIG0NE
N3M6lxSxlkn5CuPggQcONc1SwkCfplIntxJ8ECDTW/mVc/GrmSN5BH19Lzd3gWFR
vRD5soYzZrTfWaULp+VzepiWz0FpJsJPn/sDQxvZfOzSzIsFKCX3OO671lXC7fV+
Qgl5vPXleUGxgScn0jQEDPrXAj6U85xqfXc+aZn8jKpfMthfukKXM8Tazlz2Ywyj
g2EaerJBFCavTPpQpuq0MOL6RYo2PhlC6tkwT25NaG01v/wEfzs75Dgc2Z15QtaH
ceXrdFVQDQ9LSl38/qPo
=ifj1
-----END PGP SIGNATURE-----
| VAR-201504-0083 | CVE-2015-1132 | Apple OS X of Apple Type Services of fontd Vulnerability gained in |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1133, CVE-2015-1134, and CVE-2015-1135. This vulnerability CVE-2015-1131 , CVE-2015-1133 , CVE-2015-1134 and CVE-2015-1135 Is a different vulnerability.Authority may be obtained by local users. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2015-004.
The update addresses new vulnerabilities that affect the Admin Framework, ATS, CoreAnimation, Graphics Driver, Hypervisor, ImageIO, IOHIDFamily, Kernel, LaunchServices, UniformTypeIdentifiers, Security - Code Signing, Open Directory Client, and Screen Sharing components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information and perform other attacks.
These issues affect Mac OS X prior to 10.10.3. The following versions are affected: Apple OS X 10.8.5 and earlier, 10.9.5 and earlier, 10.10.2 and earlier
| VAR-201504-0081 | CVE-2015-1130 | Apple OS X of Admin Framework of XPC Vulnerabilities that prevent authentication from being implemented |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges via unspecified vectors. Supplementary information : CWE Vulnerability type by CWE-254: Security Features ( Security function ) Has been identified. http://cwe.mitre.org/data/definitions/254.htmlAuthentication bypassed by local users, and admin You may get permission.
The update addresses new vulnerabilities that affect the Admin Framework, ATS, CoreAnimation, Graphics Driver, Hypervisor, ImageIO, IOHIDFamily, Kernel, LaunchServices, UniformTypeIdentifiers, Security - Code Signing, Open Directory Client, and Screen Sharing components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information and perform other attacks.
These issues affect Mac OS X prior to 10.10.3
| VAR-201504-0109 | CVE-2015-1093 | Apple iOS and Apple OS X of FontParser Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
FontParser in Apple iOS before 8.3 and Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font file. Apple Mac OS X and iOS is prone to multiple security vulnerabilities.
Attackers may exploit these issues to bypass certain security restrictions or execute arbitrary code in the context of the application. Failed exploit attempts may result in denial-of-service conditions. Apple iOS is an operating system developed by Apple for mobile devices. FontParser is a font parsing component.
CVE-ID
CVE-2015-1101 : lokihardt@ASRT working with HP's Zero Day Initiative
Secure Transport
Available for: Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: Secure Transport accepted short ephemeral RSA keys,
usually used only in export-strength RSA cipher suites, on
connections using full-strength RSA cipher suites. This issue, also
known as FREAK, only affected connections to servers which support
export-strength RSA cipher suites, and was addressed by removing
support for ephemeral RSA keys.
CVE-ID
CVE-2015-1067 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine
Delignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of
Prosecco at Inria Paris
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/en-us/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About". -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2015-04-08-3 iOS 8.3
iOS 8.3 is now available and addresses the following:
AppleKeyStore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to guess the user's
passcode
Description: iOS allowed access to an interface which allowed
attempts to confirm the user's passcode. This issue was addressed
with improved entitlement checking.
CVE-ID
CVE-2015-1085
Audio Drivers
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in IOKit objects used by an
audio driver. This issue was addressed through improved validation of
metadata.
CVE-ID
CVE-2015-1086
Backup
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to use the backup system to access
restricted areas of the file system
Description: An issue existed in the relative path evaluation logic
of the backup system. This issues was addressed through improved path
evaluation.
CVE-ID
CVE-2015-1087 : TaiG Jailbreak Team
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Cookies belonging to one origin may be sent to another
origin
Description: A cross-domain cookie issue existed in redirect
handling. Cookies set in a redirect response could be passed on to a
redirect target belonging to another origin. The issue was address
through improved handling of redirects.
CVE-ID
CVE-2015-1089 : Niklas Keller
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A user may be unable to fully delete browsing history
Description: Clearing Safari's history did not clear saved HTTP
Strict Transport Security state. The issue was addressed through
improved data deletion.
CVE-ID
CVE-2015-1090
CFNetwork Session
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Authentication credentials may be sent to a server on
another origin
Description: A cross-domain HTTP request headers issue existed in
redirect handling. HTTP request headers sent in a redirect response
could be passed on to another origin. The issue was addressed through
improved handling of redirects.
CVE-ID
CVE-2015-1091 : Diego Torres (http://dtorres.me)
CFURL
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: An input validation issue existed within URL
processing. This issue was addressed through improved URL validation.
CVE-ID
CVE-2015-1088
Foundation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application using NSXMLParser may be misused to disclose
information
Description: An XML External Entity issue existed in NSXMLParser's
handling of XML. This issue was addressed by not loading external
entities across origins.
CVE-ID
CVE-2015-1092 : Ikuya Fukumoto
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1093 : Marc Schoenefeld
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOAcceleratorFamily that led to the
disclosure of kernel memory content. This issue was addressed by
removing unneeded code.
CVE-ID
CVE-2015-1094 : Cererdlong of Alibaba Mobile Security Team
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious HID device may be able to cause arbitrary code
execution
Description: A memory corruption issue existed in an IOHIDFamily
API. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1095 : Andrew Church
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOHIDFamily that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1096 : Ilja van Sprundel of IOActive
IOMobileFramebuffer
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in MobileFrameBuffer that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1097 : Barak Gabai of the IBM X-Force Application Security
Research Team
iWork Viewer
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted iWork file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the handling of
iWork files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-1098 : Christopher Hickstein
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to cause a system denial
of service
Description: A race condition existed in the kernel's setreuid
system call. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1099 : Mark Mentovai of Google Inc.
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may escalate privileges using a
compromised service intended to run with reduced privileges
Description: setreuid and setregid system calls failed to drop
privileges permanently. This issue was addressed by correctly
dropping privileges.
CVE-ID
CVE-2015-1117 : Mark Mentovai of Google Inc.
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to cause unexpected
system termination or read kernel memory
Description: A out of bounds memory access issue existed in the
kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1100 : Maxime Villard of m00nbsd
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1101 : lokihardt@ASRT working with HP's Zero Day Initiative
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to cause a denial of service
Description: A state inconsistency existed in the processing of TCP
headers. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-1102 : Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to redirect user traffic to arbitrary hosts
Description: ICMP redirects were enabled by default on iOS. This
issue was addressed by disabling ICMP redirects.
CVE-ID
CVE-2015-1103 : Zimperium Mobile Security Labs
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to bypass network filters
Description: The system would treat some IPv6 packets from remote
network interfaces as local packets. The issue was addressed by
rejecting these packets.
CVE-ID
CVE-2015-1104 : Stephen Roettger of the Google Security Team
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to cause a denial of service
Description: A state inconsistency issue existed in the handling of
TCP out of band data. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1105 : Kenton Varda of Sandstorm.io
Keyboards
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: QuickType could learn users' passcodes
Description: When using Bluetooth keyboards, QuickType could learn
users' passcodes. This issue was addressed by preventing QuickType
from being displayed on the lockscreen.
CVE-ID
CVE-2015-1106 : Jarrod Dwenger, Steve Favorito, Paul Reedy of
ConocoPhillips, Pedro Tavares of Molecular Biophysics at
UCIBIO/FCT/UNL, De Paul Sunny, Christian Still of Evolve Media,
Canada
libnetcore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted configuration profile may
lead to unexpected application termination
Description: A memory corruption issue existed in the handling of
configuration profiles. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2015-1118 : Zhaofeng Chen, Hui Xue, Yulong Zhang, and Tao Wei of
FireEye, Inc.
Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may prevent erasing
the device after failed passcode attempts
Description: In some circumstances, a device might not erase itself
after failed passcode attempts. This issue was addressed through
additional enforcement of erasure.
CVE-ID
CVE-2015-1107 : Brent Erickson, Stuart Ryan of University of
Technology, Sydney
Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may exceed the maximum
number of failed passcode attempts
Description: In some circumstances, the failed passcode attempt
limit was not enforced. This issue was addressed through additional
enforcement of this limit.
CVE-ID
CVE-2015-1108
NetworkExtension
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may be able to recover
VPN credentials
Description: An issue existed in the handling of VPN configuration
logs. This issue was addressed by removing logging of credentials.
CVE-ID
CVE-2015-1109 : Josh Tway of IPVanish
Podcasts
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Unnecessary information may be sent to external servers when
downloading podcast assets
Description: When downloading assets for podcast a user was
subscribed to, unique identifiers were sent to external servers. This
issue was resolved by removing these identifiers.
CVE-ID
CVE-2015-1110 : Alex Selivanov
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A user may be unable to fully delete browsing history
Description: Clearing Safari's history did not clear "Recently
closed tabs". The issue was addressed through improved data deletion.
CVE-ID
CVE-2015-1111 : Frode Moe of LastFriday.no
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Users' browsing history may not be completely purged
Description: A state management issue existed in Safari that
resulted in users' browsing history not being purged from
history.plist. This issue was addressed by improved state management.
CVE-ID
CVE-2015-1112 : William Breuer, The Netherlands
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to access phone numbers
or email addresses of recent contacts
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the sandbox
profile.
CVE-ID
CVE-2015-1113 : Andreas Kurtz of NESO Security Labs, Markus TroBbach
of Heilbronn University
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Hardware identifiers may be accessible by third-party apps
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the sandbox
profile.
CVE-ID
CVE-2015-1114
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to access restricted
telephony functions
Description: An access control issue existed in the telephony
subsystem. Sandboxed apps could access restricted telephony
functions. This issue was addressed with improved entitlement
checking.
CVE-ID
CVE-2015-1115 : Andreas Kurtz of NESO Security Labs, Markus TroBbach
of Heilbronn University
UIKit View
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Sensitive data may be exposed in application snapshots
presented in the Task Switcher
Description: An issue existed in UIKit, which did not blur
application snapshots containing sensitive data in the Task Switcher.
This issue was addressed by correctly blurring the snapshot.
CVE-ID
CVE-2015-1116 : The mobile app team at HP Security Voltage, Aaron
Rogers of Mint.com, David Edwards of Tech4Tomorrow, David Zhang of
Dropbox
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Inconsistent user interface may prevent users from
discerning a phishing attack
Description: A user interface inconsistency existed in Safari that
allowed an attacker to misrepresent the URL. This issue was addressed
through improved user interface consistency checks.
CVE-ID
CVE-2015-1084 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1068 : Apple
CVE-2015-1069 : lokihardt@ASRT working with HP's Zero Day Initiative
CVE-2015-1070 : Apple
CVE-2015-1071 : Apple
CVE-2015-1072
CVE-2015-1073 : Apple
CVE-2015-1074 : Apple
CVE-2015-1076
CVE-2015-1077 : Apple
CVE-2015-1078 : Apple
CVE-2015-1079 : Apple
CVE-2015-1080 : Apple
CVE-2015-1081 : Apple
CVE-2015-1082 : Apple
CVE-2015-1083 : Apple
CVE-2015-1119 : Renata Hodovan of University of Szeged / Samsung
Electronics
CVE-2015-1120 : Apple
CVE-2015-1121 : Apple
CVE-2015-1122 : Apple
CVE-2015-1123 : Randy Luecke and Anoop Menon of Google Inc.
CVE-2015-1124 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a user
invoking a click on another website
Description: An issue existed when handling touch events. A tap
could propagate to another website. The issue was addressed through
improved event handling.
CVE-ID
CVE-2015-1125 : Phillip Moon and Matt Weston of www.sandfield.co.nz
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to resources
of another origin being accessed
Description: An issue existed in WebKit when handling credentials in
FTP URLs. This issue was address through improved decoding.
CVE-ID
CVE-2015-1126 : Jouko Pynnonen of Klikki Oy
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.3".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJVJKl9AAoJEBcWfLTuOo7tJSQQAISlSqHZbMZOKrc6qCQ3E+Yn
ROyg7duvjIiaOHEiromwOpXjINbRTlhV5I6cseJrZOa7oLhgtIFes7wCo2rj/IjK
pTv3GMc84r7gPY38JE6//rU6Ni9YCuSKt69iOpF2RmKCLrrhjyP/igY/IKro3ujS
YyDgEEtmBtekU/QbUcZb8qfQ+/E0O6ZwZqvmzlmbcmeqM0/xy/lb8MmPcPwSTCTc
oQUj3xF+2OBIyudzQX6PmTFIDQjKYUg2dXEapYhzUhVkaZkdhRsJDaNJR7rlOYhK
Zea99fN+wnRr6F6IklXRTUdf4Lwegjs+kBA0HqrsxTX/LORQu98LWWXJ5vcl7OvE
moZRu46Jw7+AEwC2V3t7Bl6HbeHf3/jtQTV8q7ALdRhOcwgJdQUubRyMl1ZIG0NE
N3M6lxSxlkn5CuPggQcONc1SwkCfplIntxJ8ECDTW/mVc/GrmSN5BH19Lzd3gWFR
vRD5soYzZrTfWaULp+VzepiWz0FpJsJPn/sDQxvZfOzSzIsFKCX3OO671lXC7fV+
Qgl5vPXleUGxgScn0jQEDPrXAj6U85xqfXc+aZn8jKpfMthfukKXM8Tazlz2Ywyj
g2EaerJBFCavTPpQpuq0MOL6RYo2PhlC6tkwT25NaG01v/wEfzs75Dgc2Z15QtaH
ceXrdFVQDQ9LSl38/qPo
=ifj1
-----END PGP SIGNATURE-----
| VAR-201504-0080 | CVE-2015-1129 | Apple Safari User-tracked vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 does not properly select X.509 client certificates, which makes it easier for remote attackers to track users via a crafted web site. Apple Safari is prone to a security-bypass vulnerability.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks. Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. The following versions are affected: Apple Safari prior to 6.2.5, 7.x prior to 7.1.5, and 8.x prior to 8.0.5. This issue was
addressed by disabling push notification prompts in private browsing
mode.
CVE-ID
CVE-2015-1126 : Jouko Pynnonen of Klikki Oy
Safari 8.0.5, Safari 7.1.5, and Safari 6.2.5 may be obtained from
the Mac App Store. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-09-16-1 iOS 9
iOS 9 is now available and addresses the following:
Apple Pay
Available for: iPhone 6, iPad mini 3, and iPad Air 2
Impact: Some cards may allow a terminal to retrieve limited recent
transaction information when making a payment
Description: The transaction log functionality was enabled in
certain configurations. This issue was addressed by removing the
transaction log functionality.
CVE-ID
CVE-2015-5916
AppleKeyStore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local attacker may be able to reset failed passcode
attempts with an iOS backup
Description: An issue existed in resetting failed passcode attempts
with a backup of the iOS device. This was addressed through improved
passcode failure logic.
CVE-ID
CVE-2015-5850 : an anonymous researcher
Application Store
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Clicking a malicious ITMS link may lead to a denial of
service in an enterprise-signed application
Description: An issue existed with installation through ITMS links.
This was addressed through additional installation verification.
CVE-ID
CVE-2015-5856 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei of
FireEye, Inc.
Audio
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Playing a malicious audio file may lead to an unexpected
application termination
Description: A memory corruption issue existed in the handling of
audio files. This issue issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5862 : YoungJin Yoon of Information Security Lab. (Adv.:
Prof. Taekyoung Kwon), Yonsei University, Seoul, Korea
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132.
