Apple Updates Everything. Again.
After a rushed release of iOS 11.2 over the weekend to fix the "December 2nd crash" bug, and last week's special update to fix the passwordless root authentication bypass in macOS, Apple today released its official set of security updates. With this, we also received details about the security issues patched in iOS this weekend. Apple's different operating systems share a lot of code with each other, and as a result, they also share some vulnerabilities. I am trying to organize the details in the tables below (starting with macOS; others will be added soon).
Apple's security updates can be found here: https://support.apple.com/en-us/HT201222
Overview
Component | CVE | MacOS, OS X | iOS | tvOS | watchOS |
---|---|---|---|---|---|
Mail Drafts | CVE-2017-13860 | X | X | ||
IOKit | CVE-2017-13847 | X | X | ||
Kernel | CVE-2017-13862 | X | X | X | X |
Kernel | CVE-2017-13876 | X | X | X | X |
Kernel | CVE-2017-13867 | X | X | X | X |
Kernel | CVE-2017-13869 | X | X | X | X |
OpenSSL | CVE-2017-3735 | X | |||
Kernel | CVE-2017-13868 | X | X | X | X |
 | CVE-2017-13874 | | X | | |
Kernel | CVE-2017-13833 | X | X | X | X |
Wi-Fi | CVE-2017-13080 | X | X | X | |
Kernel | CVE-2017-13865 | X | X | X | X |
IOKit | CVE-2017-13858 | X | |||
IOAcceleratorFamily | CVE-2017-13844 | X | |||
Intel Graphics Driver | CVE-2017-13883 | X | |||
Kernel | CVE-2017-13855 | X | X | X | X |
curl | CVE-2017-1000254 | X | |||
Intel Graphics Driver | CVE-2017-13878 | X | |||
Directory Utility | CVE-2017-13872 | X | |||
Intel Graphics Driver | CVE-2017-13875 | X | |||
IOKit | CVE-2017-13848 | X | |||
 | CVE-2017-13871 | X | | | |
IOMobileFrameBuffer | CVE-2017-13879 | X | |||
apache | CVE-2017-9798 | X | |||
IOSurface | CVE-2017-13861 | X | X | X | |
Screen Sharing Server | CVE-2017-13826 | X | | | |
MacOS / OS X
Component | High Sierra | Sierra | El Capitan | Impact | Description | CVE |
---|---|---|---|---|---|---|
Apache | x | x | x | Processing a maliciously crafted Apache configuration directive may result in the disclosure of process memory | Multiple issues were addressed by updating to version 2.4.28. | CVE-2017-9798 |
cURL | x | x | x | Malicious FTP servers may be able to cause the client to read out-of-bounds memory | An out-of-bounds read issue existed in the FTP PWD response parsing. This issue was addressed with improved bounds checking. | CVE-2017-1000254 |
Directory Utility | x | | | An attacker may be able to bypass administrator authentication without supplying the administrator's password | A logic error existed in the validation of credentials. This was addressed with improved credential validation. | CVE-2017-13872 |
Intel Graphics Driver | x | | | An application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13883 |
Intel Graphics Driver | x | | | A local user may be able to cause unexpected system termination or read kernel memory | An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation. | CVE-2017-13878 |
Intel Graphics Driver | x | | | An application may be able to execute arbitrary code with system privileges | An out-of-bounds read was addressed through improved bounds checking. | CVE-2017-13875 |
IOAcceleratorFamily | x | x | x | An application may be able to execute arbitrary code with system privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13844 |
IOKit | x | | | An application may be able to execute arbitrary code with system privileges | An input validation issue existed in the kernel. This issue was addressed through improved input validation. | CVE-2017-13848, CVE-2017-13858 |
IOKit | x | x | x | An application may be able to execute arbitrary code with system privileges | Multiple memory corruption issues were addressed through improved state management. | CVE-2017-13847 |
Kernel | x | x | x | An application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13862 |
Kernel | x | x | x | An application may be able to read restricted memory | An out-of-bounds read was addressed with improved bounds checking. | CVE-2017-13833 |
Kernel | x | | | An application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13876 |
Kernel | x | x | x | An application may be able to read restricted memory | A type confusion issue was addressed with improved memory handling. | CVE-2017-13855 |
Kernel | x | x | x | A malicious application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13867 |
Kernel | x | | | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2017-13865 |
Kernel | x | x | x | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2017-13868,CVE-2017-13869 |
 | x | | | An S/MIME encrypted email may be inadvertently sent unencrypted if the receiver's S/MIME certificate is not installed | An inconsistent user interface issue was addressed with improved state management. | CVE-2017-13871 |
Mail Drafts | x | | | An attacker with a privileged network position may be able to intercept mail | An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control. | CVE-2017-13860 |
OpenSSL | x | x | x | An application may be able to read restricted memory | An out-of-bounds read issue existed in X.509 IPAddressFamily parsing. This issue was addressed with improved bounds checking. | CVE-2017-3735 |
iOS
Component | Affected Models | Impact | Description | CVE |
---|---|---|---|---|
IOKit | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | An application may be able to execute arbitrary code with system privileges | Multiple memory corruption issues were addressed through improved state management. | CVE-2017-13847 |
IOMobileFrameBuffer | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | An application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13879 |
IOSurface | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | An application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13861 |
Kernel | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | An application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13862,CVE-2017-13876 |
Kernel | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | An application may be able to read restricted memory | An out-of-bounds read was addressed with improved bounds checking. | CVE-2017-13833 |
Kernel | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | An application may be able to read restricted memory | A type confusion issue was addressed with improved memory handling. | CVE-2017-13855 |
Kernel | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | A malicious application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13867 |
Kernel | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | An application may be able to read restricted memory | Multiple validation issues were addressed with improved input sanitization. | CVE-2017-13865,CVE-2017-13868,CVE-2017-13869 |
 | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | Incorrect certificate is used for encryption | An S/MIME issue existed in the handling of encrypted email. This issue was addressed through improved selection of the encryption certificate. | CVE-2017-13874 |
Mail Drafts | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | An attacker with a privileged network position may be able to intercept mail | An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control. | CVE-2017-13860 |
Wi-Fi | iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, 12.9-inch iPad Pro 1st generation, iPad Air 2, iPad Air, iPad 5th generation, iPad mini 4, iPad mini 3, iPad mini 2, and iPod touch 6th generation (already released for iPhone 7 and later and iPad Pro 9.7-inch (early 2016) and later in iOS 11.1) | An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK) | A logic issue existed in the handling of state transitions. This was addressed with improved state management. | CVE-2017-13080 |
Apple TV
Component | Affected Models | Impact | Description | CVE |
---|---|---|---|---|
IOSurface | Apple TV 4K and Apple TV (4th generation) | An application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13861 |
Kernel | Apple TV 4K and Apple TV (4th generation) | An application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13862,CVE-2017-13876 |
Kernel | Apple TV 4K and Apple TV (4th generation) | An application may be able to read restricted memory | An out-of-bounds read was addressed with improved bounds checking. | CVE-2017-13833 |
Kernel | Apple TV 4K and Apple TV (4th generation) | An application may be able to read restricted memory | A type confusion issue was addressed with improved memory handling. | CVE-2017-13855 |
Kernel | Apple TV 4K and Apple TV (4th generation) | A malicious application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13867 |
Kernel | Apple TV 4K and Apple TV (4th generation) | An application may be able to read restricted memory | Multiple validation issues were addressed with improved input sanitization. | CVE-2017-13865,CVE-2017-13868,CVE-2017-13869 |
Wi-Fi | Apple TV (4th generation) | An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK) | A logic issue existed in the handling of state transitions. This was addressed with improved state management. | CVE-2017-13080 |
Watch OS
Component | Affected Models | Impact | Description | CVE |
---|---|---|---|---|
IOSurface | All | An application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13861 |
Kernel | All | An application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13862,CVE-2017-13876 |
Kernel | All | An application may be able to read restricted memory | An out-of-bounds read was addressed with improved bounds checking. | CVE-2017-13833 |
Kernel | All | An application may be able to read restricted memory | A type confusion issue was addressed with improved memory handling. | CVE-2017-13855 |
Kernel | All | A malicious application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2017-13867 |
Kernel | All | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2017-13865, CVE-2017-13868, CVE-2017-13869 |
Wi-Fi | 1st Gen and Series 3 | An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK) | A logic issue existed in the handling of state transitions. This was addressed with improved state management. | CVE-2017-13080 |
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
PSA: Do not Trust Reverse DNS (and why does an address resolve to "localhost").
Odd reverse DNS entries keep coming up from time to time. So I think we are due for a quick public service announcement about reverse DNS.
Reverse DNS can be a valuable way to find out more about an IP address. For example:
$ dig +short -x 73.53.237.51
c-73-53-237-51.hsd1.fl.comcast.net.
This tells me that the IP belongs to Comcast and is probably located in Florida.
$ dig +short -x 189.154.91.153
dsl-189-154-91-153-dyn.prod-infinitum.com.mx.
The "dyn" part usually indicates that this is a dynamic IP address. For example, mail servers will often mark e-mail received from such addresses as spam; spam filtering in particular often relies on reverse DNS. In order to configure reverse DNS, you typically need to be assigned an IP address block from your ISP, and the ISP needs to make your DNS server authoritative for the block by adding the respective NS (name server) records. This cannot be done for dynamic IPs and typically requires at least a /24 assignment (some ISPs allow updating reverse DNS via web applications so that small business users with /29s or individual IPs can update their reverse DNS records).
So what is the problem? Let's take a look at this IP that our reader John noted in his e-mail server logs:
$ dig +short -x 123.28.192.74
localhost.
That's right. This IP resolves to "localhost". This isn't exactly a new trick. Sometimes I think this is just done out of laziness. But the effect is that e-mail from this IP may slip past some spam filters, and it is a bit more difficult to find the actual owner of the IP. A quick sample suggests that all IPs in 123.28/16 resolve to localhost.
The problem with reverse DNS is that the owner of the IP address is in charge of reverse DNS, not the owner of the domain the IP resolves to. Anybody who has control over reverse DNS for an IP address block can make the address reverse resolve to "isc.sans.edu" (or localhost).
Some access control mechanisms use hostnames instead of IP addresses, and as a result, rely on reverse DNS for access control. This is BAD!
To trust reverse DNS, you need to at least make sure that forward and reverse DNS match. This way, both the owner of the domain and the owner of the IP address have to enter matching configurations. For example, if you add from="*.example.com" to your ssh authorized_keys file, sshd will make sure forward and reverse resolution match. Same if you try to figure out if a particular IP address But even in this case, you are still using DNS, a not very robust protocol, for security decisions. This is fine as an additional constraint, for example in addition to an ssh key, or for spam filtering, where you do not have to be perfect.
If you are using reverse DNS as part of your incident response process, then you also need to be aware that whoever operates the authoritative name server for that IP will likely learn of your requests. The attacker may be affiliated with the operator. This is mostly a concern for more sophisticated attackers, but overall it may be a good idea to at least use a more "anonymous" recursive name server like Google, OpenDNS or Quad9.
RFC 1912 actually states that every IP should have a name (and with that, a PTR record). But note it says should, not must. I believe it is a good idea to configure reverse DNS. But keep in mind that it should not leak information. I like the system that most ISPs use, which essentially uses something like [ipaddress].example.com. This way, a reverse lookup will still point to the right owner of the IP, but it will not leak any information beyond that. A "whois" lookup would give you the same information, but whois tends to be slower, more difficult to update, and more difficult to parse than DNS. The exception is a mail server, in which case you want to make sure that forward and reverse DNS match to avoid spam filter problems.
And don't forget to make sure that you sanitize and properly encode reverse DNS results before using them. They should never be treated as "trusted".
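The forward-confirmed reverse DNS check described above, combined with the sanitization step, as an added example that is not part of this diary. The resolver is injected as two callables so the sample data below (constructed for this example, including the "localhost" case from the diary) runs offline; for live use you would pass adapters around socket.gethostbyaddr and socket.getaddrinfo instead.

```python
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def sanitize_hostname(raw: str) -> Optional[str]:
    """Accept only a plain, well-formed hostname from a PTR answer; anything else
    (spaces, quotes, metacharacters) is rejected rather than escaped."""
    name = raw.rstrip(".").lower()
    if not name or len(name) > 253:
        return None
    if not all(_LABEL.match(label) for label in name.split(".")):
        return None
    return name


def fcrdns(ip: str, ptr_lookup: Callable[[str], List[str]],
           addr_lookup: Callable[[str], List[str]]) -> Tuple[Optional[str], str]:
    """Forward-confirmed reverse DNS: a PTR name is accepted only if one of its
    forward (A/AAAA) answers is the original IP. Returns (hostname_or_None, reason)."""
    addr = ipaddress.ip_address(ip)          # ValueError on malformed input
    for raw in ptr_lookup(ip):
        name = sanitize_hostname(raw)
        if name is None:
            return None, "PTR payload rejected by sanitizer: %r" % raw
        if name == "localhost" or name.endswith(".localhost"):
            return None, "PTR points at localhost"
        if addr in {ipaddress.ip_address(a) for a in addr_lookup(name)}:
            return name, "forward-confirmed"
    return None, "no PTR record or forward lookup does not match"


# Constructed sample data modelled on the diary's examples; not live DNS answers.
SAMPLE_PTR = {
    "73.53.237.51": ["c-73-53-237-51.hsd1.fl.comcast.net."],
    "123.28.192.74": ["localhost."],             # the case from the diary
    "192.0.2.10": ["mail.example.com."],         # forward record points elsewhere
    "192.0.2.11": ["bad name; rm -rf /."],       # hostile PTR payload
}
SAMPLE_A = {
    "c-73-53-237-51.hsd1.fl.comcast.net": ["73.53.237.51"],
    "mail.example.com": ["198.51.100.5"],
}


def sample_ptr(ip: str) -> List[str]:
    return SAMPLE_PTR.get(ip, [])


def sample_addr(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])
```

Only the first case yields a usable hostname; the localhost PTR, the mismatched forward record and the hostile payload are all rejected with a reason you can log.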
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute