ID CVE-2016-1758 Type cve Reporter cve@mitre.org Modified 2016-12-03T03:22:00
Description
The kernel in Apple iOS before 9.3 and OS X before 10.11.4 allows attackers to obtain sensitive memory-layout information or cause a denial of service (out-of-bounds read) via a crafted app.
{"exploitdb": [{"lastseen": "2018-03-03T21:34:52", "description": "Apple OS X 10.10.5 - 'rootsh' Local Privilege Escalation. CVE-2016-1828. Local exploit for OSX platform", "published": "2016-05-16T00:00:00", "type": "exploitdb", "title": "Apple OS X 10.10.5 - 'rootsh' Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-1758", "CVE-2016-1828"], "modified": "2016-05-16T00:00:00", "id": "EDB-ID:44239", "href": "https://www.exploit-db.com/exploits/44239/", "sourceData": "## rootsh\r\n\r\nrootsh is a local privilege escalation targeting OS X Yosemite 10.10.5 build\r\n14F27. It exploits [CVE-2016-1758] and [CVE-2016-1828], two vulnerabilities in\r\nXNU that were patched in OS X El Capitan [10.11.4] and [10.11.5]. rootsh will\r\nnot work on platforms with SMAP enabled.\r\n\r\n[CVE-2016-1758]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1758\r\n[CVE-2016-1828]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1828\r\n[10.11.4]: https://support.apple.com/en-us/HT206167\r\n[10.11.5]: https://support.apple.com/en-us/HT206567\r\n\r\n### CVE-2016-1758\r\n\r\nCVE-2016-1758 is an information leak caused by copying out uninitialized bytes\r\nof kernel stack to user space. By comparing leaked kernel pointers with fixed\r\nreference addresses it is possible to recover the kernel slide.\r\n\r\n### CVE-2016-1828\r\n\r\nCVE-2016-1828 is a use-after-free during object deserialization. By passing a\r\ncrafted binary-serialized dictionary into the kernel, it is possible to trigger\r\na virtual method invocation on an object with a controlled vtable pointer.\r\n\r\n### License\r\n\r\nThe rootsh code is released into the public domain. As a courtesy I ask that if\r\nyou use any of this code in another project you attribute it to me.\r\n\r\n\r\nDownload: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44239.zip", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44239/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:04", "description": "\nApple OS X 10.10.5 - rootsh Local Privilege Escalation", "edition": 1, "published": "2016-05-16T00:00:00", "title": "Apple OS X 10.10.5 - rootsh Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-1758", "CVE-2016-1828"], "modified": "2016-05-16T00:00:00", "id": "EXPLOITPACK:78532747824889D07AF1B2A17F0BDDB8", "href": "", "sourceData": "## rootsh\n\nrootsh is a local privilege escalation targeting OS X Yosemite 10.10.5 build\n14F27. It exploits [CVE-2016-1758] and [CVE-2016-1828], two vulnerabilities in\nXNU that were patched in OS X El Capitan [10.11.4] and [10.11.5]. rootsh will\nnot work on platforms with SMAP enabled.\n\n[CVE-2016-1758]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1758\n[CVE-2016-1828]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1828\n[10.11.4]: https://support.apple.com/en-us/HT206167\n[10.11.5]: https://support.apple.com/en-us/HT206567\n\n### CVE-2016-1758\n\nCVE-2016-1758 is an information leak caused by copying out uninitialized bytes\nof kernel stack to user space. By comparing leaked kernel pointers with fixed\nreference addresses it is possible to recover the kernel slide.\n\n### CVE-2016-1828\n\nCVE-2016-1828 is a use-after-free during object deserialization. By passing a\ncrafted binary-serialized dictionary into the kernel, it is possible to trigger\na virtual method invocation on an object with a controlled vtable pointer.\n\n### License\n\nThe rootsh code is released into the public domain. As a courtesy I ask that if\nyou use any of this code in another project you attribute it to me.\n\n\nDownload: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44239.zip", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "apple": [{"lastseen": "2020-12-24T20:42:47", "bulletinFamily": "software", "cvelist": ["CVE-2016-1734", "CVE-2015-8659", "CVE-2016-1760", "CVE-2016-1766", "CVE-2016-1783", "CVE-2016-1758", "CVE-2015-5312", "CVE-2016-1864", "CVE-2016-1782", "CVE-2016-1761", "CVE-2016-1762", "CVE-2016-1781", "CVE-2016-1756", "CVE-2016-1785", "CVE-2016-1752", "CVE-2016-1740", "CVE-2016-1775", "CVE-2016-1763", "CVE-2015-7500", "CVE-2016-0802", "CVE-2016-1779", "CVE-2015-8242", "CVE-2016-1757", "CVE-2015-1819", "CVE-2015-7499", "CVE-2016-1780", "CVE-2016-1754", "CVE-2016-1950", "CVE-2016-1750", "CVE-2016-1748", "CVE-2016-0801", "CVE-2016-1755", "CVE-2016-1778", "CVE-2016-1751", "CVE-2016-1784", "CVE-2016-1753", "CVE-2016-1788", "CVE-2015-7942", "CVE-2015-8035", "CVE-2016-1786"], "description": "For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the [Apple Product Security](<https://www.apple.com/support/security/>) website.\n\nFor information about the Apple Product Security PGP Key, see [How to use the Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nWhere possible, [CVE IDs](<http://cve.mitre.org/about/>) are used to reference the vulnerabilities for further information.\n\nTo learn about other security updates, see [Apple security updates](<https://support.apple.com/kb/HT201222>).\n\n## iOS 9.3\n\n * **AppleUSBNetworking**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: A USB device may be able to cause a denial of service\n\nDescription: An error handling issue existed in packet validation. This issue was addressed through improved error handling.\n\nCVE-ID\n\nCVE-2016-1734 : Andrea Barisani and Andrej Rosano of Inverse Path\n\n * **FontParser**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue was addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2016-1740 : HappilyCoded (ant4g0nist and r3dsm0k3) working with Trend Micro's Zero Day Initiative (ZDI)\n\n * **HTTPProtocol**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: A remote attacker may be able to execute arbitrary code\n\nDescription: Multiple vulnerabilities existed in nghttp2 versions prior to 1.6.0, the most serious of which may have led to remote code execution. These were addressed by updating nghttp2 to version 1.6.0.\n\nCVE-ID\n\nCVE-2015-8659\n\n * **IOHIDFamily**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: An application may be able to determine kernel memory layout\n\nDescription: A memory corruption issue was addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2016-1748 : Brandon Azad\n\n * **Kernel**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: An application may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed through improved validation.\n\nCVE-ID\n\nCVE-2016-1752 : CESG\n\n * **Kernel**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed through improved memory management.\n\nCVE-ID\n\nCVE-2016-1750 : CESG\n\n * **Kernel**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple integer overflows were addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1753 : Juwei Lin Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)\n\n * **Kernel**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: An application may be able to bypass code signing\n\nDescription: A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed through improved permission validation.\n\nCVE-ID\n\nCVE-2016-1751 : Eric Monti of Square Mobile Security\n\n * **Kernel**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A race condition existed during the creation of new processes. This was addressed through improved state handling.\n\nCVE-ID\n\nCVE-2016-1757 : Ian Beer of Google Project Zero and Pedro Vila\u00e7a\n\n * **Kernel**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A null pointer dereference was addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1756 : Lufeng Li of Qihoo 360 Vulcan Team\n\n * **Kernel**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2016-1754 : Lufeng Li of Qihoo 360 Vulcan Team\n\nCVE-2016-1755 : Ian Beer of Google Project Zero\n\n * **Kernel**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: An application may be able to determine kernel memory layout\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1758 : Brandon Azad\n\n * **LaunchServices**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: An application may be able to modify events from other applications\n\nDescription: An event handler validation issue existed in the XPC Services API. This issue was addressed through improved message validation.\n\nCVE-ID\n\nCVE-2016-1760 : Proteas of Qihoo 360 Nirvan Team\n\n * **libxml2**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2015-1819\n\nCVE-2015-5312 : David Drysdale of Google\n\nCVE-2015-7499\n\nCVE-2015-7500 : Kostya Serebryany of Google\n\nCVE-2015-7942 : Kostya Serebryany of Google\n\nCVE-2015-8035 : gustavo.grieco\n\nCVE-2015-8242 : Hugh Davenport\n\nCVE-2016-1761 : wol0xff working with Trend Micro's Zero Day Initiative (ZDI)\n\nCVE-2016-1762\n\n * **Messages**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: Visiting a maliciously crafted website may auto-fill text into other Message threads\n\nDescription: An issue existed in the parsing of SMS URLs. This issue was addressed through improved URL validation.