Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.MACOS_HT210919.NASL
HistoryFeb 07, 2020 - 12:00 a.m.

macOS 10.15.x < 10.15.3 / 10.14.x < 10.14.6 / 10.13.x < 10.13.6

2020-02-0700:00:00
This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
100
JSON

The remote host is running a version of macOS / Mac OS X that is 10.15.x prior to 10.15.3, 10.13.x prior to 10.13.6, 10.14.x prior to 10.14.6. It is, therefore, affected by multiple vulnerabilities:

  • In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution. (CVE-2019-11043)

  • An arbitrary code exution vulnerability exists due to a misconfiguration. An authenticated, local attacker can exploit this to execute arbitrary code on the remote host.
    (CVE-2019-18634)

  • An arbitrary code exution vulnerability exists due to the ability to process a maliciously crafted image. An unauthenticated, remote attacker can exploit this to execute arbitrary code on the remote host.
    (CVE-2020-3826 CVE-2020-3827 CVE-2020-3870 CVE-2020-3878)

  • A privilege escalation vulnerability exists in due to an out-of-bounds read issue. An unauthenticated, remote attacker can exploit this, to gain elevated access to the system. (CVE-2020-3829)

  • An arbitrary file write vulnerability exists in the handling of symlinks. A malicious program crafted by an attacker can exploit this to overwrite arbitrary files on the remote host.
    (CVE-2020-3830 CVE-2020-3835 CVE-2020-3855)

  • An information disclosure vulnerability exists in the access control handling of applications. A malicious application crafted by attacker can exploit this to disclose the kernel memory layout.
    (CVE-2020-3836)

  • An arbitrary code exution vulnerability exists due to a memory corruption issue. A malicious application crafted by a remote attacker may be able to execute arbitrary code with kernel privileges on the remote host.
    (CVE-2020-3837 CVE-2020-3842 CVE-2020-3871)

  • An arbitrary code exution vulnerability exists due to a permissions logic flaw. A malicious application crafted by a remote attacker may be able to execute arbitrary code with system privileges on the remote host.
    (CVE-2019-18634 CVE-2020-3854 CVE-2020-3845 CVE-2020-3853 CVE-2020-3857)

  • An information disclosure vulnerability exists in the input sanitization logic. A malicious application crafted by attacker can exploit this to read restricted memory.
    (CVE-2020-3839 CVE-2020-3847)

  • An arbitrary code exution vulnerability exists due to the loading of a maliciously crafted racoon configuration file. An authenticated, local attacker can exploit this to execute arbitrary code on the remote host.
    (CVE-2020-3840)

  • A denial of service (DoS) vulnerability exists due to a memory corruption issue. An unauthenticated, remote attacker can exploit this issue, via malicious input, to cause the system to crash, stop responding, or corrupt the kernel memory. (CVE-2020-3843)

  • An arbitrary code exution vulnerability exists due to either a buffer overflow or out-of-bounds read issue. An authenticated, local attacker can exploit this to execute arbitrary code on the remote host or cause an unexpected application to terminate.
    (CVE-2020-3846 CVE-2020-3848 CVE-2020-3849 CVE-2020-3850 CVE-2020-3877)

  • A memory corruption vulnerability exists due to a malicious crafted string. An unauthenticated, remote attacker can exploit this issue, via malicious input, to cause the corruption of the heap memory. (CVE-2020-3856)

  • An security bypass vulnerability exists in the handling of files from an attacker controlled NFS mount. A remote attacker with local access could search for and open a file from an attacker controlled NFS mount and bypass Gatekeeper Security features. (CVE-2020-3866)

  • An information disclosure vulnerability exists where an application can read restricted memory. A local, authorized attacker can exploit this to read restricted memory.
    (CVE-2020-3872 CVE-2020-3875)

Note that Nessus has not tested for this issue but has instead relied only on the operating system’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(133531);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/06");

  script_cve_id(
    "CVE-2019-11043",
    "CVE-2019-18634",
    "CVE-2020-3826",
    "CVE-2020-3827",
    "CVE-2020-3829",
    "CVE-2020-3830",
    "CVE-2020-3835",
    "CVE-2020-3836",
    "CVE-2020-3837",
    "CVE-2020-3838",
    "CVE-2020-3839",
    "CVE-2020-3840",
    "CVE-2020-3842",
    "CVE-2020-3843",
    "CVE-2020-3845",
    "CVE-2020-3846",
    "CVE-2020-3847",
    "CVE-2020-3848",
    "CVE-2020-3849",
    "CVE-2020-3850",
    "CVE-2020-3853",
    "CVE-2020-3854",
    "CVE-2020-3855",
    "CVE-2020-3856",
    "CVE-2020-3857",
    "CVE-2020-3866",
    "CVE-2020-3870",
    "CVE-2020-3871",
    "CVE-2020-3872",
    "CVE-2020-3875",
    "CVE-2020-3877",
    "CVE-2020-3878"
  );
  script_xref(name:"APPLE-SA", value:"HT210919");
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2020-01-23");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/07/18");
  script_xref(name:"CEA-ID", value:"CEA-2019-0695");

