var-202010-1231
Vulnerability from variot
Multiple issues were addressed with improved logic. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple Safari, etc. are all products of Apple (Apple). Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. WebKit is one of the web browser engine components. A security vulnerability exists in the WebKit component of several Apple products. The following products and versions are affected: Apple Safari prior to 13.1.2; iOS prior to 13.6; iPadOS prior to 13.6; tvOS prior to 13.4.8; watchOS prior to 6.2.8; Windows-based iTunes prior to 12.10.8. Apple Safari could allow a local authenticated malicious user to bypass security restrictions, caused by an issue in the WebKit component.
Alternatively, on your watch, select "My Watch > General > About". PAC and JIT Hardening Bypass in WebKit on iOS
As per discussions with product-security@apple.com, Apple would like to treat the PAC bypass described here as a security vulnerability by itself. The bypass was initially reported without a deadline on May 6. After receiving the reply that they will treat it as a separate vulnerability, this issue has been created to start the 90-day deadline (from today).
On macOS, gaining shellcode execution from arbitrary memory read/write in a WebKit renderer only requires finding and writing to the JIT region. However, on iOS a combination of APRR [1] and PAC [2] protect the JIT region from an attacker with arbitrary read/write.
WebKit has support for in-process signal handling. This is for example used by some JIT optimizations in JSC [3]. The main signal handler is catch_mach_exception_raise_state in Signals.cpp [4], which will traverse a linked list of handlers and call each one of them. If any of the handlers returns success, the signal is treated as handled and the thread will continue.
This enables the following attack:
- The linked list of handlers is turned into a cycle, causing
catch_mach_exception_raise_stateto loop infinitely upon catching a signal - A crash is triggered in another thread, for example in a WebWorker. A GCD thread is now \"stuck\" in
catch_mach_exception_raise_state - The main thread searches the stacks for the stackframe of
catch_mach_exception_raise_state. Once found, it has access to the reply mach message ofcatch_mach_exception_raise_stateand with that to the context (registers + stack) of the crashed thread. It can modify them arbitrarily except for PC which is protected by PAC. After modifying the state and marking the exception as property handled in the reply message, it fixes the linked list of handlers, causingcatch_mach_exception_raise_statein the other thread to finish - The crashed thread now resumes execution with attacker-controlled registers and/or stack content
It should also be possible to catch multiple signals following each other by first making a copy of the handlers list/cycle, then swapping the \"active\" and \"inactive\" exception hander lists before repairing the now inactive handler list. The current exception handler will then return, but if a new exception is immediately raised, the handling thread will again be stuck in catch_mach_exception_raise_state as it uses the other list which is still a cycle. It is also worth noting that it should be possible to modify the global activeExceptions variable in Signals.cpp prior to the installation of signal handlers, thus allowing the attacker to control which exceptions are handled.
This \"debugger\" now immediately allows brute-forcing PACs as PAC mostly relies on conventional access violations when failing. Moreover, it allows PAC to be bypassed trivially for some pointers, namely in cases where the authentication and use are two separate instructions, with the second instruction triggering a crash. The PoC demonstrates this by bypassing the PAC protecting a TypedArray's backing storage pointer: first, a TypedArray's backing storage pointer in a worker is corrupted, then accessed. This will cause the AUTDB instruction to fail, leaving the pointer clobbered and causing a crash when the pointer is subsequently accessed. Next, this crash is \"handled\" with the debugger and the register containing the clobbered pointer is replaced with an arbitrary pointer. The worker then continues and re-executes the access instruction which now succeeds and thus accesses an address of the attacker's choosing.
With this, it should now be possible to achieve arbitrary native code execution (i.e. bypassing the JIT hardening). Possible ideas for that are: - Corrupt the AssemblerBuffer so arbitrary instructions are copied into the JIT region by the LinkBuffer. This will cause the computed hashes to mismatch and the linker to crash, but that only happens after the instructions have been copied and the crash can then simply be caught - Crash during one of the writes into the JIT region in LinkBuffer::copyCompactAndLinkCode (by corrupting the destination pointer prior to that) and change the content of the source register so that an arbitrary instruction is written into the JIT region while the original instruction is used for the hash computation - Crash during LinkBuffer::copyCompactAndLinkCode and resume execution somewhere else. This should leave the JIT region writable (although not executable) for that thread - Brute-force a PAC code (e.g. by repeatedly accessing, crashing, and then changing a PAC protected pointer), then JOP into one of the functions into which performJITMemcpy is inlined
[1] https://siguza.github.io/APRR/ [2] https://github.com/apple/llvm-project/blob/apple/master/clang/docs/PointerAuthentication.rst [3] https://github.com/WebKit/webkit/blob/015fb86d51851fc3e13f05898c85d62d0b1bae8f/Source/JavaScriptCore/runtime/OptionsList.h#L466 [4] https://github.com/WebKit/webkit/blob/4ceb36e525b55b9d49aed0b400507d522953e025/Source/WTF/wtf/threads/Signals.cpp#L137
This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report will become visible to the public. The scheduled disclosure date is 2020-08-13. Disclosure at an earlier date is possible if agreed upon by all parties.