\n\nCVE-ID\n\nCVE-2016-1763 : CityTog\n\n * **Messages**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: An attacker who is able to bypass Apple's certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments\n\nDescription: A cryptographic issue was addressed by rejecting duplicate messages on the client.\n\nCVE-ID\n\nCVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, and Michael Rushanan of Johns Hopkins University\n\n * **Profiles**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: An untrusted MDM profile may be incorrectly displayed as verified\n\nDescription: A certificate validation issue existed in MDM profiles. This was addressed through additional checks.\n\nCVE-ID\n\nCVE-2016-1766 : Taylor Boyko working with Trend Micro's Zero Day Initiative (ZDI)\n\n * **Security**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: Processing a maliciously crafted certificate may lead to arbitrary code execution\n\nDescription: A memory corruption issue existed in the ASN.1 decoder. This issue was addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1950 : Francis Gabriel of Quarkslab\n\n * **TrueTypeScaler**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1775 : 0x1byte working with Trend Micro's Zero Day Initiative (ZDI)\n\n * **WebKit**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2016-1778 : 0x1byte working with Trend Micro's Zero Day Initiative (ZDI) and Yang Zhao of CM Security\n\nCVE-2016-1783 : Mihai Parparita of Google\n\n * **WebKit**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: A website may be able to track sensitive user information\n\nDescription: An issue existed in the handling of attachment URLs. This issue was addressed through improved URL handling.\n\nCVE-ID\n\nCVE-2016-1781 : Devdatta Akhawe of Dropbox, Inc.\n\n * **WebKit**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: A website may be able to track sensitive user information\n\nDescription: A hidden web page may be able to access device-orientation and device-motion data. This issue was addressed by suspending the availability of this data when the web view is hidden.\n\nCVE-ID\n\nCVE-2016-1780 : Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, and Feng Hao of the School of Computing Science, Newcastle University, UK\n\n * **WebKit**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: Visiting a maliciously crafted website may reveal a user's current location\n\nDescription: An issue existed in the parsing of geolocation requests. This was addressed through improved validation of the security origin for geolocation requests.\n\nCVE-ID\n\nCVE-2016-1779 : xisigr of Tencent's Xuanwu Lab (http://www.tencent.com)\n\n * **WebKit**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: A malicious website may be able to access restricted ports on arbitrary servers\n\nDescription: A port redirection issue was addressed through additional port validation.\n\nCVE-ID\n\nCVE-2016-1782 : Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd.\n\n * **WebKit**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: Opening a maliciously crafted URL may lead to the disclosure of sensitive user information\n\nDescription: An issue existed in URL redirection when XSS auditor was used in block mode. This issue was addressed through improved URL navigation.\n\nCVE-ID\n\nCVE-2016-1864 : Takeshi Terada of Mitsui Bussan Secure Directions, Inc.\n\n * **WebKit History**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A resource exhaustion issue was addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1784 : Moony Li and Jack Tang of TrendMicro and \u674e\u666e\u541b of \u65e0\u58f0\u4fe1\u606f\u6280\u672fPKAV Team (PKAV.net)\n\n * **WebKit Page Loading**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: Visiting a malicious website may lead to user interface spoofing\n\nDescription: Redirect responses may have allowed a malicious website to display an arbitrary URL and read cached contents of the destination origin. This issue was addressed through improved URL display logic.\n\nCVE-ID\n\nCVE-2016-1786 : ma.la of LINE Corporation\n\n * **WebKit Page Loading**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: A malicious website may exfiltrate data cross-origin\n\nDescription: A caching issue existed with character encoding. This was addressed through additional request checking.\n\nCVE-ID\n\nCVE-2016-1785 : an anonymous researcher\n\n * **Wi-Fi**\n\nAvailable for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later\n\nImpact: An attacker with a privileged network position may be able to execute arbitrary code\n\nDescription: A frame validation and memory corruption issue existed for a given ethertype. This issue was addressed through additional ethertype validation and improved memory handling.