ID: CVE-2015-7112
Type: cve
Reporter: cve@mitre.org
Modified: 2019-03-08T16:06:00
Description
The IOHIDFamily API in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app, a different vulnerability than CVE-2015-7111.
{"exploitdb": [{"lastseen": "2016-02-04T10:01:06", "description": "iOS and OS X Kernel - Double-Delete IOHIDEventQueue::start Code Execution. CVE-2015-7112. Dos exploits for multiple platform", "published": "2016-01-28T00:00:00", "type": "exploitdb", "title": "iOS and OS X Kernel - Double-Delete IOHIDEventQueue::start Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7112"], "modified": "2016-01-28T00:00:00", "id": "EDB-ID:39379", "href": "https://www.exploit-db.com/exploits/39379/", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=542\r\n\r\nThe IOHIDLibUserClient allows us to create and manage IOHIDEventQueues corresponding to available HID devices.\r\n\r\nHere is the ::start method, which can be reached via the IOHIDLibUserClient::_startQueue external method:\r\n\r\n************ SNIP **************\r\n\r\nvoid IOHIDEventQueue::start() \r\n{\r\n if ( _lock )\r\n IOLockLock(_lock);\r\n\r\n if ( _state & kHIDQueueStarted )\r\n goto START_END;\r\n\r\n if ( _currentEntrySize != _maxEntrySize ) <--- (a)\r\n {\r\n mach_port_t port = notifyMsg ? ((mach_msg_header_t *)notifyMsg)->msgh_remote_port : MACH_PORT_NULL;\r\n \r\n // Free the existing queue data\r\n if (dataQueue) { <-- (b)\r\n IOFreeAligned(dataQueue, round_page_32(getQueueSize() + DATA_QUEUE_MEMORY_HEADER_SIZE));\r\n }\r\n \r\n if (_descriptor) {\r\n _descriptor->release();\r\n _descriptor = 0;\r\n }\r\n \r\n // init the queue again. 
This will allocate the appropriate data.\r\n if ( !initWithEntries(_numEntries, _maxEntrySize) ) { (c) <----\r\n goto START_END;\r\n }\r\n \r\n _currentEntrySize = _maxEntrySize;\r\n \r\n // RY: since we are initing the queue, we should reset the port as well\r\n if ( port ) \r\n setNotificationPort(port);\r\n }\r\n else if ( dataQueue )\r\n {\r\n dataQueue->head = 0;\r\n dataQueue->tail = 0;\r\n }\r\n\r\n _state |= kHIDQueueStarted;\r\n\r\nSTART_END:\r\n if ( _lock )\r\n IOLockUnlock(_lock);\r\n\r\n}\r\n\r\n************ SNIP **************\r\n\r\n\r\nIf _currentEntrySize is not equal to _maxEntrySize then the start method will attempt to reallocate a better-sized queue;\r\nif dataQueue (a member of IODataQueue) is non-zero its free'd then initWithEntries is called with the new _maxEntrySize.\r\n\r\nNote that the error path on failure here jumps straight to the end of the function, so it's up to initWithEntries to\r\nclear dataQueue if it fails:\r\n\r\n\r\n************ SNIP **************\r\n\r\nBoolean IOHIDEventQueue::initWithEntries(UInt32 numEntries, UInt32 entrySize)\r\n{\r\n UInt32 size = numEntries*entrySize;\r\n \r\n if ( size < MIN_HID_QUEUE_CAPACITY )\r\n size = MIN_HID_QUEUE_CAPACITY;\r\n \r\n return super::initWithCapacity(size);\r\n}\r\n\r\n************ SNIP **************\r\n\r\n\r\nThere's a possible overflow here; but there will be *many* possible overflows coming up and we need to overflow at the right one...\r\n\r\nThis calls through to IOSharedDataQueue::initWithCapacity\r\n\r\n\r\n************ SNIP **************\r\n\r\nBoolean IOSharedDataQueue::initWithCapacity(UInt32 size)\r\n{\r\n IODataQueueAppendix * appendix;\r\n vm_size_t allocSize;\r\n\r\n if (!super::init()) {\r\n return false;\r\n }\r\n\r\n\r\n _reserved = (ExpansionData *)IOMalloc(sizeof(struct ExpansionData));\r\n if (!_reserved) {\r\n return false;\r\n }\r\n\r\n if (size > UINT32_MAX - DATA_QUEUE_MEMORY_HEADER_SIZE - DATA_QUEUE_MEMORY_APPENDIX_SIZE) {\r\n return false;\r\n }\r\n 
\r\n allocSize = round_page(size + DATA_QUEUE_MEMORY_HEADER_SIZE + DATA_QUEUE_MEMORY_APPENDIX_SIZE);\r\n\r\n if (allocSize < size) {\r\n return false;\r\n }\r\n\r\n dataQueue = (IODataQueueMemory *)IOMallocAligned(allocSize, PAGE_SIZE);\r\n\r\n************ SNIP **************\r\n\r\n\r\nWe need this function to fail on any of the first four conditions; if we reach the IOMallocAligned call\r\nthen dataQueue will either be set to a valid allocation (which is uninteresting) or set to NULL (also uninteresting.)\r\n\r\nWe probably can't fail the ::init() call nor the small IOMalloc. There are then two integer overflow checks;\r\nthe first will only fail if size (a UInt32 is greater than 0xfffffff4), and the second will be impossible to trigger on 64-bit since\r\nround_pages will be checking for 64-bit overflow, and we want a cross-platform exploit!\r\n\r\nTherefore, we have to reach the call to initWithCapacity with a size >= 0xfffffff4 (ie 12 possible values?)\r\n\r\nWhere do _maxEntrySize and _currentEntrySize come from?\r\n\r\nWhen the queue is created they are both set to 0x20, and we can partially control _maxEntrySize by adding an new HIDElement to the queue.\r\n\r\n_numEntries is a completely controlled dword.\r\n\r\nSo in order to reach the exploitable conditions we need to:\r\n\r\n1) create a queue, specifying a value for _numEntries. This will allocate a queue (via initWithCapacity) of _numEntries*0x20; this allocation must succeed.\r\n\r\n2) add an element to that queue with a *larger* size, such that _maxEntrySize is increased to NEW_MAX_SIZE.\r\n\r\n3) stop the queue.\r\n\r\n4) start the queue; at which point we will call IOHIDEventQueue::start. since _maxEntrySize is now larger this\r\nwill free dataQueue then call initWithEntries(_num_entries, NEW_MAX_SIZE). 
