[FD] VMware ESXi: Multiple vulnerabilities [CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3960]
Overview
========

We identified several security issues in the ESXi virtual machine monitor (VMM): a use-after-free (UAF) vulnerability in PVNVRAM, a missing return value check in the EHCI USB controller leading to private heap information disclosure, and several OOB reads. All issues have been fixed by the vendor. Links to the patches are provided below.

ESXi PVNVRAM Use After Free [CVE-2020-3963]
===========================================

The paravirtualized NVRAM device supports read / write / find-next operations on variables stored in its variable store. The find-next operation (opcode 0xD2) allows guest firmware to enumerate all variables in the store by querying for the next variable in the store. PVNVRAM stores a raw pointer to the last returned variable. In most places that update the variable store, this pointer is properly cleared; however, in the write operation (opcode 0xD3) there is a flow that updates / deletes an existing variable where this last_search_value pointer is not cleared. This leads to a situation where the dangling pointer is used in subsequent find-next operations. We were able to trigger this UAF from the guest, and confirmed (using gdb) that the dangling pointer is indeed used after free.

https://www.vmware.com/security/advisories/VMSA-2020-0015.html

ESXi EHCI qTD data leak [CVE-2020-3964]
=======================================

The EHCI USB controller processes queue element transfer descriptors (qTD), as described in section 3.5 of the EHCI specification. We found that the implementation in this case processes guest-controlled qTDs. Each descriptor has up to 5 buffer pointers that together hold the USB request block (URB):

+------------------ Queue Element Transfer Descriptor Block ------------------+
| Next qTD pointer                                          | 0       | T     |
| Alternate Next qTD Pointer                                | 0       | T     |
| Total Bytes to Transfer                | C_Page | Cerr    | Status          |
| Buffer Pointer (page 0)                                   | Current Offset  |
| Buffer Pointer (page 1)                                   | Reserved        |
| Buffer Pointer (page 2)                                   | Reserved        |
| Buffer Pointer (page 3)                                   | Reserved        |
| Buffer Pointer (page 4)                                   | Reserved        |
+-----------------------------------------------------------------------------+

The function EhciReadTDBuffer() (name identified from a log string) reads the URB contents into a heap-allocated buffer. Unfortunately, the return value of ReadBytes is not checked. A guest can cause this function to fail by passing a GPA value of zero (or, in the 64-bit addressing case, a non-canonical address >= 0x8000''). This leads to a case where an attached USB device processes a URB with uninitialized heap data.

We successfully exploited this to leak VMM heap data by sending a SCSI WRITE command to a USB mass storage device. Writes to a USB mass storage device are encoded in two qTDs: the first holds the SCSI WRITE header, and the second holds the data to be written. For example, the following operations in the guest:

$ perl -e "print 'a'x2000;" >
$ sudo dd if= of=/dev/sdb1 bs=512 count=8

result in the following qTDs:

#
# First qTD of size 0x1f:
# "USBC" signature is the CBW packet header set by
# usb_stor_Bulk_transport() in drivers/usb/storage/transport.c.
#
# 0x2A is SCSI WRITE (10) command in the CDB buffer.
# 0x08 is the transfer length in sectors (8 * 0x200 = 0x1000).
#
Thread 1 hit Breakpoint 1, in ?? ()
EhciReadTDBuffer, buffer pointer 1 = 34a89000, size = 1f
Thread 1 hit Breakpoint 2, in ?? ()
=> 0x65f38a8: 0x55 0x53 0x42 0x43 0x5f 0x03 0x00 0x00
   0x65f38b0: 0x00 0x10 0x00 0x00 0x00 0x00 0x0a 0x2a
   0x65f38b8: 0x00 0x00 0x00 0x00 0x20 0x00 0x00 0x08
   0x65f38c0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

#
# Second qTD of size 0x1000 holds the "aa" data:
#
Thread 1 hit Breakpoint 1, in ?? ()
EhciReadTDBuffer, buffer pointer 1 = 33a82000, size = 1000
Thread 1 hit Breakpoint 2, in ?? ()
=> 0x65e1728: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
   0x65e1730: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
   0x65e1738: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
   0x65e1740: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61

By failing ReadBytes() in the second qTD, we write previous heap data to the disk. We verified that VUsb_NewUrb() mallocs the URB buffer and doesn't memset the data buffer to zeros. We confirmed, by reading back the disk contents, that the hypervisor was leaking uninitialized heap data.

https://www.vmware.com/security/advisories/VMSA-2020-0015.html

ESXi XHCI OOB read access [CVE-2020-3965]
=========================================

The XHCI USB controller reads the DCBs from the guest by mapping a guest page and iterating over values in it based on a bit field value. There was insufficient validation of the bit field value: the map size may be out of sync with the loop counter. A guest can supply a size value of 0x4
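A constructed model of the find-next cursor problem described in the PVNVRAM section, added here as an example and not VMware's code: the store layout and the names var_t, store_t and store_* are hypothetical stand-ins. It shows the defensive shape of the fix: every write/delete path drops the raw last_search pointer before anything is freed, and find-next refuses to trust a cursor that is no longer a member of the list.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a PVNVRAM-style variable store (added example, not
 * VMware's code). Variables live in a singly linked list and find-next keeps
 * a raw pointer to the last returned node, the pattern the advisory
 * describes. All names here are hypothetical. */
typedef struct var {
    char name[32];
    char value[64];
    struct var *next;
} var_t;

typedef struct {
    var_t *head;
    var_t *last_search;   /* find-next cursor (opcode 0xD2 in the advisory) */
} store_t;

/* Safety net for find-next: only trust the cursor if it is still a live
 * member of the list. A cursor that every mutating path clears never fails
 * this test, but it keeps a missed clear from becoming a use after free. */
static int cursor_is_live(const store_t *s) {
    for (const var_t *v = s->head; v; v = v->next)
        if (v == s->last_search) return 1;
    return 0;
}

/* find-next: returns the name after the cursor, or the first variable when
 * there is no cursor; returns NULL (and rewinds) at the end of the store. */
const char *store_find_next(store_t *s) {
    var_t *next;
    if (s->last_search == NULL || !cursor_is_live(s))
        next = s->head;                       /* (re)start the enumeration */
    else
        next = s->last_search->next;
    s->last_search = next;
    return next ? next->name : NULL;
}

/* write (opcode 0xD3 in the advisory): an empty value deletes the variable,
 * otherwise it is created or updated in place. The vulnerable flow was the
 * update/delete branch leaving last_search alone; here every branch that
 * changes the store clears the cursor before anything is freed. */
int store_write(store_t *s, const char *name, const char *value) {
    var_t **pp = &s->head;
    while (*pp && strcmp((*pp)->name, name) != 0)
        pp = &(*pp)->next;

    if (value == NULL || value[0] == '\0') {      /* delete */
        if (*pp == NULL) return -1;
        var_t *dead = *pp;
        *pp = dead->next;
        s->last_search = NULL;  /* the fix: no dangling cursor survives the free */
        free(dead);
        return 0;
    }
    if (*pp != NULL) {                            /* update existing */
        s->last_search = NULL;
        snprintf((*pp)->value, sizeof((*pp)->value), "%s", value);
        return 0;
    }
    var_t *v = calloc(1, sizeof(*v));             /* create, appended at tail */
    if (v == NULL) return -1;
    snprintf(v->name, sizeof(v->name), "%s", name);
    snprintf(v->value, sizeof(v->value), "%s", value);
    *pp = v;
    s->last_search = NULL;
    return 0;
}

void store_free(store_t *s) {
    while (s->head) { var_t *d = s->head; s->head = d->next; free(d); }
    s->last_search = NULL;
}

/* Replays the advisory's scenario: enumerate two variables, delete the one
 * the cursor points at, keep enumerating. Returns 1 if every step behaves. */
int demo(void) {
    store_t s = { NULL, NULL };
    const char *n;
    store_write(&s, "Boot0000", "first");
    store_write(&s, "Boot0001", "second");
    store_write(&s, "BootOrder", "third");
    n = store_find_next(&s); if (!n || strcmp(n, "Boot0000") != 0) return 0;
    n = store_find_next(&s); if (!n || strcmp(n, "Boot0001") != 0) return 0;
    if (store_write(&s, "Boot0001", "") != 0) return 0;  /* delete under the cursor */
    if (s.last_search != NULL) return 0;                 /* cursor was dropped */
    n = store_find_next(&s); if (!n || strcmp(n, "Boot0000") != 0) return 0;
    n = store_find_next(&s); if (!n || strcmp(n, "BootOrder") != 0) return 0;
    if (store_find_next(&s) != NULL) return 0;           /* end of store */
    store_free(&s);
    return 1;
}

int main(void) {
    int ok = demo();
    printf("cursor invalidation %s\n", ok ? "OK" : "FAILED");
    return ok ? 0 : 1;
}
```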
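An added example (not VMware's code) modelling the EHCI qTD read path from the section above in C: read_bytes, read_td_buffer_vuln/_fixed and vmm_malloc are hypothetical stand-ins for the ReadBytes, EhciReadTDBuffer and VUsb_NewUrb functions named in the advisory, the guest page and the stale heap contents are constructed, and only the first buffer pointer is used. It shows how an unchecked read of a GPA of zero or a non-canonical address hands the device stale heap bytes, and the check that prevents it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the EHCI qTD read path (added example, not VMware's
 * code). read_bytes, read_td_buffer_vuln/_fixed and vmm_malloc are
 * hypothetical stand-ins for the ReadBytes, EhciReadTDBuffer and VUsb_NewUrb
 * functions named in the advisory; only the first buffer pointer is used. */

#define PAGE_SIZE 4096u
#define GUEST_PAGE_GPA 0x34a89000ull   /* GPA of the one constructed guest page */

/* Constructed guest page holding a CBW like the captured first qTD above:
 * "USBC" signature, 0x1000-byte transfer, 10-byte CDB, SCSI WRITE(10), 8 sectors. */
static const uint8_t guest_page[PAGE_SIZE] = {
    'U','S','B','C', 0x5f,0x03,0x00,0x00, 0x00,0x10,0x00,0x00, 0x00,0x00,0x0a,0x2a,
    0x00,0x00,0x00,0x00, 0x20,0x00,0x00,0x08, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};

/* x86-64 canonical-address check (assumes 48-bit virtual addressing):
 * bits 63..47 must all be copies of bit 47. */
static int is_canonical(uint64_t a) {
    uint64_t top = a >> 47;
    return top == 0 || top == 0x1ffff;
}

/* ReadBytes stand-in: copy len guest bytes at gpa into dst. Returns 0 on
 * success, -1 when the address is zero, non-canonical or not mapped. */
int read_bytes(uint64_t gpa, void *dst, size_t len) {
    if (gpa == 0 || !is_canonical(gpa)) return -1;
    if (gpa < GUEST_PAGE_GPA || gpa + len > GUEST_PAGE_GPA + PAGE_SIZE) return -1;
    memcpy(dst, guest_page + (gpa - GUEST_PAGE_GPA), len);
    return 0;
}

/* Minimal qTD: total byte count plus the five buffer pointers (EHCI spec 3.5). */
typedef struct { uint32_t total_bytes; uint64_t buf[5]; } qtd_t;

/* VMM heap model: a static arena whose contents stand in for whatever the
 * previous owner of the chunk left behind. Like the malloc in VUsb_NewUrb,
 * it does not clear the memory it hands out. */
static uint8_t heap_arena[PAGE_SIZE];
static uint8_t *vmm_malloc(size_t n) {
    if (n > sizeof heap_arena) return NULL;
    memset(heap_arena, 0xaa, sizeof heap_arena);        /* constructed stale data */
    memcpy(heap_arena, "STALE-VMM-HEAP-DATA", 19);
    return heap_arena;
}

/* Vulnerable flow: the read_bytes result is discarded, so when the guest
 * supplies a bad buffer pointer the device is handed stale heap contents. */
uint8_t *read_td_buffer_vuln(const qtd_t *td) {
    uint8_t *urb = vmm_malloc(td->total_bytes);
    if (urb == NULL) return NULL;
    (void)read_bytes(td->buf[0], urb, td->total_bytes);   /* return value ignored */
    return urb;
}

/* Hardened flow: start from a zeroed buffer and abort the transfer when the
 * guest memory read fails, so no uninitialized bytes reach the device. */
uint8_t *read_td_buffer_fixed(const qtd_t *td) {
    uint8_t *urb = vmm_malloc(td->total_bytes);
    if (urb == NULL) return NULL;
    memset(urb, 0, td->total_bytes);
    if (read_bytes(td->buf[0], urb, td->total_bytes) != 0)
        return NULL;   /* a real fix also frees the URB and reports the qTD error */
    return urb;
}

int main(void) {
    qtd_t good = { 0x1f,   { GUEST_PAGE_GPA, 0, 0, 0, 0 } };
    qtd_t zero = { 0x1000, { 0,              0, 0, 0, 0 } };
    uint8_t *b = read_td_buffer_vuln(&zero);
    printf("vulnerable, GPA 0: %.19s\n", (const char *)b);   /* stale heap bytes */
    printf("fixed, GPA 0: %s\n", read_td_buffer_fixed(&zero) ? "buffer" : "rejected");
    b = read_td_buffer_fixed(&good);
    printf("fixed, valid GPA: %.4s cdb[0]=0x%02x\n", (const char *)b, b[15]);
    return 0;
}
```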
[FD] APPLE-SA-2020-07-15-1 iOS 13.6 and iPadOS 13.6
APPLE-SA-2020-07-15-1 iOS 13.6 and iPadOS 13.6

iOS 13.6 and iPadOS 13.6 are now available and address the following:

Audio
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2020-9888: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab
CVE-2020-9890: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab
CVE-2020-9891: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab

Audio
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2020-9889: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab

AVEVideoEncoder
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed by removing the vulnerable code.
CVE-2020-9907: an anonymous researcher

Bluetooth
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A remote attacker may cause an unexpected application termination
Description: A denial of service issue was addressed with improved input validation.
CVE-2020-9931: Dennis Heinze (@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab

CoreFoundation
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A local user may be able to view sensitive user information
Description: An issue existed in the handling of environment variables. This issue was addressed with improved validation.
CVE-2020-9934: an anonymous researcher

Crash Reporter
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A malicious application may be able to break out of its sandbox
Description: A memory corruption issue was addressed by removing the vulnerable code.
CVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud

GeoServices
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A malicious application may be able to read sensitive location information
Description: An authorization issue was addressed with improved state management.
CVE-2020-9933: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.

iAP
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.
CVE-2020-9914: Andy Davis of NCC Group

ImageIO
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2020-9936: Mickey Jin of Trend Micro

Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2020-9923: Proteas

Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An attacker in a privileged network position may be able to inject into active connections within a VPN tunnel
Description: A routing issue was addressed with improved restrictions.
CVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. Crandall

Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2020-9909: Brandon Azad of Google Project Zero

Mail
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A remote attacker can cause a limited out-of-bounds write, resulting in a denial of service
Description: An input validation issue was addressed.
CVE-2019-19906

Messages
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later,
[FD] APPLE-SA-2020-07-15-2 macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra
APPLE-SA-2020-07-15-2 macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra

macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra are now available and address the following:

Audio
Available for: macOS Catalina 10.15.5
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2020-9884: Yu Zhou(@yuzhou) of 小鸡帮 working with Trend Micro Zero Day Initiative
CVE-2020-9889: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab

Audio
Available for: macOS Catalina 10.15.5
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2020-9888: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab
CVE-2020-9890: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab
CVE-2020-9891: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab

Clang
Available for: macOS Catalina 10.15.5
Impact: Clang may generate machine code that does not correctly enforce pointer authentication codes
Description: A logic issue was addressed with improved validation.
CVE-2020-9870: Samuel Groß of Google Project Zero

CoreAudio
Available for: macOS High Sierra 10.13.6
Impact: A buffer overflow may result in arbitrary code execution
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2020-9866: Yu Zhou of 小鸡帮 and Jundong Xie of Ant-financial Light-Year Security Lab

CoreFoundation
Available for: macOS Catalina 10.15.5
Impact: A local user may be able to view sensitive user information
Description: An issue existed in the handling of environment variables. This issue was addressed with improved validation.
CVE-2020-9934: an anonymous researcher

Crash Reporter
Available for: macOS Catalina 10.15.5
Impact: A malicious application may be able to break out of its sandbox
Description: A memory corruption issue was addressed by removing the vulnerable code.
CVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud

Graphics Drivers
Available for: macOS Catalina 10.15.5
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2020-9799: ABC Research s.r.o.

Heimdal
Available for: macOS Catalina 10.15.5
Impact: A local user may be able to leak sensitive user information
Description: This issue was addressed with improved data protection.
CVE-2020-9913: Cody Thomas of SpecterOps

ImageIO
Available for: macOS Catalina 10.15.5
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2020-9936: Mickey Jin of Trend Micro

Kernel
Available for: macOS Catalina 10.15.5
Impact: An attacker in a privileged network position may be able to inject into active connections within a VPN tunnel
Description: A routing issue was addressed with improved restrictions.
CVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. Crandall

Mail
Available for: macOS Catalina 10.15.5
Impact: A remote attacker can cause a limited out-of-bounds write, resulting in a denial of service
Description: An input validation issue was addressed.
CVE-2019-19906

Messages
Available for: macOS Catalina 10.15.5
Impact: A user that is removed from an iMessage group could rejoin the group
Description: An issue existed in the handling of iMessage tapbacks. The issue was resolved with additional verification.
CVE-2020-9885: an anonymous researcher, Suryansh Mansharamani, of WWP High School North (medium.com/@suryanshmansha)

Model I/O
Available for: macOS Catalina 10.15.5
Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2020-9878: Holger Fuhrmannek of Deutsche Telekom Security

Security
Available for: macOS Catalina 10.15.5
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9864: Alexander Holodny

Vim
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: A remote attacker may be able to cause arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2019-20807: Guilherme de Almeida Suckevicz

Wi-Fi
Available for: macOS Catalina 10.15.5
Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2020-9918: Jianjun Dai of 360 Alpha Lab working with 360
[FD] APPLE-SA-2020-07-15-3 tvOS 13.4.8
APPLE-SA-2020-07-15-3 tvOS 13.4.8

tvOS 13.4.8 is now available and addresses the following:

Audio
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2020-9889: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab

Audio
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2020-9888: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab
CVE-2020-9890: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab
CVE-2020-9891: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab

AVEVideoEncoder
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed by removing the vulnerable code.
CVE-2020-9907: an anonymous researcher

Crash Reporter
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to break out of its sandbox
Description: A memory corruption issue was addressed by removing the vulnerable code.
CVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud

GeoServices
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to read sensitive location information
Description: An authorization issue was addressed with improved state management.
CVE-2020-9933: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.

iAP
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.
CVE-2020-9914: Andy Davis of NCC Group

ImageIO
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2020-9936: Mickey Jin of Trend Micro

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker in a privileged network position may be able to inject into active connections within a VPN tunnel
Description: A routing issue was addressed with improved restrictions.
CVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. Crandall

Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2020-9909: Brandon Azad of Google Project Zero

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.
CVE-2020-9915: an anonymous researcher

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue was addressed with improved state management.
CVE-2020-9925: an anonymous researcher

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative
CVE-2020-9895: Wen Xu of SSLab, Georgia Tech

WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
Description: Multiple issues were addressed with improved logic.
CVE-2020-9910: Samuel Groß of Google Project Zero

WebKit Page Loading
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious attacker may be able to conceal the destination of a URL
Description: A URL Unicode encoding issue was addressed with improved state management.
CVE-2020-9916: Rakesh Mane (@RakeshMane10)

WebKit Web Inspector
Available for: Apple TV 4K and Apple TV HD
Impact: Copying a URL from Web Inspector may lead to command injection
Description: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.
CVE-2020-9862:
[FD] APPLE-SA-2020-07-15-4 watchOS 6.2.8
APPLE-SA-2020-07-15-4 watchOS 6.2.8

watchOS 6.2.8 is now available and addresses the following:

Audio
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2020-9889: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab

Audio
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2020-9888: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab
CVE-2020-9890: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab
CVE-2020-9891: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab

Crash Reporter
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to break out of its sandbox
Description: A memory corruption issue was addressed by removing the vulnerable code.
CVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud

GeoServices
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to read sensitive location information
Description: An authorization issue was addressed with improved state management.
CVE-2020-9933: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.

ImageIO
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2020-9936: Mickey Jin of Trend Micro

Kernel
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2020-9923: Proteas

Kernel
Available for: Apple Watch Series 1 and later
Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2020-9909: Brandon Azad of Google Project Zero

Messages
Available for: Apple Watch Series 1 and later
Impact: A user that is removed from an iMessage group could rejoin the group
Description: An issue existed in the handling of iMessage tapbacks. The issue was resolved with additional verification.
CVE-2020-9885: an anonymous researcher, Suryansh Mansharamani, of WWP High School North (medium.com/@suryanshmansha)

WebKit
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative

WebKit
Available for: Apple Watch Series 1 and later
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.
CVE-2020-9915: an anonymous researcher

WebKit
Available for: Apple Watch Series 1 and later
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue was addressed with improved state management.
CVE-2020-9925: an anonymous researcher

WebKit
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative
CVE-2020-9895: Wen Xu of SSLab, Georgia Tech

WebKit
Available for: Apple Watch Series 1 and later
Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
Description: Multiple issues were addressed with improved logic.
CVE-2020-9910: Samuel Groß of Google Project Zero

WebKit Page Loading
Available for: Apple Watch Series 1 and later
Impact: A malicious attacker may be able to conceal the destination of a URL
Description: A URL Unicode encoding issue was addressed with improved state management.
CVE-2020-9916: Rakesh Mane (@RakeshMane10)

WebKit Web Inspector
Available for: Apple Watch Series 1 and later
Impact: Copying a URL from Web Inspector may lead to command injection
Description: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.
CVE-2020-9862: Ophir Lojkine (@lovasoa)

Wi-Fi
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory
Description: An out-of-bounds r
[FD] APPLE-SA-2020-07-15-5 Safari 13.1.2
APPLE-SA-2020-07-15-5 Safari 13.1.2

Safari 13.1.2 is now available and addresses the following:

Safari Downloads
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A malicious attacker may be able to change the origin of a frame for a download in Safari Reader mode
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9912: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)

Safari Login AutoFill
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A malicious attacker may cause Safari to suggest a password for the wrong domain
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9903: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)

Safari Reader
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: An issue in Safari Reader mode may allow a remote attacker to bypass the Same Origin Policy
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9911: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.
CVE-2020-9915: an anonymous researcher

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue was addressed with improved state management.
CVE-2020-9925: an anonymous researcher

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative
CVE-2020-9895: Wen Xu of SSLab, Georgia Tech

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
Description: Multiple issues were addressed with improved logic.
CVE-2020-9910: Samuel Groß of Google Project Zero

WebKit Page Loading
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A malicious attacker may be able to conceal the destination of a URL
Description: A URL Unicode encoding issue was addressed with improved state management.
CVE-2020-9916: Rakesh Mane (@RakeshMane10)

WebKit Web Inspector
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Copying a URL from Web Inspector may lead to command injection
Description: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.
CVE-2020-9862: Ophir Lojkine (@lovasoa)

Installation note:
Safari 13.1.2 may be obtained from the Mac App Store.
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] SEC Consult SA-20200717-0 :: Multiple Vulnerabilities in WonderCMS
SEC Consult Vulnerability Lab Security Advisory < 20200717-0 >
=======================================================================
              title: Multiple Vulnerabilities
            product: WonderCMS
 vulnerable version: <=3.1.0
      fixed version: -
         CVE number: -
             impact: High
           homepage: https://www.wondercms.com/
              found: 2020-04-30
                 by: Calvin Phang (Office Singapore)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"WonderCMS is a free simple website builder. Aimed to be extremely easy to install (1 step), light and simple to use. It's an open source flat file CMS (Content Management System), built with PHP and developed since 2008."

Source: https://www.wondercms.com/

Business recommendation:
------------------------
The vendor did not respond to our communication attempts, hence no patch is available.

An in-depth security analysis performed by security professionals is highly advised, as the software may be affected by further security issues.

Vulnerability overview/description:
-----------------------------------
1. Stored Cross Site Scripting via Filename (Authenticated user)
This vulnerability allows an authenticated user (admin) to upload files with a malicious client-side script as the filename. It will be executed in the browser of a user if he visits the manipulated URL.

2. Directory Traversal (Authenticated user)
This vulnerability allows an authenticated user (admin) to delete arbitrary files via directory traversal on the operating system with the access rights of the web server.

3. Upload of arbitrary files (Authenticated user)
It was identified that an authenticated user (admin) can bypass file type checks and upload malicious files. In this specific case, arbitrary server-side PHP code such as web shells can be uploaded. As a result, the attacker can run arbitrary code on the server side with the privileges of the web server. This could lead to a full system compromise.

Proof of concept:
-----------------
1. Stored Cross Site Scripting via Filename (Authenticated user)
[ PoC has been removed as no patch is available and the vendor is unresponsive ]

2. Directory Traversal (Authenticated user)
[ PoC has been removed as no patch is available and the vendor is unresponsive ]

3. Upload of arbitrary files (Authenticated user)
[ PoC has been removed as no patch is available and the vendor is unresponsive ]

Vulnerable / tested versions:
-----------------------------
WonderCMS version 3.0.7 has been tested, which was the latest version available at the time of the test. Previous versions may also be affected.

On 18-05-2020, the vendor released a newer version 3.1.0. However, the latest version is still vulnerable to the above vulnerabilities.

Vendor contact timeline:
------------------------
2020-05-06: Contacting vendor through rep...@wondercms.com; no response
2020-05-13: Follow-up with vendor; no response
2020-05-21: Follow-up with vendor; no response
2020-06-02: Follow-up with vendor; no response
2020-06-19: Follow-up with vendor; no response
2020-06-30: Tested the vulnerabilities in the latest version (3.1.0) that is available on the vendor's webpage, still affected.
2020-07-17: Public release of security advisory

Solution:
---------
The vendor did not respond to our communication attempts, hence no patch is available.

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult