Apple MacOSX Security Updates(HT208692)-01

2018-04-02T00:00:00

Description

This host is installed with Apple Mac OS X and is prone to multiple vulnerabilities.

{"id": "OPENVAS:1361412562310813112", "vendorId": null, "type": "openvas", "bulletinFamily": "scanner", "title": "Apple MacOSX Security Updates(HT208692)-01", "description": "This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.", "published": "2018-04-02T00:00:00", "modified": "2019-07-05T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813112", "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "references": ["https://support.apple.com/en-us/HT208692"], "cvelist": ["CVE-2018-4142", "CVE-2018-4138", "CVE-2018-4174", "CVE-2018-4152", "CVE-2018-4132", "CVE-2018-4107", "CVE-2018-4108", "CVE-2018-4157", "CVE-2018-4135", "CVE-2018-4131", "CVE-2018-4143", "CVE-2018-4115", "CVE-2018-4167", "CVE-2018-4111", "CVE-2018-4173", "CVE-2018-4170", "CVE-2018-4150", "CVE-2018-4160", "CVE-2018-4105"], "immutableFields": [], "lastseen": "2019-07-17T14:04:09", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "apple", "idList": ["APPLE:444B5944D49C1B1DB2F8D833473A3E28", "APPLE:6B41E03BE95C41152A91DE7584480E16", "APPLE:F5ED4B2C8BF2CB139C4753A54898E258", "APPLE:FAE8F6548DA345F4466BB73DD8BE2763", "APPLE:HT208692", "APPLE:HT208693", "APPLE:HT208696", "APPLE:HT208698"]}, {"type": "cve", "idList": ["CVE-2018-4105", "CVE-2018-4107", "CVE-2018-4108", "CVE-2018-4111", "CVE-2018-4115", "CVE-2018-4131", "CVE-2018-4132", "CVE-2018-4135", "CVE-2018-4138", "CVE-2018-4142", "CVE-2018-4143", "CVE-2018-4150", "CVE-2018-4152", "CVE-2018-4157", "CVE-2018-4160", "CVE-2018-4167", "CVE-2018-4170", "CVE-2018-4173", "CVE-2018-4174"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:37170621F78D33B9DDE68A73E0A16294"]}, {"type": "myhack58", "idList": ["MYHACK58:62201891904"]}, {"type": "nessus", "idList": ["700515.PRM", "700516.PRM", "700548.PRM", "APPLETV_11_3.NASL", "APPLE_IOS_113_CHECK.NBIN", "MACOSX_SECUPD2018-002.NASL", "MACOS_10_13_4.NASL"]}], "rev": 4}, "score": {"value": 0.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "apple", "idList": ["APPLE:444B5944D49C1B1DB2F8D833473A3E28", "APPLE:6B41E03BE95C41152A91DE7584480E16", "APPLE:F5ED4B2C8BF2CB139C4753A54898E258", "APPLE:FAE8F6548DA345F4466BB73DD8BE2763", "APPLE:HT208692", "APPLE:HT208693", "APPLE:HT208696", "APPLE:HT208698"]}, {"type": "cve", "idList": ["CVE-2018-4105", "CVE-2018-4107", "CVE-2018-4108", "CVE-2018-4111", "CVE-2018-4115", "CVE-2018-4131", "CVE-2018-4132", "CVE-2018-4135", "CVE-2018-4138", "CVE-2018-4142", "CVE-2018-4143", "CVE-2018-4150", "CVE-2018-4152", "CVE-2018-4157", "CVE-2018-4160", "CVE-2018-4167", "CVE-2018-4170", "CVE-2018-4174"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:37170621F78D33B9DDE68A73E0A16294"]}, {"type": "myhack58", "idList": ["MYHACK58:62201891904"]}, {"type": "nessus", "idList": ["MACOSX_SECUPD2018-002.NASL", "MACOS_10_13_4.NASL"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2018-4142", "epss": "0.011020000", "percentile": "0.822190000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4138", "epss": "0.000740000", "percentile": "0.301730000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4174", "epss": "0.002500000", "percentile": "0.610900000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4152", "epss": "0.001200000", "percentile": "0.445280000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4132", "epss": "0.001200000", "percentile": "0.445280000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4107", "epss": "0.002160000", "percentile": "0.578240000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4108", "epss": "0.011020000", "percentile": "0.822180000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4157", "epss": "0.001480000", "percentile": "0.490270000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4135", "epss": "0.001200000", "percentile": "0.445280000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4131", "epss": "0.001200000", "percentile": "0.445160000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4143", "epss": "0.001480000", "percentile": "0.490270000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4115", "epss": "0.007010000", "percentile": "0.772470000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4167", "epss": "0.001480000", "percentile": "0.490270000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4111", "epss": "0.002730000", "percentile": "0.629720000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4173", "epss": "0.000570000", "percentile": "0.216070000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4170", "epss": "0.000430000", "percentile": "0.077680000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4150", "epss": "0.001490000", "percentile": "0.492800000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4160", "epss": "0.001200000", "percentile": "0.445280000", "modified": "2023-03-15"}, {"cve": "CVE-2018-4105", "epss": "0.011020000", "percentile": "0.822180000", "modified": "2023-03-15"}], "vulnersScore": 0.5}, "_state": {"dependencies": 1678916735, "score": 1678914494, "epss": 1678936357}, "_internal": {"score_hash": "efefa2e7f9e9d29e897c21912b707f09"}, "pluginID": "1361412562310813112", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple MacOSX Security Updates(HT208692)-01\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813112\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2018-4108\", \"CVE-2018-4143\", \"CVE-2018-4105\", \"CVE-2018-4107\",\n \"CVE-2018-4160\", \"CVE-2018-4167\", \"CVE-2018-4142\", \"CVE-2018-4174\",\n \"CVE-2018-4131\", \"CVE-2018-4132\", \"CVE-2018-4135\", \"CVE-2018-4111\",\n \"CVE-2018-4170\", \"CVE-2018-4115\", \"CVE-2018-4157\", \"CVE-2018-4152\",\n \"CVE-2018-4150\", \"CVE-2018-4138\", \"CVE-2018-4173\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-02 10:46:18 +0530 (Mon, 02 Apr 2018)\");\n script_name(\"Apple MacOSX Security Updates(HT208692)-01\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An injection issue due to improper input validation.\n\n - An issue existed in the parsing of URLs in PDFs due to improper input\n validation.\n\n - An out-of-bounds read error.\n\n - An inconsistent user interface issue.\n\n - By scanning key states, an unprivileged application could log keystrokes\n entered into other applications even when secure input mode was enabled.\n\n - An issue existed in the handling of S/MIME HTML e-mail.\n\n - The sysadminctl command-line tool required that passwords be passed to it\n in its arguments, potentially exposing the passwords to other local users.\n\n - An issue existed in CFPreferences.\n\n - Multiple memory corruption issues.\n\n - A validation issue.\n\n - A consistency issue existed in deciding when to show the microphone use\n indicator.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this vulnerability\n will allow remote attackers to execute arbitrary code with kernel privileges,\n gain access to passwords supplied to sysadminctl, truncate an APFS volume\n password, gain access to potentially sensitive data, gain elevated privileges,\n conduct a denial-of-service attack, log keystrokes entered into applications,\n intercept and exfiltrate the contents of S/MIME-encrypted e-mail and use a\n removed configuration profile and access the microphone without indication to\n the user.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions 10.13.x through 10.13.3\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X 10.13.4 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208692\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.13\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.13\" || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nif(version_is_less(version:osVer, test_version:\"10.13.4\"))\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"10.13.4\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "naslFamily": "Mac OS X Local Security Checks"}

{"nessus": [{"lastseen": "2023-02-17T23:19:47", "description": "The remote host is running a version of macOS that is 10.13.x prior to 10.13.4. It is, therefore, affected by multiple vulnerabilities in the following components :\n\n - Admin Framework\n - APFS\n - ATS\n - CoreFoundation\n - CoreText\n - Disk Images\n - Disk Management\n - File System Events\n - iCloud Drive\n - Intel Graphics Driver\n - IOFireWireFamily\n - Kernel\n - kext tools\n - LaunchServices\n - Mail\n - Notes\n - NSURLSession\n - NVIDIA Graphics Drivers\n - PDFKit\n - PluginKit\n - Quick Look\n - Security\n - Storage\n - System Preferences\n - Terminal\n - WindowServer\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-10T00:00:00", "type": "nessus", "title": "macOS 10.13.x < 10.13.4 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13890", "CVE-2017-8816", "CVE-2018-4104", "CVE-2018-4105", "CVE-2018-4106", "CVE-2018-4107", "CVE-2018-4108", "CVE-2018-4111", "CVE-2018-4112", "CVE-2018-4115", "CVE-2018-4131", "CVE-2018-4132", "CVE-2018-4135", "CVE-2018-4136", "CVE-2018-4138", "CVE-2018-4139", "CVE-2018-4142", "CVE-2018-4143", "CVE-2018-4144", "CVE-2018-4150", "CVE-2018-4151", "CVE-2018-4152", "CVE-2018-4154", "CVE-2018-4155", "CVE-2018-4156", "CVE-2018-4157", "CVE-2018-4158", "CVE-2018-4160", "CVE-2018-4166", "CVE-2018-4167", "CVE-2018-4170", "CVE-2018-4174", "CVE-2018-4175", "CVE-2018-4176"], "modified": "2019-04-10T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "700515.PRM", "href": "https://www.tenable.com/plugins/nnm/700515", "sourceData": "Binary data 700515.prm", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-01T14:37:36", "description": "The remote host is running a version of macOS / Mac OS X that is 10.13.x prior to 10.13.4. It is, therefore, affected by multiple vulnerabilities in the following components :\n\n - Admin Framework\n - APFS\n - ATS\n - CoreFoundation\n - CoreText\n - Disk Images\n - Disk Management\n - File System Events\n - iCloud Drive\n - Intel Graphics Driver\n - IOFireWireFamily\n - Kernel\n - kext tools\n - LaunchServices\n - Mail\n - Notes\n - NSURLSession\n - NVIDIA Graphics Drivers\n - PDFKit\n - PluginKit\n - Quick Look\n - Security\n - Storage\n - System Preferences\n - Terminal\n - WindowServer\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-02T00:00:00", "type": "nessus", "title": "macOS 10.13.x < 10.13.4 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13080", "CVE-2017-13890", "CVE-2017-13911", "CVE-2017-15412", "CVE-2017-7151", "CVE-2018-4104", "CVE-2018-4105", "CVE-2018-4106", "CVE-2018-4107", "CVE-2018-4108", "CVE-2018-4111", "CVE-2018-4112", "CVE-2018-4115", "CVE-2018-4131", "CVE-2018-4132", "CVE-2018-4135", "CVE-2018-4136", "CVE-2018-4138", "CVE-2018-4139", "CVE-2018-4142", "CVE-2018-4143", "CVE-2018-4144", "CVE-2018-4150", "CVE-2018-4151", "CVE-2018-4152", "CVE-2018-4154", "CVE-2018-4155", "CVE-2018-4156", "CVE-2018-4157", "CVE-2018-4158", "CVE-2018-4160", "CVE-2018-4167", "CVE-2018-4170", "CVE-2018-4173", "CVE-2018-4174", "CVE-2018-4175", "CVE-2018-4176", "CVE-2018-4179", "CVE-2018-4185", "CVE-2018-4187", "CVE-2018-4298"], "modified": "2019-06-19T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_10_13_4.NASL", "href": "https://www.tenable.com/plugins/nessus/108786", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108786);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/06/19 15:17:43\");\n\n script_cve_id(\n \"CVE-2017-13080\",\n \"CVE-2017-13890\",\n \"CVE-2017-13911\",\n \"CVE-2017-15412\",\n \"CVE-2017-7151\",\n \"CVE-2018-4104\",\n \"CVE-2018-4105\",\n \"CVE-2018-4106\",\n \"CVE-2018-4107\",\n \"CVE-2018-4108\",\n \"CVE-2018-4111\",\n \"CVE-2018-4112\",\n \"CVE-2018-4115\",\n \"CVE-2018-4131\",\n \"CVE-2018-4132\",\n \"CVE-2018-4135\",\n \"CVE-2018-4136\",\n \"CVE-2018-4138\",\n \"CVE-2018-4139\",\n \"CVE-2018-4142\",\n \"CVE-2018-4143\",\n \"CVE-2018-4144\",\n \"CVE-2018-4150\",\n \"CVE-2018-4151\",\n \"CVE-2018-4152\",\n \"CVE-2018-4154\",\n \"CVE-2018-4155\",\n \"CVE-2018-4156\",\n \"CVE-2018-4157\",\n \"CVE-2018-4158\",\n \"CVE-2018-4160\",\n \"CVE-2018-4167\",\n \"CVE-2018-4170\",\n \"CVE-2018-4173\",\n \"CVE-2018-4174\",\n \"CVE-2018-4175\",\n \"CVE-2018-4176\",\n \"CVE-2018-4179\",\n \"CVE-2018-4185\",\n \"CVE-2018-4187\",\n \"CVE-2018-4298\"\n );\n script_bugtraq_id(\n 101274,\n 102098,\n 103579,\n 103581,\n 103582,\n 103958,\n 104223\n );\n script_name(english:\"macOS 10.13.x < 10.13.4 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Mac OS X / macOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple security\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is\n10.13.x prior to 10.13.4. It is, therefore, affected by multiple\nvulnerabilities in the following components :\n\n - Admin Framework\n - APFS\n - ATS\n - CoreFoundation\n - CoreText\n - Disk Images\n - Disk Management\n - File System Events\n - iCloud Drive\n - Intel Graphics Driver\n - IOFireWireFamily\n - Kernel\n - kext tools\n - LaunchServices\n - Mail\n - Notes\n - NSURLSession\n - NVIDIA Graphics Drivers\n - PDFKit\n - PluginKit\n - Quick Look\n - Security\n - Storage\n - System Preferences\n - Terminal\n - WindowServer\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208692\");\n # https://lists.apple.com/archives/security-announce/2018/Mar/msg00004.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e0e00f71\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS version 10.13.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4298\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Can't determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\nmatches = pregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (empty_or_null(matches)) exit(1, \"Failed to parse the macOS / Mac OS X version ('\" + os + \"').\");\n\nversion = matches[1];\nfixed_version = \"10.13.4\";\n\nif (version !~\"^10\\.13($|[^0-9])\")\n audit(AUDIT_OS_NOT, \"macOS 10.13.x\");\n\nif (ver_compare(ver:version, fix:'10.13.4', strict:FALSE) == -1)\n{\n security_report_v4(\n port:0,\n severity:SECURITY_HOLE,\n extra:\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n'\n );\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"macOS / Mac OS X\", version);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-01T14:38:15", "description": "According to its banner, the version of Apple TV on the remote device is prior to 11.3. It is, therefore, affected by multiple vulnerabilities as described in the HT208698 security advisory.