This has to fail in exactly the manner\r\ndescribed above such that dataQueue is a dangling pointer.\r\n\r\n5) start the queue again, since _maxEntrySize is still != _currentEntrySize, this will call free dataQueue again!\r\n\r\n\r\nThe really tricky part here is coming up with the values for _numEntries and NEW_MAX_SIZE; the constraints are:\r\n\r\n_numEntries is a dword\r\n(_numEntries*0x20)%2^32 must be an allocatable size (ideally <0x10000000)\r\n(_numEntries*NEW_MAX_SIZE)%2^32 must be >= 0xfffffff4\r\n\r\npresumable NEW_MAX_SIZE is also reasonably limited by the HID descriptor parsing code, but I didn't look.\r\n\r\nThis really doesn't give you much leaway, but it is quite satisfiable :)\r\n\r\nIn this case I've chosen to create a \"fake\" hid device so that I can completely control NEW_MAX_SIZE, thus the PoC requires\r\nroot (as did the TAIG jailbreak which also messed with report descriptors.) However, this isn't actually a requirement to hit the bug; you'd just need to look through every single HID report descriptor on your system to find one with a suitable report size.\r\n\r\nIn this case, _numEntries of 0x3851eb85 leads to an initial queue size of (0x3851eb85*0x20)%2^32 = 0xa3d70a0\r\nwhich is easily allocatable, and NEW_MAX_SIZE = 0x64 leads to: (0x3851eb85*0x64)%2^32 = 0xfffffff4\r\n\r\n\r\nTo run the PoC:\r\n\r\n1) unzip and build the fake_hid code and run 'test -k' as root; this will create an IOHIDUserDevice whose\r\ncookie=2 IOHIDElementPrivate report size is 0x64.\r\n\r\n2) build and run this file as a regular user.\r\n\r\n3) see double free crash.\r\n\r\nThere's actually nothing limiting this to a double free, you could go on indefinitely free'ing the same pointer.\r\n\r\nAs I said before, this bug doesn't actually require root but it's just *much* easier to repro with it!\r\n\r\nTesting on: MacBookAir5,2 10.10.5 14F27\r\nGuessing that this affects iOS too but haven't tested.\r\n\r\n\r\nProof of 
Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39379.zip\r\n\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/39379/"}], "zdt": [{"lastseen": "2018-02-18T01:24:12", "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "published": "2016-01-28T00:00:00", "title": "Apple Mac OSX / iOS - Double-Delete IOHIDEventQueue::start Code Execution", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7112"], "modified": "2016-01-28T00:00:00", "href": "https://0day.today/exploit/description/25783", "id": "1337DAY-ID-25783", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=542\r\n \r\nThe IOHIDLibUserClient allows us to create and manage IOHIDEventQueues corresponding to available HID devices.\r\n \r\nHere is the ::start method, which can be reached via the IOHIDLibUserClient::_startQueue external method:\r\n \r\n************ SNIP **************\r\n \r\nvoid IOHIDEventQueue::start() \r\n{\r\n if ( _lock )\r\n IOLockLock(_lock);\r\n \r\n if ( _state & kHIDQueueStarted )\r\n goto START_END;\r\n \r\n if ( _currentEntrySize != _maxEntrySize ) <--- (a)\r\n {\r\n mach_port_t port = notifyMsg ? ((mach_msg_header_t *)notifyMsg)->msgh_remote_port : MACH_PORT_NULL;\r\n \r\n // Free the existing queue data\r\n if (dataQueue) { <-- (b)\r\n IOFreeAligned(dataQueue, round_page_32(getQueueSize() + DATA_QUEUE_MEMORY_HEADER_SIZE));\r\n }\r\n \r\n if (_descriptor) {\r\n _descriptor->release();\r\n _descriptor = 0;\r\n }\r\n \r\n // init the queue again. 
