Headline
CVE-2017-13880: About the security content of watchOS 4.2
A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 11.2, watchOS 4.2. An application may be able to execute arbitrary code with kernel privilege.
Released December 5, 2017
Auto Unlock
Available for: All Apple Watch models
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2017-13905: Samuel Groß (@5aelo)
Entry added October 18, 2018
CFNetwork Session
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative
Entry added January 22, 2018
CoreAnimation
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with elevated privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7171: 360 Security working with Trend Micro’s Zero Day Initiative, and Tencent Keen Security Lab (@keen_lab) working with Trend Micro’s Zero Day Initiative
Entry added January 22, 2018
CoreFoundation
Available for: All Apple Watch models
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2017-7151: Samuel Groß (@5aelo)
Entry added October 18, 2018
IOKit
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro’s Zero Day Initiative
Entry added December 21, 2017, updated January 10, 2018
IOSurface
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13861: Ian Beer of Google Project Zero
Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13904: Kevin Backhouse of Semmle Ltd.
Entry added February 14, 2018
Kernel
Available for: All Apple Watch models
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation.
CVE-2017-7154: Jann Horn of Google Project Zero
Entry added January 10, 2018
Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13862: Apple
CVE-2017-13867: Ian Beer of Google Project Zero
CVE-2017-13876: Ian Beer of Google Project Zero
Entry updated December 21, 2017
Kernel
Available for: All Apple Watch models
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2017-7173: Brandon Azad
Entry updated August 1, 2018
Kernel
Available for: All Apple Watch models
Impact: An application may be able to read restricted memory
Description: A type confusion issue was addressed with improved memory handling.
CVE-2017-13855: Jann Horn of Google Project Zero
Kernel
Available for: All Apple Watch models
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-13865: Ian Beer of Google Project Zero
CVE-2017-13868: Brandon Azad
CVE-2017-13869: Jann Horn of Google Project Zero
Entry updated December 21, 2017
Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with kernel privilege
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13880: Apple
Entry added October 18, 2018
WebKit
Available for: All Apple Watch models
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2017-7165: 360 Security working with Trend Micro’s Zero Day Initiative
Entry updated January 22, 2017
WebKit
Available for: All Apple Watch models
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-13884: 360 Security working with Trend Micro’s Zero Day Initiative
Entry updated January 22, 2017
WebKit
Available for: All Apple Watch models
Impact: Visiting a malicious website may lead to user interface spoofing
Description: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic.
CVE-2017-7153: Jerry Decime
Entry added January 11, 2018
Wi-Fi
Available for: Apple Watch (1st Generation) and Apple Watch Series 3
Released for Apple Watch Series 1 and Apple Watch Series 2 in watchOS 4.1.
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven