Lucene search

K
kasperskyKaspersky LabKLA11455
HistoryMar 25, 2019 - 12:00 a.m.

KLA11455 Multiple vulnerabilities in Apple iTunes

2019-03-2500:00:00
Kaspersky Lab
threats.kaspersky.com
35

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.766

Percentile

98.2%

Multiple vulnerabilities were found in Apple iTunes. Malicious users can exploit these vulnerabilities to execute arbitrary code, perform cross-site scripting attack, obtain sensitive information, bypass security restrictions and gain privileges.

Below is a complete list of vulnerabilities:

  1. A type confusion vulnerability in WebKit can be exploited remotely to execute arbitrary code;
  2. Multiple memory corruption vulnerabilities can be exploited remotely to execute arbitrary code;
  3. Multiple logic vulnerabilities in WebKit can be exploited remotely to perform cross-site scripting attack;
  4. A validation vulnerability in WebKit can be exploited remotely to obtain sensitive information;
  5. A memory corruption vulnerability can be exploited loccaly to bypass security restrictions;
  6. A buffer overflow vulnerability in CoreCrypto can be exploited locally to elevate privileges;
  7. A cross-origin vulnerability in WebKit can be exploited locally to obtain sensitive information;

Original advisories

HT209604

Exploitation

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Related products

Apple-iTunes

CVE list

CVE-2019-7285 critical

CVE-2019-6201 critical

CVE-2019-8506 critical

CVE-2019-8518 critical

CVE-2019-8563 high

CVE-2019-8544 critical

CVE-2019-8551 warning

CVE-2019-8535 critical

CVE-2019-8523 critical

CVE-2019-8559 high

CVE-2019-8558 high

CVE-2019-8503 critical

CVE-2019-8556 high

CVE-2019-7292 warning

CVE-2019-8562 high

CVE-2019-8524 high

CVE-2019-8536 critical

CVE-2019-8542 high

CVE-2019-8515 warning

CVE-2019-8639 high

CVE-2019-8638 high

Solution

Update to the latest version

Download iTunes

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

  • PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

  • XSS/CSS

Cross site scripting. Exploitation of vulnerabilities with this impact can lead to partial interception of information transmitted between user and site.

Affected Products

  • Apple iTunes earlier than 12.9.4

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.766

Percentile

98.2%