This will allocate the appropriate data.\r\n if ( !initWithEntries(_numEntries, _maxEntrySize) ) { (c) <----\r\n goto START_END;\r\n }\r\n \r\n _currentEntrySize = _maxEntrySize;\r\n \r\n // RY: since we are initing the queue, we should reset the port as well\r\n if ( port ) \r\n setNotificationPort(port);\r\n }\r\n else if ( dataQueue )\r\n {\r\n dataQueue->head = 0;\r\n dataQueue->tail = 0;\r\n }\r\n \r\n _state |= kHIDQueueStarted;\r\n \r\nSTART_END:\r\n if ( _lock )\r\n IOLockUnlock(_lock);\r\n \r\n}\r\n \r\n************ SNIP **************\r\n \r\n \r\nIf _currentEntrySize is not equal to _maxEntrySize then the start method will attempt to reallocate a better-sized queue;\r\nif dataQueue (a member of IODataQueue) is non-zero its free'd then initWithEntries is called with the new _maxEntrySize.\r\n \r\nNote that the error path on failure here jumps straight to the end of the function, so it's up to initWithEntries to\r\nclear dataQueue if it fails:\r\n \r\n \r\n************ SNIP **************\r\n \r\nBoolean IOHIDEventQueue::initWithEntries(UInt32 numEntries, UInt32 entrySize)\r\n{\r\n UInt32 size = numEntries*entrySize;\r\n \r\n if ( size < MIN_HID_QUEUE_CAPACITY )\r\n size = MIN_HID_QUEUE_CAPACITY;\r\n \r\n return super::initWithCapacity(size);\r\n}\r\n \r\n************ SNIP **************\r\n \r\n \r\nThere's a possible overflow here; but there will be *many* possible overflows coming up and we need to overflow at the right one...\r\n \r\nThis calls through to IOSharedDataQueue::initWithCapacity\r\n \r\n \r\n************ SNIP **************\r\n \r\nBoolean IOSharedDataQueue::initWithCapacity(UInt32 size)\r\n{\r\n IODataQueueAppendix * appendix;\r\n vm_size_t allocSize;\r\n \r\n if (!super::init()) {\r\n return false;\r\n }\r\n \r\n \r\n _reserved = (ExpansionData *)IOMalloc(sizeof(struct ExpansionData));\r\n if (!_reserved) {\r\n return false;\r\n }\r\n \r\n if (size > UINT32_MAX - DATA_QUEUE_MEMORY_HEADER_SIZE - DATA_QUEUE_MEMORY_APPENDIX_SIZE) {\r\n 
return false;\r\n }\r\n \r\n allocSize = round_page(size + DATA_QUEUE_MEMORY_HEADER_SIZE + DATA_QUEUE_MEMORY_APPENDIX_SIZE);\r\n \r\n if (allocSize < size) {\r\n return false;\r\n }\r\n \r\n dataQueue = (IODataQueueMemory *)IOMallocAligned(allocSize, PAGE_SIZE);\r\n \r\n************ SNIP **************\r\n \r\n \r\nWe need this function to fail on any of the first four conditions; if we reach the IOMallocAligned call\r\nthen dataQueue will either be set to a valid allocation (which is uninteresting) or set to NULL (also uninteresting.)\r\n \r\nWe probably can't fail the ::init() call nor the small IOMalloc. There are then two integer overflow checks;\r\nthe first will only fail if size (a UInt32 is greater than 0xfffffff4), and the second will be impossible to trigger on 64-bit since\r\nround_pages will be checking for 64-bit overflow, and we want a cross-platform exploit!\r\n \r\nTherefore, we have to reach the call to initWithCapacity with a size >= 0xfffffff4 (ie 12 possible values?)\r\n \r\nWhere do _maxEntrySize and _currentEntrySize come from?\r\n \r\nWhen the queue is created they are both set to 0x20, and we can partially control _maxEntrySize by adding an new HIDElement to the queue.\r\n \r\n_numEntries is a completely controlled dword.\r\n \r\nSo in order to reach the exploitable conditions we need to:\r\n \r\n1) create a queue, specifying a value for _numEntries. This will allocate a queue (via initWithCapacity) of _numEntries*0x20; this allocation must succeed.\r\n \r\n2) add an element to that queue with a *larger* size, such that _maxEntrySize is increased to NEW_MAX_SIZE.\r\n \r\n3) stop the queue.\r\n \r\n4) start the queue; at which point we will call IOHIDEventQueue::start. since _maxEntrySize is now larger this\r\nwill free dataQueue then call initWithEntries(_num_entries, NEW_MAX_SIZE). 
This has to fail in exactly the manner\r\ndescribed above such that dataQueue is a dangling pointer.\r\n \r\n5) start the queue again, since _maxEntrySize is still != _currentEntrySize, this will call free dataQueue again!\r\n \r\n \r\nThe really tricky part here is coming up with the values for _numEntries and NEW_MAX_SIZE; the constraints are:\r\n \r\n_numEntries is a dword\r\n(_numEntries*0x20)%2^32 must be an allocatable size (ideally <0x10000000)\r\n(_numEntries*NEW_MAX_SIZE)%2^32 must be >= 0xfffffff4\r\n \r\npresumable NEW_MAX_SIZE is also reasonably limited by the HID descriptor parsing code, but I didn't look.\r\n \r\nThis really doesn't give you much leaway, but it is quite satisfiable :)\r\n \r\nIn this case I've chosen to create a \"fake\" hid device so that I can completely control NEW_MAX_SIZE, thus the PoC requires\r\nroot (as did the TAIG jailbreak which also messed with report descriptors.) However, this isn't actually a requirement to hit the bug; you'd just need to look through every single HID report descriptor on your system to find one with a suitable report size.\r\n \r\nIn this case, _numEntries of 0x3851eb85 leads to an initial queue size of (0x3851eb85*0x20)%2^32 = 0xa3d70a0\r\nwhich is easily allocatable, and NEW_MAX_SIZE = 0x64 leads to: (0x3851eb85*0x64)%2^32 = 0xfffffff4\r\n \r\n \r\nTo run the PoC:\r\n \r\n1) unzip and build the fake_hid code and run 'test -k' as root; this will create an IOHIDUserDevice whose\r\ncookie=2 IOHIDElementPrivate report size is 0x64.\r\n \r\n2) build and run this file as a regular user.\r\n \r\n3) see double free crash.\r\n \r\nThere's actually nothing limiting this to a double free, you could go on indefinitely free'ing the same pointer.\r\n \r\nAs I said before, this bug doesn't actually require root but it's just *much* easier to repro with it!\r\n \r\nTesting on: MacBookAir5,2 10.10.5 14F27\r\nGuessing that this affects iOS too but haven't tested.\r\n \r\n \r\nProof of 
Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39379.zip\n\n# 0day.today [2018-02-17] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25783"}], "nessus": [{"lastseen": "2021-02-01T01:23:40", "description": "According to its banner, the version of the remote Apple TV device is\nprior to 9.1. It is, therefore, affected by multiple vulnerabilities\nin the following components :\n\n - AppleMobileFileIntegrity\n - Compression\n - CoreGraphics\n - CoreMedia Playback\n - Disk Images\n - dyld\n - ImageIO\n - IOAcceleratorFamily\n - IOHIDFamily\n - IOKit SCSI\n - Kernel\n - libarchive\n - libc\n - libxml2\n - MobileStorageMounter\n - OpenGL\n - Security\n - WebKit\n\nNote that only 4th generation models are affected by the\nvulnerabilities.", "edition": 29, "cvss3": {"score": 4.3, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}, "published": "2016-10-13T00:00:00", "title": "Apple TV < 9.1 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7068", "CVE-2015-7075", "CVE-2015-7112", "CVE-2015-7065", "CVE-2015-7038", "CVE-2015-7097", "CVE-2015-7100", "CVE-2015-7073", "CVE-2015-7099", "CVE-2015-7111", "CVE-2015-7061", "CVE-2015-7059", "CVE-2015-7066", "CVE-2015-7104", "CVE-2015-7058", "CVE-2015-7040", "CVE-2015-7083", "CVE-2015-7051", "CVE-2015-7101", "CVE-2015-7053", "CVE-2015-7074", "CVE-2015-7079", "CVE-2015-7098", "CVE-2015-7043", "CVE-2015-7110", "CVE-2015-7042", "CVE-2015-7105", "CVE-2015-7048", "CVE-2015-7115", "CVE-2015-7054", "CVE-2015-7064", "CVE-2015-7096", "CVE-2015-7060", "CVE-2015-7109", "CVE-2015-7039", "CVE-2015-7084", "CVE-2015-7103", "CVE-2015-7055", "CVE-2015-7116", "CVE-2015-7095", "CVE-2015-7102", "CVE-2011-2895", "CVE-2015-7041", "CVE-2015-7047", "CVE-2015-7072"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:apple:apple_tv"], "id": "APPLETV_9_1.NASL", "href": 
"https://www.tenable.com/plugins/nessus/94050", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94050);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/02/26 4:50:08\");\n\n script_cve_id(\n \"CVE-2011-2895\",\n \"CVE-2015-7038\",\n \"CVE-2015-7039\",\n \"CVE-2015-7040\",\n \"CVE-2015-7041\",\n \"CVE-2015-7042\",\n \"CVE-2015-7043\",\n \"CVE-2015-7047\",\n \"CVE-2015-7048\",\n \"CVE-2015-7051\",\n \"CVE-2015-7053\",\n \"CVE-2015-7054\",\n \"CVE-2015-7055\",\n \"CVE-2015-7058\",\n \"CVE-2015-7059\",\n \"CVE-2015-7060\",\n \"CVE-2015-7061\",\n \"CVE-2015-7064\",\n \"CVE-2015-7065\",\n \"CVE-2015-7066\",\n \"CVE-2015-7068\",\n \"CVE-2015-7072\",\n \"CVE-2015-7073\",\n \"CVE-2015-7074\",\n \"CVE-2015-7075\",\n \"CVE-2015-7079\",\n \"CVE-2015-7083\",\n \"CVE-2015-7084\",\n \"CVE-2015-7095\",\n \"CVE-2015-7096\",\n \"CVE-2015-7097\",\n \"CVE-2015-7098\",\n \"CVE-2015-7099\",\n \"CVE-2015-7100\",\n \"CVE-2015-7101\",\n \"CVE-2015-7102\",\n \"CVE-2015-7103\",\n \"CVE-2015-7104\",\n \"CVE-2015-7105\",\n \"CVE-2015-7109\",\n \"CVE-2015-7110\",\n \"CVE-2015-7111\",\n \"CVE-2015-7112\",\n \"CVE-2015-7115\",\n \"CVE-2015-7116\"\n );\n script_bugtraq_id(\n 49124,\n 78719,\n 78720,\n 78725,\n 78726,\n 78728,\n 78728,\n 78732,\n 78733,\n 78735,\n 80379\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2015-12-08-2\");\n script_xref(name:\"EDB-ID\", value:\"39357\");\n script_xref(name:\"EDB-ID\", value:\"38917\");\n\n script_name(english:\"Apple TV < 9.1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of the remote Apple TV device is\nprior to 9.1. 
It is, therefore, affected by multiple vulnerabilities\nin the following components :\n\n - AppleMobileFileIntegrity\n - Compression\n - CoreGraphics\n - CoreMedia Playback\n - Disk Images\n - dyld\n - ImageIO\n - IOAcceleratorFamily\n - IOHIDFamily\n - IOKit SCSI\n - Kernel\n - libarchive\n - libc\n - libxml2\n - MobileStorageMounter\n - OpenGL\n - Security\n - WebKit\n\nNote that only 4th generation models are affected by the\nvulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT205640\");\n # https://lists.apple.com/archives/security-announce/2015/Dec/msg00001.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?951f278f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple TV version 9.1 or later. Note that this update is\navailable only for 4th generation models.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-7116\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:apple_tv\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"appletv_version.nasl\");\n script_require_keys(\"AppleTV/Version\", \"AppleTV/Model\", \"AppleTV/URL\", \"AppleTV/Port\");\n script_require_ports(\"Services/www\", 7000);\n\n exit(0);\n}\n\ninclude(\"appletv_func.inc\");\ninclude(\"audit.inc\");\n\nurl = get_kb_item('AppleTV/URL');\nif (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');\nport = get_kb_item('AppleTV/Port');\nif (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');\n\nbuild = get_kb_item('AppleTV/Version');\nif (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');\n\nmodel = get_kb_item('AppleTV/Model');\nif (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');\n\n# fix\nfixed_build = \"13T402\";\ntvos_ver = \"9.1\"; # for reporting purposes only\n\n# determine gen from the model\ngen = APPLETV_MODEL_GEN[model];\n\nappletv_check_version(\n build : build,\n fix : fixed_build,\n affected_gen : 4,\n fix_tvos_ver : tvos_ver,\n model : model,\n gen : gen,\n severity : SECURITY_HOLE,\n port : port,\n url : url\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T03:41:37", "description": "The remote host is running a version of Mac OS X 10.9.5 or 10.10.5\nthat is missing Security Update 2015-005 or 2015-008. 
It is,\ntherefore, affected by multiple vulnerabilities in the following\ncomponents :\n\n - apache_mod_php\n - AppSandbox\n - Bluetooth\n - CFNetwork HTTPProtocol\n - Compression\n - Configuration Profiles\n - CoreGraphics\n - CoreMedia Playback\n - Disk Images\n - EFI\n - File Bookmark\n - Hypervisor\n - iBooks\n - ImageIO\n - Intel Graphics Driver\n - IOAcceleratorFamily\n - IOHIDFamily\n - IOKit SCSI\n - IOThunderboltFamily\n - Kernel\n - kext tools\n - Keychain Access\n - libarchive\n - libc\n - libexpat\n - libxml2\n - OpenGL\n - OpenLDAP\n - OpenSSH\n - QuickLook\n - Sandbox\n - Security\n - System Integrity Protection\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.", "edition": 25, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-12-11T00:00:00", "title": "Mac OS X Multiple Vulnerabilities (Security Updates 2015-005 / 2015-008)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7068", "CVE-2015-6908", "CVE-2015-7075", "CVE-2015-7112", "CVE-2015-7065", "CVE-2015-7038", "CVE-2015-7076", "CVE-2012-1148", "CVE-2015-7071", "CVE-2012-1147", "CVE-2015-7073", "CVE-2015-7063", "CVE-2015-7111", "CVE-2015-7061", "CVE-2015-7059", "CVE-2015-7066", "CVE-2015-7058", "CVE-2015-7040", "CVE-2015-7083", "CVE-2015-7067", "CVE-2015-7053", "CVE-2015-7078", "CVE-2015-5334", "CVE-2015-7074", "CVE-2015-7043", "CVE-2015-7106", "CVE-2015-7110", "CVE-2015-7062", "CVE-2012-0876", "CVE-2015-7042", "CVE-2015-7105", "CVE-2015-7108", "CVE-2015-7054", "CVE-2015-7001", "CVE-2015-3807", "CVE-2015-7094", "CVE-2015-7064", "CVE-2015-7060", "CVE-2015-7045", "CVE-2015-7109", "CVE-2015-7039", "CVE-2015-7084", "CVE-2015-7107", "CVE-2015-7803", "CVE-2015-5333", "CVE-2015-7044", "CVE-2015-7052", "CVE-2015-7081", "CVE-2011-2895", "CVE-2015-7077", "CVE-2015-7041", "CVE-2015-7047", "CVE-2015-7046", "CVE-2015-7804"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], 
"id": "MACOSX_SECUPD2015-008.NASL", "href": "https://www.tenable.com/plugins/nessus/87321", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87321);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\n \"CVE-2011-2895\",\n \"CVE-2012-0876\",\n \"CVE-2012-1147\",\n \"CVE-2012-1148\",\n \"CVE-2015-3807\",\n \"CVE-2015-5333\",\n \"CVE-2015-5334\",\n \"CVE-2015-6908\",\n \"CVE-2015-7001\",\n \"CVE-2015-7038\",\n \"CVE-2015-7039\",\n \"CVE-2015-7040\",\n \"CVE-2015-7041\",\n \"CVE-2015-7042\",\n \"CVE-2015-7043\",\n \"CVE-2015-7044\",\n \"CVE-2015-7045\",\n \"CVE-2015-7046\",\n \"CVE-2015-7047\",\n \"CVE-2015-7052\",\n \"CVE-2015-7053\",\n \"CVE-2015-7054\",\n \"CVE-2015-7058\",\n \"CVE-2015-7059\",\n \"CVE-2015-7060\",\n \"CVE-2015-7061\",\n \"CVE-2015-7062\",\n \"CVE-2015-7063\",\n \"CVE-2015-7064\",\n \"CVE-2015-7065\",\n \"CVE-2015-7066\",\n \"CVE-2015-7067\",\n \"CVE-2015-7068\",\n \"CVE-2015-7071\",\n \"CVE-2015-7073\",\n \"CVE-2015-7074\",\n \"CVE-2015-7075\",\n \"CVE-2015-7076\",\n \"CVE-2015-7077\",\n \"CVE-2015-7078\",\n \"CVE-2015-7081\",\n \"CVE-2015-7083\",\n \"CVE-2015-7084\",\n \"CVE-2015-7094\",\n \"CVE-2015-7105\",\n \"CVE-2015-7106\",\n \"CVE-2015-7107\",\n \"CVE-2015-7108\",\n \"CVE-2015-7109\",\n \"CVE-2015-7110\",\n \"CVE-2015-7111\",\n \"CVE-2015-7112\",\n \"CVE-2015-7803\",\n \"CVE-2015-7804\"\n );\n script_bugtraq_id(\n 49124,\n 52379,\n 76343,\n 76714,\n 76959,\n 77112,\n 78719,\n 78721,\n 78725,\n 78730,\n 78733,\n 78735\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2015-12-08-3\");\n script_xref(name:\"EDB-ID\", value:\"38145\");\n script_xref(name:\"EDB-ID\", value:\"38917\");\n script_xref(name:\"EDB-ID\", value:\"39357\");\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Updates 2015-005 / 2015-008)\");\n script_summary(english:\"Checks for the presence of Security Update 2015-005 and 
2015-008.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes multiple\nsecurity vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.9.5 or 10.10.5\nthat is missing Security Update 2015-005 or 2015-008. It is,\ntherefore, affected by multiple vulnerabilities in the following\ncomponents :\n\n - apache_mod_php\n - AppSandbox\n - Bluetooth\n - CFNetwork HTTPProtocol\n - Compression\n - Configuration Profiles\n - CoreGraphics\n - CoreMedia Playback\n - Disk Images\n - EFI\n - File Bookmark\n - Hypervisor\n - iBooks\n - ImageIO\n - Intel Graphics Driver\n - IOAcceleratorFamily\n - IOHIDFamily\n - IOKit SCSI\n - IOThunderboltFamily\n - Kernel\n - kext tools\n - Keychain Access\n - libarchive\n - libc\n - libexpat\n - libxml2\n - OpenGL\n - OpenLDAP\n - OpenSSH\n - QuickLook\n - Sandbox\n - Security\n - System Integrity Protection\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT205637\");\n # https://lists.apple.com/archives/security-announce/2015/Dec/msg00005.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ec39a4a4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install Security Update 2015-006 (OS X 10.9.5) / 2015-008 (OS X\n10.10.5) or later. 