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to an iOS device may read
cache data from Apple apps
Description: Cache data was encrypted with a key protected only by
the hardware UID. This issue was addressed by encrypting the cache
data with a key protected by the hardware UID and the user's
passcode.
CVE-ID
CVE-2015-5898 : Andreas Kurtz of NESO Security Labs
CFNetwork Cookies
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can track a
user's activity
Description: A cross-domain cookie issue existed in the handling of
top level domains. The issue was address through improved
restrictions of cookie creation.
CVE-ID
CVE-2015-5885 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University
CFNetwork Cookies
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to create unintended cookies for a
website
Description: WebKit would accept multiple cookies to be set in the
document.cookie API. This issue was addressed through improved
parsing.
CVE-ID
CVE-2015-3801 : Erling Ellingsen of Facebook
CFNetwork FTPProtocol
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Malicious FTP servers may be able to cause the client to
perform reconnaissance on other hosts
Description: An issue existed in FTP packet handling if clients were
using an FTP proxy.
CVE-ID
CVE-2015-5912 : Amit Klein
CFNetwork HTTPProtocol
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted URL may be able to bypass HTTP Strict
Transport Security (HSTS) and leak sensitive data
Description: A URL parsing vulnerability existed in HSTS handling.
This issue was addressed through improved URL parsing.
CVE-ID
CVE-2015-5858 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University
CFNetwork HTTPProtocol
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious website may be able to track users in Safari
private browsing mode
Description: An issue existed in the handling of HSTS state in
Safari private browsing mode. This issue was addressed through
improved state handling.
CVE-ID
CVE-2015-5860 : Sam Greenhalgh of RadicalResearch Ltd
CFNetwork Proxies
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Connecting to a malicious web proxy may set malicious
cookies for a website
Description: An issue existed in the handling of proxy connect
responses. This issue was addressed by removing the set-cookie header
while parsing the connect response.
CVE-ID
CVE-2015-5841 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University
CFNetwork SSL
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: A certificate validation issue existed in NSURL when a
certificate changed. This issue was addressed through improved
certificate validation.
CVE-ID
CVE-2015-5824 : Timothy J. Wood of The Omni Group
CFNetwork SSL
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of RC4.
An attacker could force the use of RC4, even if the server preferred
better ciphers, by blocking TLS 1.0 and higher connections until
CFNetwork tried SSL 3.0, which only allows RC4. This issue was
addressed by removing the fallback to SSL 3.0.
CoreAnimation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to leak sensitive user
information
Description: Applications could access the screen framebuffer while
they were in the background. This issue was addressed with improved
access control on IOSurfaces.
CVE-ID
CVE-2015-5880 : Jin Han, Su Mon Kywe, Qiang Yan, Robert Deng, Debin
Gao, Yingjiu Li of School of Information Systems Singapore Management
University, Feng Bao and Jianying Zhou of Cryptography and Security
Department Institute for Infocomm Research
CoreCrypto
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to determine a private key
Description: By observing many signing or decryption attempts, an
attacker may have been able to determine the RSA private key. This
issue was addressed using improved encryption algorithms.
CoreText
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team
Data Detectors Engine
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted text file may lead to
arbitrary code execution
Description: Memory corruption issues existed in the processing of
text files. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-5829 : M1x7e1 of Safeye Team (www.safeye.org)
Dev Tools
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in dyld. This was
addressed through improved memory handling.
CVE-ID
CVE-2015-5876 : beist of grayhash
dyld
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application may be able to bypass code signing
Description: An issue existed with validation of the code signature
of executables. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5839 : @PanguTeam, TaiG Jailbreak Team
Disk Images
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in DiskImages. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5847 : Filippo Bigarella, Luca Todesco
Game Center
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious Game Center application may be able to access a
player's email address
Description: An issue existed in Game Center in the handling of a
player's email. This issue was addressed through improved access
restrictions.
CVE-ID
CVE-2015-5855 : Nasser Alnasser
ICU
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in ICU
Description: Multiple vulnerabilities existed in ICU versions prior
to 53.1.0. These issues were addressed by updating ICU to version
55.1.
CVE-ID
CVE-2014-8146
CVE-2015-1205
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed that led to the disclosure of kernel
memory content. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5834 : Cererdlong of Alibaba Mobile Security Team
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in
IOAcceleratorFamily. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5848 : Filippo Bigarella
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in IOHIDFamily. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5867 : moony li of Trend Micro
IOKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5844 : Filippo Bigarella
CVE-2015-5845 : Filippo Bigarella
CVE-2015-5846 : Filippo Bigarella
IOMobileFrameBuffer
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in
IOMobileFrameBuffer. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5843 : Filippo Bigarella
IOStorageFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local attacker may be able to read kernel memory
Description: A memory initialization issue existed in the kernel.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5863 : Ilja van Sprundel of IOActive
iTunes Store
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: AppleID credentials may persist in the keychain after sign
out
Description: An issue existed in keychain deletion. This issue was
addressed through improved account cleanup.
CVE-ID
CVE-2015-5832 : Kasif Dekel from Check Point Software Technologies
JavaScriptCore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Memory corruption issues existed in WebKit. These
issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5791 : Apple
CVE-2015-5793 : Apple
CVE-2015-5814 : Apple
CVE-2015-5816 : Apple
CVE-2015-5822 : Mark S. Miller of Google
CVE-2015-5823 : Apple
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5868 : Cererdlong of Alibaba Mobile Security Team
CVE-2015-5896 : Maxime Villard of m00nbsd
CVE-2015-5903 : CESG
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local attacker may control the value of stack cookies
Description: Multiple weaknesses existed in the generation of user
space stack cookies. This was addressed through improved generation
of stack cookies.
CVE-ID
CVE-2013-3951 : Stefan Esser
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local process can modify other processes without
entitlement checks
Description: An issue existed where root processes using the
processor_set_tasks API were allowed to retrieve the task ports of
other processes. This issue was addressed through added entitlement
checks.
CVE-ID
CVE-2015-5882 : Pedro Vilaca, working from original research by Ming-
chieh Pan and Sung-ting Tsai; Jonathan Levin
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to launch denial of service attacks
on targeted TCP connections without knowing the correct sequence
number
Description: An issue existed in xnu's validation of TCP packet
headers. This issues was addressed through improved TCP packet header
validation.
CVE-ID
CVE-2015-5879 : Jonathan Looney
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a local LAN segment may disable IPv6 routing
Description: An insufficient validation issue existed in handling of
IPv6 router advertisements that allowed an attacker to set the hop
limit to an arbitrary value. This issue was addressed by enforcing a
minimum hop limit.
CVE-ID
CVE-2015-5869 : Dennis Spindel Ljungmark
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed in XNU that led to the disclosure of
kernel memory. This was addressed through improved initialization of
kernel memory structures.
CVE-ID
CVE-2015-5842 : beist of grayhash
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to cause a system denial of service
Description: An issue existed in HFS drive mounting. This was
addressed by additional validation checks.
CVE-ID
CVE-2015-5748 : Maxime Villard of m00nbsd
libc
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2014-8611 : Adrian Chadd and Alfred Perlstein of Norse
Corporation
libpthread
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5899 : Lufeng Li of Qihoo 360 Vulcan Team
Mail
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker can send an email that appears to come from a
contact in the recipient's address book
Description: An issue existed in the handling of the sender's
address. This issue was addressed through improved validation.
CVE-ID
CVE-2015-5857 : Emre Saglam of salesforce.com
Multipeer Connectivity
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local attacker may be able to observe unprotected
multipeer data
Description: An issue existed in convenience initializer handling in
which encryption could be actively downgraded to a non-encrypted
session. This issue was addressed by changing the convenience
initializer to require encryption.
CVE-ID
CVE-2015-5851 : Alban Diquet (@nabla_c0d3) of Data Theorem
NetworkExtension
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An uninitialized memory issue in the kernel led to the
disclosure of kernel memory content. This issue was addressed through
memory initialization.
CVE-ID
CVE-2015-5831 : Maxime Villard of m00nbsd
OpenSSL
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in OpenSSL
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-0286
CVE-2015-0287
PluginKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious enterprise application can install extensions
before the application has been trusted
Description: An issue existed in the validation of extensions during
installation. This was addressed through improved app verification.
CVE-ID
CVE-2015-5837 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei of
FireEye, Inc.
removefile
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing malicious data may lead to unexpected application
termination
Description: An overflow fault existed in the checkint division
routines. This issue was addressed with improved division routines.
CVE-ID
CVE-2015-5840 : an anonymous researcher
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to read Safari bookmarks on a
locked iOS device without a passcode
Description: Safari bookmark data was encrypted with a key protected
only by the hardware UID. This issue was addressed by encrypting the
Safari bookmark data with a key protected by the hardware UID and the
user's passcode.
CVE-ID
CVE-2015-5903 : Jonathan Zdziarski
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: An issue may have allowed a website to display content
with a URL from a different website. This issue was addressed through
improved URL handling.
CVE-ID
CVE-2015-5904 : Erling Ellingsen of Facebook, Lukasz Pilorz
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: Navigating to a malicious website with a malformed
window opener may have allowed the display of arbitrary URLs. This
issue was addressed through improved handling of window openers.
CVE-ID
CVE-2015-5905 : Keita Haga of keitahaga.com
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Users may be tracked by malicious websites using client
certificates
Description: An issue existed in Safari's client certificate
matching for SSL authentication. This issue was addressed through
improved matching of valid client certificates.
CVE-ID
CVE-2015-1129 : Stefan Kraus of fluid Operations AG, Sylvain Munaut
of Whatever s.a.
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: Multiple user interface inconsistencies may have
allowed a malicious website to display an arbitrary URL. These issues
were addressed through improved URL display logic.
CVE-ID
CVE-2015-5764 : Antonio Sanso (@asanso) of Adobe
CVE-2015-5765 : Ron Masas
CVE-2015-5767 : Krystian Kloskowski via Secunia, Masato Kinugawa
Safari Safe Browsing
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Navigating to the IP address of a known malicious website
may not trigger a security warning
Description: Safari's Safe Browsing feature did not warn users when
visiting known malicious websites by their IP addresses. The issue
was addressed through improved malicious site detection.
Rahul M of TagsDoc
Security
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious app may be able to intercept communication
between apps
Description: An issue existed that allowed a malicious app to
intercept URL scheme communication between apps. This was mitigated
by displaying a dialog when a URL scheme is used for the first time.
CVE-ID
CVE-2015-5835 : Teun van Run of FiftyTwoDegreesNorth B.V.; XiaoFeng
Wang of Indiana University, Luyi Xing of Indiana University, Tongxin
Li of Peking University, Tongxin Li of Peking University, Xiaolong
Bai of Tsinghua University
Siri
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to an iOS device may be able
to use Siri to read notifications of content that is set not to be
displayed at the lock screen
Description: When a request was made to Siri, client side
restrictions were not being checked by the server. This issue was
addressed through improved restriction checking.
CVE-ID
CVE-2015-5892 : Robert S Mozayeni, Joshua Donvito
SpringBoard
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A person with physical access to an iOS device can reply to
an audio message from the lock screen when message previews from the
lock screen are disabled
Description: A lock screen issue allowed users to reply to audio
messages when message previews were disabled. This issue was
addressed through improved state management.
CVE-ID
CVE-2015-5861 : Daniel Miedema of Meridian Apps
SpringBoard
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to spoof another
application's dialog windows
Description: An access issue existed with privileged API calls. This
issue was addressed through additional restrictions.
CVE-ID
CVE-2015-5838 : Min (Spark) Zheng, Hui Xue, Tao (Lenx) Wei, John C.S.
Lui
SQLite
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in SQLite v3.8.5
Description: Multiple vulnerabilities existed in SQLite v3.8.5.
These issues were addressed by updating SQLite to version 3.8.10.2.
CVE-ID
CVE-2015-5895
tidy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A memory corruption issue existed in Tidy. This issues
was addressed through improved memory handling.
CVE-ID
CVE-2015-5522 : Fernando Munoz of NULLGroup.com
CVE-2015-5523 : Fernando Munoz of NULLGroup.com
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Object references may be leaked between isolated origins on
custom events, message events and pop state events
Description: An object leak issue broke the isolation boundary
between origins. This issue was addressed through improved isolation
between origins.
CVE-ID
CVE-2015-5827 : Gildas
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Memory corruption issues existed in WebKit. These
issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5789 : Apple
CVE-2015-5790 : Apple
CVE-2015-5792 : Apple
CVE-2015-5794 : Apple
CVE-2015-5795 : Apple
CVE-2015-5796 : Apple
CVE-2015-5797 : Apple
CVE-2015-5799 : Apple
CVE-2015-5800 : Apple
CVE-2015-5801 : Apple
CVE-2015-5802 : Apple
CVE-2015-5803 : Apple
CVE-2015-5804 : Apple
CVE-2015-5805
CVE-2015-5806 : Apple
CVE-2015-5807 : Apple
CVE-2015-5809 : Apple
CVE-2015-5810 : Apple
CVE-2015-5811 : Apple
CVE-2015-5812 : Apple
CVE-2015-5813 : Apple
CVE-2015-5817 : Apple
CVE-2015-5818 : Apple
CVE-2015-5819 : Apple
CVE-2015-5821 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may lead to unintended dialing
Description: An issue existed in handling of tel://, facetime://,
and facetime-audio:// URLs. This issue was addressed through improved
URL handling.
CVE-ID
CVE-2015-5820 : Andrei Neculaesei, Guillaume Ross
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: QuickType may learn the last character of a password in a
filled-in web form
Description: An issue existed in WebKit's handling of password input
context. This issue was addressed through improved input context
handling.
CVE-ID
CVE-2015-5906 : Louis Romero of Google Inc.
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position may be able to
redirect to a malicious domain
Description: An issue existed in the handling of resource caches on
sites with invalid certificates. The issue was addressed by rejecting
the application cache of domains with invalid certificates.
CVE-ID
CVE-2015-5907 : Yaoqi Jia of National University of Singapore (NUS)
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious website may exfiltrate data cross-origin
Description: Safari allowed cross-origin stylesheets to be loaded
with non-CSS MIME types which could be used for cross-origin data
exfiltration. This issue was addressed by limiting MIME types for
cross-origin stylesheets.
CVE-ID
CVE-2015-5826 : filedescriptor, Chris Evans
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: The Performance API may allow a malicious website to leak
browsing history, network activity, and mouse movements
Description: WebKit's Performance API could have allowed a malicious
website to leak browsing history, network activity, and mouse
movements by measuring time. This issue was addressed by limiting
time resolution.
CVE-ID
CVE-2015-5825 : Yossi Oren et al. of Columbia University's Network
Security Lab
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: An issue existed with Content-Disposition headers
containing type attachment. This issue was addressed by disallowing
some functionality for type attachment pages.
CVE-ID
CVE-2015-5921 : Mickey Shkatov of the Intel(r) Advanced Threat
Research Team, Daoyuan Wu of Singapore Management University, Rocky
K. C. Chang of Hong Kong Polytechnic University, Lukasz Pilorz,
superhei of www.knownsec.com
WebKit Canvas
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may disclose image data from
another website
Description: A cross-origin issue existed with "canvas" element
images in WebKit. This was addressed through improved tracking of
security origins.
CVE-ID
CVE-2015-5788 : Apple
WebKit Page Loading
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: WebSockets may bypass mixed content policy enforcement
Description: An insufficient policy enforcement issue allowed
WebSockets to load mixed content. This issue was addressed by
extending mixed content policy enforcement to WebSockets.
