Vulnerability Description
A vulnerability in the SecureROM of some Apple devices can be exploited by an unauthenticated local attacker to execute arbitrary code upon booting those devices. This vulnerability allows arbitrary code to be executed on the device. Exploiting the vulnerability requires physical access to the device: the device must be plugged in to a computer upon booting, and it must be put into Device Firmware Update (DFU) mode. The exploit is not persistent; rebooting the device overrides any changes to the device's software that were made during an exploited session on the device. Additionally, unless an attacker has access to the device's unlock PIN or fingerprint, an attacker cannot gain access to information protected by Apple's Secure Enclave or Touch ID features.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apple | Securerom | - |
| Apple | A10 Fusion | - |
| Apple | A10X Fusion | - |
| Apple | A11 Bionic | - |
| Apple | A5 | - |
| Apple | A5X | - |
| Apple | A6 | - |
| Apple | A6X | - |
| Apple | A7 | - |
| Apple | A8 | - |
| Apple | A8X | - |
| Apple | A9 | - |
| Apple | A9X | - |
Related Weaknesses (CWE)
References
- https://www.kb.cert.org/vuls/id/941987Third Party Advisory
FAQ
What is CVE-2019-8900?
CVE-2019-8900 is a vulnerability with a CVSS score of 6.8 (MEDIUM). A vulnerability in the SecureROM of some Apple devices can be exploited by an unauthenticated local attacker to execute arbitrary code upon booting those devices. This vulnerability allows arbitrary c...
How severe is CVE-2019-8900?
CVE-2019-8900 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-8900?
Check the references section above for vendor advisories and patch information. Affected products include: Apple Securerom, Apple A10 Fusion, Apple A10X Fusion, Apple A11 Bionic, Apple A5.