Apple Security Advisory 2021-12-15-6 - watchOS 8.3 addresses buffer overflow, bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2021-12-15-6 watchOS 8.3

watchOS 8.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212975.

Audio
Available for: Apple Watch Series 3 and later
Impact: Parsing a maliciously crafted audio file may lead to
disclosure of user information
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30960: JunDong Xie of Ant Security Light-Year Lab

CFNetwork Proxies
Available for: Apple Watch Series 3 and later
Impact: User traffic might unexpectedly be leaked to a proxy server
despite PAC configurations
Description: A logic issue was addressed with improved state
management.
CVE-2021-30966: Michal Rajcan of Jamf, Matt Vlasach of Jamf (Wandera)

ColorSync
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A memory corruption issue in the processing of ICC
profiles was addressed with improved input validation.
CVE-2021-30926: Jeremy Brown
CVE-2021-30942: Mateusz Jurczyk of Google Project Zero

CoreAudio
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30957: JunDong Xie of Ant Security Light-Year Lab

CoreAudio
Available for: Apple Watch Series 3 and later
Impact: Playing a malicious audio file may lead to arbitrary code
execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-30958: JunDong Xie of Ant Security Light-Year Lab

Crash Reporter
Available for: Apple Watch Series 3 and later
Impact: A local attacker may be able to elevate their privileges
Description: This issue was addressed with improved checks.
CVE-2021-30945: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)
of Tencent Security Xuanwu Lab (xlab.tencent.com)

ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30939: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab, Mickey Jin (@patch1t) of Trend Micro

Kernel
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2021-30916: Zweig of Kunlun Lab

Kernel
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2021-30937: Sergei Glazunov of Google Project Zero

Kernel
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-30927: Xinru Chi of Pangu Lab
CVE-2021-30980: Xinru Chi of Pangu Lab

Kernel
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2021-30949: Ian Beer of Google Project Zero

Kernel
Available for: Apple Watch Series 3 and later
Impact: An attacker in a privileged network position may be able to
execute arbitrary code
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30993: OSS-Fuzz, Ned Williamson of Google Project Zero

Kernel
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A race condition was addressed with improved state
handling.
CVE-2021-30955: Zweig of Kunlun Lab

Preferences
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to elevate privileges
Description: A race condition was addressed with improved state
handling.
CVE-2021-30995: Mickey Jin (@patch1t) of Trend Micro, Mickey Jin
(@patch1t)

Sandbox
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to bypass certain Privacy
preferences
Description: A validation issue related to hard link behavior was
addressed with improved sandbox restrictions.
CVE-2021-30968: Csaba Fitzl (@theevilbit) of Offensive Security

Sandbox
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to bypass certain Privacy
preferences
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30946: @gorelics

Sandbox
Available for: Apple Watch Series 3 and later
Impact: An application may be able to access a user's files
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2021-30947: Csaba Fitzl (@theevilbit) of Offensive Security

TCC
Available for: Apple Watch Series 3 and later
Impact: A local user may be able to modify protected parts of the
file system
Description: A logic issue was addressed with improved state
management.
CVE-2021-30767: @gorelics

TCC
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to bypass Privacy
preferences
Description: An inherited permissions issue was addressed with
additional restrictions.
CVE-2021-30964: Andy Grant of Zoom Video Communications

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30934: Dani Biro

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-30936: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua
wingtecher lab
CVE-2021-30951: Pangu

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: An integer overflow was addressed with improved input
validation.
CVE-2021-30952: WeBin

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A race condition was addressed with improved state
handling.
CVE-2021-30984: Kunlun Lab

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30953: VRIJ

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2021-30954: Kunlun Lab

Additional recognition

Bluetooth
We would like to acknowledge Haram Park, Korea University for their
assistance.

ColorSync
We would like to acknowledge Mateusz Jurczyk of Google Project Zero
for their assistance.

Contacts
We would like to acknowledge Minchan Park (03stin) for their
assistance.

Kernel
We would like to acknowledge Amit Klein of Bar-Ilan University's
Center for Research in Applied Cryptography and Cyber Security for
their assistance.

WebKit
We would like to acknowledge Peter Snyder of Brave and Soroush Karami
for their assistance.

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/