  script_name(english:"macOS 10.15.x < 10.15.3 / 10.14.x < 10.14.6 / 10.13.x < 10.13.6");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a MacOS update which fixes multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of macOS / Mac OS X that is 10.15.x prior to 10.15.3, 
10.13.x prior to 10.13.6, 10.14.x prior to 10.14.6. It is, therefore, affected by multiple
vulnerabilities:

  - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24
    and 7.3.x below 7.3.11 in certain configurations of FPM
    setup it is possible to cause FPM module to write past
    allocated buffers into the space reserved for FCGI
    protocol data, thus opening the possibility of remote
    code execution. (CVE-2019-11043)

  - An arbitrary code exution vulnerability exists  
    due to a misconfiguration. An authenticated, local attacker 
    can exploit this to execute arbitrary code on the remote host.
    (CVE-2019-18634)

  - An arbitrary code exution vulnerability exists  
    due to the ability to process a maliciously crafted image. 
    An unauthenticated, remote attacker can exploit this to 
    execute arbitrary code on the remote host.
    (CVE-2020-3826 CVE-2020-3827 CVE-2020-3870 CVE-2020-3878)

  - A privilege escalation vulnerability exists in due to an out-of-bounds read issue. 
    An unauthenticated, remote attacker can exploit this, to gain elevated
    access to the system. (CVE-2020-3829)

  - An arbitrary file write vulnerability exists in the handling of symlinks. 
    A malicious program crafted by an attacker can exploit this to overwrite arbitrary files on the remote host.
    (CVE-2020-3830 CVE-2020-3835 CVE-2020-3855)

  - An information disclosure vulnerability exists in the access control handling of applications. 
    A malicious application crafted by attacker can exploit this to disclose the kernel memory layout.
    (CVE-2020-3836)

  - An arbitrary code exution vulnerability exists  
    due to a memory corruption issue. A malicious application 
    crafted by a remote attacker may be able to execute arbitrary code 
    with kernel privileges on the remote host.
    (CVE-2020-3837  CVE-2020-3842 CVE-2020-3871)

  - An arbitrary code exution vulnerability exists  
    due to a permissions logic flaw.  A malicious application 
    crafted by a remote attacker may be able to execute arbitrary code 
    with system privileges on the remote host.
    (CVE-2019-18634 CVE-2020-3854 CVE-2020-3845 CVE-2020-3853 CVE-2020-3857)

  - An information disclosure vulnerability exists in the input sanitization logic. 
    A malicious application crafted by attacker can exploit this to read restricted memory.
    (CVE-2020-3839 CVE-2020-3847)

  - An arbitrary code exution vulnerability exists  
    due to the loading of a maliciously crafted racoon configuration file. 
    An authenticated, local attacker can exploit this to execute arbitrary code on the remote host.
    (CVE-2020-3840)

  - A denial of service (DoS) vulnerability exists due to a memory corruption issue. An 
    unauthenticated, remote attacker can exploit this issue, via malicious input, to cause the 
    system to crash, stop responding, or corrupt the kernel memory. (CVE-2020-3843)

  - An arbitrary code exution vulnerability exists  
    due to either a buffer overflow or out-of-bounds read issue. An authenticated, local attacker 
    can exploit this to execute arbitrary code on the remote host or 
    cause an unexpected application to terminate.
    (CVE-2020-3846 CVE-2020-3848 CVE-2020-3849 CVE-2020-3850 CVE-2020-3877)

  - A memory corruption vulnerability exists due to a malicious crafted string. An 
    unauthenticated, remote attacker can exploit this issue, via malicious input, to cause the 
    corruption of the heap memory. (CVE-2020-3856)

  - An security bypass vulnerability exists in the handling of files from an attacker controlled NFS mount. 
    A remote attacker with local access could search for and open a file from an attacker controlled NFS mount
    and bypass Gatekeeper Security features. (CVE-2020-3866)

  - An information disclosure vulnerability exists where an application 
    can read restricted memory.  A local, authorized attacker can exploit this to read restricted memory.
    (CVE-2020-3872 CVE-2020-3875)

