### Impact

When source-controller is configured to use an [Azure SAS token](https://v2-2.docs.fluxcd.io/flux/components/source/buckets/#azure-blob-sas-token-example) when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.

### Patches

This vulnerability was fixed in source-controller **v1.2.5**.

### Workarounds

There is no workaround for this vulnerability except for using a different auth mechanism such as [Azure Workload Identity](https://v2-2.docs.fluxcd.io/flux/components/source/buckets/#azure). 

### Credits

This issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.

### References

https://github.com/fluxcd/source-controller/pull/1430

### For more information

If you have any questions or comments about this advisory:

- Open an issue in the source-controller repository.
- Contact us at the CNCF Flux Channel.


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-31216

**source-controller leaks Azure Storage SAS token into logs**

Moderate severity GitHub Reviewed Published May 15, 2024 in fluxcd/source-controller • Updated May 15, 2024

**Package**

gomod github.com/fluxcd/source-controller (Go)

**Affected versions**

< 1.2.5

**Impact**

When source-controller is configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.

**Patches**

This vulnerability was fixed in source-controller **v1.2.5**.

**Workarounds**

There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.

**Credits**

This issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.

**References**

fluxcd/source-controller#1430

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in the source-controller repository.
*   Contact us at the CNCF Flux Channel.

**References**

*   GHSA-v554-xwgw-hc3w
*   fluxcd/source-controller#1430
*   fluxcd/source-controller@915d1a0

Published to the GitHub Advisory Database

May 15, 2024

Last updated

May 15, 2024

GHSA-v554-xwgw-hc3w: source-controller leaks Azure Storage SAS token into logs

Cacti versions 1.2.26 and below suffer from a remote code execution execution vulnerability in import.php.

    ----------------------------------------------------------------Cacti <= 1.2.26 (import.php) Remote Code Execution Vulnerability----------------------------------------------------------------[-] Software Link:https://cacti.net[-] Affected Versions:Version 1.2.26 and prior versions.[-] Vulnerability Description:The vulnerability is located within the "import_package()" functiondefined into the /lib/import.php script. This function blindly truststhe filename and file content provided within the uploaded XML data,and writes such files into the Cacti base path (or even outside, sincePath Traversal sequences are not filtered). This can be exploited towrite or overwrite arbitrary files on the web server, leading toexecution of arbitrary PHP code or other security impacts.Successful exploitation of this vulnerability requires an user accounthaving the "Import Templates" permission.[-] Solution:Upgrade to version 1.2.27 or later.[-] Disclosure Timeline:[17/01/2024] - Vendor notified through GitHub[12/05/2024] - Version 1.2.27 released[13/05/2024] - Publication of this advisory[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org) hasassigned the name CVE-2024-25641 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Other References:https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88[-] Original Advisory:https://karmainsecurity.com/KIS-2024-04

Cacti 1.2.26 Remote Code Execution

SAP Cloud Connector versions 2.15.0 through 2.16.1 were found to happily accept self-signed TLS certificates between SCC and SAP BTP.

SEC Consult Vulnerability Lab Security Advisory < 20240513-0 >  
=======================================================================  
               title: Tolerating Self-Signed Certificates  
             product: SAP® Cloud Connector  
  vulnerable version: 2.15.0 - 2.16.1 (Portable and Installer)  
       fixed version: 2.16.2 (Portable and Installer)  
          CVE number: CVE-2024-25642  
              impact: high  
            homepage: https://www.sap.com/about.html  
               found: 2023-11-13  
                  by: Mingshuo Li (Office Munich)  
                      Fabian Hagg  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"The Cloud Connector is an optional on-premise component that is needed to  
integrate on-demand applications with customer backend services and is the  
counterpart of SAP Connectivity service."

Source: https://tools.hana.ondemand.com/#cloud

Business recommendation:  
------------------------  
SEC Consult recommends to implement the security note 3424610, where the  
documented issue is fixed in version 2.16.2 according to the vendor. We  
advise installing the correction as a matter of priority to keep  
business-critical data secured.

