Apple Watch Series 3: CVSS (Max): 5.5*

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3563
                                watchOS 8.7
                               21 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple Watch Series 3
Publisher:         Apple
Operating System:  Apple iOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-32857 CVE-2022-32847 CVE-2022-32845
                   CVE-2022-32844 CVE-2022-32841 CVE-2022-32840
                   CVE-2022-32839 CVE-2022-32832 CVE-2022-32826
                   CVE-2022-32825 CVE-2022-32824 CVE-2022-32823
                   CVE-2022-32821 CVE-2022-32820 CVE-2022-32819
                   CVE-2022-32817 CVE-2022-32816 CVE-2022-32815
                   CVE-2022-32814 CVE-2022-32813 CVE-2022-32810
                   CVE-2022-32793 CVE-2022-32792 CVE-2022-32788
                   CVE-2022-32787 CVE-2022-26981 

Original Bulletin: 
   https://support.apple.com/HT213340

Comment: CVSS (Max):  5.5* CVE-2022-26981 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
         * Not all CVSS available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2022-07-20-6 watchOS 8.7

watchOS 8.7 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213340.

APFS
Available for: Apple Watch Series 3 and later
Impact: An app with root privileges may be able to execute arbitrary
code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleAVD
Available for: Apple Watch Series 3 and later
Impact: A remote user may be able to cause kernel code execution
Description: A buffer overflow issue was addressed with improved
bounds checking.
CVE-2022-32788: Natalie Silvanovich of Google Project Zero

AppleAVD
Available for: Apple Watch Series 3 and later
Impact: An app may be able to disclose kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2022-32824: Antonio Zekic (@antoniozekic) and John Aakerblom
(@jaakerblom)

AppleMobileFileIntegrity
Available for: Apple Watch Series 3 and later
Impact: An app may be able to gain root privileges
Description: An authorization issue was addressed with improved state
management.
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

Apple Neural Engine
Available for devices with Apple Neural Engine: Apple Watch Series 4
and later
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved checks.
CVE-2022-32845: Mohamed Ghannam (@_simo36)

Apple Neural Engine
Available for devices with Apple Neural Engine: Apple Watch Series 4
and later
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: This issue was addressed with improved checks.
CVE-2022-32840: Mohamed Ghannam (@_simo36)

Apple Neural Engine
Available for devices with Apple Neural Engine: Apple Watch Series 4
and later
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2022-32810: Mohamed Ghannam (@_simo36)

Audio
Available for: Apple Watch Series 3 and later
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: An out-of-bounds write issue was addressed with improved
input validation.
CVE-2022-32820: an anonymous researcher

Audio
Available for: Apple Watch Series 3 and later
Impact: An app may be able to disclose kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2022-32825: John Aakerblom (@jaakerblom)

CoreText
Available for: Apple Watch Series 3 and later
Impact: A remote user may cause an unexpected app termination or
arbitrary code execution
Description: The issue was addressed with improved bounds checks.
CVE-2022-32839: STAR Labs (@starlabs_sg)

File System Events
Available for: Apple Watch Series 3 and later
Impact: An app may be able to gain root privileges
Description: A logic issue was addressed with improved state
management.
CVE-2022-32819: Joshua Mason of Mandiant

GPU Drivers
Available for: Apple Watch Series 3 and later
Impact: An app may be able to disclose kernel memory
Description: Multiple out-of-bounds write issues were addressed with
improved bounds checking.
CVE-2022-32793: an anonymous researcher

GPU Drivers
Available for: Apple Watch Series 3 and later
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-32821: John Aakerblom (@jaakerblom)

ICU
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs
& DNSLab, Korea Univ.

ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may result in
disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2022-32841: hjy79425575

Kernel
Available for: Apple Watch Series 3 and later
Impact: An app with root privileges may be able to execute arbitrary
code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2022-32813: Xinru Chi of Pangu Lab
CVE-2022-32815: Xinru Chi of Pangu Lab

Kernel
Available for: Apple Watch Series 3 and later
Impact: An app may be able to disclose kernel memory
Description: An out-of-bounds read issue was addressed with improved
bounds checking.
CVE-2022-32817: Xinru Chi of Pangu Lab

Kernel
Available for: Apple Watch Series 3 and later
Impact: An app with arbitrary kernel read and write capability may be
able to bypass Pointer Authentication
Description: A logic issue was addressed with improved state
management.
CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)

Liblouis
Available for: Apple Watch Series 3 and later
Impact: An app may cause unexpected app termination or arbitrary code
execution
Description: This issue was addressed with improved checks.
CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China
(nipc.org.cn)

libxml2
Available for: Apple Watch Series 3 and later
Impact: An app may be able to leak sensitive user information
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2022-32823

Multi-Touch
Available for: Apple Watch Series 3 and later
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: A type confusion issue was addressed with improved
checks.
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

Multi-Touch
Available for: Apple Watch Series 3 and later
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: A type confusion issue was addressed with improved state
handling.
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

Software Update
Available for: Apple Watch Series 3 and later
Impact: A user in a privileged network position can track a userâ\x{128}\x{153}s
activity
Description: This issue was addressed by using HTTPS when sending
information over the network.
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

WebKit
Available for: Apple Watch Series 3 and later
Impact: Visiting a website that frames malicious content may lead to
UI spoofing
Description: The issue was addressed with improved UI handling.
WebKit Bugzilla: 239316
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs
& DNSLab, Korea Univ.

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
input validation.
WebKit Bugzilla: 240720
CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero
Day Initiative

Wi-Fi
Available for: Apple Watch Series 3 and later
Impact: A remote user may be able to cause unexpected system
termination or corrupt kernel memory
Description: This issue was addressed with improved checks.
CVE-2022-32847: Wang Yu of Cyberserval

Additional recognition

AppleMobileFileIntegrity
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech ReguÃ…\x{130}a
(@_r3ggi) of SecuRing for their assistance.

configd
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech ReguÃ…\x{130}a
(@_r3ggi) of SecuRing for their assistance.

Instructions on how to update your Apple Watch software are available
at https://support.apple.com/kb/HT204641  To check the version on
your Apple Watch, open the Apple Watch app on your iPhone and select
"My Watch > General > About".  Alternatively, on your watch, select
"My Watch > General > About".
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuUACgkQeC9qKD1p
rhjSsg//XnukSPtKHk58IOSkcWaTk0WdrYv2+dGbdgkcPBgO2ehNQqk1xI3LDHLN
b6A5MMaoR4ityTEC+i4XFWxVJNfzXFa1SHMiht1uJDtaNCc2F+VIP+EZJx2KYe7H
O8F0g9lF33hQE3xDjrwtPe+7wYjfzgDX8iCbsfaNDPAWBq0BfNA8/4bv5GzPaPC4
qcP+W9IRb11yAzlnCEgJNhMB0SLwtzpcUYLKcJbPdilABeYe08CLIIVAw2vKI1Kk
J7sk/ZiGKnB1ZHa+fl17ahApKkLePnFtHR9rMseEpyRbPa7EvomZxUQoLvbaDf+Q
gRqtysAw8oxfhetorvDFwAem3eCRdgJ/T/0U6jC+4dfHzVnGxV27K/PgF3GWRDU5
trPVZ0cu8qdzgNAwSuRHTxTg923FN7cR14NL66TkGZ1d/VKfn1l0h1wctoPOhHPR
zWJi5P8WbprG1XVWNx+aJYW09VIMsujJrrGQSn78o6gXOR2salEDiCs2JixKZnqK
CV4+uGQIiE8bD0oA1B1uFQiPx3XtgOY92QQl8Jnn/7Xa6QQ0hq/3NmDN66RzO78S
I4pH4Vt/L0LNoArGMCrO4URpLiQx5Au0niH5+jbvHyWr1Bm3Y+dMRP1yds3aLQ0Q
16FIrWStzY+cnmOXQKczTIiaJYuSMjCOQicLuWx/q2ghfLCJ16E=
=6Uj+
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYtj6T8kNZI30y1K9AQhF1A/+JvSQ81JC1VbjIHsIi5YMvFICDhR6AjDv
CCcd9YyXLsXz91M//7JdvSpyIRW4bjdt4p5tWgTEMBDE0GKWhEGCqAXhxQUUglOc
nfRNAtQ2sPoyUSqsVYXE9+4ktvTOIHD026Pe9qWIksY4TYTDNMWiI0gQ27a2cjY3
6xaQ0gof3uZa5YoT/RckE8qq8wFbptOPG86LNxyOWzlnjyf1jeJZI9t3Z4BLcN+d
6beDOM+VY0jO5CmGq8XFaDZ475fBzyVM3TAUQMjLKcyC5cHCGEwBYMhtuY4/XbxM
7dOCpst7B2SSHOj/kJzf2jV9PKJIREjvsgk+uy8sgiss88LXKgR4j07N7WQsscf6
1KxWUKUvnjZT5UZWkL1q1j7V7/GyzG1NVv+k8099HdhAE0i98rSXyxhdD3svnfi3
VIaRGuRpg7DfbcwBtf6qKfJYuUVBCqkyNCHsOhi0EvK7kTL3oyylPMtpuXMozvFY
K3xWxqYY/OL3q3tGMRkV0gYlS2f1G6cJZwsxXvZ7dyanVqwRJKGJumpHwIoPQ0Oq
7KAOYJzq+lN7CkRWTNu5yOBH3WEqP/Z5z3yyVawVjFlhJGNCCCOH7GWeeKv2otSB
+WIZ5bcVXrVMnXZOtst/3UIT/l6KFaxe7inEIlkXUvFklCubuWpn/2jQo4C6Xfah
iqqnoqApR68=
=77S9
-----END PGP SIGNATURE-----