VARIoT IoT vulnerabilities database
| VAR-202002-0361 | CVE-2019-5142 | Moxa AWK-3131A In firmware OS Command injection vulnerabilities |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
An exploitable command injection vulnerability exists in the hostname functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted entry to network configuration information can cause execution of arbitrary system commands, resulting in full control of the device. An attacker can send various authenticated requests to trigger this vulnerability. (DoS) It may be put into a state. Moxa AWK-3131A is a wireless access device from Moxa
| VAR-202002-0355 | CVE-2019-5136 | Moxa AWK-3131A Access Control Error Vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An exploitable privilege escalation vulnerability exists in the iw_console functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted menu selection string can cause an escape from the restricted console, resulting in system access as the root user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. Moxa AWK-3131A There is a permission management vulnerability in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Moxa AWK-3131A is a wireless access device from Moxa
| VAR-202002-0366 | CVE-2019-5165 | Moxa AWK-3131A Authentication vulnerability in firmware |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
An exploitable authentication bypass vulnerability exists in the hostname processing of the Moxa AWK-3131A firmware version 1.13. A specially configured device hostname can cause the device to interpret select remote traffic as local traffic, resulting in a bypass of web authentication. An attacker can send authenticated SNMP requests to trigger this vulnerability. Moxa AWK-3131A There is an authentication vulnerability in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Moxa AWK-3131A is a wireless access device from Moxa.
There is a security hole in the handling of host names in Moxa AWK-3131A using firmware 1.13
| VAR-202002-0365 | CVE-2019-5162 | Moxa AWK-3131A Privilege management vulnerability in firmware |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An exploitable improper access control vulnerability exists in the iw_webs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as that user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. Moxa AWK-3131A There is a permission management vulnerability in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Moxa AWK-3131A is a wireless access device from Moxa. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. No detailed vulnerability details are provided at this time
| VAR-202002-0363 | CVE-2019-5148 | Moxa AWK-3131A Integer underflow vulnerability in firmware |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An exploitable denial-of-service vulnerability exists in ServiceAgent functionality of the Moxa AWK-3131A, firmware version 1.13. A specially crafted packet can cause an integer underflow, triggering a large memcpy that will access unmapped or out-of-bounds memory. An attacker can send this packet while unauthenticated to trigger this vulnerability. Moxa AWK-3131A There is an integer underflow vulnerability in the firmware.Service operation interruption (DoS) It may be put into a state. Moxa AWK-3131A is a wireless access device from Moxa.
Moxa AWK-3131A has a buffer overflow vulnerability. No detailed vulnerability details are provided at this time
| VAR-202002-0359 | CVE-2019-5140 | Moxa AWK-3131A In firmware OS Command injection vulnerabilities |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
An exploitable command injection vulnerability exists in the iwwebs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file name can cause user input to be reflected in a subsequent iwsystem call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. (DoS) It may be put into a state. Moxa AWK-3131A is a wireless access device from Moxa. The vulnerability stems from the fact that the network system or product did not properly filter the special elements in the process of constructing executable commands from external input data. An attacker could use this vulnerability to execute an illegal command
| VAR-202002-0362 | CVE-2019-5143 | Moxa AWK-3131A Format string vulnerability in firmware |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
An exploitable format string vulnerability exists in the iw_console conio_writestr functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted time server entry can cause an overflow of the time server buffer, resulting in remote code execution. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. (DoS) It may be put into a state. Moxa AWK-3131A is a wireless switch from Moxa
| VAR-202002-0364 | CVE-2019-5153 | Moxa AWK-3131A Classic buffer overflow vulnerability in firmware |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
An exploitable remote code execution vulnerability exists in the iw_webs configuration parsing functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause an overflow of an error message buffer, resulting in remote code execution. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. Moxa AWK-3131A A classic buffer overflow vulnerability exists in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Moxa AWK-3131A is a wireless access device from Moxa. An attacker could use this vulnerability to execute code
| VAR-202002-0360 | CVE-2019-5141 | Moxa AWK-3131A In firmware OS Command injection vulnerabilities |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted iw_serverip parameter can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. (DoS) It may be put into a state. Moxa AWK-3131A is a wireless access device from Moxa. The vulnerability stems from the fact that the network system or product did not properly filter the special characters, commands, etc. during the process of constructing the executable command of the operating system by external input data
| VAR-202003-1707 | CVE-2020-9054 | ZyXEL pre-authentication command injection in weblogin.cgi |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2. plural ZyXEL Included in the product weblogin.cgi Is vulnerable to the execution of arbitrary commands. OS Command injection (CWE-78) - CVE-2020-9054 ZyXEL In multiple products offered by CGI Executable file weblogin.cgi Authentication is done using. About this vulnerability ZyXEL Made NAS Exploit codes for products are available on the Internet. Zyxel Technology is a provider of network broadband systems and solutions for internationally renowned brands. main
Products include DSL central office and terminal equipment, router equipment, network security equipment, wireless local area communication equipment,
It also provides full-range broadband network application integration solutions for Chinese enterprises, such as network telephones and Ethernet switches.
