Backup file without encryption vulnerability is found in Hitachi ABB Power Grids System Data Manager – SDM600 allows attacker to gain access to sensitive information. This issue affects: Hitachi ABB Power Grids System Data Manager – SDM600 1.2 versions prior to FP2 HF6 (Build Nr. 1.2.14002.257).

%PDF-1.7 %���� 2 0 obj << /Lang (de-CH) /MarkInfo << /Marked true >> /Metadata 4 0 R /Outlines 5 0 R /Pages 6 0 R /StructTreeRoot 7 0 R /Type /Catalog /ViewerPreferences 8 0 R >> endobj 4 0 obj << /Length 3363 /Subtype /XML /Type /Metadata >> stream Microsoft® Word for Microsoft 365 Storage of Sensitive Information Vulnerability in Hitachi ABB Power Grids SDM600 Product PG-SIRT Cybersecurity Advisory Microsoft® Word for Microsoft 365 2021-08-25T07:29:52+02:00 2021-08-30T22:40:35+02:00 uuid:8B962337-F841-475E-A4FA-5F3C76CAA03A uuid:8B962337-F841-475E-A4FA-5F3C76CAA03A endstream endobj 18 0 obj << /Filter /FlateDecode /Length 3157 >> stream x��\[Ko�8����^�2ߤ���;��;�x1���O6���Y�a���QE�$J�t�� �n�ɪb=�\*���\_\_>���񥹹�^��<|���o�/���\_~���ߗ��>}~zx���t���| Mo~{��Z5��m���3ֲ��9���N�R4N���������i���6��g�;ޘ�3����g�e���:��t��?�\[o>p�|�����n9ܾ9?��1�WW\\%\\�ҡ��+��W��6�k�.��|�q~�mL��T:�կ��\_���<�?��}#�b�'����K<\]4�����M���T�F�A�,d���hwAx}!��S�+\*mx(^\]�������� ;Gk֯��,M�r�vu�:���r��$|��5\*�m��g��hY��̌�K����Y~�.,�����3����E�Ah��މ�O�۟��9��f=AqLœqN���m�(Yx��G2�S�twy~\]�4�|�}��4�e��������W�|��\\����V�Jr�p����Op��PA+� �H!NZ�M��-�����Gϯ��}�(��ҁ"&�S����f �"��BM�N(^�Qt��8 ����2�{J����$��\]��6��ڢ���ݻms=�7�//�L�����ˡ(��#(����\]kE#���wp-��=\_C��"\_x

CVE-2021-35526

A vulnerability in Base Software for SoftControl allows an attacker to insert and run arbitrary code in a computer running the affected product. This issue affects: .

