Vulnerabilities > CVE-2019-8648 - Out-of-bounds Write vulnerability in Apple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3. A remote attacker may be able to cause arbitrary code execution.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family MacOS X Local Security Checks NASL id MACOS_10_14_6.NASL description The remote host is running a version of macOS / Mac OS X that is 10.14.x prior to 10.14.6. It is, therefore, affected by multiple vulnerabilities : - An application may be able to read restricted memory (CVE-2019-8691, CVE-2019-8692, CVE-2019-8693) - Extracting a zip file containing a symbolic link to an endpoint in an NFS mount that is attacker controlled may bypass Gatekeeper (CVE-2019-8656) - A remote attacker may be able to cause arbitrary code execution (CVE-2019-8648, CVE-2018-19860, CVE-2019-8661) - A remote attacker may be able to leak memory (CVE-2019-8646, CVE-2019-8663) - A remote attacker may be able to cause unexpected application termination or arbitrary code execution (CVE-2019-8641, CVE-2019-8660) - An application may be able to execute arbitrary code with system privileges (CVE-2019-8695, CVE-2019-8697) - An issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services (CVE-2018-16860) - An application may be able to execute arbitrary code with kernel privileges (CVE-2019-8694) - A remote attacker may be able to view sensitive information (CVE-2019-13118) - An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary (CVE-2019-8662) - Visiting a malicious website may lead to address bar spoofing (CVE-2019-8670) - The encryption status of a Time Machine backup may be incorrect (CVE-2019-8667) - Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution (CVE-2019-8657) - Processing maliciously crafted web content may lead to universal cross site scripting (CVE-2019-8690, CVE-2019-8649, CVE-2019-8658) - Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689) Note that Nessus has not tested for this issue but has instead relied only on the operating system last seen 2020-06-01 modified 2020-06-02 plugin id 127054 published 2019-07-26 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127054 title macOS 10.14.x < 10.14.6 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(127054); script_version("1.5"); script_cvs_date("Date: 2020/01/03"); script_cve_id( "CVE-2018-16860", "CVE-2018-19860", "CVE-2019-8641", "CVE-2019-8644", "CVE-2019-8646", "CVE-2019-8648", "CVE-2019-8649", "CVE-2019-8656", "CVE-2019-8657", "CVE-2019-8658", "CVE-2019-8660", "CVE-2019-8661", "CVE-2019-8662", "CVE-2019-8663", "CVE-2019-8666", "CVE-2019-8667", "CVE-2019-8669", "CVE-2019-8670", "CVE-2019-8671", "CVE-2019-8672", "CVE-2019-8673", "CVE-2019-8676", "CVE-2019-8677", "CVE-2019-8678", "CVE-2019-8679", "CVE-2019-8680", "CVE-2019-8681", "CVE-2019-8683", "CVE-2019-8684", "CVE-2019-8685", "CVE-2019-8686", "CVE-2019-8687", "CVE-2019-8688", "CVE-2019-8689", "CVE-2019-8690", "CVE-2019-8691", "CVE-2019-8692", "CVE-2019-8693", "CVE-2019-8694", "CVE-2019-8695", "CVE-2019-8697", "CVE-2019-13118" ); script_xref(name:"APPLE-SA", value:"HT210348"); script_xref(name:"APPLE-SA", value:"APPLE-SA-2019-07-17"); script_name(english:"macOS 10.14.x < 10.14.6 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Mac OS X / macOS."); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a macOS update that fixes multiple vulnerabilities"); script_set_attribute(attribute:"description", value: "The remote host is running a version of macOS / Mac OS X that is 10.14.x prior to 10.14.6. It is, therefore, affected by multiple vulnerabilities : - An application may be able to read restricted memory (CVE-2019-8691, CVE-2019-8692, CVE-2019-8693) - Extracting a zip file containing a symbolic link to an endpoint in an NFS mount that is attacker controlled may bypass Gatekeeper (CVE-2019-8656) - A remote attacker may be able to cause arbitrary code execution (CVE-2019-8648, CVE-2018-19860, CVE-2019-8661) - A remote attacker may be able to leak memory (CVE-2019-8646, CVE-2019-8663) - A remote attacker may be able to cause unexpected application termination or arbitrary code execution (CVE-2019-8641, CVE-2019-8660) - An application may be able to execute arbitrary code with system privileges (CVE-2019-8695, CVE-2019-8697) - An issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services (CVE-2018-16860) - An application may be able to execute arbitrary code with kernel privileges (CVE-2019-8694) - A remote attacker may be able to view sensitive information (CVE-2019-13118) - An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary (CVE-2019-8662) - Visiting a malicious website may lead to address bar spoofing (CVE-2019-8670) - The encryption status of a Time Machine backup may be incorrect (CVE-2019-8667) - Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution (CVE-2019-8657) - Processing maliciously crafted web content may lead to universal cross site scripting (CVE-2019-8690, CVE-2019-8649, CVE-2019-8658) - Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689) Note that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT210348"); script_set_attribute(attribute:"solution", value: "Upgrade to macOS version 10.14.6 or later"); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8695"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/07"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/26"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:macos"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl"); script_require_ports("Host/MacOSX/Version", "Host/OS"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); fix = "10.14.6"; minver = "10.14"; os = get_kb_item("Host/MacOSX/Version"); if (!os) { os = get_kb_item_or_exit("Host/OS"); if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "macOS / Mac OS X"); c = get_kb_item("Host/OS/Confidence"); if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence."); } if (!os) audit(AUDIT_OS_NOT, "macOS / Mac OS X"); matches = pregmatch(pattern:"Mac OS X ([0-9]+(\.[0-9]+)+)", string:os); if (empty_or_null(matches)) exit(1, "Failed to parse the macOS / Mac OS X version ('" + os + "')."); version = matches[1]; if (ver_compare(ver:version, minver:minver, fix:fix, strict:FALSE) == -1) { security_report_v4( port:0, severity:SECURITY_HOLE, extra: '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n' ); } else audit(AUDIT_INST_VER_NOT_VULN, "macOS / Mac OS X", version);NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2019-004.NASL description The remote host is running Mac OS X 10.12.6 or Mac OS X 10.13.6 and is missing a security update. It is, therefore, affected by multiple vulnerabilities : - An application may be able to read restricted memory (CVE-2019-8691, CVE-2019-8692, CVE-2019-8693) - Extracting a zip file containing a symbolic link to an endpoint in an NFS mount that is attacker controlled may bypass Gatekeeper (CVE-2019-8656) - A remote attacker may be able to cause arbitrary code execution (CVE-2019-8648, CVE-2018-19860, CVE-2019-8661) - A remote attacker may be able to leak memory (CVE-2019-8646, CVE-2019-8663) - A remote attacker may be able to cause unexpected application termination or arbitrary code execution ( CVE-2019-8641, CVE-2019-8660) - An application may be able to execute arbitrary code with system privileges (CVE-2019-8695, CVE-2019-8697) - An issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services (CVE-2018-16860) - An application may be able to execute arbitrary code with kernel privileges (CVE-2019-8694) - A remote attacker may be able to view sensitive information (CVE-2019-13118) - An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary (CVE-2019-8662) - Visiting a malicious website may lead to address bar spoofing (CVE-2019-8670) - The encryption status of a Time Machine backup may be incorrect (CVE-2019-8667) - Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution (CVE-2019-8657) - Processing maliciously crafted web content may lead to universal cross site scripting (CVE-2019-8649, CVE-2019-8658, CVE-2019-8690) - Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689) Note that Nessus has not tested for this issue but has instead relied only on the operating system last seen 2020-06-01 modified 2020-06-02 plugin id 127055 published 2019-07-26 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127055 title macOS Sierra / High Sierra Multiple Vulnerabilities (Security Update 2019-004) code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(127055); script_version("1.6"); script_cvs_date("Date: 2020/01/03"); script_cve_id( "CVE-2018-16860", "CVE-2018-19860", "CVE-2019-8641", "CVE-2019-8644", "CVE-2019-8646", "CVE-2019-8648", "CVE-2019-8649", "CVE-2019-8656", "CVE-2019-8657", "CVE-2019-8658", "CVE-2019-8660", "CVE-2019-8661", "CVE-2019-8662", "CVE-2019-8663", "CVE-2019-8666", "CVE-2019-8667", "CVE-2019-8669", "CVE-2019-8670", "CVE-2019-8671", "CVE-2019-8672", "CVE-2019-8673", "CVE-2019-8676", "CVE-2019-8677", "CVE-2019-8678", "CVE-2019-8679", "CVE-2019-8680", "CVE-2019-8681", "CVE-2019-8683", "CVE-2019-8684", "CVE-2019-8685", "CVE-2019-8686", "CVE-2019-8687", "CVE-2019-8688", "CVE-2019-8689", "CVE-2019-8690", "CVE-2019-8691", "CVE-2019-8692", "CVE-2019-8693", "CVE-2019-8694", "CVE-2019-8695", "CVE-2019-8697", "CVE-2019-13118" ); script_xref(name:"APPLE-SA", value:"HT210348"); script_xref(name:"APPLE-SA", value:"APPLE-SA-2019-07-17"); script_name(english:"macOS