Ubuntu Security Notice 6553-1 - Nina Jensen discovered that Pydantic incorrectly handled user input in the date and datetime fields. An attacker could possibly use this issue to cause a denial of service via application crash.

    ==========================================================================Ubuntu Security Notice USN-6553-1December 12, 2023pydantic vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS (Available with Ubuntu Pro)Summary:Pydantic could be made to crash if it received specially craftedinput.Software Description:- pydantic: Data validation using Python type hints.Details:Nina Jensen discovered that Pydantic incorrectly handled user input in thedate and datetime fields. An attacker could possibly use this issue tocause a denial of service via application crash. (CVE-2021-29510)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS (Available with Ubuntu Pro):   python3-pydantic                1.2-1ubuntu0.1~esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6553-1   CVE-2021-29510

Ubuntu Security Notice USN-6553-1

Ubuntu Security Notice 6554-1 - Zygmunt Krynicki discovered that GNOME Settings did not accurately reflect the SSH remote login status when the system was configured to use systemd socket activation for OpenSSH. Remote SSH access may be unknowingly enabled, contrary to expectation.

==========================================================================  
Ubuntu Security Notice USN-6554-1  
December 13, 2023

gnome-control-center vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

GNOME Settings could allow unintended access to network services.

Software Description:  
- gnome-control-center: utilities to configure the GNOME desktop

Details:

Zygmunt Krynicki discovered that GNOME Settings did not accurately reflect  
the SSH remote login status when the system was configured to use systemd  
socket activation for OpenSSH. Remote SSH access may be unknowingly  
enabled, contrary to expectation.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
  gnome-control-center            1:45.0-1ubuntu3.1

Ubuntu 23.04:  
  gnome-control-center            1:44.0-1ubuntu6.1

Ubuntu 22.04 LTS:  
  gnome-control-center            1:41.7-0ubuntu0.22.04.8

Ubuntu 20.04 LTS:  
  gnome-control-center            1:3.36.5-0ubuntu4.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6554-1  
  CVE-2023-5616

Package Information:  
  https://launchpad.net/ubuntu/+source/gnome-control-center/1:45.0-1ubuntu3.1  
  https://launchpad.net/ubuntu/+source/gnome-control-center/1:44.0-1ubuntu6.1  
  https://launchpad.net/ubuntu/+source/gnome-control-center/1:41.7-0ubuntu0.22.04.8  
  https://launchpad.net/ubuntu/+source/gnome-control-center/1:3.36.5-0ubuntu4.1

Ubuntu Security Notice USN-6554-1

Ubuntu Security Notice 6548-2 - It was discovered that Spectre-BHB mitigations were missing for Ampere processors. A local attacker could potentially use this to expose sensitive information. It was discovered that the USB subsystem in the Linux kernel contained a race condition while handling device descriptors in certain situations, leading to a out-of-bounds read vulnerability. A local attacker could possibly use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6548-2  
December 12, 2023

linux-oracle-5.4, linux-raspi, linux-raspi-5.4 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-raspi: Linux kernel for Raspberry Pi systems  
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems  
- linux-raspi-5.4: Linux kernel for Raspberry Pi systems

Details:

It was discovered that Spectre-BHB mitigations were missing for Ampere  
processors. A local attacker could potentially use this to expose sensitive  
information. (CVE-2023-3006)

It was discovered that the USB subsystem in the Linux kernel contained a  
race condition while handling device descriptors in certain situations,  
leading to a out-of-bounds read vulnerability. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-37453)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate some attributes passed from userspace. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly expose sensitive information (kernel memory). (CVE-2023-39189)

Sunjoo Park discovered that the netfilter subsystem in the Linux kernel did  
not properly validate u32 packets content, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39192)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate SCTP data, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39193)

Lucas Leong discovered that the Netlink Transformation (XFRM) subsystem in  
the Linux kernel did not properly handle state filters, leading to an out-  
of-bounds read vulnerability. A privileged local attacker could use this to  
cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-39194)

Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did  
not properly handle socket buffers (skb) when performing IP routing in  
certain circumstances, leading to a null pointer dereference vulnerability.  
A privileged attacker could use this to cause a denial of service (system  
crash). (CVE-2023-42754)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel  
did not properly handle queue initialization failures in certain  
situations, leading to a use-after-free vulnerability. A remote attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-5178)

Budimir Markovic discovered that the perf subsystem in the Linux kernel did  
not properly handle event groups, leading to an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-5717)

