A vulnerability, which was classified as critical, has been found in Apple watchOS up to 5.2.1 (Smartwatch Operating System). This issue affects some unknown processing of the component WebKit. The manipulation with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for Windows 7.13, iCloud for Windows 10.6. Processing maliciously crafted web content may lead to arbitrary code execution.

The weakness was disclosed 07/22/2019 by Venustech with Adlab of Venustech as HT210353 as confirmed advisory (Website). The advisory is shared at support.apple.com. The identification of this vulnerability is CVE-2019-8685 since 02/18/2019. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. The advisory points out:

Multiple memory corruption issues were addressed with improved memory handling.

Upgrading to version 5.3 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The entries 138537, 138538, 138539 and 138540 are pretty similar.

Productinfo

Type

• Smartwatch Operating System

Vendor

• Apple

Name

• watchOS

Version

• 5.2.0
• 5.2.1

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion