SB2020052808 - Multiple vulnerabilities in Apple macOS
Published: May 28, 2020 Updated: June 1, 2020
Description
This security bulletin contains information about 46 security vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-9842)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because the application does not properly impose security restrictions. A remote attacker can use a malicious application to interact with system processes, access private information and perform privileged actions.
2) Input validation error (CVE-ID: CVE-2020-9826)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the AirDrop functionality. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
3) Improper Authentication (CVE-ID: CVE-2020-9772)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists because a sandboxed process may be able to circumvent sandbox restrictions. A remote attacker can bypass the authentication process and gain unauthorized access to the application.
4) Input validation error (CVE-ID: CVE-2020-9827)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the Accounts feature. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
5) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2020-9839)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a lack of proper locking when performing operations on an object within the handling of file permissions. A local user can gain elevated privileges on the target system.
6) Out-of-bounds read (CVE-ID: CVE-2020-9791)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the AudioToolboxCore module. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
7) Out-of-bounds write (CVE-ID: CVE-2020-9816)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error within the parsing of font files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
8) Out-of-bounds write (CVE-ID: CVE-2020-9815)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input within the AudioToolbox framework. A remote attacker can create a specially crafted CAF file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
9) Integer overflow (CVE-ID: CVE-2020-9841)
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the SkyLight module. A local user can pass specially crafted data to the application, trigger integer overflow, escalate privileges and execute arbitrary code in the context of WindowServer.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
10) Heap-based buffer overflow (CVE-ID: CVE-2020-9856)
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the handling of Core Virtual Machine Service caches. A local user can pass specially crafted data to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system with elevated privileges.
11) Out-of-bounds read (CVE-ID: CVE-2020-9812)
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in Kernel. A local attacker can trigger out-of-bounds read error and read contents of memory on the system.
12) Out-of-bounds read (CVE-ID: CVE-2020-9811)
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in Kernel. A local attacker can trigger out-of-bounds read error and read contents of memory on the system.
13) Buffer overflow (CVE-ID: CVE-2020-9808)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the Kernel. A remote attacker can use a specially crafted application to trigger memory corruption and cause unexpected system termination or write kernel memory.
14) Use-after-free (CVE-ID: CVE-2020-9795)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the Kernel. A remote attacker can execute arbitrary code on the target system with kernel privileges.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
15) Integer overflow (CVE-ID: CVE-2020-9852)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the Kernel. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system with kernel privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
16) Information disclosure (CVE-ID: CVE-2020-9797)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application within the Kernel. A remote attacker can use a malicious application to determine another application's memory layout.
17) Buffer overflow (CVE-ID: CVE-2020-9821)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Kernel. A remote attacker can use a specially crafted application to trigger memory corruption and execute arbitrary code on the target system with kernel privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
18) Out-of-bounds read (CVE-ID: CVE-2020-9837)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the IPSec functionality. A remote attacker can trigger out-of-bounds read error and read contents of memory on the system.
19) Out-of-bounds write (CVE-ID: CVE-2020-9822)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input within the Intel Graphics Driver. A remote attacker can use a specially crafted application to trigger out-of-bounds write and execute arbitrary code on the target system.
20) Out-of-bounds write (CVE-ID: CVE-2020-9790)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input within the ImageIO functionality. A remote attacker can use a specially crafted image to trigger out-of-bounds write and execute arbitrary code on the target system.
21) Out-of-bounds write (CVE-ID: CVE-2020-9789)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input within the ImageIO functionality. A remote attacker can use a specially crafted image to trigger out-of-bounds write and execute arbitrary code on the target system.
22) UNIX symbolic link following (CVE-ID: CVE-2020-9855)
The vulnerability allows a local attacker to escalate privileges on the system.
The vulnerability exists due to a symlink following issue within the Find My functionality. A local attacker can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.
Successful exploitation of this vulnerability may result in privilege escalation.
23) Out-of-bounds read (CVE-ID: CVE-2020-9847)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the DiskArbitration functionality. A remote attacker can use a malicious application to trigger out-of-bounds read error and read contents of memory on the system.
24) Out-of-bounds read (CVE-ID: CVE-2020-9828)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the CoreBluetooth functionality. A remote attacker can trigger out-of-bounds read error and read contents of memory on the system.
25) Information disclosure (CVE-ID: CVE-2020-3882)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application within the Calendar module. A remote attacker can import a maliciously crafted calendar invitation and gain unauthorized access to sensitive information on the system.
26) Out-of-bounds read (CVE-ID: CVE-2020-9831)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the Bluetooth functionality. A remote attacker can use a specially crafted application to trigger out-of-bounds read error and read contents of memory on the system.
27) Input validation error (CVE-ID: CVE-2020-9804)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the AppleUSBNetworking functionality. An attacker with physical access can insert a malicious USB device that sends invalid messages and may cause a kernel panic.
28) Out-of-bounds write (CVE-ID: CVE-2020-3878)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input within the ImageIO functionality. A remote attacker can create a specially crafted image, trigger out-of-bounds write and execute arbitrary code on the target system.
29) Out-of-bounds read (CVE-ID: CVE-2020-9832)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the Wi-Fi component. A remote attacker can use a specially crafted application to trigger out-of-bounds read error and read contents of memory on the system.
30) Out-of-bounds read (CVE-ID: CVE-2020-9833)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the Wi-Fi component. A local user can trigger out-of-bounds read error and read contents of memory on the system.
31) Buffer overflow (CVE-ID: CVE-2020-9834)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Wi-Fi component. A remote attacker can trigger memory corruption and execute arbitrary code on the target system with kernel privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
32) Buffer overflow (CVE-ID: CVE-2020-9830)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Wi-Fi component. A remote attacker can trigger memory corruption and execute arbitrary code on the target system with kernel privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
33) Double Free (CVE-ID: CVE-2020-9844)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the Wi-Fi component. A remote attacker can pass specially crafted data to the application, trigger double free error and cause unexpected system termination or corrupt kernel memory.
34) Input validation error (CVE-ID: CVE-2020-9792)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the USB Audio component. An attacker with physical access can use a malicious USB device and perform a denial of service (DoS) attack.
35) Out-of-bounds read (CVE-ID: CVE-2020-9794)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack or gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the SQLite functionality. A remote attacker can use a specially crafted application to trigger out-of-bounds read error and read contents of memory on the system or cause a denial of service condition.
36) Improper access control (CVE-ID: CVE-2020-9824)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions within the SIP functionality. A remote authenticated attacker can bypass implemented security restrictions and modify restricted network settings.
37) Input validation error (CVE-ID: CVE-2020-9788)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists within the Security module because a file may be incorrectly rendered to execute JavaScript. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system.
38) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-9771)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because the application does not properly impose security restrictions within the Sandbox functionality. A remote user can gain access to protected parts of the file system.
39) Improper access control (CVE-ID: CVE-2020-9825)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions within the Sandbox functionality. A remote attacker can use a specially crafted application to bypass Privacy preferences.
40) Out-of-bounds write (CVE-ID: CVE-2020-9793)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input within Python. A remote attacker can trigger out-of-bounds write and execute arbitrary code on the target system.
41) Improper access control (CVE-ID: CVE-2020-9851)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions within the PackageKit functionality. A remote attacker can use a malicious application to modify protected parts of the file system.
42) Creation of Temporary File With Insecure Permissions (CVE-ID: CVE-2020-9817)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists because the macOS Installer creates a world-readable temp directory into which files are extracted during installation within the PackageKit functionality. A local user can gain root privileges on the target system.
43) Information disclosure (CVE-ID: CVE-2020-9857)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application within NSURL. A remote attacker can use a malicious website to exfiltrate autofilled data in Safari.
44) Out-of-bounds read (CVE-ID: CVE-2020-9809)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the Kernel. A remote attacker can use a specially crafted application to trigger out-of-bounds read error and read contents of memory on the system.
45) Buffer overflow (CVE-ID: CVE-2020-9814)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Kernel. A remote attacker can use a specially crafted application to trigger memory corruption and execute arbitrary code on the target system with kernel privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
46) Buffer overflow (CVE-ID: CVE-2020-9813)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Kernel. A remote attacker can use a specially crafted application to trigger memory corruption and execute arbitrary code on the target system with kernel privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Remediation
Install update from vendor's website.
References
- https://support.apple.com/en-gb/HT211170
- https://www.zerodayinitiative.com/advisories/ZDI-20-681/
- https://www.zerodayinitiative.com/advisories/ZDI-20-671/
- https://www.zerodayinitiative.com/advisories/ZDI-20-673/
- https://www.zerodayinitiative.com/advisories/ZDI-20-674/
- https://www.zerodayinitiative.com/advisories/ZDI-20-683/
- https://www.zerodayinitiative.com/advisories/ZDI-20-680/
- http://seclists.org/fulldisclosure/2020/May/49
- http://seclists.org/fulldisclosure/2020/May/53
- http://seclists.org/fulldisclosure/2020/May/54
- http://seclists.org/fulldisclosure/2020/May/55
- http://seclists.org/fulldisclosure/2020/May/56
- http://seclists.org/fulldisclosure/2020/May/57
- http://seclists.org/fulldisclosure/2020/May/59
- https://support.apple.com/HT210918
- https://support.apple.com/HT210919
- https://support.apple.com/HT210920
- https://support.apple.com/HT210921
- https://support.apple.com/kb/HT211168
- https://support.apple.com/kb/HT211170
- https://support.apple.com/kb/HT211171
- https://support.apple.com/kb/HT211175
- https://support.apple.com/kb/HT211178
- https://support.apple.com/kb/HT211179
- https://support.apple.com/kb/HT211181
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-mac-priv-esc-VqST2nrT
- https://research.nccgroup.com/2020/07/02/technical-advisory-macos-installer-local-root-privilege-escalation-cve-2020-9817/