Kevin G Jones of Higher Logic
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "9".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJV+avFAAoJEBcWfLTuOo7tAOsQAKVBs+YG3HuMy0mc0rnpbRtU
+bjdnzwBeQE6C6Fp/SlZroyYtutnPw9QoFbUpY9Kkcer08uPap6kUAcF72fD51tG
UYmIe5WvDSMWD98pKsgDGUVfGdU1h135KpSfDgoiQrZK2GAPe2xCDupD42jIPLk2
3qSyrYnVzfrCZ8uBk9j4gqoF5Ki6JSP/3Qm7hiPfhQXcMyQyIQ+2tJyQcSyGf5OM
RgkmHwjIjkEb8jwwQ6h4LPMNuvqq8Kv6P4wQQeUl7RdtLJfafmFg+mV7bSmV/b28
Hk5EHQrQJ5fVl9jBFxti6aZrhrNr5yRL9yAdrpNB0rWfDN0z9emyGRrW2vli+Zv+
0xXBZfAiNVAP53ou4gyVkLDZ+zx5lsWSADU1QWbIR2DY+WXUIN5QJ/ayFkNN9gqD
WrFGHOc/l+Rq82uQi4ND0jTcYqhBG0MyooJf29orPA2tZeKvrcA4/6w12w6eJ7qA
aW5J+BByErqWft42I/JT3CbnK+GBEDHnj4GAeSMHuNolPNsoH5cv0G4yKigW0zLS
81AzADTcBtKtaSD9aBAPAL6TTGUySmupF8flhHTMcpZh1MbAqo+bObMXUMvCrmST
yq+5/R0gVuMN0BQ7adwI0akYApuqrNi/Mp9zT+JlU2wiSfaHm58Ugf8YAmc+sfjT
rHWi1bvzskkrxRfuQ4mX
=MnPh
-----END PGP SIGNATURE-----
| VAR-201504-0111 | CVE-2015-1095 | plural Apple Product IOHIDFamily Vulnerable to arbitrary code execution |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
IOHIDFamily in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HID device. Apple TV/Mac OS X/iOS are prone to multiple security vulnerabilities.
Attackers can exploit these issues to bypass security restrictions, obtain sensitive information, execute arbitrary code, gain elevated privileges, conduct phishing attacks and perform other attacks. Failed attacks may cause denial-of-service conditions. The following products and versions are affected: Apple iOS 8.2 and earlier, Apple OS X 10.10.2 and earlier, Apple TV 7.1 and earlier. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2015-04-08-3 iOS 8.3
iOS 8.3 is now available and addresses the following:
AppleKeyStore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to guess the user's
passcode
Description: iOS allowed access to an interface which allowed
attempts to confirm the user's passcode. This issue was addressed
with improved entitlement checking.
CVE-ID
CVE-2015-1085
Audio Drivers
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in IOKit objects used by an
audio driver. This issue was addressed through improved validation of
metadata.
CVE-ID
CVE-2015-1086
Backup
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to use the backup system to access
restricted areas of the file system
Description: An issue existed in the relative path evaluation logic
of the backup system. This issues was addressed through improved path
evaluation.
CVE-ID
CVE-2015-1087 : TaiG Jailbreak Team
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Cookies belonging to one origin may be sent to another
origin
Description: A cross-domain cookie issue existed in redirect
handling. Cookies set in a redirect response could be passed on to a
redirect target belonging to another origin. The issue was address
through improved handling of redirects.
CVE-ID
CVE-2015-1089 : Niklas Keller
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A user may be unable to fully delete browsing history
Description: Clearing Safari's history did not clear saved HTTP
Strict Transport Security state. The issue was addressed through
improved data deletion.
CVE-ID
CVE-2015-1090
CFNetwork Session
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Authentication credentials may be sent to a server on
another origin
Description: A cross-domain HTTP request headers issue existed in
redirect handling. HTTP request headers sent in a redirect response
could be passed on to another origin. The issue was addressed through
improved handling of redirects.
CVE-ID
CVE-2015-1091 : Diego Torres (http://dtorres.me)
CFURL
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: An input validation issue existed within URL
processing. This issue was addressed through improved URL validation.
CVE-ID
CVE-2015-1088
Foundation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application using NSXMLParser may be misused to disclose
information
Description: An XML External Entity issue existed in NSXMLParser's
handling of XML. This issue was addressed by not loading external
entities across origins.
CVE-ID
CVE-2015-1092 : Ikuya Fukumoto
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1093 : Marc Schoenefeld
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOAcceleratorFamily that led to the
disclosure of kernel memory content. This issue was addressed by
removing unneeded code.
CVE-ID
CVE-2015-1094 : Cererdlong of Alibaba Mobile Security Team
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious HID device may be able to cause arbitrary code
execution
Description: A memory corruption issue existed in an IOHIDFamily
API. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1095 : Andrew Church
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOHIDFamily that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1096 : Ilja van Sprundel of IOActive
IOMobileFramebuffer
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in MobileFrameBuffer that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1097 : Barak Gabai of the IBM X-Force Application Security
Research Team
iWork Viewer
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted iWork file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the handling of
iWork files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-1098 : Christopher Hickstein
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to cause a system denial
of service
Description: A race condition existed in the kernel's setreuid
system call. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1099 : Mark Mentovai of Google Inc.
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may escalate privileges using a
compromised service intended to run with reduced privileges
Description: setreuid and setregid system calls failed to drop
privileges permanently. This issue was addressed by correctly
dropping privileges.
CVE-ID
CVE-2015-1117 : Mark Mentovai of Google Inc.
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to cause unexpected
system termination or read kernel memory
Description: A out of bounds memory access issue existed in the
kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1100 : Maxime Villard of m00nbsd
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1101 : lokihardt@ASRT working with HP's Zero Day Initiative
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to cause a denial of service
Description: A state inconsistency existed in the processing of TCP
headers. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-1102 : Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to redirect user traffic to arbitrary hosts
Description: ICMP redirects were enabled by default on iOS. This
issue was addressed by disabling ICMP redirects.
CVE-ID
CVE-2015-1103 : Zimperium Mobile Security Labs
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to bypass network filters
Description: The system would treat some IPv6 packets from remote
network interfaces as local packets. The issue was addressed by
rejecting these packets.
CVE-ID
CVE-2015-1104 : Stephen Roettger of the Google Security Team
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to cause a denial of service
Description: A state inconsistency issue existed in the handling of
TCP out of band data. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1105 : Kenton Varda of Sandstorm.io
Keyboards
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: QuickType could learn users' passcodes
Description: When using Bluetooth keyboards, QuickType could learn
users' passcodes. This issue was addressed by preventing QuickType
from being displayed on the lockscreen.
CVE-ID
CVE-2015-1106 : Jarrod Dwenger, Steve Favorito, Paul Reedy of
ConocoPhillips, Pedro Tavares of Molecular Biophysics at
UCIBIO/FCT/UNL, De Paul Sunny, Christian Still of Evolve Media,
Canada
libnetcore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted configuration profile may
lead to unexpected application termination
Description: A memory corruption issue existed in the handling of
configuration profiles. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2015-1118 : Zhaofeng Chen, Hui Xue, Yulong Zhang, and Tao Wei of
FireEye, Inc.
Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may prevent erasing
the device after failed passcode attempts
Description: In some circumstances, a device might not erase itself
after failed passcode attempts. This issue was addressed through
additional enforcement of erasure.
CVE-ID
CVE-2015-1107 : Brent Erickson, Stuart Ryan of University of
Technology, Sydney
Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may exceed the maximum
number of failed passcode attempts
Description: In some circumstances, the failed passcode attempt
limit was not enforced. This issue was addressed through additional
enforcement of this limit.
CVE-ID
CVE-2015-1108
NetworkExtension
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may be able to recover
VPN credentials
Description: An issue existed in the handling of VPN configuration
logs. This issue was addressed by removing logging of credentials.
CVE-ID
CVE-2015-1109 : Josh Tway of IPVanish
Podcasts
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Unnecessary information may be sent to external servers when
downloading podcast assets
Description: When downloading assets for podcast a user was
subscribed to, unique identifiers were sent to external servers. This
issue was resolved by removing these identifiers.
CVE-ID
CVE-2015-1110 : Alex Selivanov
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A user may be unable to fully delete browsing history
Description: Clearing Safari's history did not clear "Recently
closed tabs". The issue was addressed through improved data deletion.
CVE-ID
CVE-2015-1111 : Frode Moe of LastFriday.no
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Users' browsing history may not be completely purged
Description: A state management issue existed in Safari that
resulted in users' browsing history not being purged from
history.plist. This issue was addressed by improved state management.
CVE-ID
CVE-2015-1112 : William Breuer, The Netherlands
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to access phone numbers
or email addresses of recent contacts
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the sandbox
profile.
CVE-ID
CVE-2015-1113 : Andreas Kurtz of NESO Security Labs, Markus TroBbach
of Heilbronn University
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Hardware identifiers may be accessible by third-party apps
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the sandbox
profile.
CVE-ID
CVE-2015-1114
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to access restricted
telephony functions
Description: An access control issue existed in the telephony
subsystem. Sandboxed apps could access restricted telephony
functions. This issue was addressed with improved entitlement
checking.
CVE-ID
CVE-2015-1115 : Andreas Kurtz of NESO Security Labs, Markus TroBbach
of Heilbronn University
UIKit View
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Sensitive data may be exposed in application snapshots
presented in the Task Switcher
Description: An issue existed in UIKit, which did not blur
application snapshots containing sensitive data in the Task Switcher.
This issue was addressed by correctly blurring the snapshot.
CVE-ID
CVE-2015-1116 : The mobile app team at HP Security Voltage, Aaron
Rogers of Mint.com, David Edwards of Tech4Tomorrow, David Zhang of
Dropbox
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Inconsistent user interface may prevent users from
discerning a phishing attack
Description: A user interface inconsistency existed in Safari that
allowed an attacker to misrepresent the URL. This issue was addressed
through improved user interface consistency checks.
CVE-ID
CVE-2015-1084 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1068 : Apple
CVE-2015-1069 : lokihardt@ASRT working with HP's Zero Day Initiative
CVE-2015-1070 : Apple
CVE-2015-1071 : Apple
CVE-2015-1072
CVE-2015-1073 : Apple
CVE-2015-1074 : Apple
CVE-2015-1076
CVE-2015-1077 : Apple
CVE-2015-1078 : Apple
CVE-2015-1079 : Apple
CVE-2015-1080 : Apple
CVE-2015-1081 : Apple
CVE-2015-1082 : Apple
CVE-2015-1083 : Apple
CVE-2015-1119 : Renata Hodovan of University of Szeged / Samsung
Electronics
CVE-2015-1120 : Apple
CVE-2015-1121 : Apple
CVE-2015-1122 : Apple
CVE-2015-1123 : Randy Luecke and Anoop Menon of Google Inc.
CVE-2015-1124 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a user
invoking a click on another website
Description: An issue existed when handling touch events. A tap
could propagate to another website. The issue was addressed through
improved event handling.
CVE-ID
CVE-2015-1125 : Phillip Moon and Matt Weston of www.sandfield.co.nz
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to resources
of another origin being accessed
Description: An issue existed in WebKit when handling credentials in
FTP URLs. This issue was address through improved decoding.
CVE-ID
CVE-2015-1126 : Jouko Pynnonen of Klikki Oy
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.3".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJVJKl9AAoJEBcWfLTuOo7tJSQQAISlSqHZbMZOKrc6qCQ3E+Yn
ROyg7duvjIiaOHEiromwOpXjINbRTlhV5I6cseJrZOa7oLhgtIFes7wCo2rj/IjK
pTv3GMc84r7gPY38JE6//rU6Ni9YCuSKt69iOpF2RmKCLrrhjyP/igY/IKro3ujS
YyDgEEtmBtekU/QbUcZb8qfQ+/E0O6ZwZqvmzlmbcmeqM0/xy/lb8MmPcPwSTCTc
oQUj3xF+2OBIyudzQX6PmTFIDQjKYUg2dXEapYhzUhVkaZkdhRsJDaNJR7rlOYhK
Zea99fN+wnRr6F6IklXRTUdf4Lwegjs+kBA0HqrsxTX/LORQu98LWWXJ5vcl7OvE
moZRu46Jw7+AEwC2V3t7Bl6HbeHf3/jtQTV8q7ALdRhOcwgJdQUubRyMl1ZIG0NE
N3M6lxSxlkn5CuPggQcONc1SwkCfplIntxJ8ECDTW/mVc/GrmSN5BH19Lzd3gWFR
vRD5soYzZrTfWaULp+VzepiWz0FpJsJPn/sDQxvZfOzSzIsFKCX3OO671lXC7fV+
Qgl5vPXleUGxgScn0jQEDPrXAj6U85xqfXc+aZn8jKpfMthfukKXM8Tazlz2Ywyj
g2EaerJBFCavTPpQpuq0MOL6RYo2PhlC6tkwT25NaG01v/wEfzs75Dgc2Z15QtaH
ceXrdFVQDQ9LSl38/qPo
=ifj1
-----END PGP SIGNATURE-----
| VAR-201504-0110 | CVE-2015-1094 | Apple iOS and Apple TV of IOAcceleratorFamily Vulnerability in obtaining important information about kernel memory |
CVSS V2: 1.9 CVSS V3: - Severity: LOW |
IOAcceleratorFamily in Apple iOS before 8.3 and Apple TV before 7.2 allows attackers to obtain sensitive information about kernel memory via a crafted app. Apple iOS and TV are prone to multiple information-disclosure vulnerabilities.
An attacker can exploit these issues to obtain sensitive information that may lead to further attacks.
These issues are fixed in:
Apple iOS 8.3
Apple TV 7.2. This issue, also
known as FREAK, only affected connections to servers which support
export-strength RSA cipher suites, and was addressed by removing
support for ephemeral RSA keys.
CVE-ID
CVE-2015-1067 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine
Delignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of
Prosecco at Inria Paris
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/en-us/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About". -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2015-04-08-3 iOS 8.3
iOS 8.3 is now available and addresses the following:
AppleKeyStore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to guess the user's
passcode
Description: iOS allowed access to an interface which allowed
attempts to confirm the user's passcode. This issue was addressed
with improved entitlement checking.
CVE-ID
CVE-2015-1085
Audio Drivers
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in IOKit objects used by an
audio driver. This issue was addressed through improved validation of
metadata.
CVE-ID
CVE-2015-1086
Backup
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to use the backup system to access
restricted areas of the file system
Description: An issue existed in the relative path evaluation logic
of the backup system. This issues was addressed through improved path
evaluation.
CVE-ID
CVE-2015-1087 : TaiG Jailbreak Team
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Cookies belonging to one origin may be sent to another
origin
Description: A cross-domain cookie issue existed in redirect
handling. Cookies set in a redirect response could be passed on to a
redirect target belonging to another origin. The issue was address
through improved handling of redirects.
CVE-ID
CVE-2015-1089 : Niklas Keller
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A user may be unable to fully delete browsing history
Description: Clearing Safari's history did not clear saved HTTP
Strict Transport Security state. The issue was addressed through
improved data deletion.
CVE-ID
CVE-2015-1090
CFNetwork Session
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Authentication credentials may be sent to a server on
another origin
Description: A cross-domain HTTP request headers issue existed in
redirect handling. HTTP request headers sent in a redirect response
could be passed on to another origin. The issue was addressed through
improved handling of redirects.
CVE-ID
CVE-2015-1091 : Diego Torres (http://dtorres.me)
CFURL
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: An input validation issue existed within URL
processing. This issue was addressed through improved URL validation.
CVE-ID
CVE-2015-1088
Foundation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application using NSXMLParser may be misused to disclose
information
Description: An XML External Entity issue existed in NSXMLParser's
handling of XML. This issue was addressed by not loading external
entities across origins.
CVE-ID
CVE-2015-1092 : Ikuya Fukumoto
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1093 : Marc Schoenefeld
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOAcceleratorFamily that led to the
disclosure of kernel memory content. This issue was addressed by
removing unneeded code.
