Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.ITUNES_12_2_0.NASL
HistoryJul 03, 2015 - 12:00 a.m.

Apple iTunes < 12.2 Multiple Vulnerabilities (credentialed check)

2015-07-0300:00:00
This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
13
JSON

The version of Apple iTunes installed on the remote Windows host is prior to 12.2. It is, therefore, affected by multiple vulnerabilities in the bundled version of WebKit, including denial of service and arbitrary code execution vulnerabilities.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(84504);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id(
    "CVE-2014-3192",
    "CVE-2014-4452",
    "CVE-2014-4459",
    "CVE-2014-4466",
    "CVE-2014-4468",
    "CVE-2014-4469",
    "CVE-2014-4470",
    "CVE-2014-4471",
    "CVE-2014-4472",
    "CVE-2014-4473",
    "CVE-2014-4474",
    "CVE-2014-4475",
    "CVE-2014-4476",
    "CVE-2014-4477",
    "CVE-2014-4479",
    "CVE-2015-1068",
    "CVE-2015-1069",
    "CVE-2015-1070",
    "CVE-2015-1071",
    "CVE-2015-1072",
    "CVE-2015-1073",
    "CVE-2015-1074",
    "CVE-2015-1075",
    "CVE-2015-1076",
    "CVE-2015-1077",
    "CVE-2015-1078",
    "CVE-2015-1079",
    "CVE-2015-1080",
    "CVE-2015-1081",
    "CVE-2015-1082",
    "CVE-2015-1083",
    "CVE-2015-1119",
    "CVE-2015-1120",
    "CVE-2015-1121",
    "CVE-2015-1122",
    "CVE-2015-1124",
    "CVE-2015-1152",
    "CVE-2015-1153",
    "CVE-2015-1154"
  );
  script_bugtraq_id(
    70273,
    71137,
    71144,
    71438,
    71442,
    71444,
    71445,
    71449,
    71451,
    71459,
    71461,
    71462,
    72329,
    72330,
    72331,
    73972,
    74523,
    74525,
    74526
  );
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2015-06-30-6");

  script_name(english:"Apple iTunes < 12.2 Multiple Vulnerabilities (credentialed check)");
  script_summary(english:"Checks the version of iTunes on Windows.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host contains an application that is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Apple iTunes installed on the remote Windows host is
prior to 12.2. It is, therefore, affected by multiple vulnerabilities
in the bundled version of WebKit, including denial of service and
arbitrary code execution vulnerabilities.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT204949");
  # https://lists.apple.com/archives/security-announce/2015/Jun/msg00006.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?103c0dda");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apple iTunes 12.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-4466");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/06/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:itunes");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("itunes_detect.nasl");
  script_require_keys("installed_sw/iTunes Version", "SMB/Registry/Enumerated");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

# Ensure this is Windows
get_kb_item_or_exit("SMB/Registry/Enumerated");

app_id = 'iTunes Version';
install = get_single_install(app_name:app_id, exit_if_unknown_ver:TRUE);

version = install["version"];
path = install["path"];

fixed_version = "12.2.0.145";
if (ver_compare(ver:version, fix:fixed_version) < 0)
{
  port = get_kb_item("SMB/transport");
  if (!port) port = 445;

  if (report_verbosity > 0)
  {
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fixed_version +
      '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else audit(AUDIT_INST_PATH_NOT_VULN, "iTunes", version, path);
VendorProductVersionCPE
appleitunescpe:/a:apple:itunes

References

Related

nessus 27
securityvulns 25
kaspersky 3
openvas 12
cve 40
prion 40
ubuntucve 40
threatpost 1
zdi 2
debiancve 1
fedora 5
mageia 2
ubuntu 1
nessus
nessus
Apple iTunes < 12.2 Multiple Vulnerabilities (uncredentialed check)
2015-10-26 00:00:00
Safari < 6.2.4 / 7.1.4 / 8.0.4 Multiple Vulnerabilities
2015-04-17 00:00:00
Mac OS X : Apple Safari < 6.2.4 / 7.1.4 / 8.0.4 Multiple Vulnerabilities
2015-03-18 00:00:00
securityvulns
securityvulns
APPLE-SA-2015-06-30-6 iTunes 12.2
2015-07-05 00:00:00
APPLE-SA-2015-03-17-1 Safari 8.0.4, Safari 7.1.4, and Safari 6.2.4
2015-03-18 00:00:00
Apple Safari / Webkit multiple security vulnerabilities
2015-03-18 00:00:00
kaspersky
kaspersky
KLA10620 Multiple vulnerabilities in Apple iTunes
2015-06-30 00:00:00
KLA10466 Multiple vulnerabilities in Apple Safari
2015-03-17 00:00:00
KLA10573 Multiple vulnerabilities in Apple Safari
2015-05-07 00:00:00
openvas
openvas
Apple Safari 'Webkit' Multiple Vulnerabilities -01 (Mar 2015) - Mac OS X
2015-03-27 00:00:00
Apple Safari 'Webkit' Multiple Vulnerabilities-01 (Dec 2014) - Mac OS X
2014-12-16 00:00:00
Apple Safari 'Webkit' Multiple Vulnerabilities -01 (Feb 2015) - Mac OS X
2015-02-09 00:00:00
cve
cve
CVE-2014-4477
2015-01-30 11:59:00
CVE-2014-4476
2015-01-30 11:59:00
CVE-2015-1153
2015-05-08 00:59:00
prion
prion
Memory corruption
2015-01-30 11:59:00
Memory corruption
2015-01-30 11:59:00
Memory corruption
2015-01-30 11:59:00
ubuntucve
ubuntucve
CVE-2014-4477
2015-01-30 00:00:00
CVE-2014-4476
2015-01-30 00:00:00
CVE-2015-1152
2015-05-08 00:00:00
threatpost
threatpost
Apple Fixes WebKit Vulnerabilities in Safari Browser
2015-05-07 10:49:05
zdi
zdi
(Pwn2Own) Apple Safari Uninitialized Buffer Use-After-Free Remote Code Execution Vulnerability
2015-04-08 00:00:00
(Mobile Pwn2Own) Apple Safari Set Use-After-Free Remote Code Execution Vulnerability
2015-01-27 00:00:00
debiancve
debiancve
CVE-2014-3192
2014-10-08 10:55:00
fedora
fedora
[SECURITY] Fedora 23 Update: webkitgtk3-2.4.10-1.fc23
2016-03-21 01:53:49
[SECURITY] Fedora 24 Update: webkitgtk3-2.4.10-1.fc24
2016-03-27 00:38:22
[SECURITY] Fedora 24 Update: webkitgtk-2.4.10-1.fc24
2016-03-27 00:38:11
mageia
mageia
Updated webkit packages fix security vulnerability
2016-03-25 09:38:37
Updated webkit2 packages fix security vulnerability
2016-03-25 09:38:37
ubuntu
ubuntu
WebKitGTK+ vulnerabilities
2016-03-21 00:00:00
JSON
Related for ITUNES_12_2_0.NASL
nessus27securityvulns25kaspersky3openvas12cve40prion40ubuntucve40threatpost1zdi2debiancve1fedora5mageia2ubuntu1