\n\nCVE-ID\n\nCVE-2016-0801 : an anonymous researcher\n\nCVE-2016-0802 : an anonymous researcher\n", "edition": 2, "modified": "2017-01-23T03:54:34", "published": "2017-01-23T03:54:34", "id": "APPLE:HT206166", "href": "https://support.apple.com/kb/HT206166", "title": "About the security content of iOS 9.3 - Apple Support", "type": "apple", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:43:08", "bulletinFamily": "software", "cvelist": ["CVE-2016-1746", "CVE-2016-1734", "CVE-2015-8659", "CVE-2016-1773", "CVE-2015-8126", "CVE-2016-1768", "CVE-2016-1758", "CVE-2015-5312", "CVE-2016-1761", "CVE-2015-3195", "CVE-2016-1744", "CVE-2016-1762", "CVE-2016-1737", "CVE-2015-7551", "CVE-2016-1738", "CVE-2016-1756", "CVE-2015-5334", "CVE-2016-1747", "CVE-2016-1752", "CVE-2016-1736", "CVE-2016-1740", "CVE-2016-1743", "CVE-2016-1775", "CVE-2016-1749", "CVE-2015-7500", "CVE-2016-0802", "CVE-2015-8242", "CVE-2016-1770", "CVE-2016-1757", "CVE-2015-1819", "CVE-2015-7499", "CVE-2016-1741", "CVE-2016-1759", "CVE-2016-1745", "CVE-2016-1732", "CVE-2016-1769", "CVE-2016-1754", "CVE-2015-0973", "CVE-2016-1950", "CVE-2016-1750", "CVE-2016-1748", "CVE-2014-9495", "CVE-2016-0801", "CVE-2015-8472", "CVE-2016-1764", "CVE-2016-0778", "CVE-2016-1755", "CVE-2016-1767", "CVE-2015-5333", "CVE-2016-1753", "CVE-2016-1733", "CVE-2016-1788", "CVE-2016-1735", "CVE-2015-7942", "CVE-2015-8035", "CVE-2016-0777"], "description": "For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the [Apple Product Security](<https://www.apple.com/support/security/>) website.\n\nFor information about the Apple Product Security PGP Key, see [How to use the Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nWhere possible, [CVE IDs](<http://cve.mitre.org/about/>) are used to reference the vulnerabilities for further information.\n\nTo learn about other security updates, see [Apple security updates](<https://support.apple.com/kb/HT201222>).\n\n## OS X El Capitan 10.11.4 and Security Update 2016-002\n\n * **apache_mod_php**\n\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3\n\nImpact: Processing a maliciously crafted .png file may lead to arbitrary code execution\n\nDescription: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by updating libpng to version 1.6.20.\n\nCVE-ID\n\nCVE-2015-8126 : Adam Mari\u0161\n\nCVE-2015-8472 : Adam Mari\u0161\n\n * **AppleRAID**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1733 : Proteas of Qihoo 360 Nirvan Team\n\n * **AppleRAID**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: A local user may be able to determine kernel memory layout\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1732 : Proteas of Qihoo 360 Nirvan Team\n\n * **AppleUSBNetworking**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: A USB device may be able to cause a denial of service\n\nDescription: An error handling issue existed in packet validation. This issue was addressed through improved error handling.\n\nCVE-ID\n\nCVE-2016-1734 : Andrea Barisani and Andrej Rosano of Inverse Path\n\n * **Bluetooth**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2016-1735 : Jeonghoon Shin@A.D.D\n\nCVE-2016-1736 : beist and ABH of BoB\n\n * **Carbon**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: Processing a maliciously crafted .dfont file may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues existed in the handling of font files. These issues were addressed through improved bounds checking.\n\nCVE-ID\n\nCVE-2016-1737 : HappilyCoded (ant4g0nist &r3dsm0k3)\n\n * **dyld**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An attacker may tamper with code-signed applications to execute arbitrary code in the application's context\n\nDescription: A code signing verification issue existed in dyld. This issue was addressed with improved validation.\n\nCVE-ID\n\nCVE-2016-1738 : beist and ABH of BoB\n\n * **FontParser**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue was addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2016-1740 : HappilyCoded (ant4g0nist and r3dsm0k3) working with Trend Micro's Zero Day Initiative (ZDI)\n\n * **HTTPProtocol**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: A remote attacker may be able to execute arbitrary code\n\nDescription: Multiple vulnerabilities existed in nghttp2 versions prior to 1.6.0, the most serious of which may have led to remote code execution. These were addressed by updating nghttp2 to version 1.6.0.\n\nCVE-ID\n\nCVE-2015-8659\n\n * **Intel Graphics Driver**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2016-1743 : Piotr Bania of Cisco Talos\n\nCVE-2016-1744 : Ian Beer of Google Project Zero\n\n * **IOFireWireFamily**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: A local user may be able to cause a denial of service\n\nDescription: A null pointer dereference was addressed through improved validation.\n\nCVE-ID\n\nCVE-2016-1745 : sweetchip of Grayhash\n\n * **IOGraphics**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1746 : Peter Pi of Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)\n\nCVE-2016-1747 : Juwei Lin of Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)\n\n * **IOHIDFamily**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to determine kernel memory layout\n\nDescription: A memory corruption issue was addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2016-1748 : Brandon Azad\n\n * **IOUSBFamily**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2016-1749 : Ian Beer of Google Project Zero and Juwei Lin of Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)\n\n * **Kernel**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed through improved memory management.\n\nCVE-ID\n\nCVE-2016-1750 : CESG\n\n * **Kernel**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A race condition existed during the creation of new processes. This was addressed through improved state handling.\n\nCVE-ID\n\nCVE-2016-1757 : Ian Beer of Google Project Zero and Pedro Vila\u00e7a\n\n * **Kernel**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A null pointer dereference was addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1756 : Lufeng Li of Qihoo 360 Vulcan Team\n\n * **Kernel**\n\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2016-1754 : Lufeng Li of Qihoo 360 Vulcan Team\n\nCVE-2016-1755 : Ian Beer of Google Project Zero\n\nCVE-2016-1759 : lokihardt\n\n * **Kernel**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to determine kernel memory layout\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1758 : Brandon Azad\n\n * **Kernel**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple integer overflows were addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1753 : Juwei Lin Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)\n\n * **Kernel**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed through improved validation.\n\nCVE-ID\n\nCVE-2016-1752 : CESG\n\n * **libxml2**\n\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3\n\nImpact: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2015-1819\n\nCVE-2015-5312 : David Drysdale of Google\n\nCVE-2015-7499\n\nCVE-2015-7500 : Kostya Serebryany of Google\n\nCVE-2015-7942 : Kostya Serebryany of Google\n\nCVE-2015-8035 : gustavo.grieco\n\nCVE-2015-8242 : Hugh Davenport\n\nCVE-2016-1761 : wol0xff working with Trend Micro's Zero Day Initiative (ZDI)\n\nCVE-2016-1762\n\n * **Messages**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: Clicking a JavaScript link can reveal sensitive user information\n\nDescription: An issue existed in the processing of JavaScript links. This issue was addressed through improved content security policy checks.\n\nCVE-ID\n\nCVE-2016-1764 : Matthew Bryant of the Uber Security Team (formerly of Bishop Fox), Joe DeMesy and Shubham Shah of Bishop Fox\n\n * **Messages**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An attacker who is able to bypass Apple's certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments\n\nDescription: A cryptographic issue was addressed by rejecting duplicate messages on the client.\n\nCVE-ID\n\nCVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, and Michael Rushanan of Johns Hopkins University\n\n * **NVIDIA Graphics Drivers**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2016-1741 : Ian Beer of Google Project Zero\n\n * **OpenSSH**\n\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3\n\nImpact: Connecting to a server may leak sensitive user information, such as a client's private keys\n\nDescription: Roaming, which was on by default in the OpenSSH client, exposed an information leak and a buffer overflow. These issues were addressed by disabling roaming in the client.\n\nCVE-ID\n\nCVE-2016-0777 : Qualys\n\nCVE-2016-0778 : Qualys\n\n * **OpenSSH**\n\nAvailable for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5\n\nImpact: Multiple vulnerabilities in LibreSSL\n\nDescription: Multiple vulnerabilities existed in LibreSSL versions prior to 2.1.8. These were addressed by updating LibreSSL to version 2.1.8.