CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
96.7%
The version of Apple Safari installed on the remote macOS or Mac OS X host is prior to 10.1. It is, therefore, affected by multiple vulnerabilities:
An out-of-bounds read error exists in WebKit when handling certain JavaScript code. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents.
(CVE-2016-9642)
A denial of service vulnerability exists in WebKit when handling certain regular expressions. An unauthenticated, remote attacker can exploit this, via a specially crafted web page, to exhaust available memory resources. (CVE-2016-9643)
Multiple information disclosure vulnerabilities exist in WebKit when handling page loading due to improper validation of certain input. An unauthenticated, remote attacker can exploit these to disclose data cross-origin. (CVE-2017-2364, CVE-2017-2367)
An unspecified state management flaw exists that allows an unauthenticated, remote attacker to spoof the address bar. (CVE-2017-2376)
A denial of service vulnerability exists in the Web Inspector component when closing a window while the debugger is paused. An unauthenticated, remote attacker can exploit this to terminate the application.
(CVE-2017-2377)
An unspecified flaw exists in WebKit when creating bookmarks using drag-and-drop due to improper validation of certain input. An unauthenticated, remote attacker can exploit this, via a specially crafted link, to spoof bookmarks or potentially execute arbitrary code.
(CVE-2017-2378)
An information disclosure vulnerability exists in the Login AutofFill component that allows a local attacker to access keychain items. (CVE-2017-2385)
Multiple information disclosure vulnerabilities exist in WebKit when handling unspecified exceptions or elements. An unauthenticated, remote attacker can exploit these, via specially crafted web content, to disclose data cross-origin. (CVE-2017-2386, CVE-2017-2479, CVE-2017-2480)
An unspecified flaw exists in the handling of HTTP authentication that allows an unauthenticated, remote attacker to disclose authentication sheets on arbitrary websites or cause a denial of service condition.
(CVE-2017-2389)
Multiple memory corruption issues exist in WebKit that allow an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-2394, CVE-2017-2395, CVE-2017-2396, CVE-2017-2433, CVE-2017-2454, CVE-2017-2455, CVE-2017-2459, CVE-2017-2460, CVE-2017-2464, CVE-2017-2465, CVE-2017-2466, CVE-2017-2468, CVE-2017-2469, CVE-2017-2470, CVE-2017-2476)
A memory corruption issue exists in WebKit within the Web Inspector component due to improper validation of certain input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-2405)
An unspecified type confusion error exists that allows an unauthenticated remote attacker to execute arbitrary code by using specially crafted web content.
(CVE-2017-2415)
A security bypass vulnerability exists in WebKit that allows an unauthenticated, remote attacker to bypass the Content Security Policy by using specially crafted web content. (CVE-2017-2419)
An unspecified flaw exists in WebKit when handling OpenGL shaders that allows an unauthenticated, remote attacker to disclose process memory content by using specially crafted web content. (CVE-2017-2424)
An information disclosure vulnerability exists in WebKit JavaScript Bindings when handling page loading due to unspecified logic flaws. An unauthenticated, remote attacker can exploit this, via specially crafted web content, to disclose data cross-origin. (CVE-2017-2442)
A memory corruption issue exists in WebKit within the CoreGraphics component due to improper validation of certain input. An unauthenticated, remote attacker can exploit this, via specially crafted web content, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-2444)
A universal cross-site scripting (XSS) vulnerability exists in WebKit when handling frame objects due to improper validation of certain input. An unauthenticated, remote attacker can exploit this, via specially crafted web content, to execute arbitrary script code in a user’s browser session. (CVE-2017-2445)
A flaw exists in WebKit due to non-strict mode functions that are called from built-in strict mode scripts not being properly restricted from calling sensitive native functions. An unauthenticated, remote attacker can exploit this, via specially crafted web content, to execute arbitrary code. (CVE-2017-2446)
An out-of-bounds read error exists in WebKit when handling the bound arguments array of a bound function.