CVE-ID
CVE-2015-1094 : Cererdlong of Alibaba Mobile Security Team
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious HID device may be able to cause arbitrary code
execution
Description: A memory corruption issue existed in an IOHIDFamily
API. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1095 : Andrew Church
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOHIDFamily that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1096 : Ilja van Sprundel of IOActive
IOMobileFramebuffer
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in MobileFrameBuffer that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1097 : Barak Gabai of the IBM X-Force Application Security
Research Team
iWork Viewer
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted iWork file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the handling of
iWork files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-1098 : Christopher Hickstein
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to cause a system denial
of service
Description: A race condition existed in the kernel's setreuid
system call. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1099 : Mark Mentovai of Google Inc.
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may escalate privileges using a
compromised service intended to run with reduced privileges
Description: setreuid and setregid system calls failed to drop
privileges permanently. This issue was addressed by correctly
dropping privileges.
CVE-ID
CVE-2015-1117 : Mark Mentovai of Google Inc.
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to cause unexpected
system termination or read kernel memory
Description: A out of bounds memory access issue existed in the
kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1100 : Maxime Villard of m00nbsd
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1101 : lokihardt@ASRT working with HP's Zero Day Initiative
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to cause a denial of service
Description: A state inconsistency existed in the processing of TCP
headers. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-1102 : Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to redirect user traffic to arbitrary hosts
Description: ICMP redirects were enabled by default on iOS. This
issue was addressed by disabling ICMP redirects.
CVE-ID
CVE-2015-1103 : Zimperium Mobile Security Labs
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to bypass network filters
Description: The system would treat some IPv6 packets from remote
network interfaces as local packets. The issue was addressed by
rejecting these packets.
CVE-ID
CVE-2015-1104 : Stephen Roettger of the Google Security Team
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to cause a denial of service
Description: A state inconsistency issue existed in the handling of
TCP out of band data. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1105 : Kenton Varda of Sandstorm.io
Keyboards
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: QuickType could learn users' passcodes
Description: When using Bluetooth keyboards, QuickType could learn
users' passcodes. This issue was addressed by preventing QuickType
from being displayed on the lockscreen.
CVE-ID
CVE-2015-1106 : Jarrod Dwenger, Steve Favorito, Paul Reedy of
ConocoPhillips, Pedro Tavares of Molecular Biophysics at
UCIBIO/FCT/UNL, De Paul Sunny, Christian Still of Evolve Media,
Canada
libnetcore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted configuration profile may
lead to unexpected application termination
Description: A memory corruption issue existed in the handling of
configuration profiles. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2015-1118 : Zhaofeng Chen, Hui Xue, Yulong Zhang, and Tao Wei of
FireEye, Inc.
Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may prevent erasing
the device after failed passcode attempts
Description: In some circumstances, a device might not erase itself
after failed passcode attempts. This issue was addressed through
additional enforcement of erasure.
CVE-ID
CVE-2015-1107 : Brent Erickson, Stuart Ryan of University of
Technology, Sydney
Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may exceed the maximum
number of failed passcode attempts
Description: In some circumstances, the failed passcode attempt
limit was not enforced. This issue was addressed through additional
enforcement of this limit.
CVE-ID
CVE-2015-1108
NetworkExtension
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may be able to recover
VPN credentials
Description: An issue existed in the handling of VPN configuration
logs. This issue was addressed by removing logging of credentials.
CVE-ID
CVE-2015-1109 : Josh Tway of IPVanish
Podcasts
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Unnecessary information may be sent to external servers when
downloading podcast assets
Description: When downloading assets for podcast a user was
subscribed to, unique identifiers were sent to external servers. This
issue was resolved by removing these identifiers.
CVE-ID
CVE-2015-1110 : Alex Selivanov
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A user may be unable to fully delete browsing history
Description: Clearing Safari's history did not clear "Recently
closed tabs". The issue was addressed through improved data deletion.
CVE-ID
CVE-2015-1111 : Frode Moe of LastFriday.no
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Users' browsing history may not be completely purged
Description: A state management issue existed in Safari that
resulted in users' browsing history not being purged from
history.plist. This issue was addressed by improved state management.
CVE-ID
CVE-2015-1112 : William Breuer, The Netherlands
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to access phone numbers
or email addresses of recent contacts
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the sandbox
profile.
CVE-ID
CVE-2015-1113 : Andreas Kurtz of NESO Security Labs, Markus TroBbach
of Heilbronn University
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Hardware identifiers may be accessible by third-party apps
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the sandbox
profile.
CVE-ID
CVE-2015-1114
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to access restricted
telephony functions
Description: An access control issue existed in the telephony
subsystem. Sandboxed apps could access restricted telephony
functions. This issue was addressed with improved entitlement
checking.
CVE-ID
CVE-2015-1115 : Andreas Kurtz of NESO Security Labs, Markus TroBbach
of Heilbronn University
UIKit View
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Sensitive data may be exposed in application snapshots
presented in the Task Switcher
Description: An issue existed in UIKit, which did not blur
application snapshots containing sensitive data in the Task Switcher.
This issue was addressed by correctly blurring the snapshot.
CVE-ID
CVE-2015-1116 : The mobile app team at HP Security Voltage, Aaron
Rogers of Mint.com, David Edwards of Tech4Tomorrow, David Zhang of
Dropbox
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Inconsistent user interface may prevent users from
discerning a phishing attack
Description: A user interface inconsistency existed in Safari that
allowed an attacker to misrepresent the URL. This issue was addressed
through improved user interface consistency checks.
CVE-ID
CVE-2015-1084 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1068 : Apple
CVE-2015-1069 : lokihardt@ASRT working with HP's Zero Day Initiative
CVE-2015-1070 : Apple
CVE-2015-1071 : Apple
CVE-2015-1072
CVE-2015-1073 : Apple
CVE-2015-1074 : Apple
CVE-2015-1076
CVE-2015-1077 : Apple
CVE-2015-1078 : Apple
CVE-2015-1079 : Apple
CVE-2015-1080 : Apple
CVE-2015-1081 : Apple
CVE-2015-1082 : Apple
CVE-2015-1083 : Apple
CVE-2015-1119 : Renata Hodovan of University of Szeged / Samsung
Electronics
CVE-2015-1120 : Apple
CVE-2015-1121 : Apple
CVE-2015-1122 : Apple
CVE-2015-1123 : Randy Luecke and Anoop Menon of Google Inc.
CVE-2015-1124 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a user
invoking a click on another website
Description: An issue existed when handling touch events. A tap
could propagate to another website. The issue was addressed through
improved event handling.
CVE-ID
CVE-2015-1125 : Phillip Moon and Matt Weston of www.sandfield.co.nz
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to resources
of another origin being accessed
Description: An issue existed in WebKit when handling credentials in
FTP URLs. This issue was address through improved decoding.
CVE-ID
CVE-2015-1126 : Jouko Pynnonen of Klikki Oy
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.3".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJVJKl9AAoJEBcWfLTuOo7tJSQQAISlSqHZbMZOKrc6qCQ3E+Yn
ROyg7duvjIiaOHEiromwOpXjINbRTlhV5I6cseJrZOa7oLhgtIFes7wCo2rj/IjK
pTv3GMc84r7gPY38JE6//rU6Ni9YCuSKt69iOpF2RmKCLrrhjyP/igY/IKro3ujS
YyDgEEtmBtekU/QbUcZb8qfQ+/E0O6ZwZqvmzlmbcmeqM0/xy/lb8MmPcPwSTCTc
oQUj3xF+2OBIyudzQX6PmTFIDQjKYUg2dXEapYhzUhVkaZkdhRsJDaNJR7rlOYhK
Zea99fN+wnRr6F6IklXRTUdf4Lwegjs+kBA0HqrsxTX/LORQu98LWWXJ5vcl7OvE
moZRu46Jw7+AEwC2V3t7Bl6HbeHf3/jtQTV8q7ALdRhOcwgJdQUubRyMl1ZIG0NE
N3M6lxSxlkn5CuPggQcONc1SwkCfplIntxJ8ECDTW/mVc/GrmSN5BH19Lzd3gWFR
vRD5soYzZrTfWaULp+VzepiWz0FpJsJPn/sDQxvZfOzSzIsFKCX3OO671lXC7fV+
Qgl5vPXleUGxgScn0jQEDPrXAj6U85xqfXc+aZn8jKpfMthfukKXM8Tazlz2Ywyj
g2EaerJBFCavTPpQpuq0MOL6RYo2PhlC6tkwT25NaG01v/wEfzs75Dgc2Z15QtaH
ceXrdFVQDQ9LSl38/qPo
=ifj1
-----END PGP SIGNATURE-----
| VAR-201504-0112 | CVE-2015-1096 | plural Apple Product IOHIDFamily Vulnerability in obtaining important information about kernel memory |
CVSS V2: 1.9 CVSS V3: - Severity: LOW |
IOHIDFamily in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to obtain sensitive information about kernel memory via a crafted app. Apple TV/Mac OS X/iOS are prone to multiple security vulnerabilities.
Attackers can exploit these issues to bypass security restrictions, obtain sensitive information, execute arbitrary code, gain elevated privileges, conduct phishing attacks and perform other attacks. Failed attacks may cause denial-of-service conditions. This issue, also
known as FREAK, only affected connections to servers which support
export-strength RSA cipher suites, and was addressed by removing
support for ephemeral RSA keys.
CVE-ID
CVE-2015-1067 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine
Delignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of
Prosecco at Inria Paris
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/en-us/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About". -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2015-04-08-3 iOS 8.3
iOS 8.3 is now available and addresses the following:
AppleKeyStore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to guess the user's
passcode
Description: iOS allowed access to an interface which allowed
attempts to confirm the user's passcode. This issue was addressed
with improved entitlement checking.
CVE-ID
CVE-2015-1085
Audio Drivers
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in IOKit objects used by an
audio driver. This issue was addressed through improved validation of
metadata.
CVE-ID
CVE-2015-1086
Backup
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to use the backup system to access
restricted areas of the file system
Description: An issue existed in the relative path evaluation logic
of the backup system. This issues was addressed through improved path
evaluation.
CVE-ID
CVE-2015-1087 : TaiG Jailbreak Team
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Cookies belonging to one origin may be sent to another
origin
Description: A cross-domain cookie issue existed in redirect
handling. Cookies set in a redirect response could be passed on to a
redirect target belonging to another origin. The issue was address
through improved handling of redirects.
CVE-ID
CVE-2015-1089 : Niklas Keller
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A user may be unable to fully delete browsing history
Description: Clearing Safari's history did not clear saved HTTP
Strict Transport Security state. The issue was addressed through
improved data deletion.
CVE-ID
CVE-2015-1090
CFNetwork Session
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Authentication credentials may be sent to a server on
another origin
Description: A cross-domain HTTP request headers issue existed in
redirect handling. HTTP request headers sent in a redirect response
could be passed on to another origin. The issue was addressed through
improved handling of redirects.
CVE-ID
CVE-2015-1091 : Diego Torres (http://dtorres.me)
CFURL
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: An input validation issue existed within URL
processing. This issue was addressed through improved URL validation.
CVE-ID
CVE-2015-1088
Foundation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application using NSXMLParser may be misused to disclose
information
Description: An XML External Entity issue existed in NSXMLParser's
handling of XML. This issue was addressed by not loading external
entities across origins.
CVE-ID
CVE-2015-1092 : Ikuya Fukumoto
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1093 : Marc Schoenefeld
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOAcceleratorFamily that led to the
disclosure of kernel memory content. This issue was addressed by
removing unneeded code.
CVE-ID
CVE-2015-1094 : Cererdlong of Alibaba Mobile Security Team
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious HID device may be able to cause arbitrary code
execution
Description: A memory corruption issue existed in an IOHIDFamily
API. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1095 : Andrew Church
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOHIDFamily that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1096 : Ilja van Sprundel of IOActive
IOMobileFramebuffer
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in MobileFrameBuffer that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1097 : Barak Gabai of the IBM X-Force Application Security
Research Team
iWork Viewer
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted iWork file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the handling of
iWork files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-1098 : Christopher Hickstein
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to cause a system denial
of service
Description: A race condition existed in the kernel's setreuid
system call. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1099 : Mark Mentovai of Google Inc.
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may escalate privileges using a
compromised service intended to run with reduced privileges
Description: setreuid and setregid system calls failed to drop
privileges permanently. This issue was addressed by correctly
dropping privileges.
CVE-ID
CVE-2015-1117 : Mark Mentovai of Google Inc.
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to cause unexpected
system termination or read kernel memory
Description: A out of bounds memory access issue existed in the
kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1100 : Maxime Villard of m00nbsd
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1101 : lokihardt@ASRT working with HP's Zero Day Initiative
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to cause a denial of service
Description: A state inconsistency existed in the processing of TCP
headers. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-1102 : Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to redirect user traffic to arbitrary hosts
Description: ICMP redirects were enabled by default on iOS. This
issue was addressed by disabling ICMP redirects.
CVE-ID
CVE-2015-1103 : Zimperium Mobile Security Labs
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to bypass network filters
Description: The system would treat some IPv6 packets from remote
network interfaces as local packets. The issue was addressed by
rejecting these packets.
CVE-ID
CVE-2015-1104 : Stephen Roettger of the Google Security Team
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to cause a denial of service
Description: A state inconsistency issue existed in the handling of
TCP out of band data. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1105 : Kenton Varda of Sandstorm.io
Keyboards
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: QuickType could learn users' passcodes
Description: When using Bluetooth keyboards, QuickType could learn
users' passcodes. This issue was addressed by preventing QuickType
from being displayed on the lockscreen.
CVE-ID
CVE-2015-1106 : Jarrod Dwenger, Steve Favorito, Paul Reedy of
ConocoPhillips, Pedro Tavares of Molecular Biophysics at
UCIBIO/FCT/UNL, De Paul Sunny, Christian Still of Evolve Media,
Canada
libnetcore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted configuration profile may
lead to unexpected application termination
Description: A memory corruption issue existed in the handling of
configuration profiles. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2015-1118 : Zhaofeng Chen, Hui Xue, Yulong Zhang, and Tao Wei of
FireEye, Inc.
Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may prevent erasing
the device after failed passcode attempts
Description: In some circumstances, a device might not erase itself
after failed passcode attempts. This issue was addressed through
additional enforcement of erasure.
CVE-ID
CVE-2015-1107 : Brent Erickson, Stuart Ryan of University of
Technology, Sydney
Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may exceed the maximum
number of failed passcode attempts
Description: In some circumstances, the failed passcode attempt
limit was not enforced. This issue was addressed through additional
enforcement of this limit.
CVE-ID
CVE-2015-1108
NetworkExtension
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may be able to recover
VPN credentials
Description: An issue existed in the handling of VPN configuration
logs. This issue was addressed by removing logging of credentials.
CVE-ID
CVE-2015-1109 : Josh Tway of IPVanish
Podcasts
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Unnecessary information may be sent to external servers when
downloading podcast assets
Description: When downloading assets for podcast a user was
subscribed to, unique identifiers were sent to external servers. This
issue was resolved by removing these identifiers.
CVE-ID
CVE-2015-1110 : Alex Selivanov
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A user may be unable to fully delete browsing history
Description: Clearing Safari's history did not clear "Recently
closed tabs". The issue was addressed through improved data deletion.
CVE-ID
CVE-2015-1111 : Frode Moe of LastFriday.no
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Users' browsing history may not be completely purged
Description: A state management issue existed in Safari that
resulted in users' browsing history not being purged from
history.plist. This issue was addressed by improved state management.
CVE-ID
CVE-2015-1112 : William Breuer, The Netherlands
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to access phone numbers
or email addresses of recent contacts
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the sandbox
profile.
CVE-ID
CVE-2015-1113 : Andreas Kurtz of NESO Security Labs, Markus TroBbach
of Heilbronn University
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Hardware identifiers may be accessible by third-party apps
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the sandbox
profile.
CVE-ID
CVE-2015-1114
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to access restricted
telephony functions
Description: An access control issue existed in the telephony
subsystem. Sandboxed apps could access restricted telephony
functions. This issue was addressed with improved entitlement
checking.