It was discovered that the TLS subsystem in the Linux kernel did not  
properly perform cryptographic operations in some situations, leading to a  
null pointer dereference vulnerability. A local attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2023-6176)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1100-raspi    5.4.0-1100.112  
   linux-image-raspi               5.4.0.1100.130  
   linux-image-raspi2              5.4.0.1100.130

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   linux-image-5.4.0-1100-raspi    5.4.0-1100.112~18.04.1  
   linux-image-5.4.0-1115-oracle   5.4.0-1115.124~18.04.1  
   linux-image-oracle              5.4.0.1115.124~18.04.87  
   linux-image-raspi-hwe-18.04     5.4.0.1100.97

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6548-2  
   https://ubuntu.com/security/notices/USN-6548-1  
   CVE-2023-3006, CVE-2023-37453, CVE-2023-39189, CVE-2023-39192,  
   CVE-2023-39193, CVE-2023-39194, CVE-2023-42754, CVE-2023-5178,  
   CVE-2023-5717, CVE-2023-6176

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1100.112

Ubuntu Security Notice USN-6548-2

Apple Security Advisory 12-11-2023-5 - macOS Ventura 13.6.3 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-5 macOS Ventura 13.6.3

macOS Ventura 13.6.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214038.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accounts  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42919: Kirin (@Pwnrin)

AppleEvents  
Available for: macOS Ventura  
Impact: An app may be able to access information about a user's contacts  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Archive Utility  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42924: Mickey Jin (@patch1t)

AVEVideoEncoder  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42884: an anonymous researcher

CoreServices  
Available for: macOS Ventura  
Impact: A user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

Find My  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

IOKit  
Available for: macOS Ventura  
Impact: An app may be able to monitor keystrokes without user permission  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42891: an anonymous researcher

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

ncurses  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2020-19185  
CVE-2020-19186  
CVE-2020-19187  
CVE-2020-19188  
CVE-2020-19189  
CVE-2020-19190

TCC  
Available for: macOS Ventura  
Impact: An app may be able to access protected user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42932: Zhongquan Li (@Guluisacat)

Vim  
Available for: macOS Ventura  
Impact: Opening a maliciously crafted file may lead to unexpected  
application termination or arbitrary code execution  
Description: This issue was addressed by updating to Vim version  
9.0.1969.  
CVE-2023-5344

macOS Ventura 13.6.3 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qgoACgkQX+5d1TXa  
IvpDVg//XCF9zB8zPCD2GtLafeKaQG1RY1ywmunkYsqnfzyOqkYb5MnbwozHMDwa  
qypd87nhWD7ROenEAUKf4yCjk9Gf168PeUEE5pYT7Hz4/bAfCVadOouy00/WBTEQ  
smmVQs0dYrPIJ1FW/ppx4SgXnXgLh9sSibwnn0nwd0cwsP8fkfbv3LLgqa8Ac7dB  
wcQoulwdau7SCdMXqNdch4iX91cH1qhSl1B8M6JmZNgg6iqCtCwBT1igzBGAijrb  
wv80jtTsvDxNjXn81Z4OpwhhIvcat4ZcV/caisRyK56co5v2BWm2rmQJwB8MQLVq  
M3Rjh8FeSg31t1BOCeKZh27tbihPE+TF/PBDHMOFW4n5PbyYe45ipVSiZtCJTx/M  
BzJiNsNsb4ej7TJUucPiLFNb2qRMS9NNu9/tnhCYzoSnuWd3ifxYJnF+sVJweZcl  
mJbIqXAPpopd9hvLr+ZLaVszbwCgDpj2D3puZ718x94JenipTRVAiBLlIJNZo7MC  
RKtHp357of0yaGfj8Ak8hkbU+MGxh5/l0fWIGEjCnqz8UP9xJ32PCpNU9hVLjFPF  
DJO4TdF4XBnTncCfXZMXdGouwutyab8DZBtq9Y5Xlvy6qSs9ljc4xBPvpspFsyRV  
xKYkmdMsZPZ02HSPKNZLEljeUEuHirrdMKNT0E+Kb3s6gwI7nGQ=  
=pTTV  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-5

Apple Security Advisory 12-11-2023-4 - macOS Sonoma 14.2 addresses code execution, out of bounds read, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-4 macOS Sonoma 14.2

macOS Sonoma 14.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214036.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: macOS Sonoma  
Impact: Secure text fields may be displayed via the Accessibility  
Keyboard when using a physical keyboard  
Description: This issue was addressed with improved state management.  
CVE-2023-42874: Don Clarke