Related CVE Numbers: CVE-2020-9910
Found by: saelo@google.com
. CVE-2020-9862: Ophir Lojkine (@lovasoa)
Installation note:
Safari 13.1.2 may be obtained from the Mac App Store. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
APPLE-SA-2020-07-15-1 iOS 13.6 and iPadOS 13.6
iOS 13.6 and iPadOS 13.6 are now available and address the following:
Audio Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9888: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab CVE-2020-9890: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab CVE-2020-9891: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab
Audio Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9889: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab
AVEVideoEncoder Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed by removing the vulnerable code. CVE-2020-9907: an anonymous researcher
Bluetooth Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A remote attacker may cause an unexpected application termination Description: A denial of service issue was addressed with improved input validation. CVE-2020-9931: Dennis Heinze (@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab
CoreFoundation Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A local user may be able to view sensitive user information Description: An issue existed in the handling of environment variables. CVE-2020-9934: an anonymous researcher
Crash Reporter Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A malicious application may be able to break out of its sandbox Description: A memory corruption issue was addressed by removing the vulnerable code. CVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud
GeoServices Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A malicious application may be able to read sensitive location information Description: An authorization issue was addressed with improved state management. CVE-2020-9933: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.
iAP Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: An attacker in a privileged network position may be able to execute arbitrary code Description: An input validation issue existed in Bluetooth. CVE-2020-9914: Andy Davis of NCC Group
ImageIO Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9936: Mickey Jin of Trend Micro
Kernel Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2020-9923: Proteas
Kernel Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: An attacker in a privileged network position may be able to inject into active connections within a VPN tunnel Description: A routing issue was addressed with improved restrictions. CVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. Crandall
Kernel Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9909: Brandon Azad of Google Project Zero
Mail Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A remote attacker can cause a limited out-of-bounds write, resulting in a denial of service Description: An input validation issue was addressed. CVE-2019-19906
Messages Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A user that is removed from an iMessage group could rejoin the group Description: An issue existed in the handling of iMessage tapbacks. The issue was resolved with additional verification. CVE-2020-9885: an anonymous researcher, Suryansh Mansharamani, of WWP High School North (medium.com/@suryanshmansha)
Model I/O Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution Description: A buffer overflow issue was addressed with improved memory handling. CVE-2020-9878: Holger Fuhrmannek of Deutsche Telekom Security
Safari Login AutoFill Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A malicious attacker may cause Safari to suggest a password for the wrong domain Description: A logic issue was addressed with improved restrictions. CVE-2020-9903: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)
Safari Reader Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: An issue in Safari Reader mode may allow a remote attacker to bypass the Same Origin Policy Description: A logic issue was addressed with improved restrictions. CVE-2020-9911: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)
WebKit Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative
WebKit Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced Description: An access issue existed in Content Security Policy. CVE-2020-9915: an anonymous researcher
WebKit Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative CVE-2020-9895: Wen Xu of SSLab, Georgia Tech
WebKit Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue was addressed with improved state management. CVE-2020-9925: an anonymous researcher
WebKit Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication Description: Multiple issues were addressed with improved logic. CVE-2020-9910: Samuel Groß of Google Project Zero
WebKit Page Loading Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A malicious attacker may be able to conceal the destination of a URL Description: A URL Unicode encoding issue was addressed with improved state management. CVE-2020-9916: Rakesh Mane (@RakeshMane10)
WebKit Web Inspector Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: Copying a URL from Web Inspector may lead to command injection Description: A command injection issue existed in Web Inspector. CVE-2020-9862: Ophir Lojkine (@lovasoa)
Wi-Fi Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-9918: Jianjun Dai of 360 Alpha Lab working with 360 BugCloud (bugcloud.360.cn)
WiFi Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation Impact: A remote attacker may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2020-9917: an anonymous researcher, Pradeep Deokate of Harman
Additional recognition
Bluetooth We would like to acknowledge Andy Davis of NCC Group for their assistance.
Kernel We would like to acknowledge Brandon Azad of Google Project Zero for their assistance.
USB Audio We would like to acknowledge Andy Davis of NCC Group for their assistance.