\n\nNote that only 4th and 5th generation models are affected by these vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-16T00:00:00", "type": "nessus", "title": "Apple TV < 11.3 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4101", "CVE-2018-4104", "CVE-2018-4113", "CVE-2018-4114", "CVE-2018-4115", "CVE-2018-4118", "CVE-2018-4119", "CVE-2018-4120", "CVE-2018-4121", "CVE-2018-4122", "CVE-2018-4125", "CVE-2018-4127", "CVE-2018-4128", "CVE-2018-4129", "CVE-2018-4130", "CVE-2018-4142", "CVE-2018-4143", "CVE-2018-4144", "CVE-2018-4146", "CVE-2018-4150", "CVE-2018-4155", "CVE-2018-4157", "CVE-2018-4161", "CVE-2018-4162", "CVE-2018-4163", "CVE-2018-4165", "CVE-2018-4166", "CVE-2018-4167"], "modified": "2019-04-05T00:00:00", "cpe": ["cpe:/a:apple:apple_tv"], "id": "APPLETV_11_3.NASL", "href": "https://www.tenable.com/plugins/nessus/109060", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109060);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/04/05 23:25:06\");\n\n script_cve_id(\n \"CVE-2018-4101\",\n \"CVE-2018-4104\",\n \"CVE-2018-4113\",\n \"CVE-2018-4114\",\n \"CVE-2018-4115\",\n \"CVE-2018-4118\",\n \"CVE-2018-4119\",\n \"CVE-2018-4120\",\n \"CVE-2018-4121\",\n \"CVE-2018-4122\",\n \"CVE-2018-4125\",\n \"CVE-2018-4127\",\n \"CVE-2018-4128\",\n \"CVE-2018-4129\",\n \"CVE-2018-4130\",\n \"CVE-2018-4142\",\n \"CVE-2018-4143\",\n \"CVE-2018-4144\",\n \"CVE-2018-4146\",\n \"CVE-2018-4150\",\n \"CVE-2018-4155\",\n \"CVE-2018-4157\",\n \"CVE-2018-4161\",\n \"CVE-2018-4162\",\n \"CVE-2018-4163\",\n \"CVE-2018-4165\",\n \"CVE-2018-4166\",\n \"CVE-2018-4167\"\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2018-3-29-3\");\n\n script_name(english:\"Apple TV < 11.3 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apple TV device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Apple TV on the remote device\nis prior to 11.3. It is, therefore, affected by multiple\nvulnerabilities as described in the HT208698 security advisory.\n\nNote that only 4th and 5th generation models are affected by these\nvulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208698\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple TV version 11.3 or later. Note that this update is\nonly available for 4th and 5th generation models.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4143\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:apple_tv\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"appletv_version.nasl\");\n script_require_keys(\"AppleTV/Version\", \"AppleTV/Model\", \"AppleTV/URL\", \"AppleTV/Port\");\n script_require_ports(\"Services/www\", 7000);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"appletv_func.inc\");\n\nurl = get_kb_item('AppleTV/URL');\nif (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');\nport = get_kb_item('AppleTV/Port');\nif (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');\n\nbuild = get_kb_item('AppleTV/Version');\nif (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');\n\nmodel = get_kb_item('AppleTV/Model');\nif (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');\n\n# https://en.wikipedia.org/wiki/TvOS\n# 4th gen model \"5,3\" and 5th gen model \"6,2\" share same build\nfixed_build = \"15L211\";\ntvos_ver = '11';\n\n# determine gen from the model\ngen = APPLETV_MODEL_GEN[model];\n\nappletv_check_version(\n build : build,\n fix : fixed_build,\n affected_gen : make_list(4, 5),\n fix_tvos_ver : tvos_ver,\n model : model,\n gen : gen,\n port : port,\n url : url,\n severity : SECURITY_HOLE\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-17T23:19:45", "description": "The version of Apple iOS running on the mobile device is prior to 11.3. It is, therefore, affected by multiple vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-17T00:00:00", "type": "nessus", "title": "Apple iOS < 11.3 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4101", "CVE-2018-4104", "CVE-2018-4110", "CVE-2018-4113", "CVE-2018-4114", "CVE-2018-4115", "CVE-2018-4117", "CVE-2018-4118", "CVE-2018-4119", "CVE-2018-4120", "CVE-2018-4121", "CVE-2018-4122", "CVE-2018-4123", "CVE-2018-4125", "CVE-2018-4127", "CVE-2018-4128", "CVE-2018-4129", "CVE-2018-4130", "CVE-2018-4131", "CVE-2018-4134", "CVE-2018-4137", "CVE-2018-4140", "CVE-2018-4142", "CVE-2018-4143", "CVE-2018-4144", "CVE-2018-4146", "CVE-2018-4149", "CVE-2018-4150", "CVE-2018-4151", "CVE-2018-4154", "CVE-2018-4155", "CVE-2018-4156", "CVE-2018-4157", "CVE-2018-4158", "CVE-2018-4161", "CVE-2018-4162", "CVE-2018-4163", "CVE-2018-4165", "CVE-2018-4166", "CVE-2018-4167", "CVE-2018-4168", "CVE-2018-4172", "CVE-2018-4174"], "modified": "2019-04-17T00:00:00", "cpe": ["cpe:/o:apple:iphone_os"], "id": "700548.PRM", "href": "https://www.tenable.com/plugins/nnm/700548", "sourceData": "Binary data 700548.prm", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-09T16:43:55", "description": "The version of Apple iOS running on the mobile device is prior to 11.3. It is, therefore, affected by multiple vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-03T00:00:00", "type": "nessus", "title": "Apple iOS < 11.3 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15412", "CVE-2018-4101", "CVE-2018-4104", "CVE-2018-4110", "CVE-2018-4113", "CVE-2018-4114", "CVE-2018-4115", "CVE-2018-4117", "CVE-2018-4118", "CVE-2018-4119", "CVE-2018-4120", "CVE-2018-4121", "CVE-2018-4122", "CVE-2018-4123", "CVE-2018-4125", "CVE-2018-4127", "CVE-2018-4128", "CVE-2018-4129", "CVE-2018-4130", "CVE-2018-4131", "CVE-2018-4134", "CVE-2018-4137", "CVE-2018-4140", "CVE-2018-4142", "CVE-2018-4143", "CVE-2018-4144", "CVE-2018-4145", "CVE-2018-4146", "CVE-2018-4148", "CVE-2018-4149", "CVE-2018-4150", "CVE-2018-4151", "CVE-2018-4154", "CVE-2018-4155", "CVE-2018-4156", "CVE-2018-4157", "CVE-2018-4158", "CVE-2018-4161", "CVE-2018-4162", "CVE-2018-4163", "CVE-2018-4165", "CVE-2018-4166", "CVE-2018-4167", "CVE-2018-4168", "CVE-2018-4172", "CVE-2018-4173", "CVE-2018-4174", "CVE-2018-4177", "CVE-2018-4185", "CVE-2018-4207", "CVE-2018-4208", "CVE-2018-4209", "CVE-2018-4210", "CVE-2018-4212", "CVE-2018-4213", "CVE-2018-4390", "CVE-2018-4391"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/o:apple:iphone_os"], "id": "APPLE_IOS_113_CHECK.NBIN", "href": "https://www.tenable.com/plugins/nessus/108812", "sourceData": "Binary data apple_ios_113_check.nbin", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-01T14:37:50", "description": "The remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities affecting the following components :\n\n - ATS\n - CFNetwork Session\n - CoreFoundation\n - CoreTypes\n - curl\n - Disk Images\n - iCloud Drive\n - Kernel\n - kext tools\n - LaunchServices\n - PluginKit\n - Security\n - Storage\n - Terminal", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-02T00:00:00", "type": "nessus", "title": "macOS and Mac OS X Multiple Vulnerabilities (Security Update 2018-002)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13890", "CVE-2017-13911", "CVE-2017-15412", "CVE-2017-7151", "CVE-2017-8816", "CVE-2018-4104", "CVE-2018-4106", "CVE-2018-4108", "CVE-2018-4112", "CVE-2018-4131", "CVE-2018-4136", "CVE-2018-4139", "CVE-2018-4144", "CVE-2018-4150", "CVE-2018-4151", "CVE-2018-4154", "CVE-2018-4155", "CVE-2018-4156", "CVE-2018-4158", "CVE-2018-4175", "CVE-2018-4176"], "modified": "2019-06-19T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOSX_SECUPD2018-002.NASL", "href": "https://www.tenable.com/plugins/nessus/108787", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108787);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/06/19 15:17:43\");\n\n script_cve_id(\n \"CVE-2017-13890\",\n \"CVE-2017-13911\",\n \"CVE-2017-15412\",\n \"CVE-2017-7151\",\n \"CVE-2017-8816\",\n \"CVE-2018-4104\",\n \"CVE-2018-4106\",\n \"CVE-2018-4108\",\n \"CVE-2018-4112\",\n \"CVE-2018-4131\",\n \"CVE-2018-4136\",\n \"CVE-2018-4139\",\n \"CVE-2018-4144\",\n \"CVE-2018-4150\",\n \"CVE-2018-4151\",\n \"CVE-2018-4154\",\n \"CVE-2018-4155\",\n \"CVE-2018-4156\",\n \"CVE-2018-4158\",\n \"CVE-2018-4175\",\n \"CVE-2018-4176\"\n );\n script_bugtraq_id(\n 101998,\n 102098,\n 103579,\n 103581,\n 103582\n );\n script_name(english:\"macOS and Mac OS X Multiple Vulnerabilities (Security Update 2018-002)\");\n script_summary(english:\"Checks for the presence of Security Update 2018-002.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS or Mac OS X security update that\nfixes multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is\nmissing a security update. It is therefore, affected by multiple\nvulnerabilities affecting the following components :\n\n - ATS\n - CFNetwork Session\n - CoreFoundation\n - CoreTypes\n - curl\n - Disk Images\n - iCloud Drive\n - Kernel\n - kext tools\n - LaunchServices\n - PluginKit\n - Security\n - Storage\n - Terminal\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208692\");\n # https://lists.apple.com/archives/security-announce/2018/Mar/msg00004.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e0e00f71\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install Security Update 2018-002 or later for 10.11.x or\nSecurity Update 2018-002 or later for 10.12.x.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-13911\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Compare 2 patch numbers to determine if patch requirements are satisfied.\n# Return true if this patch or a later patch is applied\n# Return false otherwise\nfunction check_patch(year, number)\n{\n local_var p_split = split(patch, sep:\"-\");\n local_var p_year = int( p_split[0]);\n local_var p_num = int( p_split[1]);\n\n if (year > p_year) return TRUE;\n else if (year < p_year) return FALSE;\n else if (number >= p_num) return TRUE;\n else return FALSE;\n}\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\nos = get_kb_item_or_exit(\"Host/MacOSX/Version\");\n\nif (!preg(pattern:\"Mac OS X 10\\.(11\\.6|12\\.6)([^0-9]|$)\", string:os))\n audit(AUDIT_OS_NOT, \"Mac OS X 10.11.6 or Mac OS X 10.12.6\");\n\nif (\"10.11.6\" >< os)\n patch = \"2018-002\";\nelse\n patch = \"2018-002\";\n\npackages = get_kb_item_or_exit(\"Host/MacOSX/packages/boms\", exit_code:1);\nsec_boms_report = pgrep(\n pattern:\"^com\\.apple\\.pkg\\.update\\.(security\\.|os\\.SecUpd).*bom$\",\n string:packages\n);\nsec_boms = split(sec_boms_report, sep:'\\n');\n\nforeach package (sec_boms)\n{\n # Grab patch year and number\n matches = pregmatch(pattern:\"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]\", string:package);\n if (empty_or_null(matches)) continue;\n if (empty_or_null(matches[1]) || empty_or_null(matches[2]))\n continue;\n\n patch_found = check_patch(year:int(matches[1]), number:int(matches[2]));\n if (patch_found) exit(0, \"The host has Security Update \" + patch + \" or later installed and is therefore not affected.\");\n}\n\nreport = '\\n Missing security update : ' + patch;\nreport += '\\n Installed security BOMs : ';\nif (sec_boms_report) report += str_replace(find:'\\n', replace:'\\n ', string:sec_boms_report);\nelse report += 'n/a';\nreport += '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-17T23:19:47", "description": "The remote host is running a version of macOS / Mac OS X that is 10.13.x prior to 10.13.5. It is, therefore, affected by multiple vulnerabilities.\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-04-10T00:00:00", "type": "nessus", "title": "macOS 10.13.x < 10.13.5 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4141", "CVE-2018-4159", "CVE-2018-4167", "CVE-2018-4171", "CVE-2018-4184", "CVE-2018-4193", "CVE-2018-4196", "CVE-2018-4198", "CVE-2018-4202", "CVE-2018-4211", "CVE-2018-4219", "CVE-2018-4221", "CVE-2018-4223", "CVE-2018-4224", "CVE-2018-4225", "CVE-2018-4226", "CVE-2018-4227", "CVE-2018-4228", "CVE-2018-4229", "CVE-2018-4230", "CVE-2018-4234", "CVE-2018-4235", "CVE-2018-4236", "CVE-2018-4237", "CVE-2018-4240", "CVE-2018-4241", "CVE-2018-4242", "CVE-2018-4243", "CVE-2018-4249", "CVE-2018-4251", "CVE-2018-4253", "CVE-2018-5383", "CVE-2018-7584", "CVE-2018-8897"], "modified": "2019-04-10T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "700516.PRM", "href": "https://www.tenable.com/plugins/nnm/700516", "sourceData": "Binary data 700516.prm", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "apple": [{"lastseen": "2020-12-24T20:43:47", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan\n\nReleased March 29, 2018\n\n**Admin Framework**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: Passwords supplied to sysadminctl may be exposed to other local users\n\nDescription: The sysadminctl command-line tool required that passwords be passed to it in its arguments, potentially exposing the passwords to other local users. This update makes the password parameter optional, and sysadminctl will prompt for the password if needed.\n\nCVE-2018-4170: an anonymous researcher\n\n**APFS**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An APFS volume password may be unexpectedly truncated\n\nDescription: An injection issue was addressed through improved input validation.\n\nCVE-2018-4105: David J Beitey (@davidjb_), Geoffrey Bugniot\n\n**ATS**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: Processing a maliciously crafted file might disclose user information\n\nDescription: A validation issue existed in the handling of symlinks. This issue was addressed through improved validation of symlinks.\n\nCVE-2018-4112: Haik Aftandilian of Mozilla\n\n**CFNetwork Session**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4166: Samuel Gro\u00df (@5aelo)\n\n**CoreFoundation**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4155: Samuel Gro\u00df (@5aelo)\n\nCVE-2018-4158: Samuel Gro\u00df (@5aelo)\n\n**CoreText**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: Processing a maliciously crafted string may lead to a denial of service\n\nDescription: A denial of service issue was addressed with improved memory handling.