%PDF-1.4 %����� 47 0 obj << /Filter /FlateDecode /Length 48 0 R /Length1 754 /Length2 1730 /Length3 533 >> stream x��Ry<���Fc�^Y~�mf��!L�DFd�n����3�1�ұ��8B$KH�e4�F E�B�pGhQͩ3ǹ�ֽ��s���������y���}�﫮��J��F�\]����X�X\[�X�#�:��\* �:��t�\*�uu ފR���'���A0�D���t�����w4����@�/m�b�T 9��nU�� �����l���U?�I��I މD�� ��0�{��fA ���u�"\`�a.kJ ��'Q}C$��Ѱ�@p�!�H<��h��J��a��@�A�a�\\%��Of �0�u\`��^;Xh0���n ��:0\`8\*�;� �#���7���é�\`G@�?ܮ�0�7��Y()��6 2�a��蜰��>w�\\Èo��Ӹ~�p�@p������o��ҒD��\`�!@�b����\_1�D�q��T���C��yt�|QW���l�ɾ�')��L��Q�a���� z�%ӷ��mc�>R{��r�)�l��efs'�M���ѧmn��KsdY�d�L @󝮪yJ�I�v�v� >g�����7k��v?=�9J�u����o��Ϡ� J��ԋEw@�\]��<��V��^ؓ�h$ۢ뜞��0�\\��ʗY�g �����Z<ޡƏ��jO�֜@)}�u�\]�eSO�6�����\*�����W{w�I��/\_�W ���am�\_�{D����܀R�t��\`Y��b�ז�J�(�3k��{����y&q�oU�G����$�ᚼZ��r�\\ɦ��ږ�� n��=��Z�Ą\]����OD�<+N�l�!��䥩�\]����>�'w\\�Cv���tw�u@颋G �S�4c�ləA���'L7|��5�t���\[��n.�4�m�����ۉ�ˋМ�aSso�U����ؾ�6����慓�Y :F��T�-Ƴ���o�=�@C�Q��y(9Ͼ��fSQ�hܦ�)�y� �!�솳|C�3�"hBf5��?)�YoZ�P.��3�ǄN|�k��lz46��=O�Е�\[ʍmϖ�£��;Lۜ)�g��$$�ЙH\]�}����D7;|\*����E�"�)q��6��8.U/�\[:ӼW+r�J��w�T�Oϼґ ����I��f��H����#!�7�����TʡeĠ>��޶+��c���D�V��v��.I���!1�l\_���.�f�R|�~/���hS�)�D�0�I#������#�E,5F��s�V^�h�iH��z��=�"� ):�M��O�;�Ŕ&\]��slP�N�����mT�����C��G!�xloL45k�Y�b�\`�'?щY����D��,ڞ^�Y�\*�8b'Ub7)f�R��{���{�{�G�g\]���Gȭ|�3˧f2�6�s �Z\[o:z~��D��$��{���TA� �����S����,�@�4���o~&�����$5�CT��'F���p���Fa/�9�,0�d�r�O�9:\\5#S��i�~��U�>�\[ʳ/ ��� �m�~eL2��5e3DN�B����}�\`2��ʱ˸g�STh����~C��p�y ���e���v����4ޭb��\]��bN��ZF4�d���B�g0�K���{U�3$bm�,�Lm�{��g\]���JV<#��jt��X!������O�°h;=k�3� ��-��P�PsA�\_�����qS�SK� 5���M9��#%��\_�e2H�������Ŗ�%��p������z\*�\\�\_Ω�cĸ�U�\\(�L,�+J�-��٪��W���g����@ؗ�\_��K��.N�\[��ԏ�/�I!��ͻ��������j���닕 ����Tsy��,�N-��^�8a�j߻%f@L�,a�����RQ������W8�7}Ш�L�-���(��+�����\_?��\\Y�~�B�oG\_?�3/��\]w3!(���GY�L�8�0'+��v"�w�>�g��\[�^��Z\[;���^��-i ��$�s�'g��1-��U�<����erauᕿ&J=Ǹ,�n%�y��(ú\*{��8����3�T�Ql�rvW��vUŅ��{�qd�ӵ��Zz-M��3G

CVE-2020-24672

In OPC Foundation Local Discovery Server (LDS) before 1.04.402.463, remote attackers can cause a denial of service (DoS) by sending carefully crafted messages that lead to Access of a Memory Location After the End of a Buffer.