CVE-ID
CVE-2015-1115 : Andreas Kurtz of NESO Security Labs, Markus TroBbach
of Heilbronn University
UIKit View
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Sensitive data may be exposed in application snapshots
presented in the Task Switcher
Description: An issue existed in UIKit, which did not blur
application snapshots containing sensitive data in the Task Switcher.
This issue was addressed by correctly blurring the snapshot.
CVE-ID
CVE-2015-1116 : The mobile app team at HP Security Voltage, Aaron
Rogers of Mint.com, David Edwards of Tech4Tomorrow, David Zhang of
Dropbox
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Inconsistent user interface may prevent users from
discerning a phishing attack
Description: A user interface inconsistency existed in Safari that
allowed an attacker to misrepresent the URL. This issue was addressed
through improved user interface consistency checks.
CVE-ID
CVE-2015-1084 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1068 : Apple
CVE-2015-1069 : lokihardt@ASRT working with HP's Zero Day Initiative
CVE-2015-1070 : Apple
CVE-2015-1071 : Apple
CVE-2015-1072
CVE-2015-1073 : Apple
CVE-2015-1074 : Apple
CVE-2015-1076
CVE-2015-1077 : Apple
CVE-2015-1078 : Apple
CVE-2015-1079 : Apple
CVE-2015-1080 : Apple
CVE-2015-1081 : Apple
CVE-2015-1082 : Apple
CVE-2015-1083 : Apple
CVE-2015-1119 : Renata Hodovan of University of Szeged / Samsung
Electronics
CVE-2015-1120 : Apple
CVE-2015-1121 : Apple
CVE-2015-1122 : Apple
CVE-2015-1123 : Randy Luecke and Anoop Menon of Google Inc.
CVE-2015-1124 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a user
invoking a click on another website
Description: An issue existed when handling touch events. A tap
could propagate to another website. The issue was addressed through
improved event handling.
CVE-ID
CVE-2015-1125 : Phillip Moon and Matt Weston of www.sandfield.co.nz
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to resources
of another origin being accessed
Description: An issue existed in WebKit when handling credentials in
FTP URLs. This issue was address through improved decoding.
CVE-ID
CVE-2015-1126 : Jouko Pynnonen of Klikki Oy
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.3".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJVJKl9AAoJEBcWfLTuOo7tJSQQAISlSqHZbMZOKrc6qCQ3E+Yn
ROyg7duvjIiaOHEiromwOpXjINbRTlhV5I6cseJrZOa7oLhgtIFes7wCo2rj/IjK
pTv3GMc84r7gPY38JE6//rU6Ni9YCuSKt69iOpF2RmKCLrrhjyP/igY/IKro3ujS
YyDgEEtmBtekU/QbUcZb8qfQ+/E0O6ZwZqvmzlmbcmeqM0/xy/lb8MmPcPwSTCTc
oQUj3xF+2OBIyudzQX6PmTFIDQjKYUg2dXEapYhzUhVkaZkdhRsJDaNJR7rlOYhK
Zea99fN+wnRr6F6IklXRTUdf4Lwegjs+kBA0HqrsxTX/LORQu98LWWXJ5vcl7OvE
moZRu46Jw7+AEwC2V3t7Bl6HbeHf3/jtQTV8q7ALdRhOcwgJdQUubRyMl1ZIG0NE
N3M6lxSxlkn5CuPggQcONc1SwkCfplIntxJ8ECDTW/mVc/GrmSN5BH19Lzd3gWFR
vRD5soYzZrTfWaULp+VzepiWz0FpJsJPn/sDQxvZfOzSzIsFKCX3OO671lXC7fV+
Qgl5vPXleUGxgScn0jQEDPrXAj6U85xqfXc+aZn8jKpfMthfukKXM8Tazlz2Ywyj
g2EaerJBFCavTPpQpuq0MOL6RYo2PhlC6tkwT25NaG01v/wEfzs75Dgc2Z15QtaH
ceXrdFVQDQ9LSl38/qPo
=ifj1
-----END PGP SIGNATURE-----
| VAR-201504-0108 | CVE-2015-1092 | Apple iOS and Apple TV of Foundation Inside NSXMLParser Vulnerable to reading arbitrary files |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
NSXMLParser in Foundation in Apple iOS before 8.3 and Apple TV before 7.2 allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
An attacker can exploit these issues to obtain sensitive information that may lead to further attacks. NSXMLParser is one of the components that uses the sax method to parse xml files. This issue, also
known as FREAK, only affected connections to servers which support
export-strength RSA cipher suites, and was addressed by removing
support for ephemeral RSA keys.
CVE-ID
CVE-2015-1067 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine
Delignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of
Prosecco at Inria Paris
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/en-us/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About". -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2015-04-08-3 iOS 8.3
iOS 8.3 is now available and addresses the following:
AppleKeyStore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to guess the user's
passcode
Description: iOS allowed access to an interface which allowed
attempts to confirm the user's passcode. This issue was addressed
with improved entitlement checking.
CVE-ID
CVE-2015-1085
Audio Drivers
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in IOKit objects used by an
audio driver. This issue was addressed through improved validation of
metadata.
CVE-ID
CVE-2015-1086
Backup
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to use the backup system to access
restricted areas of the file system
Description: An issue existed in the relative path evaluation logic
of the backup system. This issues was addressed through improved path
evaluation.
CVE-ID
CVE-2015-1087 : TaiG Jailbreak Team
Certificate Trust Policy
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT204132
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Cookies belonging to one origin may be sent to another
origin
Description: A cross-domain cookie issue existed in redirect
handling. Cookies set in a redirect response could be passed on to a
redirect target belonging to another origin. The issue was address
through improved handling of redirects.
CVE-ID
CVE-2015-1089 : Niklas Keller
CFNetwork
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A user may be unable to fully delete browsing history
Description: Clearing Safari's history did not clear saved HTTP
Strict Transport Security state. The issue was addressed through
improved data deletion.
CVE-ID
CVE-2015-1090
CFNetwork Session
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Authentication credentials may be sent to a server on
another origin
Description: A cross-domain HTTP request headers issue existed in
redirect handling. HTTP request headers sent in a redirect response
could be passed on to another origin. The issue was addressed through
improved handling of redirects.
CVE-ID
CVE-2015-1091 : Diego Torres (http://dtorres.me)
CFURL
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: An input validation issue existed within URL
processing. This issue was addressed through improved URL validation.
CVE-ID
CVE-2015-1088
Foundation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An application using NSXMLParser may be misused to disclose
information
Description: An XML External Entity issue existed in NSXMLParser's
handling of XML. This issue was addressed by not loading external
entities across origins.
CVE-ID
CVE-2015-1092 : Ikuya Fukumoto
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1093 : Marc Schoenefeld
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOAcceleratorFamily that led to the
disclosure of kernel memory content. This issue was addressed by
removing unneeded code.
CVE-ID
CVE-2015-1094 : Cererdlong of Alibaba Mobile Security Team
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious HID device may be able to cause arbitrary code
execution
Description: A memory corruption issue existed in an IOHIDFamily
API. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1095 : Andrew Church
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOHIDFamily that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1096 : Ilja van Sprundel of IOActive
IOMobileFramebuffer
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in MobileFrameBuffer that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1097 : Barak Gabai of the IBM X-Force Application Security
Research Team
iWork Viewer
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted iWork file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the handling of
iWork files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-1098 : Christopher Hickstein
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to cause a system denial
of service
Description: A race condition existed in the kernel's setreuid
system call. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1099 : Mark Mentovai of Google Inc.
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may escalate privileges using a
compromised service intended to run with reduced privileges
Description: setreuid and setregid system calls failed to drop
privileges permanently. This issue was addressed by correctly
dropping privileges.
CVE-ID
CVE-2015-1117 : Mark Mentovai of Google Inc.
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to cause unexpected
system termination or read kernel memory
Description: A out of bounds memory access issue existed in the
kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1100 : Maxime Villard of m00nbsd
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1101 : lokihardt@ASRT working with HP's Zero Day Initiative
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to cause a denial of service
Description: A state inconsistency existed in the processing of TCP
headers. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-1102 : Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able
to redirect user traffic to arbitrary hosts
Description: ICMP redirects were enabled by default on iOS. This
issue was addressed by disabling ICMP redirects.
CVE-ID
CVE-2015-1103 : Zimperium Mobile Security Labs
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to bypass network filters
Description: The system would treat some IPv6 packets from remote
network interfaces as local packets. The issue was addressed by
rejecting these packets.
CVE-ID
CVE-2015-1104 : Stephen Roettger of the Google Security Team
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A remote attacker may be able to cause a denial of service
Description: A state inconsistency issue existed in the handling of
TCP out of band data. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1105 : Kenton Varda of Sandstorm.io
Keyboards
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: QuickType could learn users' passcodes
Description: When using Bluetooth keyboards, QuickType could learn
users' passcodes. This issue was addressed by preventing QuickType
from being displayed on the lockscreen.
CVE-ID
CVE-2015-1106 : Jarrod Dwenger, Steve Favorito, Paul Reedy of
ConocoPhillips, Pedro Tavares of Molecular Biophysics at
UCIBIO/FCT/UNL, De Paul Sunny, Christian Still of Evolve Media,
Canada
libnetcore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted configuration profile may
lead to unexpected application termination
Description: A memory corruption issue existed in the handling of
configuration profiles. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2015-1118 : Zhaofeng Chen, Hui Xue, Yulong Zhang, and Tao Wei of
FireEye, Inc.
Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may prevent erasing
the device after failed passcode attempts
Description: In some circumstances, a device might not erase itself
after failed passcode attempts. This issue was addressed through
additional enforcement of erasure.
CVE-ID
CVE-2015-1107 : Brent Erickson, Stuart Ryan of University of
Technology, Sydney
Lock Screen
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may exceed the maximum
number of failed passcode attempts
Description: In some circumstances, the failed passcode attempt
limit was not enforced. This issue was addressed through additional
enforcement of this limit.
CVE-ID
CVE-2015-1108
NetworkExtension
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in possession of a device may be able to recover
VPN credentials
Description: An issue existed in the handling of VPN configuration
logs. This issue was addressed by removing logging of credentials.
CVE-ID
CVE-2015-1109 : Josh Tway of IPVanish
Podcasts
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Unnecessary information may be sent to external servers when
downloading podcast assets
Description: When downloading assets for podcast a user was
subscribed to, unique identifiers were sent to external servers. This
issue was resolved by removing these identifiers.
CVE-ID
CVE-2015-1110 : Alex Selivanov
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A user may be unable to fully delete browsing history
Description: Clearing Safari's history did not clear "Recently
closed tabs". The issue was addressed through improved data deletion.
CVE-ID
CVE-2015-1111 : Frode Moe of LastFriday.no
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Users' browsing history may not be completely purged
Description: A state management issue existed in Safari that
resulted in users' browsing history not being purged from
history.plist. This issue was addressed by improved state management.
CVE-ID
CVE-2015-1112 : William Breuer, The Netherlands
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to access phone numbers
or email addresses of recent contacts
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the sandbox
profile.
CVE-ID
CVE-2015-1113 : Andreas Kurtz of NESO Security Labs, Markus TroBbach
of Heilbronn University
Sandbox Profiles
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Hardware identifiers may be accessible by third-party apps
Description: An information disclosure issue existed in the third-
party app sandbox. This issue was addressed by improving the sandbox
profile.
CVE-ID
CVE-2015-1114
Telephony
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to access restricted
telephony functions
Description: An access control issue existed in the telephony
subsystem. Sandboxed apps could access restricted telephony
functions. This issue was addressed with improved entitlement
checking.
CVE-ID
CVE-2015-1115 : Andreas Kurtz of NESO Security Labs, Markus TroBbach
of Heilbronn University
UIKit View
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Sensitive data may be exposed in application snapshots
presented in the Task Switcher
Description: An issue existed in UIKit, which did not blur
application snapshots containing sensitive data in the Task Switcher.
This issue was addressed by correctly blurring the snapshot.
CVE-ID
CVE-2015-1116 : The mobile app team at HP Security Voltage, Aaron
Rogers of Mint.com, David Edwards of Tech4Tomorrow, David Zhang of
Dropbox
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Inconsistent user interface may prevent users from
discerning a phishing attack
Description: A user interface inconsistency existed in Safari that
allowed an attacker to misrepresent the URL. This issue was addressed
through improved user interface consistency checks.
CVE-ID
CVE-2015-1084 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1068 : Apple
CVE-2015-1069 : lokihardt@ASRT working with HP's Zero Day Initiative
CVE-2015-1070 : Apple
CVE-2015-1071 : Apple
CVE-2015-1072
CVE-2015-1073 : Apple
CVE-2015-1074 : Apple
CVE-2015-1076
CVE-2015-1077 : Apple
CVE-2015-1078 : Apple
CVE-2015-1079 : Apple
CVE-2015-1080 : Apple
CVE-2015-1081 : Apple
CVE-2015-1082 : Apple
CVE-2015-1083 : Apple
CVE-2015-1119 : Renata Hodovan of University of Szeged / Samsung
Electronics
CVE-2015-1120 : Apple
CVE-2015-1121 : Apple
CVE-2015-1122 : Apple
CVE-2015-1123 : Randy Luecke and Anoop Menon of Google Inc.
CVE-2015-1124 : Apple
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a user
invoking a click on another website
Description: An issue existed when handling touch events. A tap
could propagate to another website. The issue was addressed through
improved event handling.
CVE-ID
CVE-2015-1125 : Phillip Moon and Matt Weston of www.sandfield.co.nz
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to resources
of another origin being accessed
Description: An issue existed in WebKit when handling credentials in
FTP URLs. This issue was address through improved decoding.
CVE-ID
CVE-2015-1126 : Jouko Pynnonen of Klikki Oy
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.3".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJVJKl9AAoJEBcWfLTuOo7tJSQQAISlSqHZbMZOKrc6qCQ3E+Yn
ROyg7duvjIiaOHEiromwOpXjINbRTlhV5I6cseJrZOa7oLhgtIFes7wCo2rj/IjK
pTv3GMc84r7gPY38JE6//rU6Ni9YCuSKt69iOpF2RmKCLrrhjyP/igY/IKro3ujS
YyDgEEtmBtekU/QbUcZb8qfQ+/E0O6ZwZqvmzlmbcmeqM0/xy/lb8MmPcPwSTCTc
oQUj3xF+2OBIyudzQX6PmTFIDQjKYUg2dXEapYhzUhVkaZkdhRsJDaNJR7rlOYhK
Zea99fN+wnRr6F6IklXRTUdf4Lwegjs+kBA0HqrsxTX/LORQu98LWWXJ5vcl7OvE
moZRu46Jw7+AEwC2V3t7Bl6HbeHf3/jtQTV8q7ALdRhOcwgJdQUubRyMl1ZIG0NE
N3M6lxSxlkn5CuPggQcONc1SwkCfplIntxJ8ECDTW/mVc/GrmSN5BH19Lzd3gWFR
vRD5soYzZrTfWaULp+VzepiWz0FpJsJPn/sDQxvZfOzSzIsFKCX3OO671lXC7fV+
Qgl5vPXleUGxgScn0jQEDPrXAj6U85xqfXc+aZn8jKpfMthfukKXM8Tazlz2Ywyj
g2EaerJBFCavTPpQpuq0MOL6RYo2PhlC6tkwT25NaG01v/wEfzs75Dgc2Z15QtaH
ceXrdFVQDQ9LSl38/qPo
=ifj1
-----END PGP SIGNATURE-----
| VAR-201504-0082 | CVE-2015-1131 | Apple OS X of Apple Type Services of fontd Vulnerability gained in |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1132, CVE-2015-1133, CVE-2015-1134, and CVE-2015-1135. This vulnerability CVE-2015-1132 , CVE-2015-1133 , CVE-2015-1134 and CVE-2015-1135 Is a different vulnerability.Authority may be obtained by local users. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2015-004.
The update addresses new vulnerabilities that affect the Admin Framework, ATS, CoreAnimation, Graphics Driver, Hypervisor, ImageIO, IOHIDFamily, Kernel, LaunchServices, UniformTypeIdentifiers, Security - Code Signing, Open Directory Client, and Screen Sharing components.
Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information and perform other attacks.
These issues affect Mac OS X prior to 10.10.3. The following versions are affected: Apple OS X 10.8.5 and earlier, 10.9.5 and earlier, 10.10.2 and earlier
| VAR-201504-0361 | CVE-2015-1798 | NTP Project ntpd reference implementation contains multiple vulnerabilities |
CVSS V2: 1.8 CVSS V3: - Severity: LOW |
The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC. NTP Project ntpd reference implementation accepts unauthenticated packets with symmetric key cryptography and does not protect symmetric associations against denial of service attacks. Supplementary information : CWE Vulnerability type by CWE-17: Code ( code ) Has been identified. http://cwe.mitre.org/data/definitions/17.htmlMan-in-the-middle attacks (man-in-the-middle attack) By MAC The packet may be spoofed by being deleted.
Successful exploits may allow the attacker to cause a denial-of-service condition. NTP is prone to a security-bypass vulnerability.
Successfully exploiting this issue may allow attackers to obtain sensitive information by conducting a man-in-the-middle attack. This may lead to other attacks. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: NTP: Multiple vulnerablities
Date: September 24, 2015
Bugs: #545836, #553682
ID: 201509-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in NTP, the worst of which
could lead to arbitrary code execution.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/ntp < 4.2.8_p3 >= 4.2.8_p3
Description
===========
Multiple vulnerabilities have been discovered in NTP. Please review the
CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
Resolution
==========
All NTP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8_p3"
References
==========
[ 1 ] CVE-2015-1798
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1798
[ 2 ] CVE-2015-1799
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1799
[ 3 ] CVE-2015-5146
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5146
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-01
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/ntp-4.2.8p2-i486-1_slack14.1.txz: Upgraded.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p2-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p2-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p2-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p2-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p2-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p2-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p2-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p2-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p2-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p2-x86_64-1_slack14.1.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p2-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p2-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 13.0 package:
570bb3e4bb7b065101fa4963e757d7e7 ntp-4.2.8p2-i486-1_slack13.0.txz
Slackware x86_64 13.0 package:
e6add42a70a66496be2d4978370c2799 ntp-4.2.8p2-x86_64-1_slack13.0.txz
Slackware 13.1 package:
99f1cfa5e23a256d840ed0a56b7f9400 ntp-4.2.8p2-i486-1_slack13.1.txz
Slackware x86_64 13.1 package:
0a6622196521e084d36cda13fc6da824 ntp-4.2.8p2-x86_64-1_slack13.1.txz
Slackware 13.37 package:
28cfe042c585cf036582ce5f0c2daadf ntp-4.2.8p2-i486-1_slack13.37.txz
Slackware x86_64 13.37 package:
c436da55cd2d113142410a9d982c5ac5 ntp-4.2.8p2-x86_64-1_slack13.37.txz
Slackware 14.0 package:
cf69f8ecb5e4c1902dfb22d0f9685278 ntp-4.2.8p2-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
9c8344ec56d5d2335fd7370e2f9cf639 ntp-4.2.8p2-x86_64-1_slack14.0.txz
Slackware 14.1 package:
9dcf0eafa851ad018f8341c2fb9307b5 ntp-4.2.8p2-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
e0c063f4e46a72ec86012a46299a46df ntp-4.2.8p2-x86_64-1_slack14.1.txz
Slackware -current package:
5f72de16e3bb6cd216e7694a49671cee n/ntp-4.2.8p2-i486-1.txz
Slackware x86_64 -current package:
1ba531770e4a2ae6e8e7116aaa26523e n/ntp-4.2.8p2-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg ntp-4.2.8p2-i486-1_slack14.1.txz
Then, restart the NTP daemon:
# sh /etc/rc.d/rc.ntpd restart
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:07.ntp Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities of ntp
Category: contrib
Module: ntp
Announced: 2015-04-07
Credits: Network Time Foundation
Affects: All supported versions of FreeBSD.
Corrected: 2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name: CVE-2014-9297, CVE-2015-1798, CVE-2015-1799
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
II. Problem Description
The vallen packet value is not validated in several code paths in
ntp_crypto.c. [CVE-2015-1798]
NTP state variables are updated prior to validating the received packets.
[CVE-2015-1799]
III. [CVE-2015-1798]
An attacker knowing that NTP hosts A and B are peering with each other
(symmetric association) can periodically send a specially crafted or
replayed packet which will break the synchronization between the two
peers due to transmit timestamp mismatch, preventing the two nodes from
synchronizing with each other, even when authentication is enabled.
[CVE-2015-1799]
IV. Workaround
No workaround is available, but systems not running ntpd(8) are not
affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch.asc
# gpg --verify ntp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r281231
releng/8.4/ r281233
stable/9/ r281231
releng/9.3/ r281233
stable/10/ r281230
releng/10.1/ r281232
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. ============================================================================
Ubuntu Security Notice USN-2567-1
April 13, 2015
ntp vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in NTP. (CVE-2015-1798)
Miroslav Lichvar discovered that NTP incorrectly handled certain invalid
packets. This issue could either cause ntp-keygen to hang, or
could result in non-random keys. (CVE number pending)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.10.3
Ubuntu 14.04 LTS:
ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.04.3
Ubuntu 12.04 LTS:
ntp 1:4.2.6.p3+dfsg-1ubuntu3.4
In general, a standard system update will make all the necessary changes. 7) - noarch, x86_64
3. These packages include the ntpd
service which continuously adjusts system time and utilities used to query
and configure the ntpd service. (BZ#1191111)
* The ntpd service could previously join multicast groups only when
starting, which caused problems if ntpd was started during system boot
before network was configured. With this update, ntpd attempts to join
multicast groups every time network configuration is changed. (BZ#1171640)
Enhancements:
* This update adds support for configurable Differentiated Services Code
Points (DSCP) in NTP packets, simplifying configuration in large networks
where different NTP implementations or versions are using different DSCP
values. (BZ#1202828)
* This update adds the ability to configure separate clock stepping
thresholds for each direction (backward and forward). Use the "stepback"
and "stepfwd" options to configure each threshold.
Additionally, it was discovered that generating MD5 keys using ntp-keygen
on big endian machines would either trigger an endless loop, or generate
non-random keys.
For the stable distribution (wheezy), these problems have been fixed in
version 1:4.2.6.p5+dfsg-2+deb7u4.
For the unstable distribution (sid), these problems have been fixed in
version 1:4.2.6.p5+dfsg-7.
We recommend that you upgrade your ntp packages. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: ntp security, bug fix, and enhancement update
Advisory ID: RHSA-2015:1459-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1459.html
Issue date: 2015-07-22
Updated on: 2015-02-25
CVE Names: CVE-2014-9297 CVE-2014-9298 CVE-2015-1798
CVE-2015-1799 CVE-2015-3405
=====================================================================
1. Summary:
Updated ntp packages that fix multiple security issues, several bugs, and
add two enhancements are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
3. Description:
The Network Time Protocol (NTP) is used to synchronize a computer's time
with another referenced time source.
It was found that because NTP's access control was based on a source IP
address, an attacker could bypass source IP restrictions and send malicious
control and configuration packets by spoofing ::1 addresses.
(CVE-2014-9298)
A denial of service flaw was found in the way NTP hosts that were peering
with each other authenticated themselves before updating their internal
state variables. An attacker could send packets to one peer host, which
could cascade to other peers, and stop the synchronization process among
the reached peers. (CVE-2015-1799)
A flaw was found in the way the ntp-keygen utility generated MD5 symmetric
keys on big-endian systems. An attacker could possibly use this flaw to
guess generated MD5 keys, which could then be used to spoof an NTP client
or server. (CVE-2015-3405)
A stack-based buffer overflow was found in the way the NTP autokey protocol
was implemented. When an NTP client decrypted a secret received from an NTP
server, it could cause that client to crash. A man-in-the-middle attacker could use this
flaw to send crafted packets that would be accepted by a client or a peer
without the attacker knowing the symmetric key. (CVE-2015-1798)
The CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav
Lichvár of Red Hat.
Bug fixes:
* The ntpd daemon truncated symmetric keys specified in the key file to 20
bytes. As a consequence, it was impossible to configure NTP authentication
to work with peers that use longer keys. The maximum length of keys has now
been changed to 32 bytes. (BZ#1053551)
* The ntp-keygen utility used the exponent of 3 when generating RSA keys,
and generating RSA keys failed when FIPS mode was enabled. ntp-keygen has
been modified to use the exponent of 65537, and generating keys in FIPS
mode now works as expected. (BZ#1184421)
* The ntpd daemon included a root delay when calculating its root
dispersion. Consequently, the NTP server reported larger root dispersion
than it should have and clients could reject the source when its distance
reached the maximum synchronization distance (1.5 seconds by default).
Calculation of root dispersion has been fixed, the root dispersion is now
reported correctly, and clients no longer reject the server due to a large
synchronization distance. (BZ#1045376)
* The ntpd daemon dropped incoming NTP packets if their source port was
lower than 123 (the NTP port). Clients behind Network Address Translation
(NAT) were unable to synchronize with the server if their source port was
translated to ports below 123. With this update, ntpd no longer checks the
source port number. (BZ#1171630)
Enhancements:
* This update introduces configurable access of memory segments used for
Shared Memory Driver (SHM) reference clocks. Previously, only the first two
memory segments were created with owner-only access, allowing just two SHM
reference clocks to be used securely on a system. Now, the owner-only
access to SHM is configurable with the "mode" option, and it is therefore
possible to use more SHM reference clocks securely. (BZ#1122015)
* Support for nanosecond resolution has been added to the SHM reference
clock. Prior to this update, when a Precision Time Protocol (PTP) hardware
clock was used as a time source to synchronize the system clock (for
example, with the timemaster service from the linuxptp package), the
accuracy of the synchronization was limited due to the microsecond
resolution of the SHM protocol. The nanosecond extension in the SHM
protocol now enables sub-microsecond synchronization of the system clock.
(BZ#1117704)
4. Solution:
All ntp users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements. After installing the update, the ntpd daemon will
restart automatically.
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
995134 - ntp package doesn't build with net-snmp-devel
1045376 - Fix root distance and root dispersion calculations. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ntp-4.2.6p5-5.el6.src.rpm
i386:
ntp-4.2.6p5-5.el6.i686.rpm
ntp-debuginfo-4.2.6p5-5.el6.i686.rpm
ntpdate-4.2.6p5-5.el6.i686.rpm
x86_64:
ntp-4.2.6p5-5.el6.x86_64.rpm
ntp-debuginfo-4.2.6p5-5.el6.x86_64.rpm
ntpdate-4.2.6p5-5.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-5.el6.i686.rpm
ntp-perl-4.2.6p5-5.el6.i686.rpm
noarch:
ntp-doc-4.2.6p5-5.el6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-5.el6.x86_64.rpm
ntp-perl-4.2.6p5-5.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ntp-4.2.6p5-5.el6.src.rpm
x86_64:
ntp-4.2.6p5-5.el6.x86_64.rpm
ntp-debuginfo-4.2.6p5-5.el6.x86_64.rpm
ntpdate-4.2.6p5-5.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
noarch:
ntp-doc-4.2.6p5-5.el6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-5.el6.x86_64.rpm
ntp-perl-4.2.6p5-5.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ntp-4.2.6p5-5.el6.src.rpm
i386:
ntp-4.2.6p5-5.el6.i686.rpm
ntp-debuginfo-4.2.6p5-5.el6.i686.rpm
ntpdate-4.2.6p5-5.el6.i686.rpm
ppc64:
ntp-4.2.6p5-5.el6.ppc64.rpm
ntp-debuginfo-4.2.6p5-5.el6.ppc64.rpm
ntpdate-4.2.6p5-5.el6.ppc64.rpm
s390x:
ntp-4.2.6p5-5.el6.s390x.rpm
ntp-debuginfo-4.2.6p5-5.el6.s390x.rpm
ntpdate-4.2.6p5-5.el6.s390x.rpm
x86_64:
ntp-4.2.6p5-5.el6.x86_64.rpm
ntp-debuginfo-4.2.6p5-5.el6.x86_64.rpm
ntpdate-4.2.6p5-5.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-5.el6.i686.rpm
ntp-perl-4.2.6p5-5.el6.i686.rpm
noarch:
ntp-doc-4.2.6p5-5.el6.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-5.el6.ppc64.rpm
ntp-perl-4.2.6p5-5.el6.ppc64.rpm
s390x:
ntp-debuginfo-4.2.6p5-5.el6.s390x.rpm
ntp-perl-4.2.6p5-5.el6.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-5.el6.x86_64.rpm
ntp-perl-4.2.6p5-5.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ntp-4.2.6p5-5.el6.src.rpm
i386:
ntp-4.2.6p5-5.el6.i686.rpm
ntp-debuginfo-4.2.6p5-5.el6.i686.rpm
ntpdate-4.2.6p5-5.el6.i686.rpm
x86_64:
ntp-4.2.6p5-5.el6.x86_64.rpm
ntp-debuginfo-4.2.6p5-5.el6.x86_64.rpm
ntpdate-4.2.6p5-5.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-5.el6.i686.rpm
ntp-perl-4.2.6p5-5.el6.i686.rpm
noarch:
ntp-doc-4.2.6p5-5.el6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-5.el6.x86_64.rpm
ntp-perl-4.2.6p5-5.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-9297
https://access.redhat.com/security/cve/CVE-2014-9298
https://access.redhat.com/security/cve/CVE-2015-1798
https://access.redhat.com/security/cve/CVE-2015-1799
https://access.redhat.com/security/cve/CVE-2015-3405
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVrzhmXlSAg2UNWIIRAm99AJ48H4E3oVeZOC1QZtZHqK2Kqtyz4QCfQQtv
N7izaJnwt/eplpxx4DE0HoY=
=6lW5
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201504-0362 | CVE-2015-1799 | NTP Project ntpd reference implementation contains multiple vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer. NTP Project ntpd reference implementation accepts unauthenticated packets with symmetric key cryptography and does not protect symmetric associations against denial of service attacks. NTP of ntpd of ntp_proto.c Inside receive of symmetric-key The function is used even when a specific invalid packet is received. state variable Service operation disruption to perform update ( Sync failure ) There are vulnerabilities that are put into a state. Supplementary information : CWE Vulnerability type by CWE-17: Code ( code ) Has been identified. http://cwe.mitre.org/data/definitions/17.htmlMan-in-the-middle attacks (man-in-the-middle attack) By the source of the peer IP Denial of service by spoofing addresses ( Sync failure ) There is a possibility of being put into a state. NTP is prone to a denial-of-service vulnerability.
Successful exploits may allow the attacker to cause a denial-of-service condition. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: NTP: Multiple vulnerablities
Date: September 24, 2015
Bugs: #545836, #553682
ID: 201509-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in NTP, the worst of which
could lead to arbitrary code execution.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/ntp < 4.2.8_p3 >= 4.2.8_p3
Description
===========
Multiple vulnerabilities have been discovered in NTP. Please review the
CVE identifiers referenced below for details.
Resolution
==========
All NTP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8_p3"
References
==========
[ 1 ] CVE-2015-1798
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1798
[ 2 ] CVE-2015-1799
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1799
[ 3 ] CVE-2015-5146
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5146
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201509-01
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/ntp-4.2.8p2-i486-1_slack14.1.txz: Upgraded.