Source: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html

Vulnerability overview/description:  
-----------------------------------  
1) Tolerating Self-Signed Certificates (CVE-2024-25642)  
As per vendor documentation, the authentication between SCC and SAP BTP is guaranteed  
mutually:

"The tunnel itself is using TLS with strong encryption of the communication,  
and mutual authentication of both communication sides, the client side  
(Cloud Connector) and the server side (SAP BTP)."

Source: https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/inbound-connectivity#tls-tunnel

It was however discovered that the SCC trusts self-signed X.509 server certificates  
for transport security to establish outbound connections with cloud-related  
endpoints. Thus, an attacker can impersonate the genuine servers to interact  
with the SCC, hence breaking the mutual authentication promise. Our analysis shows  
furthermore that the product does not implement Certificate Pinning for the  
trusted endpoints.

The security impact of this vulnerability is rated high due to the trust put  
into self-signed certificates, SCC is unable to distinguish between genuine and  
malicious SAP BTP endpoints, rendering trivial adversary-in-the-middle attacks  
possible.

Proof of concept:  
-----------------  
1) Tolerating Self-Signed Certificates (CVE-2024-25642)  
A "tunnel" established between a subaccount of SAP BTP and SCC represents a  
long-lived bi-directional WebSocket over TLS customized by the vendor.  
Such a tunnel is initiated by the SCC, known as reverse invoke approach,  
to give the administrator full control of the tunnel.

Two tunnels established by SCC are protected by TLS with respect to encrypted  
communication. However, SCC does not verify the authenticity of the  
certification authority, hence allowing an attacker to impersonate the target  
server, using self-signed certificates.

In particular, the attack is targeted at the following two endpoints, but not  
limited to the region host us10.

- connectivitynotification.cf.us10.hana.ondemand.com  
- connectivity.us10.trial.applicationstudio.cloud.sap

Note that the following endpoint, which is used for the initial certificate  
signing request by SCC and to receive the BTP subaccount credentials, is  
not susceptible to this issue.

- connectivitycertsigning.cf.us10.hana.ondemand.com

Nonetheless, it suffices to silently eavesdrop and manipulate network traffic  
between SCC and SAP BTP by impersonating the two vulnerable endpoints above.

Without loss of generality, the first endpoint is taken as example to  
demonstrate the issue by the following steps:

1. Add an entry in /etc/hosts of the SCC host as below to resolve the host name  
    to an attacker-controlled IP address:

    192.168.1.100       connectivitynotification.cf.us10.hana.ondemand.com

2. Generate a self-signed certificate with the spoofed hostname as common name

```  
$ openssl req -x509 -newkey rsa:4096 -keyout conn-noti-key.pem -out conn-noti-cert.pem -sha256 -days 3650 -nodes -subj "/C=DE/ST=Baden-Wuerttemberg/L=Walldorf/O=SAP   
SE/OU=ITSecurity/CN=connectivitynotification.cf.us10.hana.ondemand.com"  
```

3. Start an HTTPS server on the attacker machine to receive the connection from  
    SCC, using the self-signed certificate created in step 2

The following Python script can be used to start the HTTPS server:  
```  
$ cat https-dummy-server.py  
import http.server  
import ssl

server_address = ("192.168.1.100", 443)  
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)  
httpd.socket = ssl.wrap_socket(httpd.socket,  
     server_side=True,  
     certfile="self-signed-cert/conn-noti-cert.pem",  
     keyfile="self-signed-cert/conn-noti-key.pem",  
     ssl_version=ssl.PROTOCOL_TLS)  
httpd.serve_forever()  
```

4. Connect to a subaccount of BTP, for example US East AWS, in the SCC  
    Administration UI

As soon as the connection is launched, the dummy web server will receive the  
request as shown below:

```  
$ python3 https-dummy-server.py  
192.168.1.200 - - [10/Nov/2023 12:00:00] "GET /connectivity HTTP/1.1" 200 -  
```

This observation confirms that the TLS connection between SCC and the spoofed  
BTP endpoint operated on the attacker's machine has been successfully established  
although the server presented a self-signed certificate. No security warning  
message is being displayed in the Administration UI, making the attack  
surreptitious.

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested which were the latest versions available  
at the time of the test:

* SAP Cloud Connector Linux x86_64 Version 2.16.0  
* SAP Cloud Connector Linux (Portable) x86_64 Version 2.16.0

According to the vendor, the vulnerability is a regression and affects the  
versions 2.15.0 - 2.16.1.

Vendor contact timeline:  
------------------------  
2023-11-14: Contacting vendor through vulnerability submission web form  
2023-11-17: Vendor confirms receipt and assign SAP security incident numbers to  
             the four submitted findings: 2370150975, 2370150977, 2370150994, 2370151022  
2023-11-20: Vendor informs the reported issues be assigned the appropriate  
             development teams for analysis  
2023-12-05: Requesting status update  
2023-12-05: Vendor informs that 2370151022 be rejected  
2023-12-05: Issuing rebuttal for 2370151022  
2023-12-06: Vendor contemplates further analysis  
2023-12-14: Vendor decides not to take any action on 2370151022 and rejects  
             2370150977 and 2370150975 as well.  
2023-12-15: Vendor accepts 2370150994  
2024-01-05: Asked vendor to comment on the three rejected issues  
2024-01-10: Vendor gives detailed rationale for the rejection of 2370150975  
2024-01-12: Issuing rebuttal for 2370150975  
2024-01-15: Vendor insists on rejection of 2370150975 and closes the ticket.  
             Removing three rejected potential security issues from advisory.  
2024-02-13: Release of SAP Security Patch Day, security note #3424610  
2024-02-26: Asking for the disclosure guideline to publish finding 2370150994  
2024-02-26: Vendor confirms the three-month embargo  
2024-05-13: Coordinated release of SEC Consult advisory.

Solution:  
---------  
The vendor provides a patched version 2.16.2 which can be downloaded from their  
website:  
https://tools.hana.ondemand.com/#cloud

Also see the vendor's security note #3424610 for further details:  
https://me.sap.com/notes/3424610

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF M. Li, F. Hagg / @2024

SAP Cloud Connector 2.16.1 Missing Validation

Zope version 5.9 suffers from a command injection vulnerability in /utilities/mkwsgiinstance.py.

    # Vulnerability Report## Title: Command Argument Injection Vulnerability in Zope WSGI Instance Creation Script Leading to RCE### Description:A command Argument injection vulnerability has been identified in the Zope WSGI instance creation script used by the Zope web application server framework, which is maintained by the Zope Foundation. The script, mkwsgiinstance, facilitates the setup of new Zope WSGI application instances and involves specifying the Python interpreter among other parameters via command-line arguments. The flaw stems from insufficient validation of the Python interpreter path, allowing an attacker to execute arbitrary shell commands.### Affected Product:Product: Zope WSGI instance creation script (mkwsgiinstance)Version: All versions prior to the most recent update-Impact:This vulnerability permits an attacker with local access to the server to execute arbitrary commands with the privileges of the user running the mkwsgiinstance script. The potential impacts include unauthorized information disclosure### POC:```bash(env) root@lab:/opt/Zope# mkwsgiinstance -p "/usr/bin/mkdir" -d "/tmp/temp;"Please choose a username and password for the initial user.These will be the credentials you use to initially manageyour new Zope instance.Username: dPassword: Verify password: (env) root@lab:/opt/Zope# ls /tmp'temp;'```In this example, the attacker replaces the Python interpreter argument (-p) with the mkdir command, followed by an arbitrary directory path. Due to inadequate command-line argument sanitation, the script executes the mkdir command, thus illustrating arbitrary command execution.### Vulnerable Code Snippet:```pythonif opt in ("-p", "--python"):    python = os.path.abspath(os.path.expanduser(arg))    if not os.path.exists(python) and os.path.isfile(python):        usage(sys.stderr, "The Python interpreter does not exist.")        sys.exit(2)```This code snippet fails to adequately validate the python variable that influences subprocess commands directly, enabling potential command injection when malicious inputs are utilized.CVSS Calculated Vulnerability Score:https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H### Credits:This vulnerability was disclosed by Aymane MAZGUITI / Ilyase Dehy.