An unauthenticated, remote attacker can exploit this, via specially crafted web content, to disclose memory contents. (CVE-2017-2447)
An unspecified flaw exists in FaceTime prompt handling due to improper validation of certain input. An unauthenticated, remote attacker can exploit this to spoof user interface elements. (CVE-2017-2453)
A use-after-free error exists in WebKit when handling RenderBox objects. An unauthenticated, remote attacker can exploit this, via specially crafted web content, to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2017-2463)
An unspecified use-after-free error exists in WebKit that allows an unauthenticated, remote attacker, via specially crafted web content, to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2017-2471)
A universal cross-site scripting (XSS) vulnerability exists in WebKit when handling frames due to improper validation of certain input. An unauthenticated, remote attacker can exploit this, via specially crafted web content, to execute arbitrary script code in a user’s browser session. (CVE-2017-2475)
A use-after-free error exists in WebKit when handling ElementData objects. An unauthenticated, remote attacker can exploit this, via specially crafted web content, to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2017-2481)
A use-after-free error exists in JavaScriptCore when handling the String.replace() method. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2017-2491)
A universal cross-site scripting (XSS) vulnerability exists in JavaScriptCore due to an unspecified prototype flaw. An unauthenticated, remote attacker can exploit this, via a specially crafted web page, to execute arbitrary code in a user’s browser session.
(CVE-2017-2492)
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(99167);
script_version("1.7");
script_cvs_date("Date: 2019/07/03 12:01:40");
script_cve_id(
"CVE-2016-9642",
"CVE-2016-9643",
"CVE-2017-2364",
"CVE-2017-2367",
"CVE-2017-2376",
"CVE-2017-2377",
"CVE-2017-2378",
"CVE-2017-2385",
"CVE-2017-2386",
"CVE-2017-2389",
"CVE-2017-2392",
"CVE-2017-2394",
"CVE-2017-2395",
"CVE-2017-2396",
"CVE-2017-2405",
"CVE-2017-2415",
"CVE-2017-2419",
"CVE-2017-2424",
"CVE-2017-2433",
"CVE-2017-2442",
"CVE-2017-2444",
"CVE-2017-2445",
"CVE-2017-2446",
"CVE-2017-2447",
"CVE-2017-2453",
"CVE-2017-2454",
"CVE-2017-2455",
"CVE-2017-2457",
"CVE-2017-2459",
"CVE-2017-2460",
"CVE-2017-2463",
"CVE-2017-2464",
"CVE-2017-2465",
"CVE-2017-2466",
"CVE-2017-2468",
"CVE-2017-2469",
"CVE-2017-2470",
"CVE-2017-2471",
"CVE-2017-2475",
"CVE-2017-2476",
"CVE-2017-2479",
"CVE-2017-2480",
"CVE-2017-2481",
"CVE-2017-2486",
"CVE-2017-2491",
"CVE-2017-2492",
"CVE-2017-2493",
"CVE-2017-7071"
);
script_bugtraq_id(
100613,
94554,
94559,
95725,
97129,
97130,
97131,
97133,
97136,
97140,
97143,
97147,
97176,
98316,
98700
);
script_xref(name:"APPLE-SA", value:"APPLE-SA-2017-03-27-2");
script_name(english:"macOS : Apple Safari < 10.1 Multiple Vulnerabilities");
script_summary(english:"Checks the Safari version.");
script_set_attribute(attribute:"synopsis", value:
"A web browser installed on the remote macOS or Mac OS X host is
affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of Apple Safari installed on the remote macOS or Mac OS X
host is prior to 10.1. It is, therefore, affected by multiple
vulnerabilities:
- An out-of-bounds read error exists in WebKit when
handling certain JavaScript code. An unauthenticated,
remote attacker can exploit this to cause a denial of
service condition or the disclosure of memory contents.