%PDF-1.7 %���� 1 0 obj <>/Metadata 160 0 R/ViewerPreferences 161 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/Annots\[ 20 0 R 23 0 R 24 0 R 25 0 R 26 0 R\] /MediaBox\[ 0 0 612 792\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\[�o�F~7����TqZs� ���9�m.N҇�����%W��濿�YRE.I�DX����f��������wޏ?^�:{s����O73�ˋ��/��<�a,�mzy�������W��'��ayy�A(� �-�LC��|��.��;���\_����� ��ds�\_�ÿ//^A����8\[ .3�X ��r4��H�A�at:�?\*�?���T@����|D���L�n��\`PH�R1\]\*J)h׳��J�Xw0�Q�k�d�ƿ�)\]GפJX����x�~�yޑ��'ڭ8�S ø�4ߛtË'���mo��M�m6�\*���M����8��")R���l'�TǳUh�ڥ���<�����d�|b���t�\_Q7�NB�H����܂��'#i�t̂Хa�\\�'Ε�b��ْ����gw�)�n2����\*��S\`i���jQ�s�Շ����?�0U'��A�4L��s���?��o��� �\_�@��E�g���@3ه�g�����V���P��i��'S�S�� ��Ѣ���h1����-OrC���x�"\`�o���p��I�6�L��&�H�H4�쫿�9ZծȾ���\`��A�xH���������\*�.M��0O$B����5��i(��>˽ܮ��/&1b��{^p�I�ҒO8G\_��j¥��t��Z�x��W"Z���t�|��l��wXJ����A ����~L�(\`�V� ��{�D��&+���,�8Ӗ�tKD�B�R�-�d��7x����+��� f2�d��(��e:~�@7�.q̕�(�xc�IA�%��!�6' QRMa���5T�\[���f�V�ӣ����4"Z�?�H�M�����\`�5R����:��#WF�m�ܭ�� ҺПo�e�.<��L6O�Ҝ�V�1�d�B�\`����>���;���#���n�^��{ :������?�lSl��3�w����O�1É������I�!%�I@{��G��zL ��'�4��x�!�"�{�� ݏ����6�37�툊�������� �P��^���4X��������V��.Z�i:Q.Z���z�nEϯHH�\[�zh��ۻ��=)8\_�D����u��50޳��#��2�L��^ a��::N�Y���%Ai+����r�&'C?L\`5�

CVE-2021-40142

This issue was addressed with improved checks. This issue is fixed in iOS 14.8.1 and iPadOS 14.8.1, iOS 15.1 and iPadOS 15.1, macOS Monterey 12.0.1. A local attacker may be able to cause unexpected application termination or arbitrary code execution.

Released October 26, 2021

**Audio**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to elevate privileges

Description: An integer overflow was addressed through improved input validation.

CVE-2021-30907: Zweig of Kunlun Lab

**ColorSync**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue in the processing of ICC profiles was addressed with improved input validation.

CVE-2021-30926: Jeremy Brown

Entry added May 25, 2022

**ColorSync**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation.

CVE-2021-30917: Alexandru-Vlad Niculae and Mateusz Jurczyk of Google Project Zero

**Continuity Camera**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An uncontrolled format string issue was addressed with improved input validation.

CVE-2021-30903: Gongyu Ma of Hangzhou Dianzi University

Entry updated May 25, 2022

**CoreGraphics**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution

Description: An out-of-bounds write was addressed with improved input validation.

CVE-2021-30919

**GPU Drivers**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2021-30900: Yinyi Wu (@3ndy1) of Ant Security Light-Year Lab

**IOMobileFrameBuffer**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30883: an anonymous researcher

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30909: Zweig of Kunlun Lab

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30916: Zweig of Kunlun Lab

**Sidecar**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2021-30903: an anonymous researcher

**Status Bar**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may be able to view restricted content from the Lock Screen

Description: A Lock Screen issue was addressed with improved state management.

CVE-2021-30918: videosdebarraquito

**Voice Control**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2021-30902: 08Tc3wBB of ZecOps Mobile EDR Team

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious website using Content Security Policy reports may be able to leak information via redirect behavior 

Description: An information leakage issue was addressed.

CVE-2021-30888: Prakash (@1lastBr3ath)

CVE-2021-30903: About the security content of iOS 14.8.1 and iPadOS 14.8.1

The issue was addressed with improved permissions logic. This issue is fixed in macOS Monterey 12.0.1, macOS Big Sur 11.6.1. An unprivileged application may be able to edit NVRAM variables.

CVE-2021-30913: About the security content of macOS Monterey 12.0.1

Multiple out-of-bounds write issues were addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.6.1. A malicious application may be able to execute arbitrary code with kernel privileges.

