| フィールド | 2022年06月25日 14:56 | 2022年06月25日 14:58 | 2024年01月05日 09:48 |
|---|
| vendor | Apple | Apple | Apple |
| name | iOS | iOS | iOS |
| version | <=12.4.1 | <=12.4.1 | <=12.4.1 |
| component | Siri | Siri | Siri |
| input_type | Audio File | Audio File | Audio File |
| discoverydate | 1557878400 | 1557878400 | 1557878400 |
| vendorinformdate | 1562716800 | 1562716800 | 1562716800 |
| risk | 2 | 2 | 2 |
| cvss2_vuldb_basescore | 6.8 | 6.8 | 6.8 |
| cvss2_vuldb_tempscore | 5.3 | 5.3 | 5.3 |
| cvss2_vuldb_av | N | N | N |
| cvss2_vuldb_ac | M | M | M |
| cvss2_vuldb_au | N | N | N |
| cvss2_vuldb_ci | P | P | P |
| cvss2_vuldb_ii | P | P | P |
| cvss2_vuldb_ai | P | P | P |
| cvss3_meta_basescore | 6.3 | 6.3 | 6.3 |
| cvss3_meta_tempscore | 5.7 | 5.7 | 5.7 |
| cvss3_vuldb_basescore | 6.3 | 6.3 | 6.3 |
| cvss3_vuldb_tempscore | 5.7 | 5.7 | 5.7 |
| cvss3_vuldb_av | N | N | N |
| cvss3_vuldb_ac | L | L | L |
| cvss3_vuldb_pr | N | N | N |
| cvss3_vuldb_ui | R | R | R |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | L | L | L |
| cvss3_vuldb_i | L | L | L |
| cvss3_vuldb_a | L | L | L |
| titleword | Self | Self | Self |
| advisoryquote | It happened when playing a YouTube video on an iPhone XS with iOS 12.3.1; suddenly, Siri piped up. It was as if she had heard the command Hey, Siri and responded. But there was no such command in the video. At first, we thought it might be a coincidence. | It happened when playing a YouTube video on an iPhone XS with iOS 12.3.1; suddenly, Siri piped up. It was as if she had heard the command Hey, Siri and responded. But there was no such command in the video. At first, we thought it might be a coincidence. | It happened when playing a YouTube video on an iPhone XS with iOS 12.3.1; suddenly, Siri piped up. It was as if she had heard the command Hey, Siri and responded. But there was no such command in the video. At first, we thought it might be a coincidence. |
| date | 1570665600 (2019年10月10日) | 1570665600 (2019年10月10日) | 1570665600 (2019年10月10日) |
| location | Website | Website | Website |
| developer_mail | maru@****.** | maru@****.** | maru@****.** |
| type | Blog Post | Blog Post | Blog Post |
| url | https://www.scip.ch/en/?labs.20191010 | https://www.scip.ch/en/?labs.20191010 | https://www.scip.ch/en/?labs.20191010 |
| identifier | iPhone Siri Self-Reference Exploiting | iPhone Siri Self-Reference Exploiting | iPhone Siri Self-Reference Exploiting |
| coordination | 1 | 1 | 1 |
| person_name | Marc Ruef | Marc Ruef | Marc Ruef |
| person_mail | maru@****.** | maru@****.** | maru@****.** |
| person_website | https://www.computec.ch/mruef/ | https://www.computec.ch/mruef/ | https://www.computec.ch/mruef/ |
| company_name | scip AG | scip AG | scip AG |
| reaction_date | 1562803200 (2019年07月11日) | 1562803200 (2019年07月11日) | 1562803200 (2019年07月11日) |
| disputed | 1 | 1 | 1 |
| availability | 1 | 1 | 1 |
| date | 1570665600 (2019年10月10日) | 1570665600 (2019年10月10日) | 1570665600 (2019年10月10日) |
| publicity | 1 | 1 | 1 |
| url | https://www.youtube.com/watch?v=AeuGjMbAirU | https://www.youtube.com/watch?v=AeuGjMbAirU | https://www.youtube.com/watch?v=AeuGjMbAirU |
| developer_name | Marc Ruef | Marc Ruef | Marc Ruef |
| developer_website | https://www.computec.ch/mruef/ | https://www.computec.ch/mruef/ | https://www.computec.ch/mruef/ |
| price_0day | $25k-$100k | $25k-$100k | $25k-$100k |
| name | アップグレード | アップグレード | アップグレード |
| date | 1569283200 (2019年09月24日) | 1569283200 (2019年09月24日) | 1569283200 (2019年09月24日) |
| upgrade_version | 13.0 | 13.0 | 13.0 |
| advisoryquote | In accordance with the responsible disclosure process, we made prior email contact with Apple on July 10, 2019 and told them about our discovery. (…) The next day, the Apple Security Team replied. They indicated that the facts were correct, but they did not consider it a risk. | In accordance with the responsible disclosure process, we made prior email contact with Apple on July 10, 2019 and told them about our discovery. (…) The next day, the Apple Security Team replied. They indicated that the facts were correct, but they did not consider it a risk. | In accordance with the responsible disclosure process, we made prior email contact with Apple on July 10, 2019 and told them about our discovery. (…) The next day, the Apple Security Team replied. They indicated that the facts were correct, but they did not consider it a risk. |
| videolink | https://youtu.be/AeuGjMbAirU | https://youtu.be/AeuGjMbAirU | https://youtu.be/AeuGjMbAirU |
| cvss2_vuldb_e | POC | POC | POC |
| cvss2_vuldb_rl | OF | OF | OF |
| cvss2_vuldb_rc | C | C | C |
| cvss3_vuldb_e | P | P | P |
| cvss3_vuldb_rl | O | O | O |
| cvss3_vuldb_rc | C | C | C |
| reaction_days | 76 | 76 | 76 |
| 0day_days | 132 | 132 | 132 |
| type | Smartphone Operating System | Smartphone Operating System | Smartphone Operating System |
| cwe | 269 (特権昇格) | 269 (特権昇格) | 269 (特権昇格) |
| cve | CVE-2019-25071 | CVE-2019-25071 | CVE-2019-25071 |
| responsible | VulDB | VulDB | VulDB |
| response_summary | Apple claims, that after examining the report they do not see any actual security implications. | Apple claims, that after examining the report they do not see any actual security implications. | Apple claims, that after examining the report they do not see any actual security implications. |
| price_trend | + | + | + |
| response_date | | 1562796000 (2019年07月11日) | 1562796000 (2019年07月11日) |
| cve_assigned | | | 1656021600 (2022年06月24日) |
| cve_nvd_summary | | | A vulnerability was found in Apple iPhone up to 12.4.1. It has been declared as critical. Affected by this vulnerability is Siri. Playing an audio or video file might be able to initiate Siri on the same device which makes it possible to execute commands remotely. Exploit details have been disclosed to the public. The existence and implications of this vulnerability are doubted by Apple even though multiple public videos demonstrating the attack exist. Upgrading to version 13.0 migt be able to address this issue. It is recommended to upgrade affected devices. NOTE: Apple claims, that after examining the report they do not see any actual security implications. |