Note that Security Update 2015-006 is a\nreplacement for the earlier 2015-005 update mentioned in the original\nadvisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/08/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Compare 2 patch numbers to determine if patch requirements are satisfied.\n# Return true if this patch or a later patch is applied\n# Return false otherwise\nfunction check_patch(year, number)\n{\n local_var p_split = split(patch, sep:\"-\");\n local_var p_year = int( p_split[0]);\n local_var p_num = int( p_split[1]);\n\n if (year > p_year) return TRUE;\n else if (year < p_year) return FALSE;\n else if (number >= p_num) return TRUE;\n else return FALSE;\n}\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\n# Advisory states that update 2015-005 is available for 10.10.5 and update 2015-008 is available for 10.9.5\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\nif (!ereg(pattern:\"Mac OS X 10\\.(9|10)\\.5([^0-9]|$)\", string:os)) audit(AUDIT_OS_NOT, \"Mac OS X 10.9.5 or Mac OS X 10.10.5\");\n\nif ( \"10.9.5\" >< os) patch = \"2015-008\";\nelse if ( \"10.10.5\" >< os ) patch = \"2015-005\";\n\npackages = get_kb_item_or_exit(\"Host/MacOSX/packages/boms\", exit_code:1);\nsec_boms_report = egrep(pattern:\"^com\\.apple\\.pkg\\.update\\.security\\..*bom$\", string:packages);\nsec_boms = split(sec_boms_report, sep:'\\n');\n\nforeach package (sec_boms)\n{\n # Grab patch year and number\n match = eregmatch(pattern:\"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]\", string:package);\n if (empty_or_null(match[1]) || empty_or_null(match[2]))\n continue;\n\n patch_found = check_patch(year:int(match[1]), number:int(match[2]));\n if (patch_found) exit(0, \"The host has Security Update \" + patch + \" or later installed and is therefore not affected.\");\n}\n\nreport = '\\n Missing security update : ' + patch;\nreport += '\\n Installed security BOMs : ';\nif (sec_boms_report) report += str_replace(find:'\\n', replace:'\\n ', string:sec_boms_report);\nelse report += 'n/a';\nreport += '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T03:38:54", "description": "The remote host is running a version of Mac OS X that is 10.11.x prior\nto 10.11.2. 
It is, therefore, affected by multiple vulnerabilities in\nthe following components :\n\n - apache_mod_php\n - AppSandbox\n - Bluetooth\n - CFNetwork HTTPProtocol\n - Compression\n - Configuration Profiles\n - CoreGraphics\n - CoreMedia Playback\n - Disk Images\n - EFI\n - File Bookmark\n - Hypervisor\n - iBooks\n - ImageIO\n - Intel Graphics Driver\n - IOAcceleratorFamily\n - IOHIDFamily\n - IOKit SCSI\n - IOThunderboltFamily\n - Kernel\n - kext tools\n - Keychain Access\n - libarchive\n - libc\n - libexpat\n - libxml2\n - OpenGL\n - OpenLDAP\n - OpenSSH\n - QuickLook\n - Sandbox\n - Security\n - System Integrity Protection\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.", "edition": 25, "published": "2015-12-10T00:00:00", "title": "Mac OS X 10.11.x < 10.11.2 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7068", "CVE-2015-6908", "CVE-2015-7075", "CVE-2015-7112", "CVE-2015-7065", "CVE-2015-7038", "CVE-2015-7076", "CVE-2012-1148", "CVE-2015-7071", "CVE-2012-1147", "CVE-2015-7073", "CVE-2015-7063", "CVE-2015-7111", "CVE-2015-7061", "CVE-2015-7059", "CVE-2015-7066", "CVE-2015-7058", "CVE-2015-7040", "CVE-2015-7083", "CVE-2015-7067", "CVE-2015-7053", "CVE-2015-7078", "CVE-2015-5334", "CVE-2015-7074", "CVE-2015-7043", "CVE-2015-7106", "CVE-2015-7110", "CVE-2015-7062", "CVE-2012-0876", "CVE-2015-7042", "CVE-2015-7105", "CVE-2015-7115", "CVE-2015-7108", "CVE-2015-7054", "CVE-2015-7001", "CVE-2015-3807", "CVE-2015-7094", "CVE-2015-7064", "CVE-2015-7060", "CVE-2015-7045", "CVE-2015-7109", "CVE-2015-7039", "CVE-2015-7084", "CVE-2015-7107", "CVE-2015-7803", "CVE-2015-5333", "CVE-2015-7044", "CVE-2015-7116", "CVE-2015-7052", "CVE-2015-7081", "CVE-2011-2895", "CVE-2015-7077", "CVE-2015-7041", "CVE-2015-7047", "CVE-2015-7046", "CVE-2015-7804"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_10_11_2.NASL", "href": 