Accounts  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42919: Kirin (@Pwnrin)

AppleEvents  
Available for: macOS Sonoma  
Impact: An app may be able to access information about a user's contacts  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

AppleGraphicsControl  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: Multiple memory corruption issues were addressed with  
improved input validation.  
CVE-2023-42901: Ivan Fratric of Google Project Zero  
CVE-2023-42902: Ivan Fratric of Google Project Zero, and Michael  
DePlante (@izobashi) of Trend Micro Zero Day Initiative  
CVE-2023-42912: Ivan Fratric of Google Project Zero  
CVE-2023-42903: Ivan Fratric of Google Project Zero  
CVE-2023-42904: Ivan Fratric of Google Project Zero  
CVE-2023-42905: Ivan Fratric of Google Project Zero  
CVE-2023-42906: Ivan Fratric of Google Project Zero  
CVE-2023-42907: Ivan Fratric of Google Project Zero  
CVE-2023-42908: Ivan Fratric of Google Project Zero  
CVE-2023-42909: Ivan Fratric of Google Project Zero  
CVE-2023-42910: Ivan Fratric of Google Project Zero  
CVE-2023-42911: Ivan Fratric of Google Project Zero  
CVE-2023-42926: Ivan Fratric of Google Project Zero

AppleVA  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42882: Ivan Fratric of Google Project Zero

Archive Utility  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42924: Mickey Jin (@patch1t)

AVEVideoEncoder  
Available for: macOS Sonoma  
Impact: An app may be able to disclose kernel memory  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42884: an anonymous researcher

Bluetooth  
Available for: macOS Sonoma  
Impact: An attacker in a privileged network position may be able to  
inject keystrokes by spoofing a keyboard  
Description: The issue was addressed with improved checks.  
CVE-2023-45866: Marc Newlin of SkySafe

CoreMedia Playback  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved checks.  
CVE-2023-42900: Mickey Jin (@patch1t)

CoreServices  
Available for: macOS Sonoma  
Impact: A user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

ExtensionKit  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

IOKit  
Available for: macOS Sonoma  
Impact: An app may be able to monitor keystrokes without user permission  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42891: an anonymous researcher

Kernel  
Available for: macOS Sonoma  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

ncurses  
Available for: macOS Sonoma  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2020-19185  
CVE-2020-19186  
CVE-2020-19187  
CVE-2020-19188  
CVE-2020-19189  
CVE-2020-19190

SharedFileList  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2023-42842: an anonymous researcher

TCC  
Available for: macOS Sonoma  
Impact: An app may be able to access protected user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42932: Zhongquan Li (@Guluisacat)

Vim  
Available for: macOS Sonoma  
Impact: Opening a maliciously crafted file may lead to unexpected  
application termination or arbitrary code execution  
Description: This issue was addressed by updating to Vim version  
9.0.1969.  
CVE-2023-5344

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: macOS Sonoma  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

Additional recognition

Memoji  
We would like to acknowledge Jerry Tenenbaum for their assistance.

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

macOS Sonoma 14.2 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qdUACgkQX+5d1TXa  
Ivp5JQ/9FhhIgATXMT6vd3gK4Bqn3JRODRK+rBcNBjb0zMKWh42fXqZA81K86Ksv  
FB6/OxqYmdo9NI2g7VMj0I7vS8cQf2ZE0sjSYObkuZ32As5y7Ov+xvNnrCjLuwV3  
vrDlBFRRS7KWNskNEV4ciT+ECHUYU6Jkrpt/TqpmR/B/fFxNfjE2Ibeuy56CSlGi  
FYCasHeyI5pC4kfetYG6Jo7RwcK1nCbNWHB3+zKQItvkkwV3nVBF+QjJGD/aEzz3  
X8Jp/hf3taYesK45lr6HWGcuuAGLAAYkjfxz8lLYDQ4AoQ5Xi9WCTjEX9shdKgoF  
oo1JQDCEuhLXK+1vOxoYEmUAKMRQMMlRMtZgft8hPh6Pce8gYcI0Rez3RT5+m2+U  
C7d0+97gnpssZkq2JRdyjogl5ACNHGD81jBHg33PppnjTptKNn8JSyXIZLBM3zK/  
jQRLmEAlJkl6MgnWKiy+pyzPxCsoFJnOJG481sLTEfQbiQONFIUV3YTesxbIv2a0  
8yAM0cFf5cqF6frS81zn8vYfdPJU6HJ3OQGmumLQ4UJAbWY7zg9XbyyZTFw2woGj  
0IvoSEBuP4e25JznB1/nchP7W4MJ9VfAzMe/MyBqOibHgomkY1UQqdvWz7olK3Bb  
5NkKt5PVTVjAH+R5wVnnXPlWq7Rgfg2m0Y9g3FwTm4WPrIUT5Us=  
=c6Yv  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-4

Atos Unify OpenScape Session Border Controller (SBC) versions before V10 R3.4.0, Branch versions before V10 R3.4.0, and BCF versions before V10 R10.12.00 and V10 R11.05.02 suffer from an argument injection vulnerability that can lead to unauthenticated remote code execution and authentication bypass.