Note that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported
version number.");
  script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT210919");
  script_set_attribute(attribute:"solution", value:
"Upgrade to macOS 10.13.6, 10.14.6, 10.15.3 or later");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3847");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-3850");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'PHP-FPM Underflow RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:macos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_ports("Host/MacOSX/Version", "Host/OS");

  exit(0);
}

include('lists.inc');
include('vcf.inc');
include('vcf_extras_apple.inc');

app_info = vcf::apple::macos::get_app_info();

constraints = [
  { 'max_version' : '10.13.6', 'min_version' : '10.13', 'fixed_build': '17G11023', 'fixed_display' : '10.13.6 Security Update 2020-001' },
  { 'max_version' : '10.14.6', 'min_version' : '10.14', 'fixed_build': '18G3020', 'fixed_display' : '10.14.6 Security Update 2020-001' },
  { 'max_version' : '10.15.2', 'min_version' : '10.15', 'fixed_build': '19D76', 'fixed_display' : '10.15.3 MacOS Catalina 10.15.3' }
];

vcf::apple::macos::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
VendorProductVersionCPE
applemac_os_xcpe:/o:apple:mac_os_x
applemacoscpe:/o:apple:macos

References

Related

openvas 19
apple 8
nessus 56
threatpost 1
cve 11
prion 15
oraclelinux 4
osv 6
redhat 9
ubuntucve 1
amazon 3
githubexploit 17
packetstorm 1
archlinux 2
freebsd 1
slackware 1
debian 4
exploitpack 1
redhatcve 1
cloudfoundry 1
debiancve 2
ubuntu 2
thn 2
f5 1
zdt 5
centos 3
suse 2
altlinux 3
mageia 1
alpinelinux 1
almalinux 2
checkpoint_advisories 1
symantec 1
rocky 1
ibm 1
gentoo 1
attackerkb 2
impervablog 1
veracode 1
hackerone 2
fedora 2
openvas
openvas
Apple MacOSX Security Updates(HT210919)-01
2020-01-29 00:00:00
Apple MacOSX Security Updates(HT210919) - 03
2020-01-29 00:00:00
Apple MacOSX Security Updates(HT210919) - 02
2020-01-29 00:00:00
apple
apple
About the security content of macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra
2020-01-28 00:00:00
About the security content of macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra - Apple Support
2020-09-08 03:54:07
About the security content of watchOS 6.1.2 - Apple Support
2020-06-22 04:31:02
nessus
nessus
Apple TV < 13.3.1 Multiple Vulnerabilities
2020-02-18 00:00:00
Debian DSA-4614-1 : sudo - security update
2020-02-03 00:00:00
Oracle Linux 8 : sudo (ELSA-2020-0487)
2023-09-07 00:00:00
threatpost
threatpost
Apple Security Updates Tackle iOS Device Tracking, RCE Flaws
2020-01-29 22:09:30
cve
cve
CVE-2020-3830
2020-02-27 21:15:00
CVE-2019-18634
2020-01-29 18:15:00
CVE-2020-3845
2020-02-27 21:15:00
prion
prion
Stack overflow
2020-01-29 18:15:00
Memory corruption
2020-02-27 21:15:00
Input validation
2020-02-27 21:15:00
oraclelinux
oraclelinux
sudo security update
2020-02-13 00:00:00
php security update
2019-10-31 00:00:00
php:7.2 security update
2019-11-23 00:00:00
osv
osv
CVE-2019-18634
2020-01-29 18:15:12
sudo - security update
2020-02-01 00:00:00
sudo - security update
2020-02-01 00:00:00
redhat
redhat
(RHSA-2020:0509) Important: sudo security update
2020-02-13 19:00:11
(RHSA-2020:0487) Important: sudo security update
2020-02-13 09:08:44
(RHSA-2020:0726) Important: sudo security update
2020-03-05 12:33:40
ubuntucve
ubuntucve
CVE-2019-18634
2020-01-31 00:00:00
amazon
amazon
Important: sudo
2020-03-16 21:29:00
Important: sudo
2020-03-16 20:58:00
Critical: php
2019-10-31 20:28:00
githubexploit
githubexploit
Exploit for Out-of-bounds Write in Sudo Project Sudo
2021-04-25 18:53:17
Exploit for Out-of-bounds Write in Sudo Project Sudo
2020-02-07 02:41:44
Exploit for Out-of-bounds Write in Sudo Project Sudo