* Authentication doesn't protect symmetric associations against DoS attacks.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p2-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p2-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p2-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p2-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p2-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p2-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p2-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p2-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p2-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p2-x86_64-1_slack14.1.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p2-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p2-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 13.0 package:
570bb3e4bb7b065101fa4963e757d7e7 ntp-4.2.8p2-i486-1_slack13.0.txz
Slackware x86_64 13.0 package:
e6add42a70a66496be2d4978370c2799 ntp-4.2.8p2-x86_64-1_slack13.0.txz
Slackware 13.1 package:
99f1cfa5e23a256d840ed0a56b7f9400 ntp-4.2.8p2-i486-1_slack13.1.txz
Slackware x86_64 13.1 package:
0a6622196521e084d36cda13fc6da824 ntp-4.2.8p2-x86_64-1_slack13.1.txz
Slackware 13.37 package:
28cfe042c585cf036582ce5f0c2daadf ntp-4.2.8p2-i486-1_slack13.37.txz
Slackware x86_64 13.37 package:
c436da55cd2d113142410a9d982c5ac5 ntp-4.2.8p2-x86_64-1_slack13.37.txz
Slackware 14.0 package:
cf69f8ecb5e4c1902dfb22d0f9685278 ntp-4.2.8p2-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
9c8344ec56d5d2335fd7370e2f9cf639 ntp-4.2.8p2-x86_64-1_slack14.0.txz
Slackware 14.1 package:
9dcf0eafa851ad018f8341c2fb9307b5 ntp-4.2.8p2-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
e0c063f4e46a72ec86012a46299a46df ntp-4.2.8p2-x86_64-1_slack14.1.txz
Slackware -current package:
5f72de16e3bb6cd216e7694a49671cee n/ntp-4.2.8p2-i486-1.txz
Slackware x86_64 -current package:
1ba531770e4a2ae6e8e7116aaa26523e n/ntp-4.2.8p2-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg ntp-4.2.8p2-i486-1_slack14.1.txz
Then, restart the NTP daemon:
# sh /etc/rc.d/rc.ntpd restart
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04679309
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04679309
Version: 1
HPSBUX03333 SSRT102029 rev.1 - HP-UX Running NTP, Remote Denial of Service
(DoS), or Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-05-19
Last Updated: 2015-05-19
Potential Security Impact: Remote Denial of Service (DoS), or other
vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running
NTP. These could be exploited remotely to create a Denial of Service (DoS),
or other vulnerabilities.
References:
CVE-2015-1798 - Symmetric-Key feature allows MAC address spoofing (CWE-17)
CVE-2015-1799 - Symmetric-Key feature allows denial of service (CWE-17)
SSRT102029
CERT-VU#852879
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.31 running NTP v4.x, specifically version C.4.2.6.5.0 or previous
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2015-1798 (AV:A/AC:H/Au:N/C:N/I:P/A:N) 1.8
CVE-2015-1799 (AV:A/AC:M/Au:N/C:N/I:P/A:P) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following solution for HP-UX B.11.31.
A new B.11.31 depot for HP-UX-NTP_C.4.2.6.6.0 is available here:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber
=HPUX-NTP
Reference: http://support.ntp.org/bin/view/Main/SecurityNotice
MANUAL ACTIONS: Yes - Update
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.31
==================
NTP.INETSVCS2-BOOT
NTP.NTP-AUX
NTP.NTP-RUN
action: install revision C.4.2.6.6.0 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 19 May 2015 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:07.ntp Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities of ntp
Category: contrib
Module: ntp
Announced: 2015-04-07
Credits: Network Time Foundation
Affects: All supported versions of FreeBSD.
Corrected: 2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name: CVE-2014-9297, CVE-2015-1798, CVE-2015-1799
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.
II. Problem Description
The vallen packet value is not validated in several code paths in
ntp_crypto.c. [CVE-2014-9297]
When ntpd(8) is configured to use a symmetric key to authenticate a remote
NTP server/peer, it checks if the NTP message authentication code (MAC)
in received packets is valid, but not that there actually is any MAC
included, and packets without a MAC are accepted as if they had a valid
MAC. [CVE-2015-1798]
NTP state variables are updated prior to validating the received packets.
[CVE-2015-1799]
III. Impact
A remote attacker who can send specifically crafted packets may be able
to reveal memory contents of ntpd(8) or cause it to crash, when ntpd(8)
is configured to use autokey. [CVE-2014-9297]
A man-in-the-middle (MITM) attacker can send specially forged packets
that would be accepted by the client/peer without having to know the
symmetric key. [CVE-2015-1798]
An attacker knowing that NTP hosts A and B are peering with each other
(symmetric association) can periodically send a specially crafted or
replayed packet which will break the synchronization between the two
peers due to transmit timestamp mismatch, preventing the two nodes from
synchronizing with each other, even when authentication is enabled.
[CVE-2015-1799]
IV. Workaround
No workaround is available, but systems not running ntpd(8) are not
affected. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch.asc
# gpg --verify ntp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r281231
releng/8.4/ r281233
stable/9/ r281231
releng/9.3/ r281233
stable/10/ r281230
releng/10.1/ r281232
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:07.ntp.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rn4doQAKwA67MgX6jiCS4dm1roREi+
G1moTCtqO8LXzH3nOOOk6R/MqFGOs6Jq8D+K/YmdD+4l3c/qCNR0qtv0YcVL0kE+
+xfaIYoGxTzlPjEfpWtceCM0wcAThaF8085hi0IAzG7ozhKPt+Inv33ISgos5c7h
zYcbTqBYgQqcJGWdftnYpZ1Nxvoa3wiOlxsOMa4qnNeUakeXcGLZ+1XB5pLjXMZF
dHfKhMS6KxcUdHoPgOj468D3bQE05puLk13Kjy+Ti38GhcgMROAsMZVOzgno3J7g
D7Hk4dR1dms+6xcSJ0BV4ej0ZfypGv0xiFmUiTk/p7AVbnqrChyjvGca+8reu+Gc
Ks/67oZjP5rc0glvRFgjJBmQV/xK2rUK805e4eAm8qBecRjDv6M3mUmPdw5BlgcA
7fcj4VdGkOzLB0Vj7uJFjf3p9cyT+x8yvMtknxehiYmrYnFDsM5d7lcv0+KnRzb2
3bt6maO40wqWIcLErFthcT/nLP+wi35aykNIbGh7PXvqL92gWX+h/xB6YY9Ouo4N
hb32W/F5O50MjL6BeY+k5J6usoFrk0EHWK+2Fxm2/AA/5K/JnryWN44F8PVPNzxE
f+Vb6CzxBvmflpa/29tF/wSD0oU78AhuShtVrnEVT5ZWJj+/PHBZtcLk2Z+s5hgd
hKFvV5Xqix0/U//+yGhj
=1fHm
-----END PGP SIGNATURE-----
.
Comware 7 (CW7) Products - all versions prior to the fixed versions in the
Resolution section below.
+ **12500 (Comware 7) - Version: Fix in R7375**
* HP Network Products
- JC085A HP A12518 Switch Chassis
- JC086A HP A12508 Switch Chassis
- JC652A HP 12508 DC Switch Chassis
- JC653A HP 12518 DC Switch Chassis
- JC654A HP 12504 AC Switch Chassis
- JC655A HP 12504 DC Switch Chassis
- JF430A HP A12518 Switch Chassis
- JF430B HP 12518 Switch Chassis
- JF430C HP 12518 AC Switch Chassis
- JF431A HP A12508 Switch Chassis
- JF431B HP 12508 Switch Chassis
- JF431C HP 12508 AC Switch Chassis
- JC072B HP 12500 Main Processing Unit
- JG497A HP 12500 MPU w/Comware V7 OS
- JG782A HP FF 12508E AC Switch Chassis
- JG783A HP FF 12508E DC Switch Chassis
- JG784A HP FF 12518E AC Switch Chassis
- JG785A HP FF 12518E DC Switch Chassis
- JG802A HP FF 12500E MPU
- JG803A HP FlexFabric 12500E TAA-compliant Main Processing Unit
+ **10500 (Comware 7) - Version: Fix in R7169P01**
* HP Network Products
- JC611A HP 10508-V Switch Chassis
- JC612A HP 10508 Switch Chassis
- JC613A HP 10504 Switch Chassis
- JC748A HP 10512 Switch Chassis
- JG820A HP 10504 TAA Switch Chassis
- JG821A HP 10508 TAA Switch Chassis
- JG822A HP 10508-V TAA Switch Chassis
- JG823A HP 10512 TAA Switch Chassis
- JG496A HP 10500 Type A MPU w/Comware v7 OS
- JH198A HP 10500 Type D Main Processing Unit with Comware v7 Operating
System
- JH206A HP 10500 Type D TAA w/Comware v7 OS MPU
+ **12900 (Comware 7) - Version: Fix in R1137**
* HP Network Products
- JG619A HP FlexFabric 12910 Switch AC Chassis
- JG621A HP FlexFabric 12910 Main Processing Unit
- JG632A HP FlexFabric 12916 Switch AC Chassis
- JG634A HP FlexFabric 12916 Main Processing Unit
- JH104A HP FlexFabric 12900E Main Processing Unit
- JH114A HP FlexFabric 12910 TAA-compliant Main Processing Unit
- JH263A HP FlexFabric 12904E Main Processing Unit
- JH255A HP FlexFabric 12908E Switch Chassis
- JH262A HP FlexFabric 12904E Switch Chassis
- JH113A HP FlexFabric 12910 TAA-compliant Switch AC Chassis
- JH103A HP FlexFabric 12916E Switch Chassis
+ **5900 (Comware 7) - Version: Fix in R2422P01**
* HP Network Products
- JC772A HP 5900AF-48XG-4QSFP+ Switch
- JG336A HP 5900AF-48XGT-4QSFP+ Switch
- JG510A HP 5900AF-48G-4XG-2QSFP+ Switch
- JG554A HP 5900AF-48XG-4QSFP+ TAA Switch
- JG838A HP FF 5900CP-48XG-4QSFP+ Switch
- JH036A HP FlexFabric 5900CP 48XG 4QSFP+ TAA-Compliant
- JH037A HP 5900AF 48XGT 4QSFP+ TAA-Compliant Switch
- JH038A HP 5900AF 48G 4XG 2QSFP+ TAA-Compliant
- JG296A HP 5920AF-24XG Switch
- JG555A HP 5920AF-24XG TAA Switch
+ **MSR1000 (Comware 7) - Version: Fix in R0106P33**
* HP Network Products
- JG875A HP MSR1002-4 AC Router
- JH060A HP MSR1003-8S AC Router
+ **MSR2000 (Comware 7) - Version: Fix in R0106P33**
* HP Network Products
- JG411A HP MSR2003 AC Router
- JG734A HP MSR2004-24 AC Router
- JG735A HP MSR2004-48 Router
- JG866A HP MSR2003 TAA-compliant AC Router
+ **MSR3000 (Comware 7) - Version: Fix in R0106P33**
* HP Network Products
- JG404A HP MSR3064 Router
- JG405A HP MSR3044 Router
- JG406A HP MSR3024 AC Router
- JG407A HP MSR3024 DC Router
- JG408A HP MSR3024 PoE Router
- JG409A HP MSR3012 AC Router
- JG410A HP MSR3012 DC Router
- JG861A HP MSR3024 TAA-compliant AC Router
+ **MSR4000 (Comware 7) - Version: Fix in R0106P33**
* HP Network Products
- JG402A HP MSR4080 Router Chassis
- JG403A HP MSR4060 Router Chassis
- JG412A HP MSR4000 MPU-100 Main Processing Unit
- JG869A HP MSR4000 TAA-compliant MPU-100 Main Processing Unit
+ **5800 (Comware 7) - Version: Fix in R7006P15**
* HP Network Products
- JC099A HP 5800-24G-PoE Switch
- JC099B HP 5800-24G-PoE+ Switch
- JC100A HP 5800-24G Switch
- JC100B HP 5800-24G Switch
- JC101A HP 5800-48G Switch with 2 Slots
- JC101B HP 5800-48G-PoE+ Switch with 2 Interface Slots
- JC103A HP 5800-24G-SFP Switch
- JC103B HP 5800-24G-SFP Switch with 1 Interface Slot
- JC104A HP 5800-48G-PoE Switch
- JC104B HP 5800-48G-PoE+ Switch with 1 Interface Slot
- JC105A HP 5800-48G Switch
- JC105B HP 5800-48G Switch with 1 Interface Slot
- JG254A HP 5800-24G-PoE+ TAA-compliant Switch
- JG254B HP 5800-24G-PoE+ TAA-compliant Switch
- JG255A HP 5800-24G TAA-compliant Switch
- JG255B HP 5800-24G TAA-compliant Switch
- JG256A HP 5800-24G-SFP TAA-compliant Switch with 1 Interface
- JG256B HP 5800-24G-SFP TAA-compliant Switch with 1 Interface
- JG257A HP 5800-48G-PoE+ TAA-compliant Switch with 1 Interface
- JG257B HP 5800-48G-PoE+ TAA-compliant Switch with 1 Interface
- JG258A HP 5800-48G TAA-compliant Switch with 1 Interface Slot
- JG258B HP 5800-48G TAA-compliant Switch with 1 Interface Slot
- JG225A HP 5800AF-48G Switch
- JG225B HP 5800AF-48G Switch
- JG242A HP 5800-48G-PoE+ TAA-compliant Switch with 2 Interface
- JG242B HP 5800-48G-PoE+ TAA-compliant Switch with 2 Interface
- JG243A HP 5820-24XG-SFP+ TAA-compliant Switch
- JG243B HP 5820-24XG-SFP+ TAA-compliant Switch
- JG259A HP 5820X-14XG-SFP+ TAA-compliant Switch with 2 Interface Slots
& 1 OAA Slot
- JG259B HP 5820-14XG-SFP+ TAA-compliant Switch with 2 Interface Slots
and 1 OAA Slot
- JC106A HP 5820-14XG-SFP+ Switch with 2 Slots
- JC106B HP 5820-14XG-SFP+ Switch with 2 Interface Slots & 1 OAA Slot
- JG219A HP 5820AF-24XG Switch
- JG219B HP 5820AF-24XG Switch
- JC102A HP 5820-24XG-SFP+ Switch
- JC102B HP 5820-24XG-SFP+ Switch
+ **VSR (Comware 7) - Version: Fix in E0321**
* HP Network Products
- JG810AAE HP VSR1001 Virtual Services Router 60 Day Evaluation
Software
- JG811AAE HP VSR1001 Comware 7 Virtual Services Router
- JG812AAE HP VSR1004 Comware 7 Virtual Services Router
- JG813AAE HP VSR1008 Comware 7 Virtual Services Router
+ **7900 (Comware 7) - Version: Fix in R2137**
* HP Network Products
- JG682A HP FlexFabric 7904 Switch Chassis
- JG841A HP FlexFabric 7910 Switch Chassis
- JG842A HP FlexFabric 7910 7.2Tbps Fabric / Main Processing Unit
- JH001A HP FlexFabric 7910 2.4Tbps Fabric / Main Processing Unit
- JH122A HP FlexFabric 7904 TAA-compliant Switch Chassis
- JH123A HP FlexFabric 7910 TAA-compliant Switch Chassis
- JH124A HP FlexFabric 7910 7.2Tbps TAA-compliant Fabric/Main
Processing Unit
- JH125A HP FlexFabric 7910 2.4Tbps TAA-compliant Fabric/Main
Processing Unit
+ **5130 (Comware 7) - Version: Fix in R3109P05**
* HP Network Products
- JG932A HP 5130-24G-4SFP+ EI Switch
- JG933A HP 5130-24G-SFP-4SFP+ EI Switch
- JG934A HP 5130-48G-4SFP+ EI Switch
- JG936A HP 5130-24G-PoE+-4SFP+ (370W) EI Switch
- JG937A HP 5130-48G-PoE+-4SFP+ (370W) EI Switch
- JG975A HP 5130-24G-4SFP+ EI Brazil Switch
- JG976A HP 5130-48G-4SFP+ EI Brazil Switch
- JG977A HP 5130-24G-PoE+-4SFP+ (370W) EI Brazil Switch
- JG978A HP 5130-48G-PoE+-4SFP+ (370W) EI Brazil Switch
- JG938A HP 5130-24G-2SFP+-2XGT EI Switch
- JG939A HP 5130-48G-2SFP+-2XGT EI Switch
- JG940A HP 5130-24G-PoE+-2SFP+-2XGT (370W) EI Switch
- JG941A HP 5130-48G-PoE+-2SFP+-2XGT (370W) EI Switch
+ **5700 (Comware 7) - Version: Fix in R2422P01**
* HP Network Products
- JG894A HP FlexFabric 5700-48G-4XG-2QSFP+ Switch
- JG895A HP FlexFabric 5700-48G-4XG-2QSFP+ TAA-compliant Switch
- JG896A HP FlexFabric 5700-40XG-2QSFP+ Switch
- JG897A HP FlexFabric 5700-40XG-2QSFP+ TAA-compliant Switch
- JG898A HP FlexFabric 5700-32XGT-8XG-2QSFP+ Switch
- JG899A HP FlexFabric 5700-32XGT-8XG-2QSFP+ TAA-compliant Switch
+ **5930 (Comware 7) - Version: Fix in R2422P01**
* HP Network Products
- JG726A HP FlexFabric 5930 32QSFP+ Switch
- JG727A HP FlexFabric 5930 32QSFP+ TAA-compliant Switch
- JH178A HP FlexFabric 5930 2QSFP+ 2-slot Switch
- JH179A HP FlexFabric 5930 4-slot Switch
- JH187A HP FlexFabric 5930 2QSFP+ 2-slot TAA-compliant Switch
- JH188A HP FlexFabric 5930 4-slot TAA-compliant Switch
HISTORY
Version:1 (rev.1) - 8 March 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
b0f98e6b8700e3e3413582fe28d1ba06 mbs1/x86_64/ntp-4.2.6p5-8.4.mbs1.x86_64.rpm
d864780718c95368bf9ec81643e35e5d mbs1/x86_64/ntp-client-4.2.6p5-8.4.mbs1.x86_64.rpm
6f457df52d46fb8e6b0fe44aead752eb mbs1/x86_64/ntp-doc-4.2.6p5-8.4.mbs1.x86_64.rpm
b4bff3de733ea6d2839a77a9211ce02b mbs1/SRPMS/ntp-4.2.6p5-8.4.mbs1.src.rpm
Mandriva Business Server 2/X86_64:
e9ac2f3465bcc50199aef8a4d553927f mbs2/x86_64/ntp-4.2.6p5-16.3.mbs2.x86_64.rpm
cf2970c3c56efbfa84f964532ad64544 mbs2/x86_64/ntp-client-4.2.6p5-16.3.mbs2.x86_64.rpm
1ae1b1d3c2e7bdea25c01c33652b6169 mbs2/x86_64/ntp-doc-4.2.6p5-16.3.mbs2.noarch.rpm
d250433009fd187361bda6338dc5eede mbs2/SRPMS/ntp-4.2.6p5-16.3.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-06-30-2 OS X Yosemite v10.10.4 and Security Update
2015-005
OS X Yosemite v10.10.4 and Security Update 2015-005 are now available
and address the following:
Admin Framework
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A process may gain admin privileges without proper
authentication
Description: An issue existed when checking XPC entitlements. This
issue was addressed through improved entitlement checking.
CVE-ID
CVE-2015-3671 : Emil Kvarnhammar at TrueSec
Admin Framework
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A non-admin user may obtain admin rights
Description: An issue existed in the handling of user
authentication. This issue was addressed through improved error
checking.
CVE-ID
CVE-2015-3672 : Emil Kvarnhammar at TrueSec
Admin Framework
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker may abuse Directory Utility to gain root
privileges
Description: Directory Utility was able to be moved and modified to
achieve code execution within an entitled process. This issue was
addressed by limiting the disk location that writeconfig clients may
be executed from.
CVE-ID
CVE-2015-3673 : Patrick Wardle of Synack, Emil Kvarnhammar at TrueSec
afpserver
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the AFP server.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3674 : Dean Jerkovich of NCC Group
apache
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker may be able to access directories that are
protected with HTTP authentication without knowing the correct
credentials
Description: The default Apache configuration did not include
mod_hfs_apple. If Apache was manually enabled and the configuration
was not changed, some files that should not be accessible might have
been accessible using a specially crafted URL. This issue was
addressed by enabling mod_hfs_apple.
CVE-ID
CVE-2015-3675 : Apple
apache
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Multiple vulnerabilities exist in PHP, the most serious of
which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.24 and 5.4.40. These were addressed by updating PHP to
versions 5.5.24 and 5.4.40.
CVE-ID
CVE-2015-0235
CVE-2015-0273
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-3676 : Chen Liang of KEEN Team
AppleFSCompression
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in LZVN compression that could have
led to the disclosure of kernel memory content. This issue was
addressed through improved memory handling.
CVE-ID
CVE-2015-3677 : an anonymous researcher working with HP's Zero Day
Initiative
AppleThunderboltEDMService
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the handling of
certain Thunderbolt commands from local processes. This issue was
addressed through improved memory handling.
CVE-ID
CVE-2015-3678 : Apple
ATS
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in handling
of certain fonts. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-3679 : Pawel Wylecial working with HP's Zero Day Initiative
CVE-2015-3680 : Pawel Wylecial working with HP's Zero Day Initiative
CVE-2015-3681 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3682 : Nuode Wei
Bluetooth
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the Bluetooth HCI
interface. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3683 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Certificate Trust Policy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: An attacker with a privileged network position may be able
to intercept network traffic
Description: An intermediate certificate was incorrectly issued by
the certificate authority CNNIC. This issue was addressed through the
addition of a mechanism to trust only a subset of certificates issued
prior to the mis-issuance of the intermediate. Further details are
available at https://support.apple.com/en-us/HT204938
Certificate Trust Policy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT202858.
CFNetwork HTTPAuthentication
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Following a maliciously crafted URL may lead to arbitrary
code execution
Description: A memory corruption issue existed in handling of
certain URL credentials. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3684 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-1157
CVE-2015-3685 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3689 : Apple
coreTLS
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: coreTLS accepted short ephemeral Diffie-Hellman (DH)
keys, as used in export-strength ephemeral DH cipher suites. This
issue, also known as Logjam, allowed an attacker with a privileged
network position to downgrade security to 512-bit DH if the server
supported an export-strength ephemeral DH cipher suite. The issue was
addressed by increasing the default minimum size allowed for DH
ephemeral keys to 768 bits.
CVE-ID
CVE-2015-4000 : The weakdh team at weakdh.org, Hanno Boeck
DiskImages
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue existed in the
processing of disk images. This issue was addressed through improved
memory management.
CVE-ID
CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative
Display Drivers
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An issue existed in the Monitor Control Command Set
kernel extension by which a userland process could control the value
of a function pointer within the kernel. The issue was addressed by
removing the affected interface.
CVE-ID
CVE-2015-3691 : Roberto Paleari and Aristide Fattori of Emaze
Networks
EFI
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application with root privileges may be able to
modify EFI flash memory
Description: An insufficient locking issue existed with EFI flash
when resuming from sleep states. This issue was addressed through
improved locking.
CVE-ID
CVE-2015-3692 : Trammell Hudson of Two Sigma Investments, Xeno Kovah
and Corey Kallenberg of LegbaCore LLC, Pedro Vilaca
EFI
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may induce memory corruption to
escalate privileges
Description: A disturbance error, also known as Rowhammer, exists
with some DDR3 RAM that could have led to memory corruption. This
issue was mitigated by increasing memory refresh rates.
CVE-ID
CVE-2015-3693 : Mark Seaborn and Thomas Dullien of Google, working
from original research by Yoongu Kim et al (2014)
FontParser
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3694 : John Villamil (@day6reak), Yahoo Pentest Team
Graphics Driver
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An out of bounds write issue existed in NVIDIA graphics
driver. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2015-3712 : Ian Beer of Google Project Zero
Intel Graphics Driver
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Multiple buffer overflow issues exist in the Intel graphics
driver, the most serious of which may lead to arbitrary code
execution with system privileges
Description: Multiple buffer overflow issues existed in the Intel
graphics driver. These were addressed through additional bounds
checks.
CVE-ID
CVE-2015-3695 : Ian Beer of Google Project Zero
CVE-2015-3696 : Ian Beer of Google Project Zero
CVE-2015-3697 : Ian Beer of Google Project Zero
CVE-2015-3698 : Ian Beer of Google Project Zero
CVE-2015-3699 : Ian Beer of Google Project Zero
CVE-2015-3700 : Ian Beer of Google Project Zero
CVE-2015-3701 : Ian Beer of Google Project Zero
CVE-2015-3702 : KEEN Team
ImageIO
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Multiple vulnerabilities existed in libtiff, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in libtiff versions
prior to 4.0.4. They were addressed by updating libtiff to version
4.0.4.
CVE-ID
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130
ImageIO
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted .tiff file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
.tiff files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-3703 : Apple
Install Framework Legacy
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Several issues existed in how Install.framework's
'runner' setuid binary dropped privileges. This was addressed by
properly dropping privileges.
CVE-ID
CVE-2015-3704 : Ian Beer of Google Project Zero
IOAcceleratorFamily
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple memory corruption issues existed in
IOAcceleratorFamily. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-3705 : KEEN Team
CVE-2015-3706 : KEEN Team
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple null pointer dereference issues existed in the
FireWire driver. These issues were addressed through improved error
checking.
CVE-ID
CVE-2015-3707 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Kernel
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
APIs related to kernel extensions which could have led to the
disclosure of kernel memory layout. This issue was addressed through
improved memory management.
CVE-ID
CVE-2015-3720 : Stefan Esser
Kernel
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue existed in the handling of
HFS parameters which could have led to the disclosure of kernel
memory layout. This issue was addressed through improved memory
management.
CVE-ID
CVE-2015-3721 : Ian Beer of Google Project Zero
kext tools
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to overwrite arbitrary
files
Description: kextd followed symbolic links while creating a new
file. This issue was addressed through improved handling of symbolic
links.
CVE-ID
CVE-2015-3708 : Ian Beer of Google Project Zero
kext tools
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A local user may be able to load unsigned kernel extensions
Description: A time-of-check time-of-use (TOCTOU) race condition
condition existed while validating the paths of kernel extensions.
This issue was addressed through improved checks to validate the path
of the kernel extensions.
CVE-ID
CVE-2015-3709 : Ian Beer of Google Project Zero
Mail
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A maliciously crafted email can replace the message content
with an arbitrary webpage when the message is viewed
Description: An issue existed in the support for HTML email which
allowed message content to be refreshed with an arbitrary webpage.
The issue was addressed through restricted support for HTML content.
CVE-ID
CVE-2015-3710 : Aaron Sigel of vtty.com, Jan Soucek
ntfs
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in NTFS that could have led to the
disclosure of kernel memory content. This issue was addressed through
improved memory handling.
CVE-ID
CVE-2015-3711 : Peter Rutenbar working with HP's Zero Day Initiative
ntp
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: An attacker in a privileged position may be able to perform
a denial of service attack against two ntp clients
Description: Multiple issues existed in the authentication of ntp
packets being received by configured end-points. These issues were
addressed through improved connection state management.
CVE-ID
CVE-2015-1798
CVE-2015-1799
OpenSSL
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Multiple issues exist in OpenSSL, including one that may
allow an attacker to intercept connections to a server that supports
export-grade ciphers
Description: Multiple issues existed in OpenSSL 0.9.8zd which were
addressed by updating OpenSSL to version 0.9.8zf.
CVE-ID
CVE-2015-0209
CVE-2015-0286
CVE-2015-0287
CVE-2015-0288
CVE-2015-0289
CVE-2015-0293
QuickTime
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3661 : G. Geshev working with HP's Zero Day Initiative
CVE-2015-3662 : kdot working with HP's Zero Day Initiative
CVE-2015-3663 : kdot working with HP's Zero Day Initiative
CVE-2015-3666 : Steven Seeley of Source Incite working with HP's Zero
Day Initiative
CVE-2015-3667 : Ryan Pentney, Richard Johnson of Cisco Talos and Kai
Lu of Fortinet's FortiGuard Labs, Ryan Pentney, and Richard Johnson
of Cisco Talos and Kai Lu of Fortinet's FortiGuard Labs
CVE-2015-3668 : Kai Lu of Fortinet's FortiGuard Labs
CVE-2015-3713 : Apple
Security
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework
code for parsing S/MIME e-mail and some other signed or encrypted
objects. This issue was addressed through improved validity checking.
CVE-ID
CVE-2013-1741
Security
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Tampered applications may not be prevented from launching
Description: Apps using custom resource rules may have been
susceptible to tampering that would not have invalidated the
signature. This issue was addressed with improved resource
validation.
CVE-ID
CVE-2015-3714 : Joshua Pitts of Leviathan Security Group
Security
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A malicious application may be able to bypass code signing
checks
Description: An issue existed where code signing did not verify
libraries loaded outside the application bundle. This issue was
addressed with improved bundle verification.
CVE-ID
CVE-2015-3715 : Patrick Wardle of Synack
Spotlight
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: Searching for a malicious file with Spotlight may lead to
command injection
Description: A command injection vulnerability existed in the
handling of filenames of photos added to the local photo library.
This issue was addressed through improved input validation.
CVE-ID
CVE-2015-3716 : Apple
SQLite
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflows existed in SQLite's printf
implementation. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-3717 : Peter Rutenbar working with HP's Zero Day Initiative
System Stats
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: A malicious app may be able to compromise systemstatsd
Description: A type confusion issue existed in systemstatsd's
handling of interprocess communication. By sending a maliciously
formatted message to systemstatsd, it may have been possible to
execute arbitrary code as the systemstatsd process. The issue was
addressed through additional type checking.
CVE-ID
CVE-2015-3718 : Roberto Paleari and Aristide Fattori of Emaze
Networks
TrueTypeScaler
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3719 : John Villamil (@day6reak), Yahoo Pentest Team
zip
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: Extracting a maliciously crafted zip file using the unzip
tool may lead to an unexpected application termination or arbitrary
code execution
Description: Multiple memory corruption issues existed in the
handling of zip files. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2014-8139
CVE-2014-8140
CVE-2014-8141
OS X Yosemite 10.10.4 includes the security content of Safari 8.0.7.
https://support.apple.com/en-us/HT204950
OS X Yosemite 10.10.4 and Security Update 2015-005 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVksFmAAoJEBcWfLTuOo7tV1AQAIYpkOMpHp181b+70sgyZ/Ue
mFM527FFGDfLLuIW6LTcBsEFe9cfZxumB8eOFPirTNRK7krsVMo1W+faHXyWOnx7
kbWylHdhaoxnX+A6Gj0vP71V6TNNsTi9+2dmdmHUnwxZ7Ws5QCNKebumUG3MMXXo
EKxE5SNSNKyMSSYmliS26cdl8fWrmg9qTxiZQnxjOCrg/CNAolgVIRRfdMUL7i4w
aGAyrlJXOxFOuNkqdHX2luccuHFV7aW/dIXQ4MyjiRNl/bWrBQmQlneLLpPdFZlH
cMfGa2/baaNaCbU/GqhNKbO4fKYVaqQWzfUrtqX0+bRv2wmOq33ARy9KE23bYTvL
U4E9x9z87LsLXGAdjUi6MDe5g87DcmwIEigfF6/EHbDYa/2VvSdIa74XRv/JCN1+
aftHLotin76h4qV/dCAPf5J/Fr/1KFCM0IphhG7p+7fVTfyy7YDXNBiKCEZzLf8U
TUWLUCgQhobtakqwzQJ5qyF8u63xzVXj8oeTOw6iiY/BLlj9def5LMm/z6ZKGTyC
3c4+Sy5XvBHZoeiwdcndTVpnFbmmjZRdeqtdW/zX5mHnxXPa3lZiGoBDhHQgIg6J
1tTVtnO1JSLXVYDR6Evx1EH10Vgkt2wAGTLjljSLwtckoEqc78qMAT1G5U4nFffI
+gGm5FbAxjxElgA/gbaq
=KLda
-----END PGP SIGNATURE-----