===================================================================== CERT-Renater Note d'Information No. 2021/VULN563 _____________________________________________________________________ DATE : 27/10/2021 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): watchOS versions prior to 8.1. ===================================================================== https://lists.apple.com/archives/security-announce/2021/Oct/msg00006.html https://lists.apple.com/archives/security-announce/2021/Oct/msg00010.html _____________________________________________________________________ APPLE-SA-2021-10-26-6 watchOS 8.1 watchOS 8.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212874. Audio Available for: Apple Watch Series 3 and later Impact: A malicious application may be able to elevate privileges Description: An integer overflow was addressed through improved input validation. CVE-2021-30907: Zweig of Kunlun Lab ColorSync Available for: Apple Watch Series 3 and later Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. CVE-2021-30917: Alexandru-Vlad Niculae and Mateusz Jurczyk of Google Project Zero CoreAudio Available for: Apple Watch Series 3 and later Impact: Processing a maliciously crafted file may disclose user information Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2021-30905: Mickey Jin (@patch1t) of Trend Micro CoreGraphics Available for: Apple Watch Series 3 and later Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2021-30919 FileProvider Available for: Apple Watch Series 3 and later Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution Description: An input validation issue was addressed with improved memory handling. CVE-2021-30881: Simon Huang (@HuangShaomang) and pjf of IceSword Lab of Qihoo 360 Game Center Available for: Apple Watch Series 3 and later Impact: A malicious application may be able to access information about a user's contacts Description: A logic issue was addressed with improved restrictions. CVE-2021-30895: Denis Tokarev Game Center Available for: Apple Watch Series 3 and later Impact: A malicious application may be able to read user's gameplay data Description: A logic issue was addressed with improved restrictions. CVE-2021-30896: Denis Tokarev iCloud Available for: Apple Watch Series 3 and later Impact: A local attacker may be able to elevate their privileges Description: This issue was addressed with improved checks. CVE-2021-30906: Cees Elzinga IOMobileFrameBuffer Available for: Apple Watch Series 3 and later Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. Description: A memory corruption issue was addressed with improved memory handling. CVE-2021-30883: an anonymous researcher Kernel Available for: Apple Watch Series 3 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed with improved memory management. CVE-2021-30886: @0xalsr Kernel Available for: Apple Watch Series 3 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2021-30909: Zweig of Kunlun Lab UIKit Available for: Apple Watch Series 3 and later Impact: A person with physical access to an iOS device may be able to determine characteristics of a user's password in a secure text entry field Description: A logic issue was addressed with improved state management. CVE-2021-30915: Kostas Angelopoulos WebKit Available for: Apple Watch Series 3 and later Impact: Processing maliciously crafted web content may lead to unexpectedly unenforced Content Security Policy Description: A logic issue was addressed with improved restrictions. CVE-2021-30887: Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd. WebKit Available for: Apple Watch Series 3 and later Impact: A malicious website using Content Security Policy reports may be able to leak information via redirect behavior Description: An information leakage issue was addressed. CVE-2021-30888: Prakash (@1lastBr3ath) WebKit Available for: Apple Watch Series 3 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A buffer overflow issue was addressed with improved memory handling. CVE-2021-30889: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab WebKit Available for: Apple Watch Series 3 and later Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue was addressed with improved state management. CVE-2021-30890: an anonymous researcher Additional recognition iCloud We would like to acknowledge Ryan Pickren (ryanpickren.com) for their assistance. Mail We would like to acknowledge Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences for their assistance. WebKit We would like to acknowledge Ivan Fratric of Google Project Zero, Pavel Gromadchuk, an anonymous researcher for their assistance. Installation note: Instructions on how to update your Apple Watch software are available at https://support.apple.com/kb/HT204641 To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select "My Watch > General > About". Alternatively, on your watch, select "My Watch > General > About". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ _____________________________________________________________________ APPLE-SA-2021-10-26-10 Additional information for APPLE-SA-2021-09-20-2 watchOS 8 watchOS 8 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212819. Accessory Manager Available for: Apple Watch Series 3 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory consumption issue was addressed with improved memory handling. CVE-2021-30837: an anonymous researcher AppleMobileFileIntegrity Available for: Apple Watch Series 3 and later Impact: A local attacker may be able to read sensitive information Description: This issue was addressed with improved checks. CVE-2021-30811: an anonymous researcher working with Compartir bootp Available for: Apple Watch Series 3 and later Impact: A device may be passively tracked by its WiFi MAC address Description: A user privacy issue was addressed by removing the broadcast MAC address. CVE-2021-30866: Fabien Duchêne of UCLouvain (Belgium) Entry added