Multiple ZyXEL network-attached storage (NAS) devices have security holes
| VAR-202002-0332 | CVE-2019-20044 | Zsh Vulnerability in improper checking for deleted privileges in |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid(). Zsh Is vulnerable to improper checking of removed privileges.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. An attacker can exploit this vulnerability to restore the original permissions. ==========================================================================
Ubuntu Security Notice USN-5325-1
March 14, 2022
zsh vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in Zsh.
Software Description:
- zsh: shell with lots of features
Details:
Sam Foxman discovered that Zsh incorrectly handled certain inputs.
(CVE-2019-20044)
It was discovered that Zsh incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-45444)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 21.10:
zsh 5.8-6ubuntu0.1
zsh-static 5.8-6ubuntu0.1
Ubuntu 20.04 LTS:
zsh 5.8-3ubuntu1.1
zsh-static 5.8-3ubuntu1.1
Ubuntu 18.04 LTS:
zsh 5.4.2-3ubuntu3.2
zsh-static 5.4.2-3ubuntu3.2
Ubuntu 16.04 ESM:
zsh 5.1.1-1ubuntu2.3+esm1
zsh-static 5.1.1-1ubuntu2.3+esm1
In general, a standard system update will make all the necessary changes.
CVE-2020-9842: Linus Henze (pinauten.de)
AppleUSBNetworking
Available for: macOS Catalina 10.15.4
Impact: Inserting a USB device that sends invalid messages may cause
a kernel panic
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9831: Yu Wang of Didi Research America
Calendar
Available for: macOS Catalina 10.15.4
Impact: Importing a maliciously crafted calendar invitation may
exfiltrate user information
Description: This issue was addressed with improved checks.
CVE-2020-9847: Zhuo Liang of Qihoo 360 Vulcan Team
Find My
Available for: macOS Catalina 10.15.4
Impact: A local attacker may be able to elevate their privileges
Description: A validation issue existed in the handling of symlinks.
CVE-2020-9809: Benjamin Randazzo (@____benjamin)
ksh
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A local user may be able to execute arbitrary shell commands
Description: An issue existed in the handling of environment
variables.
CVE-2019-14868
NSURL
Available for: macOS Mojave 10.14.6
Impact: A malicious website may be able to exfiltrate autofilled data
in Safari
Description: An issue existed in the parsing of URLs.
CVE-2020-9825: Sreejith Krishnan R (@skr0x1C0)
Security
Available for: macOS Catalina 10.15.4
Impact: A file may be incorrectly rendered to execute JavaScript
Description: A validation issue was addressed with improved input
sanitization.
CVE-2020-9841: ABC Research s.r.o.