\n\nCVE-2018-4142: Robin Leroy of Google Switzerland GmbH\n\nEntry updated April 3, 2019\n\n**CoreTypes**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6\n\nImpact: Processing a maliciously crafted webpage may result in the mounting of a disk image\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2017-13890: Apple, Theodor Ragnar Gislason of Syndis\n\n**curl**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6\n\nImpact: Multiple issues in curl\n\nDescription: An integer overflow existed in curl. This issue was addressed with improved bounds checking.\n\nCVE-2017-8816: Alex Nichols\n\nEntry updated April 3, 2019\n\n**Disk Images**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: Mounting a malicious disk image may result in the launching of an application\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4176: Theodor Ragnar Gislason of Syndis\n\n**Disk Management**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An APFS volume password may be unexpectedly truncated\n\nDescription: An injection issue was addressed through improved input validation.\n\nCVE-2018-4108: Kamatham Chaitanya of ShiftLeft Inc., an anonymous researcher\n\n**EFI**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)\n\nDescription: A logic issue existed in the handling of state transitions. This was addressed with improved state management.\n\nCVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven\n\nEntry added October 18, 2018\n\n**File System Events**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4167: Samuel Gro\u00df (@5aelo)\n\n**iCloud Drive**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4151: Samuel Gro\u00df (@5aelo)\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4132: Axis and pjf of IceSword Lab of Qihoo 360\n\n**IOFireWireFamily**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4135: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc.\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4150: an anonymous researcher\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4104: The UK's National Cyber Security Centre (NCSC)\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4143: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds read was addressed through improved bounds checking.\n\nCVE-2018-4136: Jonas Jensen of lgtm.com and Semmle\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: An out-of-bounds read was addressed through improved bounds checking.\n\nCVE-2018-4160: Jonas Jensen of lgtm.com and Semmle\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling.\n\nCVE-2018-4185: Brandon Azad\n\nEntry added July 19, 2018\n\n**kext tools**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A logic issue existed resulting in memory corruption. This was addressed with improved state management.\n\nCVE-2018-4139: Ian Beer of Google Project Zero\n\n**LaunchServices**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: A maliciously crafted application may be able to bypass code signing enforcement\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4175: Theodor Ragnar Gislason of Syndis\n\n**libxml2**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.3, OS X El Capitan 10.11.6\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2017-15412: Nick Wellnhofer\n\nEntry updated October 18, 2018\n\n**LinkPresentation**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: Processing a maliciously crafted text message may lead to UI spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department\n\nEntry added April 3, 2019\n\n**Local Authentication**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: A local user may be able to view senstive user information\n\nDescription: There was an issue with the handling of smartcard PINs. This issue was addressed with additional logic.\n\nCVE-2018-4179: David Fuhrmann\n\nEntry added April 13, 2018\n\n**Mail**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An attacker in a privileged network position may be able to exfiltrate the contents of S/MIME-encrypted e-mail\n\nDescription: An issue existed in the handling of S/MIME HTML e-mail. This issue was addressed by not loading remote resources on S/MIME encrypted messages by default if the message has an invalid or missing S/MIME signature.\n\nCVE-2018-4111: Damian Poddebniak of M\u00fcnster University of Applied Sciences, Christian Dresen of M\u00fcnster University of Applied Sciences, Jens M\u00fcller of Ruhr University Bochum, Fabian Ising of M\u00fcnster University of Applied Sciences, Sebastian Schinzel of M\u00fcnster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, J\u00f6rg Schwenk of Ruhr University Bochum\n\nEntry updated April 13, 2018\n\n**Mail**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4174: John McCombs of Integrated Mapping Ltd, McClain Looney of LoonSoft Inc.\n\nEntry updated April 13, 2018\n\n**Notes**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4152: Samuel Gro\u00df (@5aelo)\n\n**Notes**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-7151: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**NSURLSession**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4166: Samuel Gro\u00df (@5aelo)\n\n**NVIDIA Graphics Drivers**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4138: Axis and pjf of IceSword Lab of Qihoo 360\n\n**PDFKit**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: Clicking a URL in a PDF may visit a malicious website\n\nDescription: An issue existed in the parsing of URLs in PDFs. This issue was addressed through improved input validation.\n\nCVE-2018-4107: Nick Safford of Innovia Technology\n\nEntry updated April 9, 2018\n\n**PluginKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4156: Samuel Gro\u00df (@5aelo)\n\n**Quick Look**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4157: Samuel Gro\u00df (@5aelo)\n\n**Remote Management**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: A remote user may be able to gain root privileges\n\nDescription: A permissions issue existed in Remote Management. This issue was addressed through improved permission validation.\n\nCVE-2018-4298: Tim van der Werff of SupCloud\n\nEntry added July 19, 2018\n\n**Security**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4144: Abraham Masri (@cheesecakeufo)\n\n**SIP**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A configuration issue was addressed with additional restrictions.\n\nCVE-2017-13911: Timothy Perfitt of Twocanoes Software\n\nEntry added August 8, 2018, updated September 25, 2018\n\n**Status Bar**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: A malicious application may be able to access the microphone without indication to the user\n\nDescription: A consistency issue existed in deciding when to show the microphone use indicator. The issue was resolved with improved capability validation.\n\nCVE-2018-4173: Joshua Pokotilow of pingmd\n\nEntry added April 9, 2018\n\n**Storage**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4154: Samuel Gro\u00df (@5aelo)\n\n**System Preferences**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: A configuration profile may incorrectly remain in effect after removal\n\nDescription: An issue existed in CFPreferences. This issue was addressed with improved preferences cleanup.\n\nCVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera\n\nEntry updated April 3, 2019\n\n**Terminal**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: Pasting malicious content may lead to arbitrary command execution\n\nDescription: A command injection issue existed in the handling of Bracketed Paste Mode. This issue was addressed through improved validation of special characters.\n\nCVE-2018-4106: Simon Hosie\n\nEntry updated May 15, 2019\n\n**WindowServer**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled\n\nDescription: By scanning key states, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by improved state management.\n\nCVE-2018-4131: Andreas Hegenberg of folivora.AI GmbH\n\nEntry updated April 3, 2019\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**Mail**\n\nWe would like to acknowledge Sabri Haddouche (@pwnsdx) from Wire Swiss GmbH for their assistance.\n\nEntry added June 21, 2018\n\n**Safari Login AutoFill**\n\nWe would like to acknowledge Jun Kokatsu (@shhnjk) for their assistance.\n\nEntry added April 3, 2019\n\n**Security**\n\nWe would like to acknowledge Abraham Masri (@cheesecakeufo) for their assistance.\n\nEntry added April 13, 2018\n\n**Sharing Pref Pane**\n\nWe would like to acknowledge an anonymous researcher for their assistance.\n\nEntry added April 3, 2019\n", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-15T09:12:42", "title": "About the security content of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4179", "CVE-2018-4142", "CVE-2018-4138", "CVE-2018-4174", "CVE-2018-4152", "CVE-2017-7151", "CVE-2017-13080", "CVE-2018-4132", "CVE-2018-4112", "CVE-2018-4185", "CVE-2018-4107", "CVE-2018-4108", "CVE-2018-4157", "CVE-2018-4136", "CVE-2018-4166", "CVE-2018-4187", "CVE-2018-4176", "CVE-2018-4155", "CVE-2018-4298", "CVE-2017-13911", "CVE-2018-4135", "CVE-2018-4106", "CVE-2018-4131", "CVE-2018-4154", "CVE-2018-4139", "CVE-2018-4104", "CVE-2017-15412", "CVE-2018-4143", "CVE-2017-8816", "CVE-2017-13890", "CVE-2018-4115", "CVE-2018-4151", "CVE-2018-4167", "CVE-2018-4111", "CVE-2018-4173", "CVE-2018-4175", "CVE-2018-4144", "CVE-2018-4170", "CVE-2018-4150", "CVE-2018-4160", "CVE-2018-4105", "CVE-2018-4156", "CVE-2018-4158"], "modified": "2019-05-15T09:12:42", "id": "APPLE:HT208692", "href": "https://support.apple.com/kb/HT208692", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-10T17:00:28", "description": "# About the security content of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan\n\nThis document describes the security content of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan\n\nReleased March 29, 2018\n\n**Admin Framework**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: Passwords supplied to sysadminctl may be exposed to other local users\n\nDescription: The sysadminctl command-line tool required that passwords be passed to it in its arguments, potentially exposing the passwords to other local users. This update makes the password parameter optional, and sysadminctl will prompt for the password if needed.\n\nCVE-2018-4170: an anonymous researcher\n\n**APFS**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An APFS volume password may be unexpectedly truncated\n\nDescription: An injection issue was addressed through improved input validation.\n\nCVE-2018-4105: David J Beitey (@davidjb_), Geoffrey Bugniot\n\n**ATS**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: Processing a maliciously crafted file might disclose user information\n\nDescription: A validation issue existed in the handling of symlinks. This issue was addressed through improved validation of symlinks.\n\nCVE-2018-4112: Haik Aftandilian of Mozilla\n\n**CFNetwork Session**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4166: Samuel Gro\u00df (@5aelo)\n\n**CoreFoundation**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4155: Samuel Gro\u00df (@5aelo)\n\nCVE-2018-4158: Samuel Gro\u00df (@5aelo)\n\n**CoreText**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: Processing a maliciously crafted string may lead to a denial of service\n\nDescription: A denial of service issue was addressed with improved memory handling.\n\nCVE-2018-4142: Robin Leroy of Google Switzerland GmbH\n\nEntry updated April 3, 2019\n\n**CoreTypes**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6\n\nImpact: Processing a maliciously crafted webpage may result in the mounting of a disk image\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2017-13890: Apple, Theodor Ragnar Gislason of Syndis\n\n**curl**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6\n\nImpact: Multiple issues in curl\n\nDescription: An integer overflow existed in curl. This issue was addressed with improved bounds checking.\n\nCVE-2017-8816: Alex Nichols\n\nEntry updated April 3, 2019\n\n**Disk Images**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: Mounting a malicious disk image may result in the launching of an application\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4176: Theodor Ragnar Gislason of Syndis\n\n**Disk Management**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An APFS volume password may be unexpectedly truncated\n\nDescription: An injection issue was addressed through improved input validation.\n\nCVE-2018-4108: Kamatham Chaitanya of ShiftLeft Inc., an anonymous researcher\n\n**EFI**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)\n\nDescription: A logic issue existed in the handling of state transitions. This was addressed with improved state management.\n\nCVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven\n\nEntry added October 18, 2018\n\n**File System Events**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4167: Samuel Gro\u00df (@5aelo)\n\n**iCloud Drive**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4151: Samuel Gro\u00df (@5aelo)\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4132: Axis and pjf of IceSword Lab of Qihoo 360\n\n**IOFireWireFamily**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4135: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc.\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4150: an anonymous researcher\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4104: The UK's National Cyber Security Centre (NCSC)\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4143: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds read was addressed through improved bounds checking.\n\nCVE-2018-4136: Jonas Jensen of lgtm.com and Semmle\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: An out-of-bounds read was addressed through improved bounds checking.\n\nCVE-2018-4160: Jonas Jensen of lgtm.com and Semmle\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling.\n\nCVE-2018-4185: Brandon Azad\n\nEntry added July 19, 2018\n\n**kext tools**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A logic issue existed resulting in memory corruption. This was addressed with improved state management.