Denial of service in Apple iMessage
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-8664 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
watchOS Operating systems & Components / Operating system Apple iOS Operating systems & Components / Operating system |
| Vendor | Apple Inc. |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Input validation error
EUVDB-ID: #VU19059
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-8664
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an issue with a "IMBalloonPluginDataSource individualPreviewSummary" method in IMCore, which can throw an NSException. A remote attacker can send a specially crafted IMessage to cause a denial of service condition.
MitigationInstall updates from vendor's website.
Vulnerable software versionswatchOS: 2.0 - 5.1.3
Apple iOS: 2.0 - 12.1.4 16D57
External linkshttp://packetstormsecurity.com/files/download/153531/GS20190704143402.tgz
http://threatpost.com/apple-patches-imessage-bug/146277/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