Installation note:
macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security
Update 2020-003 High Sierra may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.64
iQIcBAEDCAAGBQJezZcfAAoJEAc+Lhnt8tDNIQYP/0YN+/T85WC7RJjAlRrUDduD
ZO0e76d2C1jNgZWsYmXnrEPwfRYAEPLcKgb/SxAlwlRNFqex9CNu2sD1aA3GZBIO
MaektARuncqh06rl8BjbakS4HQs675vUEjoJS9H2d0pq2dSEIjOtH1agJwtGIeNS
wHBFlUnQzI42hurYeq7fxRdiByf+Z3mKEBt6wlVtaWjqcMfG9sroj9H58RLiqSNm
VNfU4eZNPrG49kbTf4IC2JvvKg18hrUZqIcjbV/56+kPBl4+USIxh/5ECJHV/cDD
BEe64M2I1LiY0lq6neoOeHvBiiIvUq9EUW2PBnfcbo3V1D35mm6td+WnO3Buqo6f
EEkjfIwtq7fI10ZPYYjiUayrQyfqmM3x14JcxDsHzlerT6NNRTg3g2ls0seQK9Lt
8IDbkrseOR0JFukR1njC+cAk4RbDFue5cUJK6Js1nGvFwLN0kHFIhh9jFKgccgH7
bKSLDAdB+kSxBOshDDmYyNS+KRzXEWIsBU8ZbNAbRDANWqm4lcPffKWcG7zIdiMQ
JLUclRURf35AoFmJ0F1BZSRzFuHr1Dvh23SjNK7H9i/mD05+rY6esh5ZKco+6Yqe
pW/EOXEAs/J06xUytABH3SkFmQSzlIPuFrXa8qAskHhFp/E8yLehyefoY+AZJjal
sLrLBIOxQCTskSFoExP8
=2eah
-----END PGP SIGNATURE-----
. 6) - i386, x86_64
3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: zsh security update
Advisory ID: RHSA-2020:0853-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0853
Issue date: 2020-03-17
CVE Names: CVE-2019-20044
=====================================================================
1. Summary:
An update for zsh is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
The zsh shell is a command interpreter usable as an interactive login shell
and as a shell script command processor. Zsh resembles the ksh shell (the
Korn shell), but includes many enhancements. Zsh supports command-line
editing, built-in spelling correction, programmable command completion,
shell functions (with autoloading), a history mechanism, and more.
Security Fix(es):
* zsh: insecure dropping of privileges when unsetting PRIVILEGED option
(CVE-2019-20044)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
zsh-5.0.2-34.el7_7.2.src.rpm
x86_64:
zsh-5.0.2-34.el7_7.2.x86_64.rpm
zsh-debuginfo-5.0.2-34.el7_7.2.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
zsh-debuginfo-5.0.2-34.el7_7.2.x86_64.rpm
zsh-html-5.0.2-34.el7_7.2.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
zsh-5.0.2-34.el7_7.2.src.rpm
x86_64:
zsh-5.0.2-34.el7_7.2.x86_64.rpm
zsh-debuginfo-5.0.2-34.el7_7.2.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
zsh-debuginfo-5.0.2-34.el7_7.2.x86_64.rpm
zsh-html-5.0.2-34.el7_7.2.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
zsh-5.0.2-34.el7_7.2.src.rpm
ppc64:
zsh-5.0.2-34.el7_7.2.ppc64.rpm
zsh-debuginfo-5.0.2-34.el7_7.2.ppc64.rpm
ppc64le:
zsh-5.0.2-34.el7_7.2.ppc64le.rpm
zsh-debuginfo-5.0.2-34.el7_7.2.ppc64le.rpm
s390x:
zsh-5.0.2-34.el7_7.2.s390x.rpm
zsh-debuginfo-5.0.2-34.el7_7.2.s390x.rpm
x86_64:
zsh-5.0.2-34.el7_7.2.x86_64.rpm
zsh-debuginfo-5.0.2-34.el7_7.2.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
zsh-debuginfo-5.0.2-34.el7_7.2.ppc64.rpm
zsh-html-5.0.2-34.el7_7.2.ppc64.rpm
ppc64le:
zsh-debuginfo-5.0.2-34.el7_7.2.ppc64le.rpm
zsh-html-5.0.2-34.el7_7.2.ppc64le.rpm
s390x:
zsh-debuginfo-5.0.2-34.el7_7.2.s390x.rpm
zsh-html-5.0.2-34.el7_7.2.s390x.rpm
x86_64:
zsh-debuginfo-5.0.2-34.el7_7.2.x86_64.rpm
zsh-html-5.0.2-34.el7_7.2.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
zsh-5.0.2-34.el7_7.2.src.rpm
x86_64:
zsh-5.0.2-34.el7_7.2.x86_64.rpm
zsh-debuginfo-5.0.2-34.el7_7.2.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
zsh-debuginfo-5.0.2-34.el7_7.2.x86_64.rpm
zsh-html-5.0.2-34.el7_7.2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-20044
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
Alternatively, on your watch, select "My Watch > General > About". -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2020-05-26-1 iOS 13.5 and iPadOS 13.5
iOS 13.5 and iPadOS 13.5 address the following:
Accounts
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A remote attacker may be able to cause a denial of service
Description: A denial of service issue was addressed with improved
input validation.