Installation note:
This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
- Navigate to Settings
- Select General
- Select About. The version after applying this update will be "iOS 13.6 and iPadOS 13.6". -----BEGIN PGP SIGNATURE-----
iQIyBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl8POhUACgkQBz4uGe3y 0M3VAA/3ciev1rSP1w547PW3gsdGviEqUD6d5cNWfVKyIywIwqhXD24bNn471XPe ufoLyxB/SlH9yKcHjuNYmeL+tu+4Gqx+YvaNTrKkBlh0DP7bB7y1vKVDbHjTsSbx ecrPfDI3ZHXXux9+1fYZ47ISnJDakqVEI3bAw7JFtwL4DmQYdyk+xaUVTXTXksoV YwXin1usgQUZp921ygUNzP5kMwwdmbwenMS+U5s270TlSFPLflB61iykZCEOt7n4 sQqpv1A1GQPigTAPZOevl/TyfUAzRxXhOjXoBw6GSHXmfrLdkT72cw+VuIxZ2rpG 5VGkORd8S0PNDPndLYUb3VxKa4GucbuFd/f4YY4xhJuyZj1ANidPmSn1QkviqCjz 47pvdvWIQpRAQZv4yhlCfcZPYYwkHOPLsmSYbUdfKZvMHx+GneJp4T6ofZ5E7pvQ W354Asbg8fSFbx0jbmQpI0jJIgwLy8ydMVf1HsqToM/mSwTRQBjONNGQweHIdfXQ Z1PJ4cmOTutRmGLgDHIikVkq8mIu+1EOWBkLAXoZrn7d9pbosHZG/5OT3rpXpQU2 FykbSj7EkVyEJ978rAaynixaiuNbaw39osKaP4H5LcFhzyM8tF3paiR0gXKhizTB w57KB0YW0QrWBupRIdAd+yH2jt6iNviLfkq7fUAzZ3hb1iikVw== =Tlxk -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202010-1231",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "ipados",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.6"
},
{
"model": "safari",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.1.2"
},
{
"model": "watchos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "6.2.8"
},
{
"model": "itunes",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.10.8"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "7.20"
},
{
"model": "tvos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "13.4.8"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "11.3"
},
{
"model": "icloud",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "11.0"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "13.1.2 \u672a\u6e80 (macos high sierra)"
},
{
"model": "icloud",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "7.20 \u672a\u6e80 (windows 7 \u4ee5\u964d)"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "13.6 \u672a\u6e80 (iphone 6s \u4ee5\u964d)"
},
{
"model": "ipados",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "13.6 \u672a\u6e80 (ipad mini 4 \u4ee5\u964d)"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "13.1.2 \u672a\u6e80 (macos mojave)"
},
{
"model": "icloud",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "11.3 \u672a\u6e80 (microsoft store \u304b\u3089\u5165\u624b\u3057\u305f windows 10 \u4ee5\u964d)"
},
{
"model": "watchos",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "6.2.8 \u672a\u6e80 (apple watch series 1 \u4ee5\u964d)"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "13.6 \u672a\u6e80 (ipod touch \u7b2c 7 \u4e16\u4ee3)"
},
{
"model": "tvos",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "13.4.8 \u672a\u6e80 (apple tv hd)"
},
{
"model": "ipados",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "13.6 \u672a\u6e80 (ipad air 2 \u4ee5\u964d)"
},
{
"model": "tvos",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "13.4.8 \u672a\u6e80 (apple tv 4k)"
},
{
"model": "itunes",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "for windows 12.10.8 \u672a\u6e80 (windows 7 \u4ee5\u964d)"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "13.1.2 \u672a\u6e80 (macos catalina)"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-009907"
},
{
"db": "NVD",
"id": "CVE-2020-9910"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "13.4.8",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "13.6",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apple:icloud:*:*:*:*:*:windows:*:*",
"cpe_name": [],
"versionEndExcluding": "7.20",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apple:icloud:*:*:*:*:*:windows:*:*",
"cpe_name": [],
"versionEndExcluding": "11.3",
"versionStartIncluding": "11.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apple:itunes:*:*:*:*:*:windows:*:*",
"cpe_name": [],
"versionEndExcluding": "12.10.8",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "13.1.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.2.8",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "13.6",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2020-9910"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "saelo, Google Security Research",
"sources": [
{
"db": "PACKETSTORM",
"id": "158870"
},
{
"db": "CNNVD",
"id": "CNNVD-202007-1141"
}
],
"trust": 0.7
},
"cve": "CVE-2020-9910",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "JVNDB-2020-009907",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "VHN-188035",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULMON",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CVE-2020-9910",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "MEDIUM",
"trust": 0.1,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2020-009907",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2020-9910",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "JVNDB-2020-009907",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-202007-1141",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-188035",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-9910",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-188035"
},
{
"db": "VULMON",
"id": "CVE-2020-9910"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009907"
},
{
"db": "NVD",
"id": "CVE-2020-9910"
},
{
"db": "CNNVD",
"id": "CNNVD-202007-1141"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Multiple issues were addressed with improved logic. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple Safari, etc. are all products of Apple (Apple). Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. WebKit is one of the web browser engine components. A security vulnerability exists in the WebKit component of several Apple products. The following products and versions are affected: Apple Safari prior to 13.1.2; iOS prior to 13.6; iPadOS prior to 13.6; tvOS prior to 13.4.8; watchOS prior to 6.2.8; Windows-based iTunes prior to 12.10.8. Apple Safari could allow a local authenticated malicious user to bypass security restrictions, caused by an issue in the WebKit component. \n\nAlternatively, on your watch, select \"My Watch \u003e General \u003e About\". PAC and JIT Hardening Bypass in WebKit on iOS\n\nAs per discussions with product-security@apple.com, Apple would like to treat the PAC bypass described here as a security vulnerability by itself. The bypass was initially reported without a deadline on May 6. After receiving the reply that they will treat it as a separate vulnerability, this issue has been created to start the 90-day deadline (from today). \n\nOn macOS, gaining shellcode execution from arbitrary memory read/write in a WebKit renderer only requires finding and writing to the JIT region. However, on iOS a combination of APRR [1] and PAC [2] protect the JIT region from an attacker with arbitrary read/write. \n\nWebKit has support for in-process signal handling. This is for example used by some JIT optimizations in JSC [3]. The main signal handler is `catch_mach_exception_raise_state` in Signals.cpp [4], which will traverse a linked list of handlers and call each one of them. If any of the handlers returns success, the signal is treated as handled and the thread will continue. \n\nThis enables the following attack:\n\n1. The linked list of handlers is turned into a cycle, causing `catch_mach_exception_raise_state` to loop infinitely upon catching a signal\n2. A crash is triggered in another thread, for example in a WebWorker. A GCD thread is now \\\"stuck\\\" in `catch_mach_exception_raise_state`\n3. The main thread searches the stacks for the stackframe of `catch_mach_exception_raise_state`. Once found, it has access to the reply mach message of `catch_mach_exception_raise_state` and with that to the context (registers + stack) of the crashed thread. It can modify them arbitrarily except for PC which is protected by PAC. After modifying the state and marking the exception as property handled in the reply message, it fixes the linked list of handlers, causing `catch_mach_exception_raise_state` in the other thread to finish\n4. The crashed thread now resumes execution with attacker-controlled registers and/or stack content\n\nIt should also be possible to catch multiple signals following each other by first making a copy of the handlers list/cycle, then swapping the \\\"active\\\" and \\\"inactive\\\" exception hander lists before repairing the now inactive handler list. The current exception handler will then return, but if a new exception is immediately raised, the handling thread will again be stuck in `catch_mach_exception_raise_state` as it uses the other list which is still a cycle. It is also worth noting that it should be possible to modify the global `activeExceptions` variable in Signals.cpp prior to the installation of signal handlers, thus allowing the attacker to control which exceptions are handled. \n\nThis \\\"debugger\\\" now immediately allows brute-forcing PACs as PAC mostly relies on conventional access violations when failing. Moreover, it allows PAC to be bypassed trivially for some pointers, namely in cases where the authentication and use are two separate instructions, with the second instruction triggering a crash. The PoC demonstrates this by bypassing the PAC protecting a TypedArray\u0027s backing storage pointer: first, a TypedArray\u0027s backing storage pointer in a worker is corrupted, then accessed. This will cause the AUTDB instruction to fail, leaving the pointer clobbered and causing a crash when the pointer is subsequently accessed. Next, this crash is \\\"handled\\\" with the debugger and the register containing the\nclobbered pointer is replaced with an arbitrary pointer. The worker then continues and re-executes the access instruction which now succeeds and thus accesses an address of the attacker\u0027s choosing. \n\nWith this, it should now be possible to achieve arbitrary native code execution (i.e. bypassing the JIT hardening). Possible ideas for that are:\n- Corrupt the AssemblerBuffer so arbitrary instructions are copied into the JIT region by the LinkBuffer. This will cause the computed hashes to mismatch and the linker to crash, but that only happens after the instructions have been copied and the crash can then simply be caught\n- Crash during one of the writes into the JIT region in LinkBuffer::copyCompactAndLinkCode (by corrupting the destination pointer prior to that) and change the content of the source register so that an arbitrary instruction is written into the JIT region while the original instruction is used for the hash computation\n- Crash during LinkBuffer::copyCompactAndLinkCode and resume execution somewhere else. This should leave the JIT region writable (although not executable) for that thread\n- Brute-force a PAC code (e.g. by