SEC Consult Vulnerability Lab Security Advisory < 20231205-0 >  
=======================================================================  
               title: Argument injection leading to unauthenticated RCE and  
                      authentication bypass  
             product: Atos Unify OpenScape Session Border Controller (SBC)  
                      Atos Unify OpenScape Branch  
                      Atos Unify OpenScape BCF  
  vulnerable version: OpenScape SBC before V10 R3.4.0  
                      OpenScape Branch before V10 R3.4.0  
                      OpenScape BCF V10 before V10 R10.12.00 and V10 R11.05.02  
       fixed version: OpenScape SBC V10 R3.4.0 or higher  
                      OpenScape Branch V10 R3.4.0 or higher  
                      OpenScape BCF V10 R10.12.00 or higher, V10 R11.05.02  
          CVE number: CVE-2023-6269  
              impact: Critical  
            homepage: https://unify.com/  
               found: 2023-09-01  
                  by: Armin Weihbold (Office Linz)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Unify is is the Atos brand for communication and collaboration solutions  
Unify is the newest member of the Atos family, combining Atos’ knowledge and  
reputation in the IT services market with Unify’s expertise in unified  
communications and collaboration to provide customers with seamless services  
solutions for their entire digital portfolio. Within Atos, Unify continues to  
deliver a unique integrated proposition for unified communications and real  
time capabilities."

Source: https://unify.com/en/expert/unify

Business recommendation:  
------------------------  
SEC Consult recommends users of this solution to immediately install the latest  
patch from the vendor.

Furthermore, an in-depth security analysis performed by security professionals  
is highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Argument injection leading to unauthenticated RCE and authentication bypass (CVE-2023-6269)  
The administrative web interface insufficiently escapes supplied login  
credentials before passing them to a user management application, leading to  
an unauthenticated attacker being able to gain root access to the appliance  
via SSH.

Another possibility to exploit this vulnerability is to append a special  
argument during logon to completely bypass the authentication of the web interface.  
A previously unauthenticated attacker can logon as administrator without any  
known credentials.

Proof of concept:  
-----------------  
1) Argument injection leading to unauthenticated RCE and authentication bypass (CVE-2023-6269)  
Example 1) Gaining unauthenticated SSH root access

The file receiving data from the login page is `auth.php`, here the  
user-provided credentials are passed on to the function  
`PasswordMgr::authPassword` after some checks on the supplied username.

```php  
// /srv/www/htdocs/auth.php  
// [...]  
     $ret=false;  
     $real_user='';  
     $error = '';  
     $local_user=strip_tags($_POST['username']);  
// [...]  
     if( !sessionLimitReached() )  
     {  
         // Authenticate user/password...  
         $privilege = PasswordMgr::getUserPrivilege($local_user);  
         if (($local_user == 'assistant') || ($local_user == 'cdr') || (!PasswordMgr::isUserEnabled($local_user))){  
             $ret = false;  
         }  
         else {  
             switch ($privilege) {  
                 case 'admin':  
                     $ret = PasswordMgr::authPassword($_POST["username"], $_POST["password"], $error, $real_user, $local_user, FALSE);  
                     break;  
                 // [...]  
             }  
         }  
         // [...]  
     }  
// [...]

```

The function `PasswordMgr::authPassword` in `core/PasswordMgr.php` is just a  
wrapper around `call_osbpasswd` in the same file.

```php  
// /srv/www/htdocs/core/PasswordMgr.php

public static function authPassword($username, $password, &$error, &$real_user, &$local_user, $local = FALSE)  
{  
     $error='';  
     if ( PasswordMgr::call_osbpasswd("auth", $username, $password, $error, $real_user, $local_user, $local ) )  
     {  
         $error='Current Password does not match user';  
         return false;  
     }  
     return true;  
}  
```