CVE-2020-9827: Jannik Lorenz of SEEMOO @ TU Darmstadt
AirDrop
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A remote attacker may be able to cause a denial of service
Description: A denial of service issue was addressed with improved
input validation.
CVE-2020-9826: Dor Hadad of Palo Alto Networks
AppleMobileFileIntegrity
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to use arbitrary entitlements
Description: This issue was addressed with improved checks.
CVE-2020-9842: Linus Henze (pinauten.de)
Audio
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9815: Yu Zhou (@yuzhou6666) working with Trend Micro Zero
Day Initiative
Audio
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9791: Yu Zhou (@yuzhou6666) working with Trend Micro Zero
Day Initiative
Bluetooth
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An attacker in a privileged network position may be able to
intercept Bluetooth traffic
Description: An issue existed with the use of a PRNG with low
entropy. This issue was addressed with improved state management.
CVE-2020-6616: Jörn Tillmanns (@matedealer) and Jiska Classen
(@naehrdine) of Secure Mobile Networking Lab
Bluetooth
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9838: Dennis Heinze (@ttdennis) of TU Darmstadt, Secure
Mobile Networking Lab
CoreText
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted text message may lead to
application denial of service
Description: A validation issue was addressed with improved input
sanitization.
CVE-2020-9829: Aaron Perris (@aaronp613), an anonymous researcher, an
anonymous researcher, Carlos S Tech, Sam Menzies of Sam’s Lounge,
Sufiyan Gouri of Lovely Professional University, India, Suleman Hasan
Rathor of Arabic-Classroom.com
FaceTime
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A user’s video may not be paused in a FaceTime call if they
exit the FaceTime app while the call is ringing
Description: An issue existed in the pausing of FaceTime video. The
issue was resolved with improved logic.
CVE-2020-9835: Olivier Levesque (@olilevesque)
File System
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A remote attacker may be able to modify the file system
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9820: Thijs Alkemade of Computest
FontParser
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9816: Peter Nguyen Vu Hoang of STAR Labs working with Trend
Micro Zero Day Initiative
ImageIO
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-3878: Samuel Groß of Google Project Zero
ImageIO
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9789: Wenchao Li of VARAS@IIE
CVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab
IPSec
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9837: Thijs Alkemade of Computest
Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2020-9821: Xinru Chi and Tielei Wang of Pangu Lab
Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A malicious application may be able to determine another
application's memory layout
Description: An information disclosure issue was addressed by
removing the vulnerable code.
CVE-2020-9797: an anonymous researcher
Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: An integer overflow was addressed through improved input
validation.
CVE-2020-9852: Tao Huang and Tielei Wang of Pangu Lab
Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9795: Zhuo Liang of Qihoo 360 Vulcan Team
Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to cause unexpected system
termination or write kernel memory
Description: A memory corruption issue was addressed with improved
state management.
CVE-2020-9808: Xinru Chi and Tielei Wang of Pangu Lab
Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A local user may be able to read kernel memory
Description: An information disclosure issue was addressed with
improved state management.
CVE-2020-9811: Tielei Wang of Pangu Lab
CVE-2020-9812: Derrek (@derrekr6)
Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A logic issue existed resulting in memory corruption.
This was addressed with improved state management.
CVE-2020-9813: Xinru Chi of Pangu Lab
CVE-2020-9814: Xinru Chi and Tielei Wang of Pangu Lab
Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue was addressed with
improved state management.
CVE-2020-9809: Benjamin Randazzo (@____benjamin)
Mail
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted mail message may lead to
heap corruption
Description: A memory consumption issue was addressed with improved
memory handling.
CVE-2020-9819: ZecOps.com
Mail
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted mail message may lead to
unexpected memory modification or application termination
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9818: ZecOps.com
Messages
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Users removed from an iMessage conversation may still be able
to alter state
Description: This issue was addressed with improved checks.