repeatedly accessing, crashing, and then changing a PAC protected pointer), then JOP into one of the functions into which performJITMemcpy is inlined\n\n[1] https://siguza.github.io/APRR/\n[2] https://github.com/apple/llvm-project/blob/apple/master/clang/docs/PointerAuthentication.rst\n[3] https://github.com/WebKit/webkit/blob/015fb86d51851fc3e13f05898c85d62d0b1bae8f/Source/JavaScriptCore/runtime/OptionsList.h#L466\n[4] https://github.com/WebKit/webkit/blob/4ceb36e525b55b9d49aed0b400507d522953e025/Source/WTF/wtf/threads/Signals.cpp#L137\n\n\nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse,\nthe bug report will become visible to the public. The scheduled disclosure\ndate is 2020-08-13. Disclosure at an earlier date is possible if\nagreed upon by all parties. \n\n\nRelated CVE Numbers: CVE-2020-9910\n\n\n\nFound by: saelo@google.com\n\n. \nCVE-2020-9862: Ophir Lojkine (@lovasoa)\n\nInstallation note:\n\nSafari 13.1.2 may be obtained from the Mac App Store. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2020-07-15-1 iOS 13.6 and iPadOS 13.6\n\niOS 13.6 and iPadOS 13.6 are now available and address the following:\n\nAudio\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: Processing a maliciously crafted audio file may lead to\narbitrary code execution\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2020-9888: JunDong Xie and XingWei Li of Ant-financial Light-Year\nSecurity Lab\nCVE-2020-9890: JunDong Xie and XingWei Li of Ant-financial Light-Year\nSecurity Lab\nCVE-2020-9891: JunDong Xie and XingWei Li of Ant-financial Light-Year\nSecurity Lab\n\nAudio\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: Processing a maliciously crafted audio file may lead to\narbitrary code execution\nDescription: An out-of-bounds write issue was addressed with improved\nbounds checking. \nCVE-2020-9889: JunDong Xie and XingWei Li of Ant-financial Light-Year\nSecurity Lab\n\nAVEVideoEncoder\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed by removing the\nvulnerable code. \nCVE-2020-9907: an anonymous researcher\n\nBluetooth\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A remote attacker may cause an unexpected application\ntermination\nDescription: A denial of service issue was addressed with improved\ninput validation. \nCVE-2020-9931: Dennis Heinze (@ttdennis) of TU Darmstadt, Secure\nMobile Networking Lab\n\nCoreFoundation\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A local user may be able to view sensitive user information\nDescription: An issue existed in the handling of environment\nvariables. \nCVE-2020-9934: an anonymous researcher\n\nCrash Reporter\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A malicious application may be able to break out of its\nsandbox\nDescription: A memory corruption issue was addressed by removing the\nvulnerable code. \nCVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360\nBugCloud\n\nGeoServices\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A malicious application may be able to read sensitive\nlocation information\nDescription: An authorization issue was addressed with improved state\nmanagement. \nCVE-2020-9933: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc. \n\niAP\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: An attacker in a privileged network position may be able to\nexecute arbitrary code\nDescription: An input validation issue existed in Bluetooth. \nCVE-2020-9914: Andy Davis of NCC Group\n\nImageIO\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: Processing a maliciously crafted image may lead to arbitrary\ncode execution\nDescription: An out-of-bounds write issue was addressed with improved\nbounds checking. \nCVE-2020-9936: Mickey Jin of Trend Micro\n\nKernel\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A malicious application may be able to execute arbitrary code\nwith system privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2020-9923: Proteas\n\nKernel\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: An attacker in a privileged network position may be able to\ninject into active connections within a VPN tunnel\nDescription: A routing issue was addressed with improved\nrestrictions. \nCVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. \nCrandall\n\nKernel\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: An attacker that has already achieved kernel code execution\nmay be able to bypass kernel memory mitigations\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2020-9909: Brandon Azad of Google Project Zero\n\nMail\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A remote attacker can cause a limited out-of-bounds write,\nresulting in a denial of service\nDescription: An input validation issue was addressed. \nCVE-2019-19906\n\nMessages\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A user that is removed from an iMessage group could rejoin\nthe group\nDescription: An issue existed in the handling of iMessage tapbacks. \nThe issue was resolved with additional verification. \nCVE-2020-9885: an anonymous researcher, Suryansh Mansharamani, of WWP\nHigh School North (medium.com/@suryanshmansha)\n\nModel I/O\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: Processing a maliciously crafted USD file may lead to\nunexpected application termination or arbitrary code execution\nDescription: A buffer overflow issue was addressed with improved\nmemory