The function `call_osbpasswd` is responsible for anything related to user  
management, it does this by constructing shell arguments and supplying them to  
the executable `/osb/bin/osbpasswd` which is executed with root privileges via  
`cfgUtilExecSudo`. This executable handles the actual authentication, creation  
of users, and other tasks.  
In the case of authentication the arguments are written to a temporary file  
and read from there.  
Before that the supplied password is escaped using `escapeshellcmd` instead of  
`escapeshellarg`. This means that space characters (hex 0x20) in the password  
are left intact allowing for argument injection.

```php  
// /srv/www/htdocs/core/PasswordMgr.php

public static function call_osbpasswd( $method, $username, $password, &$output, &$real_user, &$local_user, $local, $extraArg = '' )  
{  
     // [...]  
     $curruser = 'GUI';  
     // [...]

     $params = "$method";  
     if ($local)          $params .= ' --local';  
     if ($username != '') $params .= " --user $username";  
     if ($curruser != '') $params .= " --curruser $curruser";  
     if ($extraArg != '') $params .= "$extraArg";

     $file = '';  
     // [...]  
     else {  
         $params .= " --password ";  
         $fakePar = $params."xxxxxx";  
         $params .= escapeshellcmd($password);  
         $params .= "\n";  
         $file = tempnam('/osb/var/tmp','osbpasswd.'.md5($params).'.');  
         /*E.g.: /opt/openbranch/var/tmp/osbpasswd.f9e2a9fcf29c6275830257316d560e27.CG4IcQ */  
         cfgUtilEcho( $params, $file );  
         $command = "/osb/bin/osbpasswd ".$fakePar." --file ".$file;  
     }

     $outArray = array();  
     $ret = cfgUtilExecSudo($command, $outArray, FALSE, TRUE);  
     // [...]  
     return $ret;  
}  
```

The function that is responsible for parsing command line arguments  
in the called application `/osb/bin/osbpasswd` iterates over arguments and  
sets global variables based on them. This is done in a loop and no check is  
done if that argument was already set. This means an attacker can override all  
parameters by specifying them again.

```C  
int parse_arguments(int argc, char **argv, int n)  
{  
   // [...]  
   while ( n < argc && argv[n] ) {  
     // [...]  
     else if ( !strcmp("--user", argv[n]) ) {  
         if ( ++n < argc )  
            arg_user = argv[n];  
     }  
     else if ( !strcmp("--shell", argv[n]) ) {  
         if ( ++n < argc )  
             arg_shell = argv[n];  
     }  
     // [...]  
     else if ( !strcmp("auth", argv[n]) ) {  
         arg_command_name = argv[n];  
         arg_command_number = 1;  
     }  
     else if ( !strcmp("add", argv[n]) ) {  
         arg_command_name = argv[n];  
         arg_command_number = 6;  
     }  
     // [...]  
     ++n;  
   }  
   return 0LL;  
}  
```

The combination of faulty escaping of the supplied password and overly  
permissive parsing of arguments in the called binary leads to an attacker being  
able to request arbitrary operations from the `/osb/bin/osbpasswd` binary with  
arbitrary arguments. An attacker could for example create a new user with SSH  
access and change the password of the root user leading to a complete  
compromise of the system.

To demonstrate the vulnerability, it is sufficient to [...]

[ Proof of concept removed ]

- this creates a new user with SSH access, the second one [...]

[ Proof of concept removed ]

which changes the password of the root user. The attacker can then login [...]  
to gain root access.

Example 2) Bypassing the web interface logon as administrator  
As described in example 1, the same vulnerability can also be exploited to  
bypass the logon for the web interface and immediately gain access as  
administrator because the arguments for the command-line tool are passed and  
evaluated.

By supplying the [...] following [...] string [...], it is possible to logon  
without known credentials:

[ Proof of concept removed ]

[...]  
Afterwards the attacker is logged on as administrator (or any other supplied  
user account).

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:

* Atos Unify OpenScape Session Border Controler (SBC) Firmware Version V10 R3.3.0

According to vendor, versions before V10 R3.3.0 are affected as well.

The vendor confirmed that the following products are vulnerable:  
* Atos Unify OpenScape SBC V10 before V10 R3.4.0  
* Atos Unify OpenScape Branch V10 before V10 R3.4.0  
* Atos Unify OpenScape BCF V10 before V10R10.12.00 and V10R11.05.02

Vendor contact timeline:  
------------------------  
2023-09-13: Contacting vendor through email obso@atos.net; sending  
             encrypted advisory (S/MIME)  
2023-09-25: Call with vendor, patch has already been developed, available  
             internally for testing & QA since 22nd.  
2023-09-26: Preliminary vendor security advisory available, giving feedback  
             regarding recommendations. Vendor informs customers in advance  
             (TLP:AMBER), patch planned for 2023-09-27.  
2023-10-04: Vendor security advisory public release (TLP:WHITE).  
2023-10-06: Asking regarding next steps for affected product Atos Unify  
             OpenScape BCF.  
2023-10-10: Vendor confirms that OpenScape BCF is affected as well and added  
             it to their advisory.  
2023-11-27: Reserving CVE-2023-6269 and sending it to vendor, defining  
             release date of 5th December.  
2023-12-05: Coordinated release of security advisory.

Solution:  
---------  
The vendor provides a patch for the affected products:  
* Atos Unify OpenScape Session Border Controller Firmware Version V10 >=R3.4.0  
* Atos Unify OpenScape Branch version V10 >=R3.4.0  
* Atos Unify OpenScape BCF version V10 >=V10R10.12.00 and V10R11.05.02

The patches can be obtained for registered customers through the vendor's  
download server:  
https://sws.unify.com/SWSIntranet/SWSIntra.aspx or via  
https://unify.com/en/partner/partnerportal  
https://unify.com/en/support/kunden-support-portal

Furthermore, the vendor has also released a security advisory which is  
available here:  
https://networks.unify.com/security/advisories/OBSO-2310-01.pdf

Workaround:  
-----------  
In addition to deploying the patch, limit access to the administrative  
web application and SSH ports to authorized personnel on the network level.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF A. Weihbold / @2023

Atos Unify OpenScape Authentication Bypass / Remote Code Execution

Silverpeas Core 6.3.1 and prior are vulnerable to Cross Site Scripting (XSS) via the message/notification feature.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-47324

**Cross-site Scripting in silverpeas**

Moderate severity GitHub Reviewed Published Dec 13, 2023 to the GitHub Advisory Database • Updated Dec 13, 2023

**Package**

maven org.silverpeas.core:silverpeas-core-api (Maven)

**Affected versions**

< 6.3.2

maven org.silverpeas.core:silverpeas-core-configuration (Maven)

maven org.silverpeas.core:silverpeas-core-war (Maven)

maven org.silverpeas.core:silverpeas-core-web (Maven)

**Description**

Published to the GitHub Advisory Database

Dec 13, 2023

Last updated

Dec 13, 2023

GHSA-wgrw-fj3v-fhc5: Cross-site Scripting in silverpeas

Anveo Mobile application version 10.0.0.359 and server version 11.0.0.5 suffer from missing certificate validation and user enumeration vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20231128-0 >  
=======================================================================  
               title: Missing Certificate Validation & User Enumeration  
             product: Anveo Mobile App and Server  
  vulnerable version: Mobile App: 10.0.0.359 / 2016-07-13; Server: 11.0.0.5  
       fixed version: -  
          CVE number: -  
              impact: Medium  
            homepage: https://www.anveogroup.com/en/mobile-apps-for-dynamics/  
               found: 2023-05-28  
                  by: Daniel Hirschberger (Office Bochum)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Create your own individual Mobile App with Anveo. Our base, out of the box  
solutions offer many useful functions, and can be flexibly adapted to your  
requirements: the Anveo Service App, Anveo Sales App, and Anveo Delivery App.  
You are looking for a mobile App for a different scenario? Not a problem with  
the Anveo Mobile App Builder! Thanks to the toolkit character of the solution,  
configuration of a completely new, custom App is simple."

Source: https://www.anveogroup.com/en/mobile-apps-for-dynamics/

Business recommendation:  
------------------------  
The vendor was unresponsive and did not reply to our communication attempts and even  
deleted our comment to request a contact on LinkedIn, see the timeline section further  
below.

There is no solution known to us for this security issue. In case you are a customer  
of Anveo, request an update from them about the issue.

Furthermore, an in-depth security analysis performed by security professionals is  
highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Missing Certificate Validation  
The Windows application was tested which does not perform certificate validation  
and is therefore vulnerable to man-in-the-middle attacks which might allow an  
attacker to gain access to sensitive data.

2) User Enumeration  
The login is vulnerable to user enumeration because the error message for a  
non-existent user differs from the error message when a user exists. This allows  
an attacker to perform targeted brute-force attacks and potentially take over  
other user accounts.

Proof of concept:  
-----------------  
1) Missing Certificate Validation  
The application does not validate the server certificate. To verify this,  
a new self-signed certificate was created with the openssl commandline tool.