2020-02-07 18:07:03
packetstorm
packetstorm
Sudo 1.8.25p Buffer Overflow
2020-02-04 00:00:00
archlinux
archlinux
[ASA-202002-2] sudo: privilege escalation
2020-02-06 00:00:00
[ASA-201910-14] php: arbitrary code execution
2019-10-25 00:00:00
freebsd
freebsd
sudo -- Potential bypass of Runas user restrictions
2020-01-30 00:00:00
slackware
slackware
[slackware-security] sudo
2020-01-31 21:15:53
debian
debian
[SECURITY] [DSA 4614-1] sudo security update
2020-02-01 12:45:56
[SECURITY] [DSA 4614-1] sudo security update
2020-02-01 12:45:56
[SECURITY] [DLA 2094-1] sudo security update
2020-02-01 22:56:58
exploitpack
exploitpack
Sudo 1.8.25p - pwfeedback Buffer Overflow (PoC)
2020-02-04 00:00:00
redhatcve
redhatcve
CVE-2019-18634
2020-01-31 15:09:16
cloudfoundry
cloudfoundry
USN-4263-1: Sudo vulnerability | Cloud Foundry
2020-02-20 00:00:00
debiancve
debiancve
CVE-2019-18634
2020-01-29 18:15:00
CVE-2019-11043
2019-10-28 15:15:00
ubuntu
ubuntu
Sudo vulnerability
2020-02-03 00:00:00
Sudo vulnerability
2020-02-05 00:00:00
thn
thn
Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root
2020-02-03 15:35:00
New PHP Flaw Could Let Attackers Hack Sites Running On Nginx Servers
2019-10-26 19:03:00
f5
f5
K91327225 : Linux sudo process vulnerability CVE-2019-18634
2020-02-24 00:00:00
zdt
zdt
Sudo 1.8.25p - Buffer Overflow Exploit
2020-02-04 00:00:00
Sudo 1.8.25p - (pwfeedback) Buffer Overflow Exploit
2020-02-05 00:00:00
PHP-FPM 7.x Remote Code Execution Exploit
2020-03-06 00:00:00
centos
centos
sudo security update
2020-03-10 20:33:30
sudo security update
2020-02-18 22:21:38
php security update
2019-11-01 22:23:48
suse
suse
Security update for sudo (important)
2020-02-25 00:00:00
Security update for php7 (important)
2019-11-05 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 8 package sudo version 1:1.8.31p2-alt1
2020-08-30 00:00:00
Security fix for the ALT Linux 10 package php8.0 version 7.3.11-alt1
2019-11-19 00:00:00
Security fix for the ALT Linux 10 package php8.1 version 7.3.11-alt1
2019-11-19 00:00:00
mageia
mageia
Updated sudo packages fix security vulnerability
2020-02-09 22:13:40
alpinelinux
alpinelinux
CVE-2019-18634
2020-01-29 18:15:00
almalinux
almalinux
Critical: php:7.2 security update
2019-11-06 13:15:34
Critical: php:7.3 security update
2019-11-06 13:15:46
checkpoint_advisories
checkpoint_advisories
PHP FastCGI Process Manager Remote Code Execution (CVE-2019-11043)
2019-10-27 00:00:00
symantec
symantec
PHP CVE-2019-11043 Remote Code Execution Vulnerability
2019-10-24 00:00:00
rocky
rocky
php:7.2 security update
2019-11-06 13:15:34
ibm
ibm
Security Bulletin: API Connect is impacted by a vulnerability in PHP (CVE-2019-11043)
2020-01-24 20:33:22
gentoo
gentoo
PHP: Arbitrary code execution
2019-10-25 00:00:00
attackerkb
attackerkb
CVE-2020-3843
2020-02-27 00:00:00
CVE-2019-11043
2019-10-28 00:00:00
impervablog
impervablog
Tracking CVE-2019-11043 PHP Vulnerability – An Uncommon Chain of Events
2019-10-30 11:03:17
veracode
veracode
Remote Code Execution (RCE)
2020-05-10 23:28:09
hackerone
hackerone
Internet Bug Bounty: CVE-2019-11043: a buffer underflow in fpm_main.c can lead to RCE in php-fpm
2019-10-24 18:27:39
Nextcloud: Docker image with FPM is vulnerable to CVE-2019-11043
2019-10-22 16:44:12
fedora
fedora
[SECURITY] Fedora 31 Update: php-7.3.11-1.fc31
2019-10-31 00:59:18
[SECURITY] Fedora 30 Update: php-7.3.11-1.fc30
2019-11-03 00:13:06
JSON
Related for MACOS_HT210919.NASL
openvas19apple8nessus56threatpost1cve11prion15oraclelinux4osv6redhat9ubuntucve1amazon3githubexploit17packetstorm1archlinux2freebsd1slackware1debian4exploitpack1redhatcve1cloudfoundry1debiancve2ubuntu2thn2f51zdt5centos3suse2altlinux3mageia1alpinelinux1almalinux2checkpoint_advisories1symantec1rocky1ibm1gentoo1attackerkb2impervablog1veracode1hackerone2fedora2