Released October 25, 2021

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2021-30876: Jeremy Brown, hjy79425575

CVE-2021-30879: Jeremy Brown, hjy79425575

CVE-2021-30877: Jeremy Brown

CVE-2021-30880: Jeremy Brown

**Audio**

Available for: macOS Big Sur

Impact: A malicious application may be able to elevate privileges

Description: An integer overflow was addressed through improved input validation.

CVE-2021-30907: Zweig of Kunlun Lab

**Bluetooth**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2021-30899: Weiteng Chen, Zheng Zhang, and Zhiyun Qian of UC Riverside, and Yu Wang of Didi Research America

**ColorSync**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue in the processing of ICC profiles was addressed with improved input validation.

CVE-2021-30926: Jeremy Brown

Entry added May 25, 2022

**ColorSync**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation.

CVE-2021-30917: Alexandru-Vlad Niculae and Mateusz Jurczyk of Google Project Zero

**Continuity Camera**

Available for: macOS Big Sur

Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An uncontrolled format string issue was addressed with improved input validation.

CVE-2021-30903: Gongyu Ma of Hangzhou Dianzi University

Entry added January 19, 2022, updated May 25, 2022

**CoreAudio**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted file may disclose user information

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2021-30905: Mickey Jin (@patch1t) of Trend Micro

Entry added January 19, 2022

**CoreGraphics**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution

Description: An out-of-bounds write was addressed with improved input validation.

CVE-2021-30919

**FileProvider**

Available for: macOS Big Sur

Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution

Description: An input validation issue was addressed with improved memory handling.

CVE-2021-30881: Simon Huang (@HuangShaomang) and pjf of IceSword Lab of Qihoo 360

**GPU Drivers**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2021-30900: Yinyi Wu (@3ndy1) of Ant Security Light-Year Lab

Entry added January 19, 2022

**iCloud**

Available for: macOS Big Sur

Impact: A local attacker may be able to elevate their privileges

Description: This issue was addressed with improved checks.

CVE-2021-30906: Cees Elzinga

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2021-30824: Antonio Zekic (@antoniozekic) of Diverto

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: Multiple out-of-bounds write issues were addressed with improved bounds checking.

CVE-2021-30901: Zuozhi Fan (@pattern\_F\_) of Ant Security TianQiong Lab, Jack Dates of RET2 Systems, Inc., Liu Long of Ant Security Light-Year Lab, Yinyi Wu (@3ndy1) of Ant Security Light-Year Lab

CVE-2021-30922: Jack Dates of RET2 Systems, Inc., Yinyi Wu (@3ndy1)

Entry updated January 19, 2022, updated May 25, 2022

**IOGraphics**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30821: Tim Michaud (@TimGMichaud) of Zoom Video Communications

**IOMobileFrameBuffer**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30883: an anonymous researcher

**Kernel**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30909: Zweig of Kunlun Lab

**Kernel**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30916: Zweig of Kunlun Lab

**Model I/O**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted file may disclose user information

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2021-30910: Mickey Jin (@patch1t) of Trend Micro

**Model I/O**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted USD file may disclose memory contents

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2021-30911: Rui Yang and Xingwei Lin of Ant Security Light-Year Lab

**SMB**

Available for: macOS Big Sur

Impact: A remote attacker may be able to leak memory

Description: A logic issue was addressed with improved state management.

CVE-2021-30844: Peter Nguyen Vu Hoang of STAR Labs

Entry added May 25, 2022

**SMB**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2021-30868: Peter Nguyen Vu Hoang of STAR Labs

**SoftwareUpdate**

Available for: macOS Big Sur

Impact: An unprivileged application may be able to edit NVRAM variables

Description: A logic issue was addressed with improved restrictions.

CVE-2021-30913: Kirin (@Pwnrin) and chenyuwang (@mzzzz\_\_) of Tencent Security Xuanwu Lab

Entry updated May 25, 2022

**SoftwareUpdate**

Available for: macOS Big Sur

Impact: A malicious application may gain access to a user's Keychain items

Description: The issue was addressed with improved permissions logic.

