SB2019121836 - Multiple vulnerabilities in Apple tvOS
Published: December 18, 2019 Updated: July 17, 2020
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2019-8593)
The vulnerability allows a local non-authenticated attacker to execute arbitrary code.
A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 12.3, tvOS 12.3, watchOS 5.2.1. An application may be able to execute arbitrary code with system privileges.
2) Use-after-free (CVE-ID: CVE-2019-8613)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 12.3, tvOS 12.3, watchOS 5.2.1. A remote attacker may be able to cause arbitrary code execution.
3) Information disclosure (CVE-ID: CVE-2019-8620)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
A user privacy issue was addressed by removing the broadcast MAC address. This issue is fixed in iOS 12.3, tvOS 12.3, watchOS 5.2.1. A device may be passively tracked by its WiFi MAC address.
4) Input validation error (CVE-ID: CVE-2019-8637)
The vulnerability allows a local non-authenticated attacker to execute arbitrary code.
An input validation issue was addressed with improved input validation. This issue is fixed in iOS 12.3, tvOS 12.3, watchOS 5.2.1. A malicious application may be able to gain root privileges.
Remediation
Install the update from the vendor's website.