handling. \nCVE-2020-9878: Holger Fuhrmannek of Deutsche Telekom Security\n\nSafari Login AutoFill\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A malicious attacker may cause Safari to suggest a password\nfor the wrong domain\nDescription: A logic issue was addressed with improved restrictions. \nCVE-2020-9903: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)\n\nSafari Reader\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: An issue in Safari Reader mode may allow a remote attacker to\nbypass the Same Origin Policy\nDescription: A logic issue was addressed with improved restrictions. \nCVE-2020-9911: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)\n\nWebKit\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A remote attacker may be able to cause unexpected application\ntermination or arbitrary code execution\nDescription: An out-of-bounds read was addressed with improved input\nvalidation. \nCVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative\n\nWebKit\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: Processing maliciously crafted web content may prevent\nContent Security Policy from being enforced\nDescription: An access issue existed in Content Security Policy. \nCVE-2020-9915: an anonymous researcher\n\nWebKit\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A remote attacker may be able to cause unexpected application\ntermination or arbitrary code execution\nDescription: A use after free issue was addressed with improved\nmemory management. \nCVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative\nCVE-2020-9895: Wen Xu of SSLab, Georgia Tech\n\nWebKit\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: Processing maliciously crafted web content may lead to\nuniversal cross site scripting\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2020-9925: an anonymous researcher\n\nWebKit\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A malicious attacker with arbitrary read and write capability\nmay be able to bypass Pointer Authentication\nDescription: Multiple issues were addressed with improved logic. \nCVE-2020-9910: Samuel Gro\u00df of Google Project Zero\n\nWebKit Page Loading\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A malicious attacker may be able to conceal the destination\nof a URL\nDescription: A URL Unicode encoding issue was addressed with improved\nstate management. \nCVE-2020-9916: Rakesh Mane (@RakeshMane10)\n\nWebKit Web Inspector\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: Copying a URL from Web Inspector may lead to command\ninjection\nDescription: A command injection issue existed in Web Inspector. \nCVE-2020-9862: Ophir Lojkine (@lovasoa)\n\nWi-Fi\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A remote attacker may be able to cause unexpected system\ntermination or corrupt kernel memory\nDescription: An out-of-bounds read was addressed with improved input\nvalidation. \nCVE-2020-9918: Jianjun Dai of 360 Alpha Lab working with 360 BugCloud\n(bugcloud.360.cn)\n\nWiFi\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4\nand later, and iPod touch 7th generation\nImpact: A remote attacker may be able to cause a denial of service\nDescription: This issue was addressed with improved checks. \nCVE-2020-9917: an anonymous researcher, Pradeep Deokate of Harman\n\nAdditional recognition\n\nBluetooth\nWe would like to acknowledge Andy Davis of NCC Group for their\nassistance. \n\nKernel\nWe would like to acknowledge Brandon Azad of Google Project Zero for\ntheir assistance. \n\nUSB Audio\nWe would like to acknowledge Andy Davis of NCC Group for their\nassistance. \n\nInstallation note:\n\nThis update is available through iTunes and Software Update on your\niOS device, and will not appear in your computer\u0027s Software Update\napplication, or in the Apple Downloads site. Make sure you have an\nInternet connection and have installed the latest version of iTunes\nfrom https://www.apple.com/itunes/\n\niTunes and Software Update on the device will automatically check\nApple\u0027s update server on its weekly schedule. When an update is\ndetected, it is downloaded and the option to be installed is\npresented to the user when the iOS device is docked. We recommend\napplying the update immediately if possible. Selecting Don\u0027t Install\nwill present the option the next time you connect your iOS device. \n\nThe automatic update process may take up to a week depending on the\nday that iTunes or the device checks for updates. You may manually\nobtain the update via the Check for Updates button within iTunes, or\nthe Software Update on your device. \n\nTo check that the iPhone, iPod touch, or iPad has been updated:\n\n* Navigate to Settings\n* Select General\n* Select About. The version after applying this update\nwill be \"iOS 13.6 and iPadOS 13.6\". \n-----BEGIN PGP SIGNATURE-----\n\niQIyBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl8POhUACgkQBz4uGe3y\n0M3VAA/3ciev1rSP1w547PW3gsdGviEqUD6d5cNWfVKyIywIwqhXD24bNn471XPe\nufoLyxB/SlH9yKcHjuNYmeL+tu+4Gqx+YvaNTrKkBlh0DP7bB7y1vKVDbHjTsSbx\necrPfDI3ZHXXux9+1fYZ47ISnJDakqVEI3bAw7JFtwL4DmQYdyk+xaUVTXTXksoV\nYwXin1usgQUZp921ygUNzP5kMwwdmbwenMS+U5s270TlSFPLflB61iykZCEOt7n4\nsQqpv1A1GQPigTAPZOevl/TyfUAzRxXhOjXoBw6GSHXmfrLdkT72cw+VuIxZ2rpG\n5VGkORd8S0PNDPndLYUb3VxKa4GucbuFd/f4YY4xhJuyZj1ANidPmSn1QkviqCjz\n47pvdvWIQpRAQZv4yhlCfcZPYYwkHOPLsmSYbUdfKZvMHx+GneJp4T6ofZ5E7pvQ\nW354Asbg8fSFbx0jbmQpI0jJIgwLy8ydMVf1HsqToM/mSwTRQBjONNGQweHIdfXQ\nZ1PJ4cmOTutRmGLgDHIikVkq8mIu+1EOWBkLAXoZrn7d9pbosHZG/5OT3rpXpQU2\nFykbSj7EkVyEJ978rAaynixaiuNbaw39osKaP4H5LcFhzyM8tF3paiR0gXKhizTB\nw57KB0YW0QrWBupRIdAd+yH2jt6iNviLfkq7fUAzZ3hb1iikVw==\n=Tlxk\n-----END PGP SIGNATURE-----\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-9910"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009907"