CVE-2021-30912: Kirin (@Pwnrin) and chenyuwang (@mzzzz\_\_) of Tencent Security Xuanwu Lab

**UIKit**

Available for: macOS Big Sur

Impact: A person with physical access to a device may be able to determine characteristics of a user's password in a secure text entry field

Description: A logic issue was addressed with improved state management.

CVE-2021-30915: Kostas Angelopoulos

**Windows Server**

Available for: macOS Big Sur

Impact: A local attacker may be able to view the previous logged-in user’s desktop from the fast user switching screen

Description: An authentication issue was addressed with improved state management.

CVE-2021-30908: ASentientBot

**xar**

Available for: macOS Big Sur

Impact: Unpacking a maliciously crafted archive may allow an attacker to write arbitrary files

Description: This issue was addressed with improved checks.

CVE-2021-30833: Richard Warren of NCC Group

Entry added January 19, 2022

**zsh**

Available for: macOS Big Sur

Impact: A malicious application may be able to modify protected parts of the file system

Description: An inherited permissions issue was addressed with additional restrictions.

CVE-2021-30892: Jonathan Bar Or of Microsoft

CVE-2021-30922: About the security content of macOS Big Sur 11.6.1

This issue was addressed with improved checks. This issue is fixed in iOS 15.1 and iPadOS 15.1, macOS Monterey 12.0.1, tvOS 15.1, watchOS 8.1, macOS Big Sur 11.6.1. A local attacker may be able to elevate their privileges.

Released October 25, 2021

**Audio**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to elevate privileges

Description: An integer overflow was addressed through improved input validation.

CVE-2021-30907: Zweig of Kunlun Lab

**ColorSync**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation.

CVE-2021-30917: Alexandru-Vlad Niculae and Mateusz Jurczyk of Google Project Zero

**Continuity Camera**

Available for: Apple TV 4K and Apple TV HD

Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An uncontrolled format string issue was addressed with improved input validation.

CVE-2021-30903: Gongyu Ma of Hangzhou Dianzi University

Entry added May 25, 2022

**CoreAudio**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted file may disclose user information

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2021-30905: Mickey Jin (@patch1t) of Trend Micro

**CoreGraphics**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution

Description: An out-of-bounds write was addressed with improved input validation.

CVE-2021-30919

**FileProvider**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to bypass Privacy preferences

Description: A permissions issue was addressed with improved validation.

CVE-2021-31007: Csaba Fitzl (@theevilbit) of Offensive Security

Entry added March 31, 2022, updated May 25, 2022

**FileProvider**

Available for: Apple TV 4K and Apple TV HD

Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution

Description: An input validation issue was addressed with improved memory handling.

CVE-2021-30881: Simon Huang (@HuangShaomang) and pjf of IceSword Lab of Qihoo 360

**Game Center**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to access information about a user's contacts

Description: A logic issue was addressed with improved restrictions.

CVE-2021-30895: Denis Tokarev (@illusionofcha0s)

Entry updated May 25, 2022

**Game Center**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to read user's gameplay data

Description: A logic issue was addressed with improved restrictions.

CVE-2021-30896: Denis Tokarev (@illusionofcha0s)

Entry updated May 25, 2022

**iCloud**

Available for: Apple TV 4K and Apple TV HD

Impact: A local attacker may be able to elevate their privileges

Description: This issue was addressed with improved checks.

CVE-2021-30906: Cees Elzinga

**Image Processing**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2021-30894: Pan ZhenPeng (@Peterpan0927) of Alibaba Security Pandora Lab

**IOMobileFrameBuffer**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30883: an anonymous researcher

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker can cause a device to unexpectedly restart

Description: A denial of service issue was addressed with improved state handling.

