CIS CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2015-114

DATE(S) ISSUED:
09/16/2015
09/21/2015 - Updated

SUBJECT:
Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution

ORIGINAL OVERVIEW:

Multiple vulnerabilities have been discovered in Apple iOS and iTunes. Apple iOS is an operating system for iPhone, iPod touch, and iPad. Apple iTunes is used to play media files on Microsoft Windows and Mac OS X platforms. These vulnerabilities can be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file, including an email attachment.

Successful exploitation could result in an attacker gaining the same privileges as the logged on user, remote code execution within the context of the application, and the ability to bypass the security systems. Failed attacks may still cause a Denial of Service condition within the targeted delivery method. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

September 21 - UPDATED OVERVIEW:

Multiple vulnerabilities have been discovered in Apple watchOS. Apple watchOS is the operating system used by the Apple Watch.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Apple iOS prior to 9.0

  • Apple iTunes prior to 12.3

September 21 - UPDATED SYSTEMS AFFECTED:

  • Apple watchOS prior to 2

RISK:

Government:

  • Large and medium government entities: High

  • Small government entities: High

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

Home users: High

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in iOS and iTunes, the most severe of which could allow remote code execution. Details of these vulnerabilities are as follows:

  • Multiple vulnerabilities affect the 'Kernel' component, which could allow an attacker to execute arbitrary code. (CVE-2015-5868, CVE-2015-5896, CVE-2015-5903)

  • A memory-corruption vulnerability affects the 'CoreText' component when handling specially-crafted font files. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5874)

  • A memory-corruption vulnerability affects the 'Data Detectors Engine' component. Specifically, this issue occurs when processing a maliciously crafted text file. This may lead to arbitrary code execution. (CVE-2015-5829)

  • A memory-corruption vulnerability affects the ‘Dev Tools’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5876)

  • A memory-corruption vulnerability affects the ‘Disk Images’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5847)

  • A memory-corruption vulnerability affects the ‘libc’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2014-8611)

  • A memory-corruption vulnerability affects the ‘libpthread’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5899)

  • A memory-corruption vulnerability affects the ‘IOAcceleratorFamily’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5848)

  • A memory-corruption vulnerability affects the ‘IOHIDFamily’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5867)

  • Memory-corruption vulnerabilities affect the ‘IOKit’ component. An attacker can exploit these issues to execute arbitrary code. (CVE-2015-5844, CVE-2015-5845, CVE-2015-5846)

  • A memory-corruption vulnerability affects the ‘IOMobileFrameBuffer’ component. An attacker can exploit this issue to execute arbitrary code. (CVE-2015-5843)

  • Memory-corruption vulnerabilities affect the ‘JavaScriptCore’ component. An attacker can exploit these issues to execute arbitrary code. (CVE-2015-5791, CVE-2015-5793, CVE-2015-5814, CVE-2015-5816, CVE-2015-5822, CVE-2015-5823)

  • Memory-corruption vulnerabilities affect the ‘tidy’ component. An attacker can exploit these issues to execute arbitrary code. (CVE-2015-5522, CVE-2015-5523)

  • WebKit is prone to multiple memory-corruption vulnerabilities, which could allow for arbitrary code execution. (CVE-2015-5789, CVE-2015-5790, CVE-2015-5792, CVE-2015-5794, CVE-2015-5795, CVE-2015-5796, CVE-2015-5797, CVE-2015-5799, CVE-2015-5800, CVE-2015-5801, CVE-2015-5802, CVE-2015-5803, CVE-2015-5804, CVE-2015-5805, CVE-2015-5806, CVE-2015-5807, CVE-2015-5809, CVE-2015-5810, CVE-2015-5811, CVE-2015-5812, CVE-2015-5813, CVE-2015-5817, CVE-2015-5818, CVE-2015-5819, CVE-2015-5821)

  • Terminals may retrieve limited transaction history from some cards using Apple Pay. (CVE-2015-5916)

  • Failed passcode attempts can be reset using an iOS backup. (CVE-2015-5850)

  • Malicious ITMS link may cause DoS when clicked. (CVE-2015-5856)

  • Malicious audio playback may cause unexpected app termination. (CVE-2015-5862)

  • Apple app cache data may be read with physical access to machine. (CVE-2015-5898)

  • User activity can be tracked by an attacker in a privileged network position. (CVE-2015-5885)

  • Unintended cookie creation for websites. (CVE-2015-3801)

  • Client reconnaissance of other hosts using malicious ftp servers. (CVE-2015-5912)

  • Bypass of HTTP Strict Transport Security (HSTS) with a maliciously crafted URL to leak sensitive data. (CVE-2015-5858)

  • User tracking in Safari private browsing mode by a malicious website. (CVE-2015-5860)

  • Assigning malicious cookies for a website by malicious websites. (CVE-2015-5841)

  • Interception of SSL/TLS connections by attacker from privileged network position. (CVE-2015-5824)

  • Sensitive user information leakage by malicious application. (CVE-2015-5880)

  • Bypass of dyld code signing. (CVE-2015-5839)

  • Access to a player’s email address by a malicious Game Center application. (CVE-2015-5855)

  • Multiple vulnerabilities in ICU. (CVE-2014-8146, CVE-2015-1205)

  • Determination of kernel address memory layout by malicious application. (CVE-2015-5834)

  • Memory reading by local attacker. (CVE-2015-5863)

  • AppleID credentials persisting after signing out. (CVE-2015-5832)

  • Stack cookie values controlled by attacker. (CVE-2013-3951)

  • Modification of other processes by a local process without entitlement checks. (CVE-2015-5882)

  • Ability to launch DoS attacks against TCP connections without knowing the sequence number. (CVE-2015-5879)

