Security features bypass in watchOS

#VU48185 Security features bypass in watchOS

Published: 2020-11-06

Vulnerability identifier: #VU48185

Vulnerability risk: Low

CVSSv3.1: 3.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9974

CWE-ID: CWE-254

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
watchOS
Operating systems & Components / Operating system

Vendor: Apple Inc.

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists within the OS kernel that allows a local user to run a specially crafted program and determine kernel memory layout. This vulnerability can be used to bypass implemented security restrictions and leverage exploitation of other vulnerabilities.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

watchOS: 7.0 18R382 - 7.0.3 18R410

External links
http://support.apple.com/en-us/HT211928

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Apple macOS

Multiple vulnerabilities in Apple iOS and iPadOS

Multiple vulneabilities in Apple tvOS

Multiple vulnerabilities in Apple watchOS 7.x