Sierra / High Sierra Multiple Vulnerabilities (Security Update 2019-004)"); script_summary(english:"Checks the presence of Security Update 2019-004."); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a macOS or Mac OS X security update that fixes multiple vulnerabilities"); script_set_attribute(attribute:"description", value: "The remote host is running Mac OS X 10.12.6 or Mac OS X 10.13.6 and is missing a security update. It is, therefore, affected by multiple vulnerabilities : - An application may be able to read restricted memory (CVE-2019-8691, CVE-2019-8692, CVE-2019-8693) - Extracting a zip file containing a symbolic link to an endpoint in an NFS mount that is attacker controlled may bypass Gatekeeper (CVE-2019-8656) - A remote attacker may be able to cause arbitrary code execution (CVE-2019-8648, CVE-2018-19860, CVE-2019-8661) - A remote attacker may be able to leak memory (CVE-2019-8646, CVE-2019-8663) - A remote attacker may be able to cause unexpected application termination or arbitrary code execution ( CVE-2019-8641, CVE-2019-8660) - An application may be able to execute arbitrary code with system privileges (CVE-2019-8695, CVE-2019-8697) - An issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services (CVE-2018-16860) - An application may be able to execute arbitrary code with kernel privileges (CVE-2019-8694) - A remote attacker may be able to view sensitive information (CVE-2019-13118) - An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary (CVE-2019-8662) - Visiting a malicious website may lead to address bar spoofing (CVE-2019-8670) - The encryption status of a Time Machine backup may be incorrect (CVE-2019-8667) - Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution (CVE-2019-8657) - Processing maliciously crafted web content may lead to universal cross site scripting (CVE-2019-8649, CVE-2019-8658, CVE-2019-8690) - Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689) Note that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT210348"); script_set_attribute(attribute:"solution", value: "Install Security Update 2019-004 or later for 10.12.x or 10.13.x."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8695"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/07"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/26"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:macos"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_ports("Host/local_checks_enabled", "Host/MacOSX/Version", "Host/MacOSX/packages/boms"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # Compare 2 patch numbers to determine if patch requirements are satisfied. # Return true if this patch or a later patch is applied # Return false otherwise function check_patch(year, number) { local_var p_split = split(patch, sep:"-"); local_var p_year = int( p_split[0]); local_var p_num = int( p_split[1]); if (year > p_year) return TRUE; else if (year < p_year) return FALSE; else if (number >= p_num) return TRUE; else return FALSE; } get_kb_item_or_exit("Host/local_checks_enabled"); os = get_kb_item_or_exit("Host/MacOSX/Version"); if (!preg(pattern:"Mac OS X 10\.1[2-3]\.", string:os)) audit(AUDIT_OS_NOT, "Mac OS X 10.12.x / 10.13.x"); patch = '2019-004'; packages = get_kb_item_or_exit('Host/MacOSX/packages/boms', exit_code:1); sec_boms_report = pgrep( pattern:"^com\.apple\.pkg\.update\.(security\.|os\.SecUpd).*bom$", string:packages ); sec_boms = split(sec_boms_report, sep:'\n'); foreach package (sec_boms) { # Grab patch year and number matches = pregmatch(pattern:"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]", string:package); if (empty_or_null(matches)) continue; if (empty_or_null(matches[1]) || empty_or_null(matches[2])) continue; patch_found = check_patch(year:int(matches[1]), number:int(matches[2])); if (patch_found) exit(0, 'The host has Security Update ' + patch + ' or later installed and is therefore not affected.'); } report = '\n Missing security update : ' + patch; report += '\n Installed security BOMs : '; if (sec_boms_report) report += str_replace(find:'\n', replace:'\n ', string:sec_boms_report); else report += 'n/a'; report += '\n'; security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);