"https://www.tenable.com/plugins/nessus/87314", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87314);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/20\");\n\n script_cve_id(\n \"CVE-2011-2895\",\n \"CVE-2012-0876\",\n \"CVE-2012-1147\",\n \"CVE-2012-1148\",\n \"CVE-2015-3807\",\n \"CVE-2015-5333\",\n \"CVE-2015-5334\",\n \"CVE-2015-6908\",\n \"CVE-2015-7001\",\n \"CVE-2015-7038\",\n \"CVE-2015-7039\",\n \"CVE-2015-7040\",\n \"CVE-2015-7041\",\n \"CVE-2015-7042\",\n \"CVE-2015-7043\",\n \"CVE-2015-7044\",\n \"CVE-2015-7045\",\n \"CVE-2015-7046\",\n \"CVE-2015-7047\",\n \"CVE-2015-7052\",\n \"CVE-2015-7053\",\n \"CVE-2015-7054\",\n \"CVE-2015-7058\",\n \"CVE-2015-7059\",\n \"CVE-2015-7060\",\n \"CVE-2015-7061\",\n \"CVE-2015-7062\",\n \"CVE-2015-7063\",\n \"CVE-2015-7064\",\n \"CVE-2015-7065\",\n \"CVE-2015-7066\",\n \"CVE-2015-7067\",\n \"CVE-2015-7068\",\n \"CVE-2015-7071\",\n \"CVE-2015-7073\",\n \"CVE-2015-7074\",\n \"CVE-2015-7075\",\n \"CVE-2015-7076\",\n \"CVE-2015-7077\",\n \"CVE-2015-7078\",\n \"CVE-2015-7081\",\n \"CVE-2015-7083\",\n \"CVE-2015-7084\",\n \"CVE-2015-7094\",\n \"CVE-2015-7105\",\n \"CVE-2015-7106\",\n \"CVE-2015-7107\",\n \"CVE-2015-7108\",\n \"CVE-2015-7109\",\n \"CVE-2015-7110\",\n \"CVE-2015-7111\",\n \"CVE-2015-7112\",\n \"CVE-2015-7115\",\n \"CVE-2015-7116\",\n \"CVE-2015-7803\",\n \"CVE-2015-7804\"\n );\n script_bugtraq_id(\n 49124,\n 52379,\n 76343,\n 76714,\n 76959,\n 77112,\n 78719,\n 78721,\n 78725,\n 78730,\n 78733,\n 78735\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2015-12-08-3\");\n script_xref(name:\"EDB-ID\", value:\"38917\");\n\n script_name(english:\"Mac OS X 10.11.x < 10.11.2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Mac OS X.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes multiple\nsecurity vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X that is 10.11.x prior\nto 10.11.2. It is, therefore, affected by multiple vulnerabilities in\nthe following components :\n\n - apache_mod_php\n - AppSandbox\n - Bluetooth\n - CFNetwork HTTPProtocol\n - Compression\n - Configuration Profiles\n - CoreGraphics\n - CoreMedia Playback\n - Disk Images\n - EFI\n - File Bookmark\n - Hypervisor\n - iBooks\n - ImageIO\n - Intel Graphics Driver\n - IOAcceleratorFamily\n - IOHIDFamily\n - IOKit SCSI\n - IOThunderboltFamily\n - Kernel\n - kext tools\n - Keychain Access\n - libarchive\n - libc\n - libexpat\n - libxml2\n - OpenGL\n - OpenLDAP\n - OpenSSH\n - QuickLook\n - Sandbox\n - Security\n - System Integrity Protection\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT205579\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT205637\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mac OS X version 10.11.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-7071\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/08/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Cannot determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\nmatch = eregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (isnull(match)) exit(1, \"Failed to parse the Mac OS X version ('\" + os + \"').\");\n\nversion = match[1];\n\nif (\n version !~ \"^10\\.11([^0-9]|$)\"\n) audit(AUDIT_OS_NOT, \"Mac OS X 10.11 or later\", \"Mac OS X \"+version);\n\nfixed_version = \"10.11.2\";\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected since it is running Mac OS X \"+version+\".\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:36:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7068", "CVE-2015-6908", "CVE-2015-7075", "CVE-2015-7112", "CVE-2015-7065", "CVE-2015-7038", "CVE-2015-7076", "CVE-2012-1148", "CVE-2015-7071", "CVE-2012-1147", "CVE-2015-7073", "CVE-2015-7063", "CVE-2015-7111", "CVE-2015-7061", "CVE-2015-7059", "CVE-2015-7066", 
"CVE-2015-7058", "CVE-2015-7040", "CVE-2015-7083", "CVE-2015-7067", "CVE-2015-7053", "CVE-2015-7078", "CVE-2015-5334", "CVE-2015-7074", "CVE-2015-7043", "CVE-2015-7106", "CVE-2015-7110", "CVE-2015-7062", "CVE-2012-0876", "CVE-2015-7042", "CVE-2015-7105", "CVE-2015-7115", "CVE-2015-7108", "CVE-2015-7054", "CVE-2015-7001", "CVE-2015-7094", "CVE-2015-7064", "CVE-2015-7060", "CVE-2015-7045", "CVE-2015-7109", "CVE-2015-7039", "CVE-2015-7084", "CVE-2015-7107", "CVE-2015-7803", "CVE-2015-5333", "CVE-2015-7044", "CVE-2015-7116", "CVE-2015-7052", "CVE-2015-7081", "CVE-2011-2895", "CVE-2015-7077", "CVE-2015-7041", "CVE-2015-7047", "CVE-2015-7046", "CVE-2015-7804"], "description": "This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.", "modified": "2019-05-03T00:00:00", "published": "2015-12-15T00:00:00", "id": "OPENVAS:1361412562310807000", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807000", "type": "openvas", "title": "Apple Mac OS X Multiple Vulnerabilities-01 