Afterwards, an openssl server was spawned with netcat:

[ POC removed]

When adding a new account in the application with the IP and port of this server,  
a connection is attempted. Now a special string has to be sent from the netcat  
listener to the client.

As a response, the client tries to authenticate against the server with the  
username and password:

<img certificate_validation.png>

The part between <EOS> and <EOSC> can be base64-decoded and decompressed with  
zlib which yields the following output:

[ POC removed ]

The "PW" Parameter contains the base64-encoded password, in this case "unknown".

2) User Enumeration  
When a non-existent user tries to login, the error message shows "Cannot find  
user":

<img user_nonexistent.png>

When a valid username but a wrong password is submitted, the server responds  
with "Username or password is not correct":

<img user_exists.png>

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* Application version 10.0.0.359 / 2016-07-13 (the Windows version was tested)

The vendor did not respond to our communication attempts, hence it is unknown whether  
further versions are affected as well.

Vendor contact timeline:  
------------------------  
2023-06-12: Contacting vendor through email info@AnveoGroup.com  
             Asking for security contact, no response  
2023-06-26: Contacting vendor through same email again, no response.  
2023-07-24: Contacting vendor through technical support email support@AnveoGroup.com  
             Asking for security contact again, no response.  
2023-09-15: Contacting vendor again through info@AnveoGroup.com, support@AnveoGroup.com  
             and datenschutz@AnveoGroup.com. Ticket got automatically created, but no  
             response.  
2023-09-19: Posted a message/comment on LinkedIn at Anveo Group to contact us. Besides a  
             few profile views from employees (Team Lead Anveo Mobile App, Social Media  
             Marketing, CEO) no response.  
             Our comment then got deleted by Anveo Group.  
             Comment:  
             "Hi Anveo Group, we have been trying to reach your company since June through  
             our responsible disclosure process as we have identified some security  
             issues in your products. We never received any response via multiple email  
             addresses (found on your website). Could you please get in touch with us and  
             provide us with a person responsible for security? Thank you!"  
2023-09-20: Contacting third party whether they received a patch; no response.  
2023-10-09: Contacting again; no response.  
2023-10-23: Contacting again; no response.  
2023-11-17: Final attempt, asked third party for info again, tried to contact  
             "support@anveogroup.com" through ticket again. No response from vendor, but  
             third party replied, that they also did not receive any response from Anveo.  
2023-11-28: Public release of security advisory.

Solution:  
---------  
The vendor was unresponsive and did not reply to our communication attempts and even  
deleted our comment to request a contact on LinkedIn, see the timeline section.

There is no solution known to us for this security issue. In case you are a customer  
of Anveo, request an update from them about the issue.

Furthermore, an in-depth security analysis performed by security professionals is  
highly advised, as the software may be affected from other security issues.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2023

Anveo Mobile User Enumeration / Missing Certificate Validation

Ubuntu Security Notice 6549-2 - It was discovered that the USB subsystem in the Linux kernel contained a race condition while handling device descriptors in certain situations, leading to a out-of-bounds read vulnerability. A local attacker could possibly use this to cause a denial of service. Lin Ma discovered that the Netlink Transformation subsystem in the Linux kernel did not properly initialize a policy data structure, leading to an out-of-bounds vulnerability. A local privileged attacker could use this to cause a denial of service or possibly expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6549-2  
December 12, 2023

linux-gkeop, linux-gkeop-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems  
- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems

Details:

It was discovered that the USB subsystem in the Linux kernel contained a  
race condition while handling device descriptors in certain situations,  
leading to a out-of-bounds read vulnerability. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-37453)

Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel did not properly initialize a policy data structure, leading  
to an out-of-bounds vulnerability. A local privileged attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information (kernel memory). (CVE-2023-3773)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate some attributes passed from userspace. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly expose sensitive information (kernel memory). (CVE-2023-39189)

Sunjoo Park discovered that the netfilter subsystem in the Linux kernel did  
not properly validate u32 packets content, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39192)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate SCTP data, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39193)

Lucas Leong discovered that the Netlink Transformation (XFRM) subsystem in  
the Linux kernel did not properly handle state filters, leading to an out-  
of-bounds read vulnerability. A privileged local attacker could use this to  
cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-39194)

It was discovered that a race condition existed in QXL virtual GPU driver  
in the Linux kernel, leading to a use after free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-39198)

Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did  
not properly handle socket buffers (skb) when performing IP routing in  
certain circumstances, leading to a null pointer dereference vulnerability.  
A privileged attacker could use this to cause a denial of service (system  
crash). (CVE-2023-42754)