\n\nCVE-ID\n\nCVE-2015-5333 : Qualys\n\nCVE-2015-5334 : Qualys\n\n * **OpenSSL**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A memory leak existed in OpenSSL versions prior to 0.9.8zh. This issue was addressed by updating OpenSSL to version 0.9.8zh.\n\nCVE-ID\n\nCVE-2015-3195\n\n * **Python**\n\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3\n\nImpact: Processing a maliciously crafted .png file may lead to arbitrary code execution\n\nDescription: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by updating libpng to version 1.6.20.\n\nCVE-ID\n\nCVE-2014-9495\n\nCVE-2015-0973\n\nCVE-2015-8126 : Adam Mari\u0161\n\nCVE-2015-8472 : Adam Mari\u0161\n\n * **QuickTime**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: Processing a maliciously crafted FlashPix Bitmap Image may lead to unexpected application termination or arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2016-1767 : Francis Provencher from COSIG\n\nCVE-2016-1768 : Francis Provencher from COSIG\n\n * **QuickTime**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: Processing a maliciously crafted Photoshop document may lead to unexpected application termination or arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-ID\n\nCVE-2016-1769 : Francis Provencher from COSIG\n\n * **Reminders**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: Clicking a tel link can make a call without prompting the user\n\nDescription: A user was not prompted before invoking a call. This was addressed through improved entitlement checks.\n\nCVE-ID\n\nCVE-2016-1770 : Guillaume Ross of Rapid7 and Laurent Chouinard of Laurent.ca\n\n * **Ruby**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: A local attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: An unsafe tainted string usage vulnerability existed in versions prior to 2.0.0-p648. This issue was addressed by updating to version 2.0.0-p648.\n\nCVE-ID\n\nCVE-2015-7551\n\n * **Security**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: A local user may be able to check for the existence of arbitrary files\n\nDescription: A permissions issue existed in code signing tools. This was addressed though additional ownership checks.\n\nCVE-ID\n\nCVE-2016-1773 : Mark Mentovai of Google Inc.\n\n * **Security**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: Processing a maliciously crafted certificate may lead to arbitrary code execution\n\nDescription: A memory corruption issue existed in the ASN.1 decoder. This issue was addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1950 : Francis Gabriel of Quarkslab\n\n * **Tcl**\n\nAvailable for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11 to v10.11.3\n\nImpact: Processing a maliciously crafted .png file may lead to arbitrary code execution\n\nDescription: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by removing libpng.\n\nCVE-ID\n\nCVE-2015-8126\n\n * **TrueTypeScaler**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.\n\nCVE-ID\n\nCVE-2016-1775 : 0x1byte working with Trend Micro's Zero Day Initiative (ZDI)\n\n * **Wi-Fi**\n\nAvailable for: OS X El Capitan v10.11 to v10.11.3\n\nImpact: An attacker with a privileged network position may be able to execute arbitrary code\n\nDescription: A frame validation and memory corruption issue existed for a given ethertype. This issue was addressed through additional ethertype validation and improved memory handling.\n\nCVE-ID\n\nCVE-2016-0801 : an anonymous researcher\n\nCVE-2016-0802 : an anonymous researcher\n\nOS X El Capitan 10.11.4 includes the security content of [Safari 9.1](<https://support.apple.com/kb/HT206171>).\n", "edition": 2, "modified": "2017-01-23T03:54:34", "published": "2017-01-23T03:54:34", "id": "APPLE:HT206167", "href": "https://support.apple.com/kb/HT206167", "title": "About the security content of OS X El Capitan v10.11.4 and Security Update 2016-002 - Apple Support", "type": "apple", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-07-17T14:25:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1746", "CVE-2016-1734", "CVE-2015-8659", "CVE-2016-1773", "CVE-2015-8126", "CVE-2016-1768", "CVE-2016-1758", "CVE-2015-5312", "CVE-2016-1761", "CVE-2015-3195", "CVE-2016-1744", "CVE-2016-1762", "CVE-2016-1737", "CVE-2016-1765", "CVE-2015-7551", "CVE-2016-1738", "CVE-2016-1756", "CVE-2016-1747", "CVE-2016-1752", "CVE-2016-1736", "CVE-2016-1740", "CVE-2016-1743", "CVE-2016-1775", "CVE-2016-1749", "CVE-2015-7500", "CVE-2016-0802", "CVE-2015-8242", "CVE-2016-1770", "CVE-2016-1757", "CVE-2015-1819", "CVE-2015-7499", "CVE-2016-1741", "CVE-2016-1759", "CVE-2016-1745", "CVE-2016-1732", "CVE-2016-1769", "CVE-2016-1754", "CVE-2015-0973", "CVE-2016-1950", "CVE-2016-1750", "CVE-2016-1748", "CVE-2014-9495", "CVE-2016-0801", "CVE-2015-8472", "CVE-2016-1764", "CVE-2016-0778", "CVE-2016-1755", "CVE-2016-1767", "CVE-2016-1753", "CVE-2016-1733", "CVE-2016-1788", "CVE-2016-1735", "CVE-2015-7942", "CVE-2015-8035", "CVE-2016-0777"], "description": "This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2016-04-01T00:00:00", "id": "OPENVAS:1361412562310806693", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806693", "type": "openvas", "title": "Apple