==================================================================== CERT-Renater Note d'Information No. 2017/VULN381 _____________________________________________________________________ DATE : 07/12/2017 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): tvOS versions prior to 11.2. ===================================================================== https://support.apple.com/fr-fr/HT208327 _____________________________________________________________________ APPLE-SA-2017-12-6-4 tvOS 11.2 tvOS 11.2 addresses the following: IOSurface Available for: Apple TV 4K and Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-13861: Ian Beer of Google Project Zero Kernel Available for: Apple TV 4K and Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-13862: Apple CVE-2017-13876: Ian Beer of Google Project Zero Kernel Available for: Apple TV 4K and Apple TV (4th generation) Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2017-13833: Brandon Azad Kernel Available for: Apple TV 4K and Apple TV (4th generation) Impact: An application may be able to read restricted memory Description: A type confusion issue was addressed with improved memory handling. CVE-2017-13855: Jann Horn of Google Project Zero Kernel Available for: Apple TV 4K and Apple TV (4th generation) Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-13867: Ian Beer of Google Project Zero Kernel Available for: Apple TV 4K and Apple TV (4th generation) Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2017-13865: Ian Beer of Google Project Zero CVE-2017-13868: Brandon Azad CVE-2017-13869: Jann Horn of Google Project Zero Wi-Fi Available for: Apple TV (4th generation) Released for Apple TV 4K in tvOS 11.1. Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK) Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management. CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven Installation note: Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software." To check the current version of software, select "Settings -> General -> About." Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================