CVE-2021-30924: Elaman Iskakov (@darling\_x0r) of Effective and Alexey Katkov (@watman27)

Entry added January 19, 2022

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2021-30886: @0xalsr

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30909: Zweig of Kunlun Lab

**Model I/O**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted file may disclose user information

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2021-30910: Mickey Jin (@patch1t) of Trend Micro

**UIKit**

Available for: Apple TV 4K and Apple TV HD

Impact: A person with physical access to a device may be able to determine characteristics of a user's password in a secure text entry field

Description: A logic issue was addressed with improved state management.

CVE-2021-30915: Kostas Angelopoulos

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2021-31008

Entry added March 31, 2022

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to unexpectedly unenforced Content Security Policy

Description: A logic issue was addressed with improved restrictions.

CVE-2021-30887: Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd.

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious website using Content Security Policy reports may be able to leak information via redirect behavior 

Description: An information leakage issue was addressed.

CVE-2021-30888: Prakash (@1lastBr3ath)

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2021-30889: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2021-30890: an anonymous researcher

CVE-2021-30906: About the security content of tvOS 15.1

An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

This document describes the security content of watchOS 7.6.2.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**watchOS 7.6.2**

Released September 13, 2021

**CoreGraphics**

Available for: Apple Watch Series 3 and later

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: An integer overflow was addressed with improved input validation.

CVE-2021-30860: The Citizen Lab

**Core Telephony**

Available for: Apple Watch Series 3 and later

Impact: A sandboxed process may be able to circumvent sandbox restrictions. Apple was aware of a report that this issue may have been actively exploited at the time of release.

Description: A deserialization issue was addressed through improved validation.

CVE-2021-31010: Citizen Lab and Google Project Zero

Entry added May 25, 2022

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: May 25, 2022

CVE-2021-30860: About the security content of watchOS 7.6.2

A deserialization issue was addressed through improved validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 12.5.5, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. A sandboxed process may be able to circumvent sandbox restrictions. Apple was aware of a report that this issue may have been actively exploited at the time of release..

Released September 23, 2021

**CoreGraphics**

Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: An integer overflow was addressed with improved input validation.

CVE-2021-30860: The Citizen Lab

**Core Telephony**

Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)

Impact: A sandboxed process may be able to circumvent sandbox restrictions. Apple was aware of a report that this issue may have been actively exploited at the time of release.

Description: A deserialization issue was addressed through improved validation.

CVE-2021-31010: Citizen Lab and Google Project Zero

Entry added May 25, 2022

**WebKit**

Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use after free issue was addressed with improved memory management.

CVE-2021-30858: an anonymous researcher

**XNU**

Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild.

Description: A type confusion issue was addressed with improved state handling.

CVE-2021-30869: Erye Hernandez of Google Threat Analysis Group, Clément Lecigne of Google Threat Analysis Group, and Ian Beer of Google Project Zero

CVE-2021-31010: About the security content of iOS 12.5.5

Certain NetModule devices have Insecure Password Handling (cleartext or reversible encryption), These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800.

**Full Disclosure mailing list archives****SEC Consult SA-20210820-0 :: Multiple Vulnerabilities in NetModule Router Software**

_From_: SEC Consult Vulnerability Lab <research () sec-consult com>  
_Date_: Fri, 20 Aug 2021 13:44:26 +0200  

SEC Consult Vulnerability Lab Security Advisory < 20210820-0 >
=======================================================================
              title: Multiple Vulnerabilities in NetModule Router Software
            product: NetModule Router Software (NRSW)
 vulnerable version: Before 4.3.0.113, 4.4.0.111, 4.5.0.105
      fixed version: 4.3.0.113, 4.4.0.111, 4.5.0.105
         CVE number: CVE-2021-39289, CVE-2021-39290, CVE-2021-39291
             impact: High
           homepage: https://www.netmodule.com/en/
              found: 2021-05-05
                 by: SEC Consult Vulnerability Lab
                     These vulnerabilities were discovered during the research
                     cooperation initiative "OT Cyber Security Lab" between
                     Verbund AG and SEC Consult Group.
                     Gerhard Hechenberger (Office Vienna)
                     Steffen Robertz (Office Vienna)

                     An integrated part of SEC Consult, an Atos company
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"NetModule is a leading manufacturer of communication products for M2M and IoT.
One focus is on our solutions for applications in the fields of shipping, local
and long-distance public transit, and Industrial Internet. Future markets such
as Smart City, public safety, and sustainable energy and resource management
are further focus areas. The key technology here is 5G.