\n\nCVE-2018-4139: Ian Beer of Google Project Zero\n\n**LaunchServices**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: A maliciously crafted application may be able to bypass code signing enforcement\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4175: Theodor Ragnar Gislason of Syndis\n\n**libxml2**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.3, OS X El Capitan 10.11.6\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2017-15412: Nick Wellnhofer\n\nEntry updated October 18, 2018\n\n**LinkPresentation**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: Processing a maliciously crafted text message may lead to UI spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department\n\nEntry added April 3, 2019\n\n**Local Authentication**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: A local user may be able to view senstive user information\n\nDescription: There was an issue with the handling of smartcard PINs. This issue was addressed with additional logic.\n\nCVE-2018-4179: David Fuhrmann\n\nEntry added April 13, 2018\n\n**Mail**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An attacker in a privileged network position may be able to exfiltrate the contents of S/MIME-encrypted e-mail\n\nDescription: An issue existed in the handling of S/MIME HTML e-mail. This issue was addressed by not loading remote resources on S/MIME encrypted messages by default if the message has an invalid or missing S/MIME signature.\n\nCVE-2018-4111: Damian Poddebniak of M\u00fcnster University of Applied Sciences, Christian Dresen of M\u00fcnster University of Applied Sciences, Jens M\u00fcller of Ruhr University Bochum, Fabian Ising of M\u00fcnster University of Applied Sciences, Sebastian Schinzel of M\u00fcnster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, J\u00f6rg Schwenk of Ruhr University Bochum\n\nEntry updated April 13, 2018\n\n**Mail**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4174: John McCombs of Integrated Mapping Ltd, McClain Looney of LoonSoft Inc.\n\nEntry updated April 13, 2018\n\n**Notes**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4152: Samuel Gro\u00df (@5aelo)\n\n**Notes**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-7151: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**NSURLSession**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4166: Samuel Gro\u00df (@5aelo)\n\n**NVIDIA Graphics Drivers**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4138: Axis and pjf of IceSword Lab of Qihoo 360\n\n**PDFKit**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: Clicking a URL in a PDF may visit a malicious website\n\nDescription: An issue existed in the parsing of URLs in PDFs. This issue was addressed through improved input validation.\n\nCVE-2018-4107: Nick Safford of Innovia Technology\n\nEntry updated April 9, 2018\n\n**PluginKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4156: Samuel Gro\u00df (@5aelo)\n\n**Quick Look**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4157: Samuel Gro\u00df (@5aelo)\n\n**Remote Management**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: A remote user may be able to gain root privileges\n\nDescription: A permissions issue existed in Remote Management. This issue was addressed through improved permission validation.\n\nCVE-2018-4298: Tim van der Werff of SupCloud\n\nEntry added July 19, 2018\n\n**Security**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4144: Abraham Masri (@cheesecakeufo)\n\n**SIP**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A configuration issue was addressed with additional restrictions.\n\nCVE-2017-13911: Timothy Perfitt of Twocanoes Software\n\nEntry added August 8, 2018, updated September 25, 2018\n\n**Status Bar**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: A malicious application may be able to access the microphone without indication to the user\n\nDescription: A consistency issue existed in deciding when to show the microphone use indicator. The issue was resolved with improved capability validation.\n\nCVE-2018-4173: Joshua Pokotilow of pingmd\n\nEntry added April 9, 2018\n\n**Storage**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4154: Samuel Gro\u00df (@5aelo)\n\n**System Preferences**\n\nAvailable for: macOS High Sierra 10.13.3\n\nImpact: A configuration profile may incorrectly remain in effect after removal\n\nDescription: An issue existed in CFPreferences. This issue was addressed with improved preferences cleanup.\n\nCVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera\n\nEntry updated April 3, 2019\n\n**Terminal**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: Pasting malicious content may lead to arbitrary command execution\n\nDescription: A command injection issue existed in the handling of Bracketed Paste Mode. This issue was addressed through improved validation of special characters.\n\nCVE-2018-4106: Simon Hosie\n\nEntry updated May 15, 2019\n\n**WindowServer**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3\n\nImpact: An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled\n\nDescription: By scanning key states, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by improved state management.\n\nCVE-2018-4131: Andreas Hegenberg of folivora.AI GmbH\n\nEntry updated April 3, 2019\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**Mail**\n\nWe would like to acknowledge Sabri Haddouche (@pwnsdx) from Wire Swiss GmbH for their assistance.\n\nEntry added June 21, 2018\n\n**Safari Login AutoFill**\n\nWe would like to acknowledge Jun Kokatsu (@shhnjk) for their assistance.\n\nEntry added April 3, 2019\n\n**Security**\n\nWe would like to acknowledge Abraham Masri (@cheesecakeufo) for their assistance.\n\nEntry added April 13, 2018\n\n**Sharing Pref Pane**\n\nWe would like to acknowledge an anonymous researcher for their assistance.\n\nEntry added April 3, 2019\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: May 15, 2019\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "apple", "title": "About the security content of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13080", "CVE-2017-13890", "CVE-2017-13911", "CVE-2017-15412", "CVE-2017-7151", "CVE-2017-8816", "CVE-2018-4104", "CVE-2018-4105", "CVE-2018-4106", "CVE-2018-4107", "CVE-2018-4108", "CVE-2018-4111", "CVE-2018-4112", "CVE-2018-4115", "CVE-2018-4131", "CVE-2018-4132", "CVE-2018-4135", "CVE-2018-4136", "CVE-2018-4138", "CVE-2018-4139", "CVE-2018-4142", "CVE-2018-4143", "CVE-2018-4144", "CVE-2018-4150", "CVE-2018-4151", "CVE-2018-4152", "CVE-2018-4154", "CVE-2018-4155", "CVE-2018-4156", "CVE-2018-4157", "CVE-2018-4158", "CVE-2018-4160", "CVE-2018-4166", "CVE-2018-4167", "CVE-2018-4170", "CVE-2018-4173", "CVE-2018-4174", "CVE-2018-4175", "CVE-2018-4176", "CVE-2018-4179", "CVE-2018-4185", "CVE-2018-4187", "CVE-2018-4298"], "modified": "2018-03-29T00:00:00", "id": "APPLE:FAE8F6548DA345F4466BB73DD8BE2763", "href": "https://support.apple.com/kb/HT208692", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:42:16", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## watchOS 4.3\n\nReleased March 29, 2018\n\n**CoreFoundation**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4155: Samuel Gro\u00df (@5aelo)\n\nCVE-2018-4158: Samuel Gro\u00df (@5aelo)\n\n**CoreText**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted string may lead to a denial of service\n\nDescription: A denial of service issue was addressed with improved memory handling.\n\nCVE-2018-4142: Robin Leroy of Google Switzerland GmbH\n\nEntry updated November 16, 2018\n\n**File System Events**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4167: Samuel Gro\u00df (@5aelo)\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4150: an anonymous researcher\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4104: The UK's National Cyber Security Centre (NCSC)\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4143: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling.\n\nCVE-2018-4185: Brandon Azad\n\nEntry added July 19, 2018\n\n**libxml2**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2017-15412: Nick Wellnhofer\n\nEntry added October 18, 2018\n\n**LinkPresentation**\n\nAvailable for: All Apple Watch models\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4390: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter\n\nCVE-2018-4391: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter\n\nEntry added October 30, 2018, updated November 16, 2018\n\n**NSURLSession**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4166: Samuel Gro\u00df (@5aelo)\n\n**Quick Look**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4157: Samuel Gro\u00df (@5aelo)\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4144: Abraham Masri (@cheesecakeufo)\n\n**System Preferences**\n\nAvailable for: All Apple Watch models\n\nImpact: A configuration profile may incorrectly remain in effect after removal\n\nDescription: An issue existed in CFPreferences. This issue was addressed with improved preferences cleanup.\n\nCVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera\n\nEntry updated November 16, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction with indexing types causing an ASSERT failure\n\nDescription: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed with improved checks.\n\nCVE-2018-4113: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to a denial of service\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4146: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4114: found by OSS-Fuzz\n\nCVE-2018-4121: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4122: WanderingGlitch of Trend Micro\u2019s Zero Day Initiative\n\nCVE-2018-4125: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4129: likemeng of Baidu Security Lab working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4161: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4162: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4163: WanderingGlitch of Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: A malicious website may exfiltrate data cross-origin\n\nDescription: A cross-origin issue existed with the fetch API. This was addressed with improved input validation.\n\nCVE-2018-4117: an anonymous researcher, an anonymous researcher\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4207: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4208: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4209: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction with indexing types caused a failure\n\nDescription: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed with improved checks.\n\nCVE-2018-4210: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4212: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4213: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4145: found by OSS-Fuzz\n\nEntry added October 18, 2018\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**Mail**\n\nWe would like to acknowledge Sabri Haddouche (@pwnsdx) from Wire Swiss GmbH for their assistance.\n\nEntry added June 21, 2018\n\n**Security**\n\nWe would like to acknowledge Abraham Masri (@cheesecakeufo) for their assistance.\n\nEntry added April 13, 2018\n", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-11-17T12:30:02", "title": "About the security content of watchOS 4.3 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4142", "CVE-2018-4390", "CVE-2018-4129", "CVE-2018-4146", "CVE-2018-4185", "CVE-2018-4207", "CVE-2018-4157", "CVE-2018-4212", "CVE-2018-4166", "CVE-2018-4213", "CVE-2018-4155", "CVE-2018-4163", "CVE-2018-4114", "CVE-2018-4145", "CVE-2018-4162", "CVE-2018-4391", "CVE-2018-4104", "CVE-2017-15412", "CVE-2018-4125", "CVE-2018-4143", "CVE-2018-4209", "CVE-2018-4113", "CVE-2018-4115", "CVE-2018-4167", "CVE-2018-4210", "CVE-2018-4208", "CVE-2018-4144", "CVE-2018-4117", "CVE-2018-4161", "CVE-2018-4150", "CVE-2018-4122", "CVE-2018-4158", "CVE-2018-4121"], "modified": "2018-11-17T12:30:02", "id": "APPLE:HT208696", "href": "https://support.apple.com/kb/HT208696", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-14T04:14:37", "description": "# About the security content of watchOS 4.3\n\nThis document describes the security content of watchOS 4.3.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## watchOS 4.3\n\nReleased March 29, 2018\n\n**CoreFoundation**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4155: Samuel Gro\u00df (@5aelo)\n\nCVE-2018-4158: Samuel Gro\u00df (@5aelo)\n\n**CoreText**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted string may lead to a denial of service\n\nDescription: A denial of service issue was addressed with improved memory handling.\n\nCVE-2018-4142: Robin Leroy of Google Switzerland GmbH\n\nEntry updated November 16, 2018\n\n**File System Events**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4167: Samuel Gro\u00df (@5aelo)\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4150: an anonymous researcher\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4104: The UK's National Cyber Security Centre (NCSC)\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4143: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling.\n\nCVE-2018-4185: Brandon Azad\n\nEntry added July 19, 2018\n\n**libxml2**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2017-15412: Nick Wellnhofer\n\nEntry added October 18, 2018\n\n**LinkPresentation**\n\nAvailable for: All Apple Watch models\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4390: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter\n\nCVE-2018-4391: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter\n\nEntry added October 30, 2018, updated November 16, 2018\n\n**NSURLSession**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4166: Samuel Gro\u00df (@5aelo)\n\n**Quick Look**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4157: Samuel Gro\u00df (@5aelo)\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4144: Abraham Masri (@cheesecakeufo)\n\n**System Preferences**\n\nAvailable for: All Apple Watch models\n\nImpact: A configuration profile may incorrectly remain in effect after removal\n\nDescription: An issue existed in CFPreferences. This issue was addressed with improved preferences cleanup.\n\nCVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera\n\nEntry updated November 16, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction with indexing types causing an ASSERT failure\n\nDescription: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed with improved checks.