CVE-2020-9823: Suryansh Mansharamani, student of Community Middle
School, Plainsboro, New
Jersey
Notifications
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A person with physical access to an iOS device may be able to
view notification contents from the lockscreen
Description: An authorization issue was addressed with improved state
management.
CVE-2020-9848: Nima
Python
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-9793
Sandbox
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A malicious application may be able to bypass Privacy
preferences
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2020-9825: Sreejith Krishnan R (@skr0x1C0)
SQLite
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A malicious application may cause a denial of service or
potentially disclose memory contents
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9794
System Preferences
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with improved state
handling.
CVE-2020-9839: @jinmo123, @setuid0x0_, and @insu_yun_en of
@SSLab_Gatech working with Trend Micro’s Zero Day Initiative
USB Audio
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A USB device may be able to cause a denial of service
Description: A validation issue was addressed with improved input
sanitization.
CVE-2020-9792: Andy Davis of NCC Group
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9805: an anonymous researcher
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9802: Samuel Groß of Google Project Zero
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9850: @jinmo123, @setuid0x0_, and @insu_yun_en of
@SSLab_Gatech working with Trend Micro’s Zero Day Initiative
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: An input validation issue was addressed with improved
input validation.
CVE-2020-9843: Ryan Pickren (ryanpickren.com)
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2020-9803: Wen Xu of SSLab at Georgia Tech
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2020-9806: Wen Xu of SSLab at Georgia Tech
CVE-2020-9807: Wen Xu of SSLab at Georgia Tech
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2020-9800: Brendan Draper (@6r3nd4n) working with Trend Micro
Zero Day Initiative
WebRTC
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An access issue was addressed with improved memory
management.
CVE-2019-20503: Natalie Silvanovich of Google Project Zero
Wi-Fi
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: A double free issue was addressed with improved memory
management.
CVE-2020-9844: Ian Beer of Google Project Zero
zsh
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A local attacker may be able to elevate their privileges
Description: An authorization issue was addressed with improved state
management.
CVE-2019-20044: Sam Foxman
Additional recognition
Bluetooth
We would like to acknowledge Maximilian von Tschitschnitz of
Technical University Munich and Ludwig Peuckert of Technical
University Munich for their assistance.
CoreText
We would like to acknowledge Jiska Classen (@naehrdine) and Dennis
Heinze (@ttdennis) of Secure Mobile Networking Lab for their
assistance.
Device Analytics
We would like to acknowledge Mohamed Ghannam (@_simo36) for their
assistance.
ImageIO
We would like to acknowledge Lei Sun for their assistance.
IOHIDFamily
We would like to acknowledge Andy Davis of NCC Group for their
assistance.
Kernel
We would like to acknowledge Brandon Azad of Google Project Zero for
their assistance.
Safari
We would like to acknowledge Jeffball of GRIMM and Luke Walker of
Manchester Metropolitan University for their assistance.
WebKit
We would like to acknowledge Aidan Dunlap of UT Austin for their
assistance.
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "iOS 13.5 and iPadOS 13.5".
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.64
iQIcBAEDCAAGBQJezV7MAAoJEAc+Lhnt8tDNdWwP/2NnLRWvziY/ilvylDEczut+
xbSNg719ckFBtvkuXirQdsjfTmW3M/RJXUtjOmRDDEQB0IfmIRkrL49moDLeY0rB
tjrsoVQESwYwbnb0xNzC3Oqr0tP3hitxFUpkKd7L0opo5vWhshBwqzWEtLTPxI1X
T81DCpYiKDMB57bXgRV26QIFgQpHGXV/bMDCksVc12phempeEldP7t4dueDZy526
kWinK9jlwzViWwSmm5VK0t9IbemAZ56Ca829ZmrkT7XfLRyxw0rb+2f9VcQz/kNe
RziJ3RwF2WZTe7yJpz6LV5h3RMo+MoHdVbPCYmcYNPiaHGTMl1POZXkjDHBHCSBY
etboXOyZNOsnTMIVNwwXK/aGsKBz6kkfbWODS2omtz5oZjzGdZJLC/nFZC2GG13E
Pnb0E5ULmA95poi07gWTy31APilQXfAzGJEOebsvH5s2EZ9HcANqrwtonfHSjeOU
ZFH8xfnCTgO37ZgevrjdreD8SYRJR3QfEEf/DDNx2xXgr4wzydgvdyNCI1QpEz5s
PS3JQECoBM9SsgXv02mCkNlK1crEqoxYURjcN3UIPGx8GVxtyiWJoEByxAgTtqv8
RPSqKGvPrznR1SxVNrXB2o08X3LUqK0LREABpuD/wbp8Qj8ma2fo3hLpvdoc9+De
fSLSaEAmjBkF5c4r1O3P
=zOSS
-----END PGP SIGNATURE-----
| VAR-202002-0331 | CVE-2019-20481 | MIELE XGW 3000 ZigBee Gateway Vulnerability regarding inadequate protection of credentials in |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Function does not require knowledge of the old password. This can be exploited in conjunction with CVE-2019-20480. MIELE XGW 3000 ZigBee Gateway Exists in an inadequate protection of credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state
| VAR-202002-1706 | No CVE | Zhejiang Univision Technology Network Video Recorder has file upload vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Zhejiang Yushi Technology Co., Ltd. is a global public safety and intelligent transportation solution provider.
