Vulnerabilities > CVE-2019-8647 - Use After Free vulnerability in Apple Tvos

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
apple
CWE-416
critical
nessus
exploit available
NVD
Published: 2019-12-18
Updated: 2019-12-19

Summary

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 12.4, tvOS 12.4, watchOS 5.3. A remote attacker may be able to cause arbitrary code execution.

Vulnerable Configurations

Part Description Count
OS
Apple
298

Common Weakness Enumeration (CWE)

Exploit-Db

idEDB-ID:47192
last seen2019-07-30
modified2019-07-30
published2019-07-30
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/47192
titleiMessage - NSArray Deserialization can Invoke Subclass that does not Retain References

Nessus

NASL familyMisc.
NASL idAPPLETV_12_4.NASL
descriptionAccording to its banner, the version of Apple TV on the remote device is prior to 12.4. It is therefore affected by multiple vulnerabilities as described in HT210351.
last seen2020-06-01
modified2020-06-02
plugin id127048
published2019-07-26
reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/127048
titleApple TV < 12.4 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(127048);
  script_version("1.4");
  script_cvs_date("Date: 2020/01/03");

  script_cve_id(
    "CVE-2018-16860",
    "CVE-2019-8641",
    "CVE-2019-8644",
    "CVE-2019-8646",
    "CVE-2019-8647",
    "CVE-2019-8649",
    "CVE-2019-8657",
    "CVE-2019-8658",
    "CVE-2019-8660",
    "CVE-2019-8662",
    "CVE-2019-8666",
    "CVE-2019-8669",
    "CVE-2019-8671",
    "CVE-2019-8672",
    "CVE-2019-8673",
    "CVE-2019-8676",
    "CVE-2019-8677",
    "CVE-2019-8678",
    "CVE-2019-8679",
    "CVE-2019-8680",
    "CVE-2019-8681",
    "CVE-2019-8683",
    "CVE-2019-8684",
    "CVE-2019-8685",
    "CVE-2019-8686",
    "CVE-2019-8687",
    "CVE-2019-8688",
    "CVE-2019-8689",
    "CVE-2019-8690",
    "CVE-2019-8698",
    "CVE-2019-13118"
  );
  script_xref(name:"APPLE-SA", value:"HT210351");
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2019-07-17");

  script_name(english:"Apple TV < 12.4 Multiple Vulnerabilities");
  script_summary(english:"Checks the build number");

  script_set_attribute(attribute:"synopsis", value:
"The remote Apple TV device is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of Apple TV on the remote
device is prior to 12.4. It is therefore affected by multiple
vulnerabilities as described in HT210351.");
  script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT210351");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apple TV version 12.4 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8689");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/07/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:apple_tv");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("appletv_version.nasl");
  script_require_keys("AppleTV/Version", "AppleTV/Model", "AppleTV/URL", "AppleTV/Port");
  script_require_ports("Services/www", 7000);

  exit(0);
}

include('audit.inc');
include('appletv_func.inc');

url = get_kb_item('AppleTV/URL');
if (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');
port = get_kb_item('AppleTV/Port');
if (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');
build = get_kb_item('AppleTV/Version');
if (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');
model = get_kb_item('AppleTV/Model');
if (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');

fixed_build = '16M568';
tvos_ver = '12.4';

# determine gen from the model
gen = APPLETV_MODEL_GEN[model];

appletv_check_version(
  build          : build,
  fix            : fixed_build,
  affected_gen   : make_list(4, 5),
  fix_tvos_ver   : tvos_ver,
  model          : model,
  gen            : gen,
  port           : port,
  url            : url,
  severity       : SECURITY_HOLE
);

The Hacker News

idTHN:41F66983564CEDB5C54CCEB8BE4F793F
last seen2019-07-30
modified2019-07-30
published2019-07-30
reporterThe Hacker News
sourcehttps://thehackernews.com/2019/07/apple-ios-vulnerabilities.html
titleGoogle Researchers Disclose PoCs for 4 Remotely Exploitable iOS Flaws

References