\n\nCVE-2018-4113: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to a denial of service\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4146: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4114: found by OSS-Fuzz\n\nCVE-2018-4121: natashenka of Google Project Zero\n\nCVE-2018-4122: WanderingGlitch of Trend Micro\u2019s Zero Day Initiative\n\nCVE-2018-4125: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4129: likemeng of Baidu Security Lab working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4161: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4162: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4163: WanderingGlitch of Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: A malicious website may exfiltrate data cross-origin\n\nDescription: A cross-origin issue existed with the fetch API. This was addressed with improved input validation.\n\nCVE-2018-4117: an anonymous researcher, an anonymous researcher\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4207: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4208: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4209: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction with indexing types caused a failure\n\nDescription: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed with improved checks.\n\nCVE-2018-4210: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4212: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4213: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4145: found by OSS-Fuzz\n\nEntry added October 18, 2018\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**Mail**\n\nWe would like to acknowledge Sabri Haddouche (@pwnsdx) from Wire Swiss GmbH for their assistance.\n\nEntry added June 21, 2018\n\n**Security**\n\nWe would like to acknowledge Abraham Masri (@cheesecakeufo) for their assistance.\n\nEntry added April 13, 2018\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: March 05, 2021\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "apple", "title": "About the security content of watchOS 4.3", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15412", "CVE-2018-4104", "CVE-2018-4113", "CVE-2018-4114", "CVE-2018-4115", "CVE-2018-4117", "CVE-2018-4121", "CVE-2018-4122", "CVE-2018-4125", "CVE-2018-4129", "CVE-2018-4142", "CVE-2018-4143", "CVE-2018-4144", "CVE-2018-4145", "CVE-2018-4146", "CVE-2018-4150", "CVE-2018-4155", "CVE-2018-4157", "CVE-2018-4158", "CVE-2018-4161", "CVE-2018-4162", "CVE-2018-4163", "CVE-2018-4166", "CVE-2018-4167", "CVE-2018-4185", "CVE-2018-4207", "CVE-2018-4208", "CVE-2018-4209", "CVE-2018-4210", "CVE-2018-4212", "CVE-2018-4213", "CVE-2018-4390", "CVE-2018-4391"], "modified": "2018-03-29T00:00:00", "id": "APPLE:F5ED4B2C8BF2CB139C4753A54898E258", "href": "https://support.apple.com/kb/HT208696", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T19:30:39", "description": "# About the security content of tvOS 11.3\n\nThis document describes the security content of tvOS 11.3.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## tvOS 11.3\n\nReleased March 29, 2018\n\n**CoreFoundation**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4155: Samuel Gro\u00df (@5aelo)\n\n**CoreText**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted string may lead to a denial of service\n\nDescription: A denial of service issue was addressed with improved memory handling.\n\nCVE-2018-4142: Robin Leroy of Google Switzerland GmbH\n\nEntry updated November 16, 2018\n\n**File System Events**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4167: Samuel Gro\u00df (@5aelo)\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4150: an anonymous researcher\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4104: The UK's National Cyber Security Centre (NCSC)\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4143: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling.\n\nCVE-2018-4185: Brandon Azad\n\nEntry added July 19, 2018\n\n**libxml2**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2017-15412: Nick Wellnhofer\n\nEntry added October 18, 2018\n\n**NSURLSession**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4166: Samuel Gro\u00df (@5aelo)\n\n**Quick Look**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4157: Samuel Gro\u00df (@5aelo)\n\n**Security**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4144: Abraham Masri (@cheesecakeufo)\n\n**System Preferences**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A configuration profile may incorrectly remain in effect after removal\n\nDescription: An issue existed in CFPreferences. This issue was addressed with improved preferences cleanup.\n\nCVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera\n\nEntry updated November 16, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction with indexing types causing an ASSERT failure\n\nDescription: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed through improved checks.\n\nCVE-2018-4113: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to a denial of service\n\nDescription: A memory corruption issue was addressed through improved input validation.\n\nCVE-2018-4146: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4101: Yuan Deng of Ant-financial Light-Year Security Lab\n\nCVE-2018-4114: found by OSS-Fuzz\n\nCVE-2018-4118: Jun Kokatsu (@shhnjk)\n\nCVE-2018-4119: an anonymous researcher working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4120: Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team\n\nCVE-2018-4121: natashenka of Google Project Zero\n\nCVE-2018-4122: WanderingGlitch of Trend Micro\u2019s Zero Day Initiative\n\nCVE-2018-4125: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4127: an anonymous researcher working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4128: Zach Markley\n\nCVE-2018-4129: likemeng of Baidu Security Lab working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4130: Omair working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4161: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4162: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4163: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4165: Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4207: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4208: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4209: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction with indexing types caused a failure\n\nDescription: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed with improved checks.\n\nCVE-2018-4210: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4212: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4213: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4145: found by OSS-Fuzz\n\nEntry added October 18, 2018\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition \n\n**Security**\n\nWe would like to acknowledge Abraham Masri (@cheesecakeufo) for their assistance.\n\nEntry added April 13, 2018\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: March 05, 2021\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "apple", "title": "About the security content of tvOS 11.3", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15412", "CVE-2018-4101", "CVE-2018-4104", "CVE-2018-4113", "CVE-2018-4114", "CVE-2018-4115", "CVE-2018-4118", "CVE-2018-4119", "CVE-2018-4120", "CVE-2018-4121", "CVE-2018-4122", "CVE-2018-4125", "CVE-2018-4127", "CVE-2018-4128", "CVE-2018-4129", "CVE-2018-4130", "CVE-2018-4142", "CVE-2018-4143", "CVE-2018-4144", "CVE-2018-4145", "CVE-2018-4146", "CVE-2018-4150", "CVE-2018-4155", "CVE-2018-4157", "CVE-2018-4161", "CVE-2018-4162", "CVE-2018-4163", "CVE-2018-4165", "CVE-2018-4166", "CVE-2018-4167", "CVE-2018-4185", "CVE-2018-4207", "CVE-2018-4208", "CVE-2018-4209", "CVE-2018-4210", "CVE-2018-4212", "CVE-2018-4213"], "modified": "2018-03-29T00:00:00", "id": "APPLE:444B5944D49C1B1DB2F8D833473A3E28", "href": "https://support.apple.com/kb/HT208698", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:41:50", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## tvOS 11.3\n\nReleased March 29, 2018\n\n**CoreFoundation**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4155: Samuel Gro\u00df (@5aelo)\n\n**CoreText**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted string may lead to a denial of service\n\nDescription: A denial of service issue was addressed with improved memory handling.\n\nCVE-2018-4142: Robin Leroy of Google Switzerland GmbH\n\nEntry updated November 16, 2018\n\n**File System Events**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4167: Samuel Gro\u00df (@5aelo)\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4150: an anonymous researcher\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4104: The UK's National Cyber Security Centre (NCSC)\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4143: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling.\n\nCVE-2018-4185: Brandon Azad\n\nEntry added July 19, 2018\n\n**libxml2**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2017-15412: Nick Wellnhofer\n\nEntry added October 18, 2018\n\n**NSURLSession**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4166: Samuel Gro\u00df (@5aelo)\n\n**Quick Look**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4157: Samuel Gro\u00df (@5aelo)\n\n**Security**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4144: Abraham Masri (@cheesecakeufo)\n\n**System Preferences**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A configuration profile may incorrectly remain in effect after removal\n\nDescription: An issue existed in CFPreferences. This issue was addressed with improved preferences cleanup.\n\nCVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera\n\nEntry updated November 16, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction with indexing types causing an ASSERT failure\n\nDescription: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed through improved checks.\n\nCVE-2018-4113: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to a denial of service\n\nDescription: A memory corruption issue was addressed through improved input validation.\n\nCVE-2018-4146: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4101: Yuan Deng of Ant-financial Light-Year Security Lab\n\nCVE-2018-4114: found by OSS-Fuzz\n\nCVE-2018-4118: Jun Kokatsu (@shhnjk)\n\nCVE-2018-4119: an anonymous researcher working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4120: Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team\n\nCVE-2018-4121: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4122: WanderingGlitch of Trend Micro\u2019s Zero Day Initiative\n\nCVE-2018-4125: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4127: an anonymous researcher working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4128: Zach Markley\n\nCVE-2018-4129: likemeng of Baidu Security Lab working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4130: Omair working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4161: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4162: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4163: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4165: Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4207: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4208: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4209: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction with indexing types caused a failure\n\nDescription: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed with improved checks.\n\nCVE-2018-4210: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4212: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4213: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4145: found by OSS-Fuzz\n\nEntry added October 18, 2018\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition \n\n**Security**\n\nWe would like to acknowledge Abraham Masri (@cheesecakeufo) for their assistance.\n\nEntry added April 13, 2018\n", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-11-17T12:30:19", "title": "About the security content of tvOS 11.3 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4119", "CVE-2018-4142", "CVE-2018-4130", "CVE-2018-4129", "CVE-2018-4165", "CVE-2018-4146", "CVE-2018-4185", "CVE-2018-4207", "CVE-2018-4157", "CVE-2018-4212", "CVE-2018-4166", "CVE-2018-4213", "CVE-2018-4101", "CVE-2018-4128", "CVE-2018-4155", "CVE-2018-4163", "CVE-2018-4120", "CVE-2018-4118", "CVE-2018-4114", "CVE-2018-4145", "CVE-2018-4162", "CVE-2018-4104", "CVE-2017-15412", "CVE-2018-4125", "CVE-2018-4143", "CVE-2018-4209", "CVE-2018-4113", "CVE-2018-4115", "CVE-2018-4167", "CVE-2018-4210", "CVE-2018-4127", "CVE-2018-4208", "CVE-2018-4144", "CVE-2018-4161", "CVE-2018-4150", "CVE-2018-4122", "CVE-2018-4121"], "modified": "2018-11-17T12:30:19", "id": "APPLE:HT208698", "href": "https://support.apple.com/kb/HT208698", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:42:10", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## iOS 11.3\n\nReleased March 29, 2018\n\n**Apple TV App**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker in a privileged network position may be able to spoof password prompts in the Apple TV App\n\nDescription: An input validation issue was addressed through improved input validation.\n\n****CVE-2018-4177: Jerry Decime\n\nEntry added April 13, 2018\n\n**Clock**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A person with physical access to an iOS device may be able to see the email address used for iTunes\n\nDescription: An information disclosure issue existed in the handling of alarms and timers. This issue was addressed with improved access restrictions.\n\nCVE-2018-4123: Zaheen Hafzar M M (@zaheenhafzer)\n\nEntry updated November 16, 2018\n\n**CoreFoundation**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4155: Samuel Gro\u00df (@5aelo)\n\nCVE-2018-4158: Samuel Gro\u00df (@5aelo)\n\n**CoreText**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted string may lead to a denial of service\n\nDescription: A denial of service issue was addressed with improved memory handling.