},
{
"db": "VULHUB",
"id": "VHN-188035"
},
{
"db": "VULMON",
"id": "CVE-2020-9910"
},
{
"db": "PACKETSTORM",
"id": "158461"
},
{
"db": "PACKETSTORM",
"id": "158870"
},
{
"db": "PACKETSTORM",
"id": "158466"
},
{
"db": "PACKETSTORM",
"id": "158456"
},
{
"db": "PACKETSTORM",
"id": "158458"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-9910",
"trust": 3.1
},
{
"db": "PACKETSTORM",
"id": "158870",
"trust": 0.8
},
{
"db": "JVN",
"id": "JVNVU95491800",
"trust": 0.8
},
{
"db": "JVN",
"id": "JVNVU94090210",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009907",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202007-1141",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "158466",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2020.2434",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "50225",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2020-49307",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-188035",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2020-9910",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "158461",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "158456",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "158458",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-188035"
},
{
"db": "VULMON",
"id": "CVE-2020-9910"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009907"
},
{
"db": "PACKETSTORM",
"id": "158461"
},
{
"db": "PACKETSTORM",
"id": "158870"
},
{
"db": "PACKETSTORM",
"id": "158466"
},
{
"db": "PACKETSTORM",
"id": "158456"
},
{
"db": "PACKETSTORM",
"id": "158458"
},
{
"db": "NVD",
"id": "CVE-2020-9910"
},
{
"db": "CNNVD",
"id": "CNNVD-202007-1141"
}
]
},
"id": "VAR-202010-1231",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-188035"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T10:53:32.878000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "HT211292",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht211292"
},
{
"title": "HT211293",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht211293"
},
{
"title": "HT211294",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht211294"
},
{
"title": "HT211295",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht211295"
},
{
"title": "HT211288",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht211288"
},
{
"title": "HT211290",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht211290"
},
{
"title": "HT211291",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht211291"
},
{
"title": "HT211293",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht211293"
},
{
"title": "HT211294",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht211294"
},
{
"title": "HT211295",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht211295"
},
{
"title": "HT211288",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht211288"
},
{
"title": "HT211290",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht211290"
},
{
"title": "HT211291",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht211291"
},
{
"title": "HT211292",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht211292"
},
{
"title": "Multiple Apple product WebKit Fixes for component security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=124594"
},
{
"title": "Apple: iCloud for Windows 7.20",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories\u0026qid=50e6b35a047c9702f4cdebdf81483b05"
},
{
"title": "Apple: iCloud for Windows 11.3",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories\u0026qid=947a08401ec7e5f309d5ae26f5006f48"
},
{
"title": "Apple: iOS 13.6 and iPadOS 13.6",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories\u0026qid=a82d39d4c9a42fcf07757428b2f562b3"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-9910"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009907"
},
{
"db": "CNNVD",
"id": "CNNVD-202007-1141"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-noinfo",
"trust": 1.0
},
{
"problemtype": "CWE-287",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-188035"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009907"
},
{
"db": "NVD",
"id": "CVE-2020-9910"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9910"
},
{
"trust": 1.8,
"url": "https://support.apple.com/ht211288"
},
{
"trust": 1.8,
"url": "https://support.apple.com/ht211290"
},
{
"trust": 1.8,
"url": "https://support.apple.com/ht211291"
},
{
"trust": 1.8,
"url": "https://support.apple.com/ht211292"
},
{
"trust": 1.8,
"url": "https://support.apple.com/ht211293"
},
{
"trust": 1.8,
"url": "https://support.apple.com/ht211294"
},
{
"trust": 1.8,
"url": "https://support.apple.com/ht211295"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9910"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu94090210/index.html"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu95491800/index.html"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211291"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2434/"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/apple-ios-multiple-vulnerabilities-32847"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/158870/webkit-on-ios-pac-jit-hardening-bypass.html"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/50225"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht211295"