A file upload vulnerability exists in the video recorder of Zhejiang Univision Technology Network. Attackers can use the vulnerability to obtain the administrator rights of the affected system.
| VAR-202002-1696 | No CVE | WECON PLC Editor has a buffer overflow vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
WECON PLC Editor is a programming software for Programmable Logic Controllers (PLC) from WECON Technologies.
WECON PLC Editor has a buffer overflow vulnerability, which can be exploited by an attacker to cause a denial of service or execute code with the permission of the application.
| VAR-202002-1369 | CVE-2020-8862 | D-Link DAP-2610 Authentication vulnerability in firmware |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the lack of proper password checking. An attacker can leverage this vulnerability to execute arbitrary code in the context of root. Was ZDI-CAN-10082. Zero Day Initiative To this vulnerability ZDI-CAN-10082 Was numbered.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. D-Link DAP-2610 is a wireless AC1300 Wave 2 dual-band PoE access point
| VAR-202002-1368 | CVE-2020-8861 | D-Link DAP-1330 Authentication vulnerabilities in |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue results from the lack of proper handling of cookies. An attacker can leverage this vulnerability to execute arbitrary code on the router. Was ZDI-CAN-9554. Zero Day Initiative To this vulnerability ZDI-CAN-9554 Was numbered.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. D-Link DAP-1330 is a N300 Wi-Fi range extender
| VAR-202002-1705 | No CVE | Schneider M580 has a denial of service vulnerability (CNVD-2020-04564) |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Schneider Electric SA is a global electrical company headquartered in France.
Schneider M580 has a denial of service vulnerability. An attacker can use this vulnerability to send a carefully constructed 0x60 function code data message, which causes the PLC to enter a fatal failure mode. It can only return to normal after manual power cycle.
| VAR-202002-1697 | No CVE | Schneider M580 has a denial of service vulnerability (CNVD-2020-04561) |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Schneider Electric SA is a global electrical company headquartered in France.
There is a denial of service vulnerability in schneider M580, which can be exploited by an attacker to cause a denial of service.
| VAR-202002-1701 | No CVE | Schneider M580 has a denial of service vulnerability (CNVD-2020-04565) |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Schneider Electric SA is a global electrical company headquartered in France.
Schneider M580 has a denial-of-service vulnerability. An attacker can use this vulnerability to send a carefully constructed 0x29 function code data message, which causes the PLC to enter a fatal failure mode. It can only return to normal after manual power cycle.
| VAR-202002-1702 | No CVE | Logical Defect Vulnerability in Shijiazhuang Hejia Technology Co., Ltd. Computer Room Dynamic Monitoring System |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The equipment room moving ring monitoring system is a monitoring function of the equipment room's important environment and power equipment, including environmental equipment monitoring (temperature, humidity, smoke, flooding, precision air conditioning, ordinary air conditioning, new fans, etc.), power equipment monitoring (power distribution, Generator, UPS, battery, lightning arrester, etc.), security equipment monitoring (fire protection, access control, video, etc.), etc.
Shijiazhuang Hejia Technology Co., Ltd.'s computer room dynamic ring monitoring system has a logical flaw. An attacker can use this vulnerability to reset the administrator and other user passwords.