Mac OS X Multiple Vulnerabilities-01 March-2016", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple Mac OS X Multiple Vulnerabilities-01 March-2016\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806693\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2015-7551\", \"CVE-2016-1733\", \"CVE-2016-1732\", \"CVE-2016-1734\",\n \"CVE-2016-1735\", \"CVE-2016-1736\", \"CVE-2016-1737\", \"CVE-2016-1740\",\n \"CVE-2016-1738\", \"CVE-2016-1741\", \"CVE-2016-1743\", \"CVE-2016-1744\",\n \"CVE-2016-1745\", \"CVE-2016-1746\", \"CVE-2016-1747\", \"CVE-2016-1748\",\n \"CVE-2016-1749\", \"CVE-2016-1752\", \"CVE-2016-1753\", \"CVE-2016-1754\",\n \"CVE-2016-1755\", \"CVE-2016-1756\", \"CVE-2016-1757\", \"CVE-2016-1758\",\n \"CVE-2016-1759\", \"CVE-2016-1761\", \"CVE-2016-1764\", \"CVE-2016-1765\",\n \"CVE-2016-1767\", \"CVE-2016-1768\", \"CVE-2016-1769\", \"CVE-2016-1770\",\n \"CVE-2016-1773\", \"CVE-2016-1775\", \"CVE-2016-1750\", \"CVE-2016-1788\",\n \"CVE-2015-8126\", \"CVE-2015-8472\", \"CVE-2015-8659\", \"CVE-2015-1819\",\n \"CVE-2015-5312\", \"CVE-2015-7499\", \"CVE-2015-7500\", \"CVE-2015-7942\",\n \"CVE-2015-8035\", \"CVE-2015-8242\", \"CVE-2016-1762\", \"CVE-2016-0777\",\n \"CVE-2016-0778\", \"CVE-2015-3195\", \"CVE-2014-9495\", \"CVE-2015-0973\",\n \"CVE-2016-1950\", \"CVE-2016-0801\", \"CVE-2016-0802\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-04-01 13:19:28 +0530 (Fri, 01 Apr 2016)\");\n script_name(\"Apple Mac OS X Multiple Vulnerabilities-01 March-2016\");\n\n script_tag(name:\"summary\", value:\"This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists. For details\n refer the reference links.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to execute arbitrary code or cause a denial of service (memory corruption),\n gain access to potentially sensitive information, trigger a dialing action,\n bypass a code-signing protection mechanism.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions 10.11.x before\n 10.11.4, 10.9.x through 10.9.5, 10.10.x through 10.10.5\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X version\n 10.11.4 or later, or apply aptch from vendor.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT206167\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.(9|1[01])\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName || \"Mac OS X\" >!< osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.(9|1[01])\"){\n exit(0);\n}\n\nif(version_in_range(version:osVer, test_version:\"10.9\", test_version2:\"10.9.4\")||\n version_in_range(version:osVer, test_version:\"10.10\", test_version2:\"10.10.4\")){\n fix = \"Upgrade to latest OS release and apply patch from vendor\";\n}\n\nelse if((osVer == \"10.10.5\") || (osVer == \"10.9.5\"))\n{\n buildVer = get_kb_item(\"ssh/login/osx_build\");\n if(!buildVer){\n exit(0);\n }\n if(osVer == \"10.10.5\" && version_is_less(version:buildVer, test_version:\"14F1713\"))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n else if(osVer == \"10.9.5\" && version_is_less(version:buildVer, test_version:\"13F1712\"))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n}\n\nelse if(osVer =~ \"^10\\.11\")\n{\n if(version_is_less(version:osVer, test_version:\"10.11.4\")){\n fix = \"10.11.4\";\n }\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T03:23:25", "description": "The remote host is running a version of Mac OS X that is 10.11.x prior\nto 10.11.4. It is, therefore, affected by multiple vulnerabilities in\nthe following components :\n\n - apache_mod_php\n - AppleRAID\n - AppleUSBNetworking\n - Bluetooth\n - Carbon\n - dyld\n - FontParser\n - HTTPProtocol\n - Intel Graphics Driver\n - IOFireWireFamily\n - IOGraphics\n - IOHIDFamily\n - IOUSBFamily\n - Kernel\n - libxml2\n - Messages\n - NVIDIA Graphics Drivers\n - OpenSSH\n - OpenSSL\n - Python\n - QuickTime\n - Reminders\n - Ruby\n - Security\n - Tcl\n - TrueTypeScaler\n - Wi-Fi\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.", "edition": 25, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-03-22T00:00:00", "title": "Mac OS X 10.11.x < 10.11.4 