| Fält | 25/06/2022 14:56 | 25/06/2022 14:58 | 05/01/2024 09:48 |
|---|
| vendor | Apple | Apple | Apple |
| name | iOS | iOS | iOS |
| version | <=12.4.1 | <=12.4.1 | <=12.4.1 |
| component | Siri | Siri | Siri |
| input_type | Audio File | Audio File | Audio File |
| discoverydate | 1557878400 | 1557878400 | 1557878400 |
| vendorinformdate | 1562716800 | 1562716800 | 1562716800 |
| risk | 2 | 2 | 2 |
| cvss2_vuldb_basescore | 6.8 | 6.8 | 6.8 |
| cvss2_vuldb_tempscore | 5.3 | 5.3 | 5.3 |
| cvss2_vuldb_av | N | N | N |
| cvss2_vuldb_ac | M | M | M |
| cvss2_vuldb_au | N | N | N |
| cvss2_vuldb_ci | P | P | P |
| cvss2_vuldb_ii | P | P | P |
| cvss2_vuldb_ai | P | P | P |
| cvss3_meta_basescore | 6.3 | 6.3 | 6.3 |
| cvss3_meta_tempscore | 5.7 | 5.7 | 5.7 |
| cvss3_vuldb_basescore | 6.3 | 6.3 | 6.3 |
| cvss3_vuldb_tempscore | 5.7 | 5.7 | 5.7 |
| cvss3_vuldb_av | N | N | N |
| cvss3_vuldb_ac | L | L | L |
| cvss3_vuldb_pr | N | N | N |
| cvss3_vuldb_ui | R | R | R |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | L | L | L |
| cvss3_vuldb_i | L | L | L |
| cvss3_vuldb_a | L | L | L |
| titleword | Self | Self | Self |
| advisoryquote | It happened when playing a YouTube video on an iPhone XS with iOS 12.3.1; suddenly, Siri piped up. It was as if she had heard the command Hey, Siri and responded. But there was no such command in the video. At first, we thought it might be a coincidence. | It happened when playing a YouTube video on an iPhone XS with iOS 12.3.1; suddenly, Siri piped up. It was as if she had heard the command Hey, Siri and responded. But there was no such command in the video. At first, we thought it might be a coincidence. | It happened when playing a YouTube video on an iPhone XS with iOS 12.3.1; suddenly, Siri piped up. It was as if she had heard the command Hey, Siri and responded. But there was no such command in the video. At first, we thought it might be a coincidence. |
| date | 1570665600 (10/10/2019) | 1570665600 (10/10/2019) | 1570665600 (10/10/2019) |
| location | Website | Website | Website |
| developer_mail | maru@****.** | maru@****.** | maru@****.** |
| type | Blog Post | Blog Post | Blog Post |
| url | https://www.scip.ch/en/?labs.20191010 | https://www.scip.ch/en/?labs.20191010 | https://www.scip.ch/en/?labs.20191010 |
| identifier | iPhone Siri Self-Reference Exploiting | iPhone Siri Self-Reference Exploiting | iPhone Siri Self-Reference Exploiting |
| coordination | 1 | 1 | 1 |
| person_name | Marc Ruef | Marc Ruef | Marc Ruef |
| person_mail | maru@****.** | maru@****.** | maru@****.** |
| person_website | https://www.computec.ch/mruef/ | https://www.computec.ch/mruef/ | https://www.computec.ch/mruef/ |
| company_name | scip AG | scip AG | scip AG |
| reaction_date | 1562803200 (11/07/2019) | 1562803200 (11/07/2019) | 1562803200 (11/07/2019) |
| disputed | 1 | 1 | 1 |
| availability | 1 | 1 | 1 |
| date | 1570665600 (10/10/2019) | 1570665600 (10/10/2019) | 1570665600 (10/10/2019) |
| publicity | 1 | 1 | 1 |
| url | https://www.youtube.com/watch?v=AeuGjMbAirU | https://www.youtube.com/watch?v=AeuGjMbAirU | https://www.youtube.com/watch?v=AeuGjMbAirU |
| developer_name | Marc Ruef | Marc Ruef | Marc Ruef |
| developer_website | https://www.computec.ch/mruef/ | https://www.computec.ch/mruef/ | https://www.computec.ch/mruef/ |
| price_0day | $25k-$100k | $25k-$100k | $25k-$100k |
| name | Upgrade | Upgrade | Upgrade |
| date | 1569283200 (24/09/2019) | 1569283200 (24/09/2019) | 1569283200 (24/09/2019) |
| upgrade_version | 13.0 | 13.0 | 13.0 |
| advisoryquote | In accordance with the responsible disclosure process, we made prior email contact with Apple on July 10, 2019 and told them about our discovery. (…) The next day, the Apple Security Team replied. They indicated that the facts were correct, but they did not consider it a risk. | In accordance with the responsible disclosure process, we made prior email contact with Apple on July 10, 2019 and told them about our discovery. (…) The next day, the Apple Security Team replied. They indicated that the facts were correct, but they did not consider it a risk. | In accordance with the responsible disclosure process, we made prior email contact with Apple on July 10, 2019 and told them about our discovery. (…) The next day, the Apple Security Team replied. They indicated that the facts were correct, but they did not consider it a risk. |
| videolink | https://youtu.be/AeuGjMbAirU | https://youtu.be/AeuGjMbAirU | https://youtu.be/AeuGjMbAirU |
| cvss2_vuldb_e | POC | POC | POC |
| cvss2_vuldb_rl | OF | OF | OF |
| cvss2_vuldb_rc | C | C | C |
| cvss3_vuldb_e | P | P | P |
| cvss3_vuldb_rl | O | O | O |
| cvss3_vuldb_rc | C | C | C |
| reaction_days | 76 | 76 | 76 |
| 0day_days | 132 | 132 | 132 |
| type | Smartphone Operating System | Smartphone Operating System | Smartphone Operating System |
| cwe | 269 (privilegier eskalering) | 269 (privilegier eskalering) | 269 (privilegier eskalering) |
| cve | CVE-2019-25071 | CVE-2019-25071 | CVE-2019-25071 |
| responsible | VulDB | VulDB | VulDB |
| response_summary | Apple claims, that after examining the report they do not see any actual security implications. | Apple claims, that after examining the report they do not see any actual security implications. | Apple claims, that after examining the report they do not see any actual security implications. |
| price_trend | + | + | + |
| response_date | | 1562796000 (11/07/2019) | 1562796000 (11/07/2019) |
| cve_assigned | | | 1656021600 (24/06/2022) |
| cve_nvd_summary | | | A vulnerability was found in Apple iPhone up to 12.4.1. It has been declared as critical. Affected by this vulnerability is Siri. Playing an audio or video file might be able to initiate Siri on the same device which makes it possible to execute commands remotely. Exploit details have been disclosed to the public. The existence and implications of this vulnerability are doubted by Apple even though multiple public videos demonstrating the attack exist. Upgrading to version 13.0 migt be able to address this issue. It is recommended to upgrade affected devices. NOTE: Apple claims, that after examining the report they do not see any actual security implications. |