Jason Wang discovered that the virtio ring implementation in the Linux  
kernel did not properly handle iov buffers in some situations. A local  
attacker in a guest VM could use this to cause a denial of service (host  
system crash). (CVE-2023-5158)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel  
did not properly handle queue initialization failures in certain  
situations, leading to a use-after-free vulnerability. A remote attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-5178)

Budimir Markovic discovered that the perf subsystem in the Linux kernel did  
not properly handle event groups, leading to an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-5717)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1034-gkeop   5.15.0-1034.40  
   linux-image-gkeop               5.15.0.1034.33  
   linux-image-gkeop-5.15          5.15.0.1034.33

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1034-gkeop   5.15.0-1034.40~20.04.1  
   linux-image-gkeop-5.15          5.15.0.1034.40~20.04.30

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6549-2  
   https://ubuntu.com/security/notices/USN-6549-1  
   CVE-2023-37453, CVE-2023-3773, CVE-2023-39189, CVE-2023-39192,  
   CVE-2023-39193, CVE-2023-39194, CVE-2023-39198, CVE-2023-42754,  
   CVE-2023-5158, CVE-2023-5178, CVE-2023-5717

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1034.40  
   https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1034.40~20.04.1

Ubuntu Security Notice USN-6549-2

Apple Security Advisory 12-11-2023-3 - iOS 16.7.3 and iPadOS 16.7.3 addresses code execution and out of bounds read vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-12-11-2023-3 iOS 16.7.3 and iPadOS 16.7.3iOS 16.7.3 and iPadOS 16.7.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214034.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.AccountsAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-42919: Kirin (@Pwnrin)AVEVideoEncoderAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to disclose kernel memoryDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2023-42884: an anonymous researcherFind MyAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to read sensitive location informationDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)ImageIOAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing an image may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung LeeKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to break out of its sandboxDescription: The issue was addressed with improved memory handling.CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv(@Synacktiv)WebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing an image may lead to a denial-of-serviceDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 263349CVE-2023-42883: Zoom Offensive Security TeamWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to arbitrary code execution.Apple is aware of a report that this issue may have been exploitedagainst versions of iOS before iOS 16.7.1.Description: A memory corruption vulnerability was addressed withimproved locking.WebKit Bugzilla: 265067CVE-2023-42917: Clément Lecigne of Google's Threat Analysis GroupWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may disclose sensitive information. Appleis aware of a report that this issue may have been exploited againstversions of iOS before iOS 16.7.1.Description: An out-of-bounds read was addressed with improved inputvalidation.WebKit Bugzilla: 265041CVE-2023-42916: Clément Lecigne of Google's Threat Analysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.7.3 and iPadOS 16.7.3".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qXoACgkQX+5d1TXaIvoPShAAjPSR538Ul0j+LcQE0x90MRfNyylza/kJygxDUojXji7lvnUB0s7Ft3CfPAIOPSqfyR1wAVhBPjeAPut+xp5553BBg0lUqSFldKWbP0y68zFAhc7DRIxLhqEs2N3/Dy5UYu834IQ1CaIlkAgwR4lh7Eni1he5thOyXjPzCoGo6ucGXHCoZO7JrsR5zkUFXVfdbE+k8fZVxlROFX7nBw/j9k8bDvrLPqcx4wupvTWsJI8FctUHeYQebK+77G0gJwBfwkdrYbOOCnI4RcRNranAhrr3h+oVgxVgZu+lJOLeooMfwlN/fujjEvKVPfNO/7UAP3m6Qtv8ZogHedN3pKKgvN0xn/FG9gKf2Y+EwgUOnjvWr15IIAku5M4jESTagyfYz8y+Q4qbrSgV1lC3DSgDoJQPp2civp6bqcsNXajGF00F95iQysx0wHaaKMIJazVnoN0bjZ4yk1xiTjPkft3Jn+kfPd1cjWprGlGKn92XPYLDbwXcxvnCkagVa4eJ6GY7DQ8HJJLClawx4OQE1K+VULTPLDOoJnwI5BA2RdU9LRm1h+YOM31jc47zupr+YHdebroeLerLX/KNNT5GUtfs0p794FwVyoQzwsKOiQXHMxzug3lCGdkGdg5ErMHcIGwZXq+Ko2sUn59Gub+7MGetPjU7OlAwU2h3nFOf3JEt8ww==khhF-----END PGP SIGNATURE-----

Tag

#vulnerability