Our devices are certified and include the latest wireless technologies along
with multiple interfaces for applications where robust communication is
essential, such as information systems, driver communication, passenger WiFi,
remote maintenance, condition monitoring, and real-time data exchange."

Source: https://www.netmodule.com/en/about-netmodule/portrait

"Our Linux-based router software ensures reliable data connections with a wide
range of network functions and smart link management – stationary and mobile.
Configuration and update options for secure operation throughout the product
life cycle and over-the-air complete the package. As a special service, we
offer you free updates and support."

"The NetModule router software (NRSW) is our standard software and runs on all
our devices. This has the advantage of being able to use identical
configuration processes and functions for every router (unless technical
restrictions dictate otherwise). It is based on proven components such as
Embedded Linux and a powerful communication protocol suite."

Source: https://www.netmodule.com/en/products/software-overview/router-software

Business recommendation:
------------------------
The vendor provides patches, which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these
products conducted by security professionals to identify and resolve potential
further security issues.

We want to thank NetModule for the very professional response and great
cooperation.


Vulnerability overview/description:
-----------------------------------
1) Insecure Password Handling (CVE-2021-39289)
The device is storing passwords in an insecure way. For some of them, e.g.,
user accounts, password storage is an optional feature. For others, e.g., the
certificate password, configuration possibilities do not exist.
\* Storing and sending passwords as cleartext
\* Storing passwords symmetrically encrypted with a static key

2) Limited Session Fixation via Cookie (CVE-2021-39290)
An arbitrary session token cookie value can be used on the web interface. If
a session token with an arbitrary value is available, the device does not
create a new one during the login process. Also, after the logout, no new
session token will be issued. An attacker which is able to create cookies on
the victim's client (via potential HTTP Response Splitting, Malware, physical
access, ...) can use this to take over the session of the victim.

3) Insecure Feature (Web CLI) (CVE-2021-39291)
The interface supports an optional "CLI-PHP" feature, which is essentially a
PHP webshell. Authentication is needed and the credentials can be sent
as GET parameters. As GET parameters are part of the URL and URLs are
frequently stored, this may enable attackers with access to such logs to take
over the used account.


Proof of concept:
-----------------
1) Insecure Password Handling (CVE-2021-39289)
\* Storing and sending passwords as cleartext
The certificate settings are located at
SYSTEM -> Keys & Certificates -> Configuration. When visiting the following
URL, the certificate password will be included in cleartext in the response:
http://<IP-address>/admin/certificates.php?action=configure

Find the response below:
-------------------------------------------------------------------------------
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html; charset=ISO-8859-1
Connection: close
Date: Mon, 26 Apr 2021 07:20:26 GMT
Server: lighttpd/1.4.39
Content-Length: 25448

\[...\]
    <td class="c2\_left">Passphrase:</td>
    <td class="c2\_right">
      <input type="password" id="phrase" name="phrase" size=20 value="password12"
      >
    </td>
\[...\]
-------------------------------------------------------------------------------
Additionally, the password is stored in cleartext in the file
/etc/default/cert-settings on the device, the line reads:
PHRASE="password12"