October 25, 2021 CoreAudio Available for: Apple Watch Series 3 and later Impact: Processing a malicious audio file may result in unexpected application termination or arbitrary code execution Description: A logic issue was addressed with improved state management. CVE-2021-30834: JunDong Xie of Ant Security Light-Year Lab Entry added October 25, 2021 FaceTime Available for: Apple Watch Series 3 and later Impact: An application with microphone permission may unexpectedly access microphone input during a FaceTime call Description: A logic issue was addressed with improved validation. CVE-2021-30882: Adam Bellard and Spencer Reitman of Airtime Entry added October 25, 2021 FontParser Available for: Apple Watch Series 3 and later Impact: Processing a maliciously crafted font may result in the disclosure of process memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2021-30831: Xingwei Lin of Ant Security Light-Year Lab Entry added October 25, 2021 FontParser Available for: Apple Watch Series 3 and later Impact: Processing a maliciously crafted dfont file may lead to arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-30840: Xingwei Lin of Ant Security Light-Year Lab Entry added October 25, 2021 FontParser Available for: Apple Watch Series 3 and later Impact: Processing a maliciously crafted dfont file may lead to arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-30841: Xingwei Lin of Ant Security Light-Year Lab CVE-2021-30842: Xingwei Lin of Ant Security Light-Year Lab CVE-2021-30843: Xingwei Lin of Ant Security Light-Year Lab Foundation Available for: Apple Watch Series 3 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed with improved memory handling. CVE-2021-30852: Yinyi Wu (@3ndy1) of Ant Security Light-Year Lab Entry added October 25, 2021 ImageIO Available for: Apple Watch Series 3 and later Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved input validation. CVE-2021-30814: hjy79425575 Entry added October 25, 2021 ImageIO Available for: Apple Watch Series 3 and later Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-30835: Ye Zhang of Baidu Security CVE-2021-30847: Mike Zhang of Pangu Lab Kernel Available for: Apple Watch Series 3 and later Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved locking. CVE-2021-30857: Zweig of Kunlun Lab libexpat Available for: Apple Watch Series 3 and later Impact: A remote attacker may be able to cause a denial of service Description: This issue was addressed by updating expat to version 2.4.1. CVE-2013-0340: an anonymous researcher Preferences Available for: Apple Watch Series 3 and later Impact: An application may be able to access restricted files Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. CVE-2021-30855: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com) Preferences Available for: Apple Watch Series 3 and later Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A logic issue was addressed with improved state management. CVE-2021-30854: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com) Sandbox Available for: Apple Watch Series 3 and later Impact: A malicious application may be able to modify protected parts of the file system Description: This issue was addressed with improved checks. CVE-2021-30808: Csaba Fitzl (@theevilbit) of Offensive Security Entry added October 25, 2021 WebKit Available for: Apple Watch Series 3 and later Impact: Visiting a maliciously crafted website may reveal a user's browsing history Description: The issue was resolved with additional restrictions on CSS compositing. CVE-2021-30884: an anonymous researcher Entry added October 25, 2021 WebKit Available for: Apple Watch Series 3 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed with improved state handling. CVE-2021-30818: Amar Menezes (@amarekano) of Zon8Research Entry added October 25, 2021 WebKit Available for: Apple Watch Series 3 and later Impact: An attacker in a privileged network position may be able to bypass HSTS Description: A logic issue was addressed with improved restrictions. CVE-2021-30823: David Gullasch of Recurity Labs Entry added October 25, 2021 WebKit Available for: Apple Watch Series 3 and later Impact: Processing a maliciously crafted audio file may disclose restricted memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2021-30836: Peter Nguyen Vu Hoang of STAR Labs Entry added October 25, 2021 WebKit Available for: Apple Watch Series 3 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2021-30809: an anonymous researcher Entry added October 25, 2021 WebKit Available for: Apple Watch Series 3 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved memory handling. CVE-2021-30846: Sergei Glazunov of Google Project Zero WebKit Available for: Apple Watch Series 3 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2021-30849: Sergei Glazunov of Google Project Zero WebKit Available for: Apple Watch Series 3 and later Impact: Processing maliciously crafted web content may lead to code execution Description: A memory corruption vulnerability was addressed with improved locking. CVE-2021-30851: Samuel Groß of Google Project Zero Wi-Fi Available for: Apple Watch Series 3 and later Impact: An attacker in physical proximity may be able to force a user onto a malicious Wi-Fi network during device setup Description: An authorization issue was addressed with improved state management. CVE-2021-30810: an anonymous researcher Additional recognition Sandbox We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance. UIKit We would like to acknowledge an anonymous researcher for their assistance. Installation note: Instructions on how to update your Apple Watch software are available at https://support.apple.com/kb/HT204641 To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select "My Watch > General > About". Alternatively, on your watch, select "My Watch > General > About". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================