(CVE-2016-9642)
- A denial of service vulnerability exists in WebKit when
handling certain regular expressions. An
unauthenticated, remote attacker can exploit this, via a
specially crafted web page, to exhaust available memory
resources. (CVE-2016-9643)
- Multiple information disclosure vulnerabilities exist
in WebKit when handling page loading due to improper
validation of certain input. An unauthenticated, remote
attacker can exploit these to disclose data
cross-origin. (CVE-2017-2364, CVE-2017-2367)
- An unspecified state management flaw exists that allows
an unauthenticated, remote attacker to spoof the address
bar. (CVE-2017-2376)
- A denial of service vulnerability exists in the Web
Inspector component when closing a window while the
debugger is paused. An unauthenticated, remote attacker
can exploit this to terminate the application.
(CVE-2017-2377)
- An unspecified flaw exists in WebKit when creating
bookmarks using drag-and-drop due to improper validation
of certain input. An unauthenticated, remote attacker
can exploit this, via a specially crafted link, to spoof
bookmarks or potentially execute arbitrary code.
(CVE-2017-2378)
- An information disclosure vulnerability exists in the
Login AutofFill component that allows a local attacker
to access keychain items. (CVE-2017-2385)
- Multiple information disclosure vulnerabilities exist
in WebKit when handling unspecified exceptions or
elements. An unauthenticated, remote attacker can
exploit these, via specially crafted web content, to
disclose data cross-origin. (CVE-2017-2386,
CVE-2017-2479, CVE-2017-2480)
- An unspecified flaw exists in the handling of HTTP
authentication that allows an unauthenticated, remote
attacker to disclose authentication sheets on arbitrary
websites or cause a denial of service condition.
(CVE-2017-2389)
- Multiple memory corruption issues exist in WebKit that
allow an unauthenticated, remote attacker to cause a
denial of service condition or the execution of
arbitrary code. (CVE-2017-2394, CVE-2017-2395,
CVE-2017-2396, CVE-2017-2433, CVE-2017-2454,
CVE-2017-2455, CVE-2017-2459, CVE-2017-2460,
CVE-2017-2464, CVE-2017-2465, CVE-2017-2466,
CVE-2017-2468, CVE-2017-2469, CVE-2017-2470,
CVE-2017-2476)
- A memory corruption issue exists in WebKit within the
Web Inspector component due to improper validation of
certain input. An unauthenticated, remote attacker can
exploit this to cause a denial of service condition or
the execution of arbitrary code. (CVE-2017-2405)
- An unspecified type confusion error exists that allows
an unauthenticated remote attacker to execute arbitrary
code by using specially crafted web content.
(CVE-2017-2415)
- A security bypass vulnerability exists in WebKit that
allows an unauthenticated, remote attacker to bypass the
Content Security Policy by using specially crafted web
content. (CVE-2017-2419)
- An unspecified flaw exists in WebKit when handling
OpenGL shaders that allows an unauthenticated, remote
attacker to disclose process memory content by using
specially crafted web content. (CVE-2017-2424)
- An information disclosure vulnerability exists in WebKit
JavaScript Bindings when handling page loading due to
unspecified logic flaws. An unauthenticated, remote
attacker can exploit this, via specially crafted web
content, to disclose data cross-origin. (CVE-2017-2442)
- A memory corruption issue exists in WebKit within the
CoreGraphics component due to improper validation of
certain input. An unauthenticated, remote attacker can
exploit this, via specially crafted web content, to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-2444)
- A universal cross-site scripting (XSS) vulnerability
exists in WebKit when handling frame objects due to
improper validation of certain input. An
unauthenticated, remote attacker can exploit this, via
specially crafted web content, to execute arbitrary
script code in a user's browser session. (CVE-2017-2445)
- A flaw exists in WebKit due to non-strict mode functions
that are called from built-in strict mode scripts not
being properly restricted from calling sensitive native
functions. An unauthenticated, remote attacker can
exploit this, via specially crafted web content, to
execute arbitrary code. (CVE-2017-2446)
- An out-of-bounds read error exists in WebKit when
handling the bound arguments array of a bound function.