},
{
"trust": 0.6,
"url": "https://support.apple.com/kb/ht211294"
},
{
"trust": 0.6,
"url": "https://support.apple.com/kb/ht211293"
},
{
"trust": 0.6,
"url": "https://support.apple.com/kb/ht211292"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/158466/apple-security-advisory-2020-07-15-5.html"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9915"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9925"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9894"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9916"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9895"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9893"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9862"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9918"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9889"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9909"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9933"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9888"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9891"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9890"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9865"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9923"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9885"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9936"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9911"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9903"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9914"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14899"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9907"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/287.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/185388"
},
{
"trust": 0.1,
"url": "https://support.apple.com/kb/ht204641"
},
{
"trust": 0.1,
"url": "https://siguza.github.io/aprr/"
},
{
"trust": 0.1,
"url": "https://github.com/apple/llvm-project/blob/apple/master/clang/docs/pointerauthentication.rst"
},
{
"trust": 0.1,
"url": "https://github.com/webkit/webkit/blob/015fb86d51851fc3e13f05898c85d62d0b1bae8f/source/javascriptcore/runtime/optionslist.h#l466"
},
{
"trust": 0.1,
"url": "https://github.com/webkit/webkit/blob/4ceb36e525b55b9d49aed0b400507d522953e025/source/wtf/wtf/threads/signals.cpp#l137"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9912"
},
{
"trust": 0.1,
"url": "https://www.apple.com/itunes/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9878"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19906"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9931"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9917"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9934"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-188035"
},
{
"db": "VULMON",
"id": "CVE-2020-9910"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009907"
},
{
"db": "PACKETSTORM",
"id": "158461"
},
{
"db": "PACKETSTORM",
"id": "158870"
},
{
"db": "PACKETSTORM",
"id": "158466"
},
{
"db": "PACKETSTORM",
"id": "158456"
},
{
"db": "PACKETSTORM",
"id": "158458"
},
{
"db": "NVD",
"id": "CVE-2020-9910"
},
{
"db": "CNNVD",
"id": "CNNVD-202007-1141"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-188035"
},
{
"db": "VULMON",
"id": "CVE-2020-9910"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009907"
},
{
"db": "PACKETSTORM",
"id": "158461"
},
{
"db": "PACKETSTORM",
"id": "158870"
},
{
"db": "PACKETSTORM",
"id": "158466"
},
{
"db": "PACKETSTORM",
"id": "158456"
},
{
"db": "PACKETSTORM",
"id": "158458"
},
{
"db": "NVD",
"id": "CVE-2020-9910"
},
{
"db": "CNNVD",
"id": "CNNVD-202007-1141"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-10-16T00:00:00",
"db": "VULHUB",
"id": "VHN-188035"
},
{
"date": "2020-10-16T00:00:00",
"db": "VULMON",
"id": "CVE-2020-9910"
},
{
"date": "2020-12-11T05:02:15",
"db": "JVNDB",
"id": "JVNDB-2020-009907"
},
{
"date": "2020-07-17T19:28:19",
"db": "PACKETSTORM",
"id": "158461"
},
{
"date": "2020-08-14T16:09:44",
"db": "PACKETSTORM",
"id": "158870"
},
{
"date": "2020-07-17T19:35:50",
"db": "PACKETSTORM",
"id": "158466"
},
{
"date": "2020-07-17T19:23:30",
"db": "PACKETSTORM",
"id": "158456"
},
{
"date": "2020-07-17T19:24:07",
"db": "PACKETSTORM",
"id": "158458"
},
{
"date": "2020-10-16T17:15:16.717000",
"db": "NVD",
"id": "CVE-2020-9910"
},
{
"date": "2020-07-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202007-1141"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-09T00:00:00",
"db": "VULHUB",
"id": "VHN-188035"
},
{
"date": "2020-10-20T00:00:00",
"db": "VULMON",
"id": "CVE-2020-9910"
},
{
"date": "2020-12-11T05:02:15",
"db": "JVNDB",
"id": "JVNDB-2020-009907"
},
{
"date": "2023-01-09T16:41:59.350000",
"db": "NVD",
"id": "CVE-2020-9910"
},
{
"date": "2023-01-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202007-1141"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202007-1141"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural Apple Vulnerability in product that bypasses pointer authentication",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-009907"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202007-1141"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.