CVE-2019-6223
Published: 05 March 2019
Summary
CVE-2019-6223 is a high-severity vulnerability (weakness type unspecified) in Apple iPhone OS. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 42.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-15 (Collaborative Computing Devices and Applications).
Deeper analysis
A logic issue in the handling of Group FaceTime calls, caused by inadequate state management, affected Apple iOS and macOS devices prior to the listed updates. The vulnerability resided in the FaceTime component and carried a CVSS 3.1 base score of 7.5, reflecting network-accessible exploitation with no required privileges or user interaction and a high impact on confidentiality.
An unauthenticated remote attacker acting as the initiator of a Group FaceTime call could exploit the flaw to force the recipient’s device to answer automatically, thereby gaining unauthorized audio or video access without the recipient’s knowledge or consent.
Apple addressed the issue through improved state management in iOS 12.1.4 and the macOS Mojave 10.14.3 Supplemental Update, as documented in security advisories HT209520 and HT209521. The vulnerability is also catalogued by CISA as one known to have been exploited in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-15790
Vulnerability details
A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management. This issue is fixed in iOS 12.1.4, macOS Mojave 10.14.3 Supplemental Update. The initiator of a Group FaceTime call may be able to cause the recipient to answer.
- CWE(s): unspecified
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces authorization decisions so that a Group FaceTime call cannot be answered without explicit recipient consent.
- SC-15 (Collaborative Computing Devices and Applications): Requires collaborative computing applications such as FaceTime to provide explicit user indication and control before audio/video access is granted.
- Flaw remediation: Mandates timely remediation of the logic flaw in FaceTime state management that permitted unauthorized call answering.