Zope 5.9 Command Injection

Apple Security Advisory 05-13-2024-8 - tvOS 17.5 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-13-2024-8 tvOS 17.5

tvOS 17.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214102.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleAVD  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27804: Meysam Firouzi (@R00tkitSMM)

AppleMobileFileIntegrity  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

Maps  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27810: LFY@secsys of Fudan University

RemoteViewServices  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with arbitrary read and write capability may be able  
to bypass Pointer Authentication  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 272750  
CVE-2024-27834: Manfred Paul (@_manfp) working with Trend Micro's Zero  
Day Initiative

Additional recognition

App Store  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreHAP  
We would like to acknowledge Adrian Cable for their assistance.

Managed Configuration  
We would like to acknowledge 遥遥领先 (@晴天组织) for their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCtmQACgkQX+5d1TXa  
IvpH5hAAtZjOJDsDvmKZhDYNv+q147EOgkWQL99zvmBReygAUqk+KoLQQkkfRLP7  
zTw53l3zvcH5Tar065NTIr/9jW3MDlZ9ipKU5pwy2R6tWRkh5zug6T7WINpcLybv  
6U39illkCn4EOyTZSoET/kkbuu/CQ6QUPC/CX5R/FtBmAmLNcImRjIgHqRjQKVhO  
9ACminYR+gUbsSqn5OfU0hwbvX2pXzqzE8LoOmhgpJyJIbyUUPHt5C6DYmJ79dlf  
Ui0rXKF+kwzqDrAPxph3XhCW0F+IvceREMLefUQXxvQ/0eDZhkCGwyw4/zezoXhg  
k/rAGQ7EEd27AqyDGyRoLpmFvIXafTp3OrePNPnyjE7j06syH4NnkwQoLerdrW9x  
KOCWQYJ9v03SfJpzGQOVA+aP2sHe4jSR4mtq7m7dax6qKjKrLWog7aqu6+pZZ4Ga  
9AXLEU7sQgNF8TWosVgpUmQEas8v3GQflUqjHvczPyPr4T8Br5VhiM8FYj9SWsPb  
mO/57/3kdsaU6DrD1C1mf5SAjFFi65ox78n8hdXOe1B02fvpDOXyz278XBuVMWE0  
CfhrwhXicP0itQp/KtgrnT+iUhkuPieNBiped/KHPfe9YXOfpjGrtcPQfximiYsD  
rGPnxm5tCJPobmTzRUdsu9TSInqUP291SOvkyX1DEQUkIszm6ao=  
=oc3g  
-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-8

Apple Security Advisory 05-13-2024-7 - watchOS 10.5 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-13-2024-7 watchOS 10.5

watchOS 10.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214104.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleAVD  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27804: Meysam Firouzi (@R00tkitSMM)

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

Maps  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27810: LFY@secsys of Fudan University

RemoteViewServices  
Available for: Apple Watch Series 4 and later  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

Shortcuts  
Available for: Apple Watch Series 4 and later  
Impact: A shortcut may output sensitive user data without consent  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27821: Kirin (@Pwnrin), zbleet, and Csaba Fitzl (@theevilbit)  
of Kandji

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with arbitrary read and write capability may be able  
to bypass Pointer Authentication  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 272750  
CVE-2024-27834: Manfred Paul (@_manfp) working with Trend Micro's Zero  
Day Initiative

Additional recognition

App Store  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreHAP  
We would like to acknowledge Adrian Cable for their assistance.

