9VSA21-00431-01 CSIRT warns of vulnerabilities in Apple products

Summary

The Government's Computer Security Incident Response Team (CSIRT de Gobierno) shares information on vulnerabilities affecting several Apple products.

This report includes the mitigation measures, which consist of installing the latest update for the affected products.

Vulnerabilities

CVE-2020-27942

CVE-2020-3838

CVE-2020-7463

CVE-2020-8037

CVE-2020-8285

CVE-2020-8286

CVE-2021-1739

CVE-2021-1740

CVE-2021-1784

CVE-2021-1797

CVE-2021-1805

CVE-2021-1806

CVE-2021-1807

CVE-2021-1808

CVE-2021-1809

CVE-2021-1810

CVE-2021-1811

CVE-2021-1813

CVE-2021-1815

CVE-2021-1816

CVE-2021-1817

CVE-2021-1820

CVE-2021-1822

CVE-2021-1824

CVE-2021-1825

CVE-2021-1826

CVE-2021-1828

CVE-2021-1830

CVE-2021-1831

CVE-2021-1832

CVE-2021-1834

CVE-2021-1835

CVE-2021-1836

CVE-2021-1837

CVE-2021-1839

CVE-2021-1840

CVE-2021-1843

CVE-2021-1846

CVE-2021-1847

CVE-2021-1848

CVE-2021-1849

CVE-2021-1851

CVE-2021-1852

CVE-2021-1853

CVE-2021-1854

CVE-2021-1857

CVE-2021-1858

CVE-2021-1860

CVE-2021-1864

CVE-2021-1865

CVE-2021-1867

CVE-2021-1868

CVE-2021-1872

CVE-2021-1873

CVE-2021-1874

CVE-2021-1875

CVE-2021-1876

CVE-2021-1877

CVE-2021-1878

CVE-2021-1881

CVE-2021-1882

CVE-2021-1883

CVE-2021-1884

CVE-2021-1885

CVE-2021-21300

CVE-2021-30652

CVE-2021-30653

CVE-2021-30656

CVE-2021-30659

CVE-2021-30660

CVE-2021-30661

Impacts

The main vulnerabilities considered high risk are the following:

A vulnerability with a pending CVE that affects Apple Safari is considered high risk. It allows a remote attacker to compromise a target system due to a use-after-free error in WebRTC.

CVE-2021-1876 is a vulnerability in macOS that allows a remote attacker to compromise a target system. It exists due to a use-after-free error in the NSRemoteView component.

CVE-2021-1875 is a vulnerability in macOS that allows a remote attacker to compromise a target system. It exists due to an error when processing files in the libxslt library.

CVE-2021-1843 is a vulnerability in macOS that allows a remote attacker to compromise a target system. It exists due to insufficient validation of user-supplied input in the ImageIO component.

CVE-2020-27942 and CVE-2021-1881 are vulnerabilities in macOS that allow a remote attacker to compromise a target system. They exist due to errors in the FontParser component.

CVE-2021-1847 is a vulnerability in macOS that allows a remote attacker to compromise a target system. It exists due to a memory boundary error in the CoreGraphics component.

CVE-2021-1828 is a vulnerability in macOS that allows a remote attacker to compromise a target system. It exists due to a memory boundary error in the WiFi component.

Affected Products

Apple Safari 14.0 to 14.0.3-15610.4.3.1.7.

macOS 10.14 18A391 to 11.2.3 20D91.

iOS 14.5

iPadOS 14.5

Xcode 12.5

iCloud for Windows 12.3

Mitigation

Install the corresponding updates from the vendor's website.

Links

https://support.apple.com/en-us/HT212318

https://support.apple.com/en-us/HT212326

https://support.apple.com/en-us/HT212325

https://support.apple.com/en-us/HT212327

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27942

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3838

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7463

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8037

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8285

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8286

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1739

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1740

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1784

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1797

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1805

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1806

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1807

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1808

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1809

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1810

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1811

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1813

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1815

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1816

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1817

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1820

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1822

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1824

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1825

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1826

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1828

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1830

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1831

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1832

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1834

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1835

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1836

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1837

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1839

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1840

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1843

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1846

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1847

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1848

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1849

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1851

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1852

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1853

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1854

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1857

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1858

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1860

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1864

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1865

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1867

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1868

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1872

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1873

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1874

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1875

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1876

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1877

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1878

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1881

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1882

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1883

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1884

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1885

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30652

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30653

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30656

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30659

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30660

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30661

Report

The official report published by the CSIRT of the Government of Chile is available at the following link: 9VSA21-00431-01