\* Storing passwords symmetrically encrypted with a static key
The passwords are stored in the configuration file on the device, which can
also be downloaded at SYSTEM -> File Configuration -> Download. The downloaded
ZIP file will contain a \*.cfg file, which includes several encrypted passwords
(the values are prefixed with "\[enc\]", e.g.:
cer.settings.phrase=\[enc\]UauZghllTu7Jy7pF3mdkFA==
wwan.0.password=\[enc\]UauZghllTu7Jy7pF3mdkFA==
user.0.password=\[enc\]UauZghllTu7Jy7pF3mdkFA==
The used encryption is Blowfish CBC with a static key and initialization
vector, therefore, the passwords can easily be decrypted. This can be done with
the following script:
-------------------------------------------------------------------------------
#!/usr/bin/env python3

import sys
import base64
from Crypto.Cipher import Blowfish

data\_b64 = sys.argv\[1\]

key = b"\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f"
iv = b"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
cipher = Blowfish.new(key, Blowfish.MODE\_CBC, iv)

data\_enc = base64.b64decode(data\_b64)
data\_pad = cipher.decrypt(data\_enc)
num\_pad = int(data\_pad\[-1\])
data = data\_pad\[:-num\_pad\]
print(data)
-------------------------------------------------------------------------------
The value in the configuration file can be decrypted as follows:
-------------------------------------------------------------------------------
$ ./netmodule\_config\_decrypt.py UauZghllTu7Jy7pF3mdkFA==
b'password12'
-------------------------------------------------------------------------------


2) Limited Session Fixation via Cookie (CVE-2021-39290)
The session token is stored as cookie named "PHPSESSID". To show the issue,
execute the following steps:
\* Set the "PHPSESSID" cookie in scope of the web interface to an arbitrary
  value while logged out.
\* Log in. Observe that the cookie remains unchanged.
\* Log out. Observe that the cookie remains unchanged.

3) Insecure Feature (Web CLI) (CVE-2021-39291)
The Web CLI can be enabled at SERVICES -> Web Server -> Enable CLI-PHP.
It is available and can be used at the following URL:
http://<IP-address>/cli.php?command=status&usr=admin&pwd=password12


Vulnerable / tested versions:
-----------------------------
The following firmware/device has been tested:
\* NetModule NB1600: Firmware version 4.3.0.110 LTS

According to the vendor, the following models with firmware versions before
4.3.0.113, 4.4.0.111 and 4.5.0.105 are affected:
\* NB800
\* NB1600
\* NB1601
\* NB1800
\* NB1810
\* NB2700
\* NB2710
\* NB2800
\* NB2810
\* NB3700
\* NB3701
\* NB3710
\* NB3711
\* NB3720
\* NB3800


Vendor contact timeline:
------------------------
2021-05-25: Contacting vendor through support () netmodule com, asking
            for security contact information. Set release date to
            2021-07-14. Received vendor response concerning further steps.
2021-05-26: Advisory was transmitted to head of PM and acknowledged.
2021-06-16: In a call, the vendor acknowledges the findings and ensures to
            keep us updated on the upcoming release of a fixed firmware
            version.
2021-07-23: The vendor provides information on the release of a fixed
            firmware version on 2021-07-04.
2021-08-10: The vendor was notified about the pending release.
2021-08-19: The vendor provides information on all supported and fixed
            major releases.
2021-08-20: Coordinated release of security advisory.

Solution:
---------
Update the affected devices to software version 4.3.0.113, 4.4.0.111 or
4.5.0.105. Additionally, do not use insecure features and pay close attention
to warning messages during the configuration.

For more information see vendor's release notes:
https://share.netmodule.com/public/system-software/4.3/4.3.0.113/NRSW-RN-4.3.0.113.pdf
https://share.netmodule.com/public/system-software/4.4/4.4.0.111/NRSW-RN-4.4.0.111.pdf
https://share.netmodule.com/public/system-software/4.5/4.5.0.105/NRSW-RN-4.5.0.105.pdf

Workaround:
-----------
None.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec\_consult

EOF Gerhard Hechenberger, Steffen Robertz / @2021

**Attachment: smime.p7s**  
_Description:_ S/MIME Cryptographic Signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SEC Consult SA-20210820-0 :: Multiple Vulnerabilities in NetModule Router Software** _SEC Consult Vulnerability Lab (Aug 20)_

Tag

#pdf