\n\nCVE-2018-4142: Robin Leroy of Google Switzerland GmbH\n\nEntry updated November 16, 2018\n\n**LinkPresentation**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4390: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter\n\nCVE-2018-4391: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter\n\nEntry added October 30, 2018, updated November 16, 2018\n\n**File System Events**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4167: Samuel Gro\u00df (@5aelo)\n\n**Files Widget**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: File Widget may display contents on a locked device\n\nDescription: The File Widget was displaying cached data when in the locked state. This issue was addressed with improved state management.\n\nCVE-2018-4168: Brandon Moore\n\n**Find My iPhone**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A person with physical access to the device may be able to disable Find My iPhone without entering an iCloud password\n\nDescription: A state management issue existed when restoring from a back up. This issue was addressed through improved state checking during restore.\n\nCVE-2018-4172: Viljami Vastam\u00e4ki\n\n**iCloud Drive**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4151: Samuel Gro\u00df (@5aelo)\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4150: an anonymous researcher\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4104: The UK's National Cyber Security Centre (NCSC)\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4143: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling.\n\nCVE-2018-4185: Brandon Azad\n\nEntry added July 19, 2018\n\n**libxml2**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2017-15412: Nick Wellnhofer\n\nEntry added October 18, 2018\n\n**LinkPresentation**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4390: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter\n\nCVE-2018-4391: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter\n\nEntry added October 30, 2018\n\n**LinkPresentation**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted text message may lead to UI spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department\n\nEntry added September 17, 2019\n\n**Mail**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4174: John McCombs of Integrated Mapping Ltd, McClain Looney of LoonSoft Inc.\n\nEntry updated April 13, 2018\n\n**NSURLSession**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4166: Samuel Gro\u00df (@5aelo)\n\n**PluginKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4156: Samuel Gro\u00df (@5aelo)\n\n**Quick Look**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4157: Samuel Gro\u00df (@5aelo)\n\n**Safari**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website by clicking a link may lead to user interface spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4134: xisigr of Tencent's Xuanwu Lab (tencent.com), Zhiyang Zeng (@Wester) of Tencent Security Platform Department\n\n**Safari Login AutoFill**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious website may be able to exfiltrate autofilled data in Safari without explicit user interaction.\n\nDescription: Safari autofill did not require explicit user interaction before taking place. The issue was addressed with improved autofill heuristics.\n\nCVE-2018-4137\n\nEntry updated November 16, 2018\n\n**SafariViewController**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to user interface spoofing\n\nDescription: A state management issue was addressed by disabling text input until the destination page loads.\n\nCVE-2018-4149: Abhinash Jain (@abhinashjain)\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4144: Abraham Masri (@cheesecakeufo)\n\n**Status Bar**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to access the microphone without indication to the user\n\nDescription: A consistency issue existed in deciding when to show the microphone use indicator. The issue was resolved with improved capability validation.\n\nCVE-2018-4173: Joshua Pokotilow of pingmd\n\nEntry added April 9, 2018\n\n**Storage**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4154: Samuel Gro\u00df (@5aelo)\n\n**System Preferences**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A configuration profile may incorrectly remain in effect after removal\n\nDescription: An issue existed in CFPreferences. This issue was addressed with improved preferences cleanup.\n\nCVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera\n\nEntry updated November 16, 2018\n\n**Telephony**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A remote attacker can cause a device to unexpectedly restart\n\nDescription: A null pointer dereference issue existed when handling Class 0 SMS messages. This issue was addressed with improved message validation.\n\nCVE-2018-4140: @mjonsson, Arjan van der Oest of Voiceworks BV\n\nEntry updated November 16, 2018\n\n**Telephony**\n\nAvailable for: iPhone 5s and later, and Wi-Fi + Cellular models of iPad Air and later\n\nImpact: A remote attacker may be able to execute arbitrary code\n\nDescription: Multiple buffer overflows were addressed with improved input validation.\n\nCVE-2018-4148: Nico Golde of Comsecuris UG\n\nEntry added March 30, 2018\n\n**Web App**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Cookies may unexpectedly persist in web app\n\nDescription: A cookie management issue was addressed with improved state management.\n\nCVE-2018-4110: Ben Compton and Jason Colley of Cerner Corporation\n\nEntry updated November 16, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4101: Yuan Deng of Ant-financial Light-Year Security Lab\n\nCVE-2018-4114: found by OSS-Fuzz\n\nCVE-2018-4118: Jun Kokatsu (@shhnjk)\n\nCVE-2018-4119: an anonymous researcher working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4120: Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team\n\nCVE-2018-4121: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4122: WanderingGlitch of Trend Micro\u2019s Zero Day Initiative\n\nCVE-2018-4125: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4127: an anonymous researcher working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4128: Zach Markley\n\nCVE-2018-4129: likemeng of Baidu Security Lab working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4130: Omair working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4161: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4162: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4163: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4165: Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction with indexing types causing an ASSERT failure\n\nDescription: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed through improved checks\n\nCVE-2018-4113: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to a denial of service\n\nDescription: A memory corruption issue was addressed through improved input validation\n\nCVE-2018-4146: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious website may exfiltrate data cross-origin\n\nDescription: A cross-origin issue existed with the fetch API. This was addressed through improved input validation.\n\nCVE-2018-4117: an anonymous researcher, an anonymous researcher\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4207: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4208: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4209: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction with indexing types caused a failure\n\nDescription: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed with improved checks.\n\nCVE-2018-4210: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4212: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4213: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4145: found by OSS-Fuzz\n\nEntry added October 18, 2018\n\n**WindowServer**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled\n\nDescription: By scanning key states, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by improved state management.\n\nCVE-2018-4131: Andreas Hegenberg of folivora.AI GmbH\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**Mail**\n\nWe would like to acknowledge Sabri Haddouche (@pwnsdx) from Wire Swiss GmbH for their assistance.\n\nEntry added June 21, 2018\n\n**Security**\n\nWe would like to acknowledge Abraham Masri (@cheesecakeufo) for their assistance.\n\nEntry added April 13, 2018\n\n**WebKit**\n\nWe would like to acknowledge Johnny Nipper of Tinder Security Team for their assistance.\n", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-27T08:17:52", "title": "About the security content of iOS 11.3 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4140", "CVE-2018-4119", "CVE-2018-4142", "CVE-2018-4130", "CVE-2018-4390", "CVE-2018-4177", "CVE-2018-4129", "CVE-2018-4174", "CVE-2018-4165", "CVE-2018-4146", "CVE-2018-4185", "CVE-2018-4207", "CVE-2018-4157", "CVE-2018-4212", "CVE-2018-4166", "CVE-2018-4213", "CVE-2018-4101", "CVE-2018-4128", "CVE-2018-4187", "CVE-2018-4149", "CVE-2018-4155", "CVE-2018-4163", "CVE-2018-4120", "CVE-2018-4118", "CVE-2018-4114", "CVE-2018-4131", "CVE-2018-4145", "CVE-2018-4162", "CVE-2018-4391", "CVE-2018-4168", "CVE-2018-4154", "CVE-2018-4104", "CVE-2017-15412", "CVE-2018-4125", "CVE-2018-4143", "CVE-2018-4209", "CVE-2018-4113", "CVE-2018-4115", "CVE-2018-4151", "CVE-2018-4167", "CVE-2018-4210", "CVE-2018-4127", "CVE-2018-4208", "CVE-2018-4173", "CVE-2018-4123", "CVE-2018-4148", "CVE-2018-4134", "CVE-2018-4144", "CVE-2018-4137", "CVE-2018-4117", "CVE-2018-4161", "CVE-2018-4150", "CVE-2018-4122", "CVE-2018-4156", "CVE-2018-4110", "CVE-2018-4158", "CVE-2018-4121", "CVE-2018-4172"], "modified": "2020-07-27T08:17:52", "id": "APPLE:HT208693", "href": "https://support.apple.com/kb/HT208693", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-26T19:32:31", "description": "# About the security content of iOS 11.3\n\nThis document describes the security content of iOS 11.3.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## iOS 11.3\n\nReleased March 29, 2018\n\n**Apple TV App**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker in a privileged network position may be able to spoof password prompts in the Apple TV App\n\nDescription: An input validation issue was addressed through improved input validation.\n\n****CVE-2018-4177: Jerry Decime\n\nEntry added April 13, 2018\n\n**Clock**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A person with physical access to an iOS device may be able to see the email address used for iTunes\n\nDescription: An information disclosure issue existed in the handling of alarms and timers. This issue was addressed with improved access restrictions.\n\nCVE-2018-4123: Zaheen Hafzar M M (@zaheenhafzer)\n\nEntry updated November 16, 2018\n\n**CoreFoundation**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4155: Samuel Gro\u00df (@5aelo)\n\nCVE-2018-4158: Samuel Gro\u00df (@5aelo)\n\n**CoreText**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted string may lead to a denial of service\n\nDescription: A denial of service issue was addressed with improved memory handling.\n\nCVE-2018-4142: Robin Leroy of Google Switzerland GmbH\n\nEntry updated November 16, 2018\n\n**LinkPresentation**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4390: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter\n\nCVE-2018-4391: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter\n\nEntry added October 30, 2018, updated November 16, 2018\n\n**File System Events**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4167: Samuel Gro\u00df (@5aelo)\n\n**Files Widget**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: File Widget may display contents on a locked device\n\nDescription: The File Widget was displaying cached data when in the locked state. This issue was addressed with improved state management.\n\nCVE-2018-4168: Brandon Moore\n\n**Find My iPhone**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A person with physical access to the device may be able to disable Find My iPhone without entering an iCloud password\n\nDescription: A state management issue existed when restoring from a back up. This issue was addressed through improved state checking during restore.\n\nCVE-2018-4172: Viljami Vastam\u00e4ki\n\n**iCloud Drive**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4151: Samuel Gro\u00df (@5aelo)\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4150: an anonymous researcher\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4104: The UK's National Cyber Security Centre (NCSC)\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4143: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to determine kernel memory layout\n\nDescription: An information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling.\n\nCVE-2018-4185: Brandon Azad\n\nEntry added July 19, 2018\n\n**libxml2**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2017-15412: Nick Wellnhofer\n\nEntry added October 18, 2018\n\n**LinkPresentation**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4390: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter\n\nCVE-2018-4391: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter\n\nEntry added October 30, 2018\n\n**LinkPresentation**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted text message may lead to UI spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department\n\nEntry added September 17, 2019\n\n**Mail**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4174: John McCombs of Integrated Mapping Ltd, McClain Looney of LoonSoft Inc.\n\nEntry updated April 13, 2018\n\n**NSURLSession**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4166: Samuel Gro\u00df (@5aelo)\n\n**PluginKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4156: Samuel Gro\u00df (@5aelo)\n\n**Quick Look**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4157: Samuel Gro\u00df (@5aelo)\n\n**Safari**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website by clicking a link may lead to user interface spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4134: xisigr of Tencent's Xuanwu Lab (tencent.com), Zhiyang Zeng (@Wester) of Tencent Security Platform Department\n\n**Safari Login AutoFill**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious website may be able to exfiltrate autofilled data in Safari without explicit user interaction.