CVE-2019-8661
Published 2019-12-18
Priority P266 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 9.51% (94.8th percentile)
A use after free issue was addressed with improved memory management. This issue is fixed in macOS Mojave 10.14.6. A remote attacker may be able to cause arbitrary code execution.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | < 10.14.6 | 10.14.6 |
| apple | macos | >= unspecified < macOS Mojave 10.14.6 | macOS Mojave 10.14.6 |
| apple | macos_mojave_10.14.6_security_update_2019-004_high_sierra_security_update_2019-0 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for crashes in the 'soagent' process triggered via iMessage with no user interaction, which may indicate exploitation of CVE-2019-8661.
- Inspect inbound iMessage payloads for NSURL objects containing the 'NS.minimalBookmarkData' property in their plist, which is the deserialization vector for this vulnerability.
- Look for pre-2012 alias file data being processed via FSResolveAliasWithMountFlags in CarbonCore, triggered remotely through iMessage deserialization of NSURL objects.
- Flag memory corruption events originating from ALI_GetUTF8Path (CarbonCore) via an unsafe strcat_chk call, reachable through remote iMessage delivery.
- The exploit requires no user interaction and is macOS-specific; prioritize detection on macOS endpoints receiving iMessages with serialized NSURL/bookmark data.
- The PoC exploit uses Frida for injection; detection of Frida tooling (frida-agent, frida-server) on macOS endpoints may indicate attacker staging activity related to this CVE.
- The vulnerability is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, and Security Update 2019-004 Sierra; unpatched systems in these product lines remain at risk.
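CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |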
Apple
CVE-2019-8661: macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra
vendor_apple·2019-07-22·CVSS 9.8
CVE-2019-8661 [CRITICAL] CVE-2019-8661: macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra
Apple Security Update: About the security content of macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra
Product: macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra
CVE: CVE-2019-8661
Component: Carbon Core
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
GHSA
GHSA-qp2w-5j73-m364: A use after free issue was addressed with improved memory management
ghsa_unreviewed·2022-05-24
CVE-2019-8661 [HIGH] GHSA-qp2w-5j73-m364: A use after free issue was addressed with improved memory management
A use after free issue was addressed with improved memory management. This issue is fixed in macOS Mojave 10.14.6. A remote attacker may be able to cause arbitrary code execution.
Project0
The Fully Remote Attack Surface of the iPhone - Project Zero
project_zero·2019-08-01
CVE-2019-8613 The Fully Remote Attack Surface of the iPhone - Project Zero
Posted by Natalie Silvanovich, Project Zero
While there have been several rumours and reports of fully remote vulnerabilities affecting the iPhone being used by attackers in the last couple of years, limited information is available about the technical details of these vulnerabilities, as well as the underlying attack surface they occur in. I investigated the remote, interaction-less attack surface of the iPhone, and found several serious vulnerabilities.
Vulnerabilities are considered ‘remote’ when the attacker does not require any physical or network proximity to the target to be able to use the vulnerability. Remote vulnerabilities are described as ‘fully remote’, ‘interaction-less’ or ‘zero click’ when they do not require any physical interaction from the target to be exploited, an