HearingCore  
We would like to acknowledge an anonymous researcher for their  
assistance.

Managed Configuration  
We would like to acknowledge 遥遥领先 (@晴天组织) for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCtuoACgkQX+5d1TXa  
IvoryhAA0MH7dQ2spvGCOs9o90Ha8QfUwkzV6S+x/kjtb+4dVh+Myyyxcq3HfJP/  
71NRMcHvxM2nE7d23D9TSDdkKqEckR/vpgRMR9oPPy+bLnqccu7Rx02dIyOcW0AD  
sOI+puKn2oVSENiQte+Rs5RBBslrzG5G+Ezr2BVyk5jA4q8f2yD3vFlc+4K6u4Xf  
xcM0rgqLTQ1Pe4CiJepLZlm5/I4ub9jNHgYw37lrBg8ptBBOP722Mt+XeuHcE0tr  
SCvoVCDePnbHPNzofgsSlv0bv6CpfvOYKgRouWzb3wf+a9Cg/2fPN39nZtVt7V+l  
WqSJjgGB71QgwtRpmr/nWz3VKzSE9xdnu0H6BOrVAC9qYWn1Qz9S0bfTVhWJDCvk  
XyGhpoHrsKOR/PDjm8nCx7MzqeWxsG/yaYHileud3a9tAx1g63kDrwaPjpG4sNg1  
U5pvYLE942yOoImWyFkfcnf9UCGqwdYiNR8uFyfuPoBFhiCM85CjwD3tM2UG0H5Q  
xxU1iYNIHPeDd4q5DEaFqtC3nNraY3JGoAO5im7vNFv4JcoiMb8ObNTLDkNduThd  
q1uB74m37Pfqq/PT2xtnACHfWpvUpu/Gc0JcUuS+uMB1nUbvPQpNNJqx7WHwk3Q2  
r8OvMZ1Vw+4APbZ7B5Jnj4pkxSAifC2HQ7FqytCGzRzGqHOrF60=  
=+u2d  
-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-7

Apple Security Advisory 05-13-2024-5 - macOS Ventura 13.6.7 addresses bypass vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-05-13-2024-5 macOS Ventura 13.6.7macOS Ventura 13.6.7 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT214107.Apple maintains a Security Releases page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.FoundationAvailable for: macOS VenturaImpact: An app may be able to access user-sensitive dataDescription: A logic issue was addressed with improved checks.CVE-2024-27789: Mickey Jin (@patch1t)Login WindowAvailable for: macOS VenturaImpact: An attacker with knowledge of a standard user's credentials canunlock another standard user's locked screen on the same MacDescription: A logic issue was addressed with improved state management.CVE-2023-42861: an anonymous researcher, 凯 王, Steven Maser, MatthewMcLean, Brandon Chesser, CPU IT, inc, and Avalon IT Team of ConcentrixRTKitAvailable for: macOS VenturaImpact: An attacker with arbitrary kernel read and write capability maybe able to bypass kernel memory protections. Apple is aware of a reportthat this issue may have been exploited.Description: A memory corruption issue was addressed with improvedvalidation.CVE-2024-23296Additional recognitionApp StoreWe would like to acknowledge an anonymous researcher for theirassistance.macOS Ventura 13.6.7 may be obtained from the Mac App Store orApple's Software Downloads web site:https://support.apple.com/downloads/All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCtJoACgkQX+5d1TXaIvrg7hAAr/7mbBr3n+eJIP7aXfLdQWZb/NQLK7i87jk0RDCweCeWf2ZDGSjEXn3I0t8qS9bFjouQi3c6Zgu96zIbZ7QHS2KZ3w+41Cjzknb+wKoxb6UkbDe8gaay/QODBQH/GVcFjdEKLJCbnBBjatpf9PgBTkMJQ7UvXbfCUksowN6dUnTcRyxB8fPyFp7yZrKfGLe2mfO3E6kx+lcqThgiKsKuuZNju0A0d8wFyEkKqcQOPtg6PYiM4MTkI+GsckdB1sYy9dK219Gx3s9kj/RUmjBl/rNweC6s85ltqQgzhO0vZtwlcoThM7eMmCAHddjx3YMbh2iv2ypE44xv7XzGik5PjNhWHbVqA2dvFsTuA1K1ZYy04dKQ7i9A/LAcs1THVT29cIA4Xzj1lWBviVHjmFYZG2xkssKf1haqs9H0YB0coZGrNMKVwrW5HBf71oYCr49z/iypIpM4dc7bC7VTPe25Q/Ri5da1D7tTtElY33Vi0uPTqcSQgIwAEN+kYNEbJrH1itk/kyW0y44TRSlo477UyDWXaNZXh8N7ClU1svAl7qUnDstLIPve+watsvlr2/nLwUEvV/3wbja3D6X35M/lwEX8rDA1HVjlNKEDfhV76xRae6Tx36y/5hGDCb6b666e9vh7p7KcaFd54TX+gnH8swkENhVBLV+mZWfSq0fMPTs==xqZE-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-5

Apple Security Advisory 05-08-2024-1 - iTunes 12.13.2 for Windows addresses a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-08-2024-1 iTunes 12.13.2 for Windows

iTunes 12.13.2 for Windows addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214099.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreMedia  
Available for: Windows 10 and later  
Impact: Parsing a file may lead to an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2024-27793: Willy R. Vasquez of The University of Texas at Austin

iTunes 12.13.2 for Windows may be obtained from:  
https://www.apple.com/itunes/download/  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmY78cYACgkQX+5d1TXa  
IvrzDBAAlfeS0odTgHy5AqrW8H47U7kDb6Mob0XW7RF/eii3C3M07a+zZ6fqXrws  
NrR85Az++0l0LICFINyG2uqNlJP831J3ib4MQLmCp0awX5UPLdZ1JZE5afu4GAZk  
t0rDDfUYuhVrArYC1BaSMm3OjiSD3CctLxHPY4PDsLbaeq/J7kSz03Lr42TyLuIU  
wO/c0hxiNSPrrq6vlSO2yCFzuISkB+HkJMPNFst6h7lpCAfimw2pHXhzGKAHUzAG  
ra2TEi4/Zpd5heDhC8rXbVYAgc9q5YCkPT5EDPa4aIYqZynICNugrY5Y0OSV05sp  
l8LuuEsTJY/Vmf4+1xx+ZI2E8LReP/QMCA0pPOGEJXT5PifdrEVIRvV7vAGClWk3  
C9t4FpcYBIt4e3AwSoaQoykdPRCB5mEL+D+gfycLvJBmbng+PnE2T+oQYd6IkVu4  
toYaJ+jo6fNmHHFueBT7ecsCG6kDyJyd1tDTLLxCaTDVPvJ10uk/k68FYbpTy1rY  
EzBbKGnaHKrr2DNFQPiqFnonaLRvUUJXlH5RtlrWVH9/cAXE8sIPfrrO+NPIAEG2  
WoCKA0jOYhR/SO5O4VLqAi0yTSzrvWp7Gp//ov9J0f2S28kUP0kdUGL/Z8Lsbro9  
un3U1C3pgDwcsGrYXpU+Ye/98gUjz5bEu2dMbT5u2fVwkbOQBVs=  
=NV/p  
-----END PGP SIGNATURE-----

Apple Security Advisory 05-08-2024-1

Apple Security Advisory 05-13-2024-4 - macOS Sonoma 14.5 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-13-2024-4 macOS Sonoma 14.5

macOS Sonoma 14.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214106.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleAVD  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27804: Meysam Firouzi (@R00tkitSMM)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: A local attacker may gain access to Keychain items  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-27837: Mickey Jin (@patch1t) and ajajfxhj

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to bypass certain Privacy preferences  
Description: A downgrade issue affecting Intel-based Mac computers was  
addressed with additional code-signing restrictions.  
CVE-2024-27825: Kirin (@Pwnrin)

AppleVA  
Available for: macOS Sonoma  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27829: Amir Bazine and Karsten König of CrowdStrike Counter  
Adversary Operations, and Pwn2car working with Trend Micro's Zero Day  
Initiative

AVEVideoEncoder  
Available for: macOS Sonoma  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27841: an anonymous researcher

CFNetwork  
Available for: macOS Sonoma  
Impact: An app may be able to read arbitrary files  
Description: A correctness issue was addressed with improved checks.  
CVE-2024-23236: Ron Masas of Imperva

Finder  
Available for: macOS Sonoma  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed through improved state management.  
CVE-2024-27827: an anonymous researcher

Kernel  
Available for: macOS Sonoma  
Impact: An attacker may be able to cause unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27818: pattern-f (@pattern_F_) of Ant Security Light-Year Lab

Libsystem  
Available for: macOS Sonoma  
Impact: An app may be able to access protected user data  
Description: A permissions issue was addressed by removing vulnerable  
code and adding additional checks.  
CVE-2023-42893: an anonymous researcher

Maps  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27810: LFY@secsys of Fudan University

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-27822: Scott Johnson, Mykola Grymalyuk of RIPEDA Consulting,  
Jordy Witteman, and Carlos Polop

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to elevate privileges  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-27824: Pedro Tôrres (@t0rr3sp3dr0)

PrintCenter  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code out of its sandbox  
or with certain elevated privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27813: an anonymous researcher

RemoteViewServices  
Available for: macOS Sonoma  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

SharedFileList  
Available for: macOS Sonoma  
Impact: An app may be able to elevate privileges  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27843: Mickey Jin (@patch1t)

Shortcuts  
Available for: macOS Sonoma  
Impact: A shortcut may output sensitive user data without consent  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27821: Kirin (@Pwnrin), zbleet, and Csaba Fitzl (@theevilbit)  
of Kandji

StorageKit  
Available for: macOS Sonoma  
Impact: An attacker may be able to elevate privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2024-27798: Yann GASCUEL of Alter Solutions

Sync Services  
Available for: macOS Sonoma  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks  
CVE-2024-27847: Mickey Jin (@patch1t)

udf  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27842: CertiK SkyFall Team

Voice Control  
Available for: macOS Sonoma  
Impact: An attacker may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27796: ajajfxhj

WebKit  
Available for: macOS Sonoma  
Impact: An attacker with arbitrary read and write capability may be able  
to bypass Pointer Authentication  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 272750  
CVE-2024-27834: Manfred Paul (@_manfp) working with Trend Micro's Zero  
Day Initiative

Additional recognition

App Store  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreHAP  
We would like to acknowledge Adrian Cable for their assistance.

HearingCore  
We would like to acknowledge an anonymous researcher for their  
assistance.

Managed Configuration  
We would like to acknowledge 遥遥领先 (@晴天组织) for their assistance.

Music  
We would like to acknowledge an anonymous researcher for their  
assistance.

PackageKit  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Safari Downloads  
We would like to acknowledge Arsenii Kostromin (0x3c3e) for their  
assistance.