An unauthenticated, remote attacker can exploit this,
via specially crafted web content, to disclose memory
contents. (CVE-2017-2447)
- An unspecified flaw exists in FaceTime prompt handling
due to improper validation of certain input. An
unauthenticated, remote attacker can exploit this to
spoof user interface elements. (CVE-2017-2453)
- A use-after-free error exists in WebKit when handling
RenderBox objects. An unauthenticated, remote attacker
can exploit this, via specially crafted web content, to
dereference already freed memory, resulting in the
execution of arbitrary code. (CVE-2017-2463)
- An unspecified use-after-free error exists in WebKit
that allows an unauthenticated, remote attacker, via
specially crafted web content, to dereference already
freed memory, resulting in the execution of arbitrary
code. (CVE-2017-2471)
- A universal cross-site scripting (XSS) vulnerability
exists in WebKit when handling frames due to improper
validation of certain input. An unauthenticated, remote
attacker can exploit this, via specially crafted web
content, to execute arbitrary script code in a user's
browser session. (CVE-2017-2475)
- A use-after-free error exists in WebKit when handling
ElementData objects. An unauthenticated, remote attacker
can exploit this, via specially crafted web content, to
dereference already freed memory, resulting in the
execution of arbitrary code. (CVE-2017-2481)
- A use-after-free error exists in JavaScriptCore when
handling the String.replace() method. An
unauthenticated, remote attacker can exploit this to
deference already freed memory, resulting in the
execution of arbitrary code. (CVE-2017-2491)
- A universal cross-site scripting (XSS) vulnerability
exists in JavaScriptCore due to an unspecified prototype
flaw. An unauthenticated, remote attacker can exploit
this, via a specially crafted web page, to execute
arbitrary code in a user's browser session.
(CVE-2017-2492)");
script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT207600");
# https://lists.apple.com/archives/security-announce/2017/Mar/msg00003.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b6d82a85");
script_set_attribute(attribute:"solution", value:
"Upgrade to Apple Safari version 10.1 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2378");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/25");
script_set_attribute(attribute:"patch_publication_date", value:"2017/03/27");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/03");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:safari");
script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"MacOS X Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("macosx_apple_safari_installed.nbin");
script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "MacOSX/Safari/Installed");
exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
os = get_kb_item('Host/MacOSX/Version');
if (!os) audit(AUDIT_OS_NOT, 'Mac OS X or macOS');
if (!preg(pattern:"Mac OS X 10\.(10|11|12)([^0-9]|$)", string:os))
audit(AUDIT_OS_NOT, 'Mac OS X Yosemite 10.10 / Mac OS X El Capitan 10.11 / macOS Sierra 10.12');
get_kb_item_or_exit('MacOSX/Safari/Installed', exit_code:0);
path = get_kb_item_or_exit('MacOSX/Safari/Path', exit_code:1);
version = get_kb_item_or_exit('MacOSX/Safari/Version', exit_code:1);
fixed_version = '10.1';
if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
{
report = report_items_str(
report_items:make_array(
'Path', path,
'Installed version', version,
'Fixed version', fixed_version
),
ordered_fields:make_list('Path', 'Installed version', 'Fixed version')
);
security_report_v4(port:0, severity:SECURITY_WARNING, extra:report);
}
else audit(AUDIT_INST_PATH_NOT_VULN, 'Safari', version, path);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9642
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9643
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2364
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2367
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2376
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2377
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2378
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2385
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2386
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2389
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2392
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2394
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2395
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2396
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2405
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2415
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2419
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2424
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2433
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2442
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2444
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2445
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2446
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2447
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2453
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2454
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2455
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2457
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2459
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2460
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2463
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2464
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2465
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2466
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2468
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2469
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2470
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2471
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2475
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2476
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2479
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2480
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2481
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2486
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2491
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2492
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2493
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7071
www.nessus.org/u?b6d82a85
support.apple.com/en-us/HT207600
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
96.7%