  • Disabling of IPv6 routing by attacker in local LAN segment. (CVE-2015-5869)

  • Determination of kernel memory layout by local user. (CVE-2015-5842)

  • System DoS by local user. (CVE-2015-5748)

  • Impersonation of recipient’s address book contact by email. (CVE-2015-5857)

  • Observation of unprotected multipeer data by local attacker. (CVE-2015-5851)

  • Determination of kernel memory layout by malicious application. (CVE-2015-5831)

  • OpenSSL vulnerabilities. (CVE-2015-0286, CVE-2015-0287)

  • Installation of extensions prior to trust. (CVE-2015-5837)

  • Unexpected application termination by malicious data processing. (CVE-2015-5840)

  • Access to Safari bookmarks on locked iOS device without use of passcode. (CVE-2015-5903)

  • User-interface spoofing from malicious website. (CVE-2015-5904, CVE-2015-5905, CVE-2015-5764, CVE-2015-5765, CVE-2015-5767)

  • User-tracking with client certificates by malicious websites. (CVE-2015-1129)

  • Interception of communications between apps by a malicious app. (CVE-2015-5835)

  • Notifications that are not meant to be displayed on the lock screen can be accessed through Siri with physical access to the device. (CVE-2015-5892)

  • Audio message reply from the lock screen is possible when lock screen message preview is disabled, given physical access to the device. (CVE-2015-5861)

  • Spoofing of other applications’ dialog windows by a malicious application. (CVE-2015-5838)

  • SQLite vulnerabilities. (CVE-2015-5895)

  • Object references leak in WebKit. (CVE-2015-5827)

  • Unintended dialing by visiting malicious website. (CVE-2015-5820)

  • QuickType can access the value of the last character in the password field of a filled form. (CVE-2015-5906)

  • Redirection to malicious domain by attacker in privileged network position. (CVE-2015-5907)

  • Cross-origin data exfiltration vulnerability. (CVE-2015-5826)

  • Leakage of browsing history, mouse movements, and network activity by malicious website. (CVE-2015-5825)

  • Leakage of sensitive user information by attacker in privileged network position. (CVE-2015-5921)

  • Disclosure of image data from another site when visiting malicious website. (CVE-2015-5788)

  • Memory-corruption vulnerabilities affect iTunes. Specifically, these issues occur when processing a maliciously crafted text file. This may lead to arbitrary code execution. (CVE-2015-1157, CVE-2015-3686, CVE-2015-3687, CVE-2015-3688, CVE-2015-5755, CVE-2015-5761)

  • Arbitrary code execution when opening a media file. (CVE-2010-3190)

  • A man-in-the-middle (MITM) attack while browsing the iTunes Store can result in arbitrary code execution. (CVE-2015-1152, CVE-2015-1153, CVE-2015-3730, CVE-2015-3731, CVE-2015-3733, CVE-2015-3734, CVE-2015-3735, CVE-2015-3736, CVE-2015-3737, CVE-2015-3738, CVE-2015-3739, CVE-2015-3740, CVE-2015-3741, CVE-2015-3742, CVE-2015-3743, CVE-2015-3744, CVE-2015-3745, CVE-2015-3746, CVE-2015-3747, CVE-2015-3748, CVE-2015-3749, CVE-2015-5798, CVE-2015-5808, CVE-2015-5815)

  • SMB credentials can be obtained by attacker in privileged network position. (CVE-2015-5920)

Successful exploitation could result in an attacker gaining the same privileges as the logged on user, remote code execution within the context of the application, and the ability to bypass the security systems. Failed attacks may still cause a Denial of Service condition within the targeted delivery method. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

September 21 - UPDATED TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Apple watchOS, the most severe of which could allow remote code execution. Details of these vulnerabilities are as follows:

  • Two memory-corruption issues exist in the kernel in Apple watchOS that could allow for local arbitrary code execution. (CVE-2015-5918, CVE-2015-5919)

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Apple to vulnerable systems immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to download, accept, or execute files from untrusted or unknown sources.

  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:

Apple:

https://support.apple.com/en-us/HT205212

https://support.apple.com/en-us/HT205221

SecurityFocus:

http://www.securityfocus.com/advisories/36137

http://www.securityfocus.com/advisories/36139

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5916

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5850

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5856

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5862

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5898

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5885

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3801

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5912

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5858

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5860

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5841

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5824

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5880

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5874

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5829

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5876

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5839

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5847

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5855

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8146

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1205

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5834

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5848

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5867

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5844

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5845

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5846

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5843

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5863

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5832

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5791

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5793

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5814

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5816

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5822

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5823

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5868

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5896

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5903

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3951

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5882

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5879

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5869

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5842

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5748

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8611

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5899

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5857

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5851

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5831

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5837

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5840

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5904

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5905

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1129

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5764

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5765

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5767

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5835

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5892

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5861

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5838

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5895

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5522

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5523

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5827

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5789

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5790

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5792

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5794

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5795

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5796

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5797

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5799

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5800

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5801

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5802

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5803

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5804

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5805

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5806

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5807

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5809

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5810

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5811

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5812

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5813

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5817

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5818

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5819

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5821

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5820

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5906

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5907

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5826

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5825

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5921

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5788

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1157

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3686

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3687

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3688

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5755

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5761

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1152

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1153

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3730

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3731

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3733

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3734

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3735

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3736

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3737

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3738

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3739

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3740

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3741

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3742

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3743

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3744

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3745

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3746

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3747

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3748

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3749

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5798

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5808

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5815

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5920

September 21 - UPDATED REFERENCES:

Apple:

https://support.apple.com/en-us/HT205213

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5918

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5919