macOS Sonoma 14.5 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCs7MACgkQX+5d1TXa  
IvqKHhAApqwSNiF1fzn2XOuX2AH9sPVTbcdRTlWmD9lOfTnvinbn8J0oNSFoXxDS  
9NqJclCmrl4E/o9d1mUrV9ys1lAI/Hm0E3Hq2VmrEzd4umlDeRvGN2qFuqF+JnEc  
svHlZcAmGpN9eMvxwMin+PXqchqXItZeAwbE2UzD+xTxQftoe/SNSgIlTkncBsMO  
kKS3hlGcNH9fIJhvWY0f7NfX6XKmbxtK6+Glx652v0ayvNmtloBMer+lcy7VcNkL  
Na3bykhiALpwon07xGYmzCn6TsrLhsF4bwsXwdJAmKSJ3s/I8o2SITJtxmRMxv2I  
DXANRFtC+WaaVqmvOC22XcLuFDvKTH719AcdmxDwBLUQ4P1nQEvObp2OLskayhCp  
oEQPrgSWQerdwNse4Hv3JuQrxJWeKCgHTBbWPvfPL5DCX9u8xy/5QgJevrv8RX3g  
hOxqYtIdLKzGuJZWapgd0Cv+InrId5j0xcaUvGxA33lkTeYiOgXQIqjtvOJRNYqK  
2cS59vJkn3j+RwuVjVf27q802Jt1ET75eEMFVf0VJUvWWkGfOWpHvXs3qiUJYgqX  
TQcZIpZL1W4jpMjYtjqk9sf6thL2xb5eXv7BDBfiRIQJYUrTlyQKlIH9xbSH4wNA  
XyKKhjtfx9dsPI0wceBVBA5BCGrnlqNBtOr3+8OzcWFCe0qWOKc=  
=NXp8  
-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-4

Apple Security Advisory 05-13-2024-3 - iOS 16.7.8 and iPadOS 16.7.8 addresses bypass vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-05-13-2024-3 iOS 16.7.8 and iPadOS 16.7.8iOS 16.7.8 and iPadOS 16.7.8 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT214100.Apple maintains a Security Releases page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.FoundationAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: An app may be able to access user-sensitive dataDescription: A logic issue was addressed with improved checks.CVE-2024-27789: Mickey Jin (@patch1t)RTKitAvailable for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generationImpact: An attacker with arbitrary kernel read and write capability maybe able to bypass kernel memory protections. Apple is aware of a reportthat this issue may have been exploited.Description: A memory corruption issue was addressed with improvedvalidation.CVE-2024-23296This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.7.8 and iPadOS 16.7.8".All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCrxIACgkQX+5d1TXaIvrKgxAAjiI4N+H3dHj/1ev1GXuaZRhbSicl8Uv0H/zXt/7dmQVgzdie4YnFehUioBcx4E17yecsCV1fcg8jFui7vYuxxxwbVRCZbJ6757rVoFLadDOkbHi3F6pIIza5oaOfmNsriL8pHBjIalwWsZGlUPNGU9LTykaQA5cUjdA0xzFSd8u5H7DSKfND2aoi8q/5xhFaH3txr61FVqpsdcvsyWSfLRKjaB7i+rNijrgVQnFTSrMiiAOYA9HRNM9JGPFO6BDF/wfVJz55bD0MB0nHtRiDc7LzhhhnPtl6fbjMDLO+k3T7x0pxlZDd0k4Vxy93deTaBiLlTa0UdnBzPmMbTUZXxlICzPeAqnWZXwwDqzu+LAxLcNtKI7IZrWqr4FCQpgkIsrM1LP7Zuc1bXyx5Hflw2vg/eBGwnjH+zxoYqQnjGVy5S7JMan2PRYkeShP8JhHC4ZY3RC3Ta2oQFwOfK6wxIgM0+0zHlOA4bj0AppmzxJqcMmK4XOAbe1alIErzPS43CofElYSBswiCPVPCgQ2qrgP3pHrQFCqnVh37YEdCpc1ocB3ZUYgsURzIxruf6MVbUOrXhvQ8DwH53A/zopEcvdnYgI+nfS9G1cyTPil8FnV6XSCEBcdwov8HctE2V+84WaM/GfBMIY1gXJtVXuNz/GhBJEvDCzvKFBuIaV0H1bw==YjT5-----END PGP SIGNATURE-----

Tag

#vulnerability