CVE-2019-7287
Published: 18 December 2019
Summary
CVE-2019-7287 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Iphone Os. Its CVSS base score is 7.8 (High).
Operationally, ranked in the top 10.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
A memory corruption vulnerability, tracked as CVE-2019-7287 and assigned CWE-787, affects iOS versions prior to 12.1.4. The flaw stems from insufficient input validation that can trigger an out-of-bounds write condition. Successful exploitation allows an application to execute arbitrary code with kernel privileges, as reflected in its CVSS 3.1 score of 7.8.
An attacker can leverage the issue by supplying malicious input to a vulnerable application running on the device. Because the vector requires local access and user interaction but no prior privileges, a malicious or compromised app is sufficient to achieve full kernel-level code execution and compromise the system.
Apple addressed the issue in the iOS 12.1.4 security update published via HT209520. The vulnerability also appears in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation and underscoring the need for prompt patching on all supported devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-16831
Vulnerability details
A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 12.1.4. An application may be able to execute arbitrary code with kernel privileges.
- CWE(s)
- KEV Date Added
- 23 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the root cause of insufficient input validation that leads to the out-of-bounds write in CVE-2019-7287.
Provides memory protection mechanisms that mitigate the memory corruption (CWE-787) enabling kernel-level code execution.
Requires timely installation of the iOS 12.1.4 patch that Apple released specifically to remediate this known-exploited vulnerability.