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1746", "CVE-2016-1734", "CVE-2015-8659", "CVE-2016-1773", "CVE-2015-8126", "CVE-2016-1768", "CVE-2016-1758", "CVE-2015-5312", "CVE-2016-1761", "CVE-2015-3195", "CVE-2016-1744", "CVE-2016-1762", "CVE-2016-1737", "CVE-2015-7551", "CVE-2016-1738", "CVE-2016-1756", "CVE-2016-1747", "CVE-2016-1752", "CVE-2016-1736", "CVE-2016-1740", "CVE-2016-1743", "CVE-2016-1775", "CVE-2016-1749", "CVE-2015-7500", "CVE-2016-0802", "CVE-2015-8242", "CVE-2016-1770", "CVE-2016-1757", "CVE-2015-1819", "CVE-2015-7499", "CVE-2016-1741", "CVE-2016-1759", "CVE-2016-1745", "CVE-2016-1732", "CVE-2016-1769", "CVE-2016-1754", "CVE-2015-0973", "CVE-2016-1950", "CVE-2016-1750", "CVE-2016-1748", "CVE-2014-9495", "CVE-2016-0801", "CVE-2015-8472", "CVE-2016-1764", "CVE-2016-0778", "CVE-2016-1755", "CVE-2016-1767", "CVE-2016-1753", "CVE-2016-1733", "CVE-2016-1788", "CVE-2016-1735", "CVE-2015-7942", "CVE-2015-8035", "CVE-2016-0777"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_10_11_4.NASL", "href": "https://www.tenable.com/plugins/nessus/90096", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90096);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2019/11/20\");\n\n script_cve_id(\n \"CVE-2014-9495\",\n \"CVE-2015-0973\",\n \"CVE-2015-1819\",\n \"CVE-2015-3195\",\n \"CVE-2015-5312\",\n \"CVE-2015-7499\",\n \"CVE-2015-7500\",\n \"CVE-2015-7551\",\n \"CVE-2015-7942\",\n \"CVE-2015-8035\",\n \"CVE-2015-8126\",\n \"CVE-2015-8242\",\n \"CVE-2015-8472\",\n \"CVE-2015-8659\",\n \"CVE-2016-0777\",\n \"CVE-2016-0778\",\n \"CVE-2016-0801\",\n \"CVE-2016-0802\",\n \"CVE-2016-1732\",\n \"CVE-2016-1733\",\n \"CVE-2016-1734\",\n \"CVE-2016-1735\",\n \"CVE-2016-1736\",\n \"CVE-2016-1737\",\n \"CVE-2016-1738\",\n \"CVE-2016-1740\",\n \"CVE-2016-1741\",\n \"CVE-2016-1743\",\n \"CVE-2016-1744\",\n \"CVE-2016-1745\",\n \"CVE-2016-1746\",\n \"CVE-2016-1747\",\n \"CVE-2016-1748\",\n \"CVE-2016-1749\",\n \"CVE-2016-1750\",\n \"CVE-2016-1752\",\n \"CVE-2016-1753\",\n \"CVE-2016-1754\",\n \"CVE-2016-1755\",\n \"CVE-2016-1756\",\n \"CVE-2016-1757\",\n \"CVE-2016-1758\",\n \"CVE-2016-1759\",\n \"CVE-2016-1761\",\n \"CVE-2016-1762\",\n \"CVE-2016-1764\",\n \"CVE-2016-1767\",\n \"CVE-2016-1768\",\n \"CVE-2016-1769\",\n \"CVE-2016-1770\",\n \"CVE-2016-1773\",\n \"CVE-2016-1775\",\n \"CVE-2016-1788\",\n \"CVE-2016-1950\"\n );\n script_bugtraq_id(\n 71820,\n 71994,\n 75570,\n 77390,\n 77568,\n 77681,\n 78624,\n 78626,\n 79507,\n 79509,\n 79536,\n 79562,\n 80438,\n 80695,\n 80698\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2016-03-21-5\");\n\n script_name(english:\"Mac OS X 10.11.x < 10.11.4 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Mac OS X.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X that is 10.11.x prior\nto 10.11.4. It is, therefore, affected by multiple vulnerabilities in\nthe following components :\n\n - apache_mod_php\n - AppleRAID\n - AppleUSBNetworking\n - Bluetooth\n - Carbon\n - dyld\n - FontParser\n - HTTPProtocol\n - Intel Graphics Driver\n - IOFireWireFamily\n - IOGraphics\n - IOHIDFamily\n - IOUSBFamily\n - Kernel\n - libxml2\n - Messages\n - NVIDIA Graphics Drivers\n - OpenSSH\n - OpenSSL\n - Python\n - QuickTime\n - Reminders\n - Ruby\n - Security\n - Tcl\n - TrueTypeScaler\n - Wi-Fi\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT206167\");\n # http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6c87f79a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mac OS X version 10.11.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-1761\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os)\n audit(AUDIT_OS_NOT, \"Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70)\n exit(1, \"Cannot determine the host's OS with sufficient confidence.\");\n}\nif (!os)\n audit(AUDIT_OS_NOT, \"Mac OS X\");\n\nmatch = eregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (isnull(match)) exit(1, \"Failed to parse the Mac OS X version ('\" + os + \"').\");\n\nversion = match[1];\n\nif (\n version !~ \"^10\\.11([^0-9]|$)\"\n) audit(AUDIT_OS_NOT, \"Mac OS X 10.11 or later\", \"Mac OS X \"+version);\n\nfix = \"10.11.4\";\nif (ver_compare(ver:version, fix:fix, strict:FALSE) == -1)\n{\n items = make_array(\"Installed version\", version,\n \"Fixed version\", fix\n );\n order = make_list(\"Installed version\", \"Fixed version\");\n report = report_items_str(report_items:items, ordered_fields:order);\n\n security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);\n exit(0);\n\n }\nelse\n audit(AUDIT_INST_VER_NOT_VULN, \"Mac OS X\", version);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