December-15", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple Mac OS X Multiple Vulnerabilities-01 December-15\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807000\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2015-7044\", \"CVE-2015-7045\", \"CVE-2015-7052\", \"CVE-2015-7059\",\n \"CVE-2015-7060\", \"CVE-2015-7061\", \"CVE-2015-7062\", \"CVE-2015-7063\",\n \"CVE-2015-7067\", \"CVE-2015-7071\", \"CVE-2015-7076\", \"CVE-2015-7077\",\n \"CVE-2015-7078\", \"CVE-2015-7106\", \"CVE-2015-7108\", \"CVE-2015-7109\",\n \"CVE-2015-7110\", \"CVE-2015-7105\", \"CVE-2015-7074\", \"CVE-2015-7075\",\n \"CVE-2015-7053\", \"CVE-2011-2895\", \"CVE-2015-7115\", \"CVE-2015-7116\",\n \"CVE-2015-7064\", \"CVE-2015-7065\", \"CVE-2015-7066\", \"CVE-2015-7107\",\n \"CVE-2015-7058\", \"CVE-2015-7803\", \"CVE-2015-7804\", \"CVE-2015-7001\",\n \"CVE-2015-7094\", \"CVE-2015-7054\", \"CVE-2015-7081\", \"CVE-2015-7111\",\n \"CVE-2015-7112\", \"CVE-2015-7068\", \"CVE-2015-7040\", \"CVE-2015-7041\",\n \"CVE-2015-7042\", \"CVE-2015-7043\", \"CVE-2015-7083\", \"CVE-2015-7084\",\n \"CVE-2015-7047\", \"CVE-2015-7038\", \"CVE-2015-7039\", \"CVE-2012-0876\",\n \"CVE-2012-1147\", \"CVE-2012-1148\", \"CVE-2015-6908\", \"CVE-2015-5333\",\n \"CVE-2015-5334\", \"CVE-2015-7046\", \"CVE-2015-7073\");\n script_bugtraq_id(78735, 78721, 78733);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-12-15 12:46:20 +0530 (Tue, 15 Dec 2015)\");\n script_name(\"Apple Mac OS X Multiple Vulnerabilities-01 December-15\");\n\n 
script_tag(name:\"summary\", value:\"This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to\n\n - An error in Bluetooth HCI interface.\n\n - An error in IOAcceleratorFamily.\n\n - An error in Disk Images component.\n\n - The System Integrity Protection feature mishandles union mounts.\n\n - The Keychain Access improperly interacts with Keychain Agent.\n\n - The Kext tools mishandles kernel-extension loading.\n\n - Error in in ASN.1 decode, kernel loader in EF, IOThunderboltFamily, in File\n Bookmark component.\n\n - The Multiple errors in Intel Graphics Driver component.\n\n - The Use-after-free error in Hypervisor.\n\n - A privilege issue existed in handling union mounts.\n\n - Multiple vulnerabilities existed in LibreSSL.\n\n - An input validation issue existed in OpenLDAP.\n\n - An issue existed in how Keychain Access interacted with Keychain Agent.\n\n For more details refer reference section.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to obtain sensitive information, execute arbitrary code, gain privileges,\n cause a denial of service, to spoof, to bypass protection mechanism.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions 10.11 to 10.11.1,\n 10.9.x through 10.9.5 and 10.10.x through 10.10.5.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X version\n 10.11.2 or later or apply security update 2015-005 for 10.10.x and security\n update 2015-008 for 10.9.x. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.apple.com/HT205637\");\n script_xref(name:\"URL\", value:\"http://lists.apple.com/archives/security-announce/2015/Dec/msg00005.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.(9|1[01])\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.(9|1[01])\" || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nif((osVer == \"10.9.5\") || (osVer == \"10.10.5\"))\n{\n buildVer = get_kb_item(\"ssh/login/osx_build\");\n if(!buildVer){\n exit(0);\n }\n\n if(osVer == \"10.9.5\" && version_is_less(version:buildVer, test_version:\"13F1507\"))\n {\n fix = \"Apply Security Update 2015-008\";\n osVer = osVer + \" Build \" + buildVer;\n }\n\n else if(osVer == \"10.10.5\" && version_is_less(version:buildVer, test_version:\"14F1505\"))\n {\n fix = \"Apply Security Update 2015-005\";\n osVer = osVer + \" Build \" + buildVer;\n }\n}\n\nif(osVer =~ \"^10\\.9\")\n{\n if(version_is_less(version:osVer, test_version:\"10.9.5\")){\n fix = \"Upgrade to latest OS release 10.9.5 and apply patch from vendor\";\n }\n}\nelse if(osVer =~ \"^10\\.10\")\n{\n if(version_is_less(version:osVer, test_version:\"10.10.5\")){\n fix = \"Upgrade to latest OS release 10.10.5 and apply patch from vendor\";\n }\n}\n\nelse if(osVer =~ \"^10\\.11\")\n{\n if(version_is_less(version:osVer, test_version:\"10.11.2\")){\n fix = \"10.11.2\";\n }\n}\n\nif(fix)\n{\n report = 
report_fixed_ver(installed_version:osVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}