\n\nDescription: Safari autofill did not require explicit user interaction before taking place. The issue was addressed with improved autofill heuristics.\n\nCVE-2018-4137\n\nEntry updated November 16, 2018\n\n**SafariViewController**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to user interface spoofing\n\nDescription: A state management issue was addressed by disabling text input until the destination page loads.\n\nCVE-2018-4149: Abhinash Jain (@abhinashjain)\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4144: Abraham Masri (@cheesecakeufo)\n\n**Status Bar**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to access the microphone without indication to the user\n\nDescription: A consistency issue existed in deciding when to show the microphone use indicator. The issue was resolved with improved capability validation.\n\nCVE-2018-4173: Joshua Pokotilow of pingmd\n\nEntry added April 9, 2018\n\n**Storage**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2018-4154: Samuel Gro\u00df (@5aelo)\n\n**System Preferences**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A configuration profile may incorrectly remain in effect after removal\n\nDescription: An issue existed in CFPreferences. This issue was addressed with improved preferences cleanup.\n\nCVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera\n\nEntry updated November 16, 2018\n\n**Telephony**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A remote attacker can cause a device to unexpectedly restart\n\nDescription: A null pointer dereference issue existed when handling Class 0 SMS messages. This issue was addressed with improved message validation.\n\nCVE-2018-4140: @mjonsson, Arjan van der Oest of Voiceworks BV\n\nEntry updated November 16, 2018\n\n**Telephony**\n\nAvailable for: iPhone 5s and later, and Wi-Fi + Cellular models of iPad Air and later\n\nImpact: A remote attacker may be able to execute arbitrary code\n\nDescription: Multiple buffer overflows were addressed with improved input validation.\n\nCVE-2018-4148: Nico Golde of Comsecuris UG\n\nEntry added March 30, 2018\n\n**Web App**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Cookies may unexpectedly persist in web app\n\nDescription: A cookie management issue was addressed with improved state management.\n\nCVE-2018-4110: Ben Compton and Jason Colley of Cerner Corporation\n\nEntry updated November 16, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4101: Yuan Deng of Ant-financial Light-Year Security Lab\n\nCVE-2018-4114: found by OSS-Fuzz\n\nCVE-2018-4118: Jun Kokatsu (@shhnjk)\n\nCVE-2018-4119: an anonymous researcher working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4120: Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team\n\nCVE-2018-4121: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4122: WanderingGlitch of Trend Micro\u2019s Zero Day Initiative\n\nCVE-2018-4125: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4127: an anonymous researcher working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4128: Zach Markley\n\nCVE-2018-4129: likemeng of Baidu Security Lab working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4130: Omair working with Trend Micro's Zero Day Initiative\n\nCVE-2018-4161: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4162: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4163: WanderingGlitch of Trend Micro's Zero Day Initiative\n\nCVE-2018-4165: Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction with indexing types causing an ASSERT failure\n\nDescription: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed through improved checks\n\nCVE-2018-4113: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to a denial of service\n\nDescription: A memory corruption issue was addressed through improved input validation\n\nCVE-2018-4146: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious website may exfiltrate data cross-origin\n\nDescription: A cross-origin issue existed with the fetch API. This was addressed through improved input validation.\n\nCVE-2018-4117: an anonymous researcher, an anonymous researcher\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4207: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4208: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4209: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction with indexing types caused a failure\n\nDescription: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed with improved checks.\n\nCVE-2018-4210: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4212: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Unexpected interaction causes an ASSERT failure\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2018-4213: found by OSS-Fuzz\n\nEntry added May 2, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4145: found by OSS-Fuzz\n\nEntry added October 18, 2018\n\n**WindowServer**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled\n\nDescription: By scanning key states, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by improved state management.\n\nCVE-2018-4131: Andreas Hegenberg of folivora.AI GmbH\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**Mail**\n\nWe would like to acknowledge Sabri Haddouche (@pwnsdx) from Wire Swiss GmbH for their assistance.\n\nEntry added June 21, 2018\n\n**Security**\n\nWe would like to acknowledge Abraham Masri (@cheesecakeufo) for their assistance.\n\nEntry added April 13, 2018\n\n**WebKit**\n\nWe would like to acknowledge Johnny Nipper of Tinder Security Team for their assistance.\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: July 27, 2020\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "apple", "title": "About the security content of iOS 11.3", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15412", "CVE-2018-4101", "CVE-2018-4104", "CVE-2018-4110", "CVE-2018-4113", "CVE-2018-4114", "CVE-2018-4115", "CVE-2018-4117", "CVE-2018-4118", "CVE-2018-4119", "CVE-2018-4120", "CVE-2018-4121", "CVE-2018-4122", "CVE-2018-4123", "CVE-2018-4125", "CVE-2018-4127", "CVE-2018-4128", "CVE-2018-4129", "CVE-2018-4130", "CVE-2018-4131", "CVE-2018-4134", "CVE-2018-4137", "CVE-2018-4140", "CVE-2018-4142", "CVE-2018-4143", "CVE-2018-4144", "CVE-2018-4145", "CVE-2018-4146", "CVE-2018-4148", "CVE-2018-4149", "CVE-2018-4150", "CVE-2018-4151", "CVE-2018-4154", "CVE-2018-4155", "CVE-2018-4156", "CVE-2018-4157", "CVE-2018-4158", "CVE-2018-4161", "CVE-2018-4162", "CVE-2018-4163", "CVE-2018-4165", "CVE-2018-4166", "CVE-2018-4167", "CVE-2018-4168", "CVE-2018-4172", "CVE-2018-4173", "CVE-2018-4174", "CVE-2018-4177", "CVE-2018-4185", "CVE-2018-4187", "CVE-2018-4207", "CVE-2018-4208", "CVE-2018-4209", "CVE-2018-4210", "CVE-2018-4212", "CVE-2018-4213", "CVE-2018-4390", "CVE-2018-4391"], "modified": "2018-03-29T00:00:00", "id": "APPLE:6B41E03BE95C41152A91DE7584480E16", "href": "https://support.apple.com/kb/HT208693", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-02-09T14:26:24", "description": "An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the \"Mail\" component. It allows man-in-the-middle attackers to read S/MIME encrypted messages by leveraging an inconsistency in the user interface.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4174", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4174"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-4174", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4174", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:24", "description": "An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the \"Status Bar\" component. It allows invisible microphone access via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-04-13T17:29:00", "type": "cve", "title": "CVE-2018-4173", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4173"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-4173", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4173", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:24", "description": "An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the \"Admin Framework\" component. It allows local users to discover a password by listing a process and its arguments during sysadminctl execution.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4170", "cwe": ["CWE-522"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4170"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-4170", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4170", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:23", "description": "An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the \"Notes\" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4152", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4152"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-4152", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4152", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:20", "description": "An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the \"Kernel\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4143", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4143"], "modified": "2019-03-08T16:06:00", "cpe": [], "id": "CVE-2018-4143", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4143", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:16", "description": "An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the \"PDFKit\" component. It allows remote attackers to bypass intended restrictions on visiting URLs within a PDF document.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4107", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4107"], "modified": "2018-05-04T14:58:00", "cpe": [], "id": "CVE-2018-4107", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4107", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:21", "description": "An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the \"NVIDIA Graphics Drivers\" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4138", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4138"], "modified": "2018-04-27T17:20:00", "cpe": [], "id": "CVE-2018-4138", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4138", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:16", "description": "An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the \"APFS\" component. It allows attackers to trigger truncation of an APFS volume password via an unspecified injection.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4105", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4105"], "modified": "2018-05-04T15:05:00", "cpe": [], "id": "CVE-2018-4105", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4105", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:17", "description": "An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves CFPreferences in the \"System Preferences\" component. It allows attackers to bypass intended access restrictions by leveraging incorrect configuration-profile persistence.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4115", "cwe": ["CWE-281"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4115"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-4115", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4115", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:17", "description": "An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the \"Mail\" component. It allows man-in-the-middle attackers to read S/MIME encrypted message content by sending HTML e-mail that references remote resources but lacks a valid S/MIME signature.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4111", "cwe": ["CWE-347"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4111"], "modified": "2020-08-24T17:37:00", "cpe": [], "id": "CVE-2018-4111", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4111", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:22", "description": "An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the \"Kernel\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4150", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4150"], "modified": "2019-03-08T16:06:00", "cpe": [], "id": "CVE-2018-4150", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4150", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:23", "description": "An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the \"File System Events\" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4167", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4167"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-4167", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4167", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:21", "description": "An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the \"IOFireWireFamily\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4135", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4135"], "modified": "2018-04-27T17:21:00", "cpe": [], "id": "CVE-2018-4135", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4135", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:23", "description": "An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the \"Kernel\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (out-of-bounds read) via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4160", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4160"], "modified": "2018-05-04T14:42:00", "cpe": [], "id": "CVE-2018-4160", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4160", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:20", "description": "An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the \"CoreText\" component. It allows remote attackers to cause a denial of service (application crash) via a crafted string.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4142", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4142"], "modified": "2019-03-08T16:06:00", "cpe": [], "id": "CVE-2018-4142", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4142", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:23", "description": "An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the \"Quick Look\" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4157", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4157"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-4157", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4157", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:19", "description": "An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the \"Intel Graphics Driver\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4132", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4132"], "modified": "2018-04-27T17:21:00", "cpe": [], "id": "CVE-2018-4132", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4132", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:19", "description": "An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the \"Disk Management\" component. It allows attackers to trigger truncation of an APFS volume password via an unspecified injection.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4108", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4108"], "modified": "2018-05-04T14:55:00", "cpe": [], "id": "CVE-2018-4108", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4108", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-02-09T14:26:19", "description": "An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the \"WindowServer\" component. It allows attackers to bypass the Secure Input Mode protection mechanism, and log keystrokes of arbitrary apps, via a crafted app that scans key states.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2018-4131", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4131"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-4131", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4131", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}], "myhack58": [{"lastseen": "2018-11-05T14:08:30", "description": "For convenience of expression, this article will use the first-person manner described. \nThis article describes my in Apple's macOS system kernel found several stack and buffer overflow vulnerabilities, Apple will this several vulnerabilities categorized as the kernel of remote code execution vulnerabilities, so those vulnerabilities the threat level is very high. An attacker can use these vulnerabilities to remote intrusion Mac, you can also by physical access to the computer, only need to the visitors log in without a password, you can use these loopholes to get permission and control of the computer. \nThese vulnerabilities are basically present in the NFS Protocol, is used to the network drive mounted to a Mac when the file system is used, similar to NAS. \nVulnerabilities related content \nApple in 2018 7 November 9 release of MacOS 10.13.6 version update fixes these vulnerabilities. But at the time they asked we do not publish these vulnerabilities because they need to do some investigation and see what other platforms have similar problems or whether you need to solve. Of course, now we can open that up. \nNFS this thing, now scope of use has been very wide, especially in some large enterprises, it is mainly used for the shared drive or networked device's main directory. Of course, it can also be in the home equipment, usually used as a media server. \nOn macos, install the NFS does not require special permissions, so any level of user can trigger these vulnerabilities, and even does not require a password for the visitor account. In addition, many computers especially in an enterprise environment will be configured to start automatically when mount the NFS share. \nThis means that these vulnerabilities exist at least two attack vectors: the \n1. May be used when using NFS, the file Manager of the enterprise in the rapid spread of the virus. \nWant to do this, the attacker need only in its file Manager on the installation with the malicious code of the NFS server software, or by the malicious files Manager put in the network up to intercept NFS traffic to reach the goal. \n2. For mention right. \nFor example, some people will use the Guest login, and then issue a series of commands to connect to the NFS server may be present in the network any location, it is possible on the computer to obtain kernel-level access. \nApple is the five vulnerabilities are assigned CVE: CVE-2018-4259, CVE-2018-4286, CVE-2018-4287, CVE-2018-4288 and CVE-2018-4291\u3002 I'm in 2018 5 on 21 September to Apple's bug reports, respectively, in the source code listed in Article 14 does not determine the point. But since Apple only recently released an update, so I have not had time to complete the full source code audit. Therefore, to avoid accidental disclosure Any may not fix the errors in this article I'll talk about two of which has been verified and repaired the vulnerability. \nVulnerability reproduction \nI wrote a PoC to verify the vulnerability of availability, you can use 0 covers 4096 bytes of heap memory causing the kernel to crash. I made a short video to prove it. \n4096 is a random selection, in fact I can feel free to modify to send as much data as possible, and anything greater than 128 bytes the number will trigger a buffer overflow, I was also able to completely control the bytes written value. Therefore, although these actions only destroy the core, but in fact can be achieved through these buffer overflows to achieve remote code execution and local mention of the right of operation. \nWhen I first found this vulnerability, hardly dare to imagine I will be for the PoC to write your own NFS server. But I have learned a few NFS-related knowledge as well as learn how to use rpcgen, I found that in fact want to achieve is also very simple. To verify this vulnerability with a PoC, contains only 46 lines of C language and Line 63 of the RPC language code. Of course, the source code will be in the official Apple completion of all the repair after the re-release. \nVulnerability details the \nI write for the PoC, these two vulnerabilities are required by this act seemingly harmless code to achieve: \nnfsm_chain_get_fh(error, &nmrep;, nfsvers, fh); \nThis line of code does is to read the NFS server sends back a Mac of the reply message nmrep of file handles fh on. This file handle is the NFS shared file or directory of the opaque identifier. An NFSv3 file handles up to 64 bytes, in NFSv4, up to 128 bytes, MAP of fhandle_t type then there is enough space to accommodate 128 bytes of a file handle, but they neglected to check nfsm_chain_get_fh the macro in a buffer overflow situation: \n/* get the size of and data for a file handle in an mbuf chain */ \n#define nfsm_chain_get_fh(E, NMC, VERS, FHP) \\ \ndo { \\ \nif ((VERS) != NFS_VER2) \\ \nnfsm_chain_get_32((E), (NMC), (FHP)->fh_len); \\ \nelse \\ \n(FHP)->fh_len = NFSX_V2FH;\\ \nnfsm_chain_get_opaque((E), (NMC), (a uint32_t that)(FHP)->fh_len, (FHP)->fh_data);\\ \nif (E) \\ \n(FHP)->fh_len = 0;\\ \n} while (0) \nSince the macro command used in large quantities, want to understand this code may seem difficult, but its actual role is very simple: it can be from the message reads a 32 for the unsigned integer to the(FHP)->fh_len, and then read the bytes from the message directly into the(FHP)->fh_data it. Since there is no bounds checking, so an attacker can select any byte sequence coverage of any number of kernel heap. Is covered by the file handle in memory nfs_socket. c:1401 distribution. \nThis PoC, the second bug is nfsm_chain_get_opaque of an integer overflow: \n/* copy the next consecutive bytes of opaque data from an mbuf chain */ \n#define nfsm_chain_get_opaque(E, NMC, LEN, PTR) \\ \ndo { \\ \na uint32_t that rndlen; \\ \nif (E) break; \\ \nrndlen = nfsm_rndup(LEN); \\ \nif ((NMC)->nmc_left >= rndlen) { \\ \nu_char *__tmpptr = (u_char*)(NMC)->nmc_ptr; \\ \n(NMC)->nmc_left -= rndlen; \\ \n(NMC)->nmc_ptr += rndlen; \\ \nbcopy(__tmpptr, (PTR), (LEN)); \\ \n} else { \\ \n(E) = nfsm_chain_get_opaque_f((NMC), (LEN), (u_char*)(PTR)); \\ \n} \\ \n} while (0) \nThis code uses bfsn_rndup the LEN move 4 to the next multiple. But it is in the call to bcopy will use the LEN of the original value. If its initial value is 0xFFFFFFFF, then nfsm_rndup will appear in the adder overflow, renlen value is 0, which means that capable(NMC)->nmc_left more successful, and the use of 0xFFFFFFFF as the size parameters of the call to bcopy to. This will cause the kernel to crash, and therefore it is used as a denial of service attack. \nUsing QL to find the error \nQL is a big advantage to be able to find known bugs variants. Earlier this year, my colleague Jonas Jensen in the Apple NFS start found two vulnerabilities: CVE-2018-4136 and CVE-2018-4160\u3002 We were also publishing an article about the vulnerabilities of the article is mainly devoted to bcopy call, this call may exist for the negative of the user to control the size of the parameters. The easiest way is to find the user control of the source buffer to the bcopy calls. It's funny, because they can be user's copy the data to the kernel. \n\n\n**[1] [[2]](<91904_2.htm>) [[3]](<91904_3.htm>) [next](<91904_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-11-05T00:00:00", "type": "myhack58", "title": "MacOS again appeared vulnerability, known as unbreakable system also has weaknesses-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4288", "CVE-2018-4286", "CVE-2018-4287", "CVE-2018-4136", "CVE-2018-4259", "CVE-2018-4160", "CVE-2018-4291"], "modified": "2018-11-05T00:00:00", "id": "MYHACK58:62201891904", "href": "http://www.myhack58.com/Article/html/3/62/2018/91904.htm", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "googleprojectzero": [{"lastseen": "2021-07-30T19:23:13", "description": "Posted by Brandon Azad, Project Zero\n\n** \n**\n\nI recently found myself wishing for a single online reference providing a brief summary of the high-level exploit flow of every public iOS kernel exploit in recent years; since no such document existed, I decided to create it here.\n\n** \n**\n\nThis post summarizes original iOS kernel exploits from local app context targeting iOS 10 through iOS 13, focusing on the high-level exploit flow from the initial primitive granted by the vulnerability to kernel read/write. At the end of this post, we will briefly look at iOS kernel exploit mitigations (in both hardware and software) and how they map onto the techniques used in the exploits.\n\n** \n**\n\nThis isn't your typical P0 blog post: There is no gripping zero-day exploitation, or novel exploitation research, or thrilling malware reverse engineering. The content has been written as a reference since I needed the information and figured that others might find it useful too. You have been forewarned.\n\n# A note on terminology\n\nUnfortunately, there is no authoritative dictionary called \"Technical Hacking Terms for Security Researchers\", which makes it difficult to precisely describe some of the high-level concepts I want to convey. To that end, I have decided to ascribe the following terms specific meanings for the context of this post. If any of these definitions are at odds with your understanding of these terms, feel free to suggest improved terminology and I can update this post. :)\n\n** \n**\n\nExploit primitive: A capability granted during an exploit that is reasonably generic.\n\n** \n**\n\nA few examples of common exploit primitives include: n-byte linear heap overflow, integer increment at a controlled address, write-what-where, arbitrary memory read/write, PC control, arbitrary function calling, etc.\n\n** \n**\n\nA common exploit primitive specific to iOS kernel exploitation is having a send right to a fake Mach port (struct ipc_port) whose fields can be directly read and written from userspace.\n\n** \n**\n\nExploit strategy: The low-level, vulnerability-specific method used to turn the vulnerability into a useful exploit primitive.\n\n** \n**\n\nFor example, this is the exploit strategy used in Ian Beer's async_wake exploit for iOS 11.1.2:\n\n** \n**\n\nAn information leak is used to discover the address of arbitrary Mach ports. A page of ports is allocated and a specific port from that page is selected based on its address. The IOSurfaceRootUserClient bug is triggered to deallocate the Mach port, yielding a receive right to a dangling Mach port at a known (and partially controlled) address.\n\n** \n**\n\nThe last part is the generic/vulnerability-independent primitive that I interpret to be the end of the vulnerability-specific exploit strategy.\n\n** \n**\n\nTypically, the aim of the exploit strategy is to produce an exploit primitive which is highly reliable.\n\n** \n**\n\nExploit technique: A reusable and reasonably generic strategy for turning one exploit primitive into another (usually more useful) exploit primitive.\n\n** \n**\n\nOne example of an exploit technique is Return-Oriented Programming (ROP), which turns arbitrary PC control into (nearly) arbitrary code execution by reusing executable code gadgets.\n\n** \n**\n\nAn exploit technique specific to iOS kernel exploitation is using a fake Mach port to read 4 bytes of kernel memory by calling pid_for_task() (turning a send right to a fake Mach port into an arbitrary kernel memory read primitive).\n\n** \n**\n\nExploit flow: The high-level, vulnerability-agnostic chain of exploit techniques used to turn the exploit primitive granted by the vulnerability into the final end goal (in this post, kernel read/write from local app context).\n\n# Public iOS kernel exploits from app context since iOS 10\n\nThis section will give a brief overview of iOS kernel exploits from local context targeting iOS 10 through iOS 13. I'll describe the high-level exploit flow and list the exploit primitives and techniques used to achieve it. While I have tried to track down every original (i.e., developed before exploit code was published) public exploit available either as source code or as a sufficiently complete writeup/presentation, I expect that I may have missed a few. Feel free to reach out and suggest any that I have missed and I can update this post.\n\n** \n**\n\nFor each exploit, I have outlined the vulnerability, the exploit strategy (specific to the vulnerability), and the subsequent exploit flow (generic). The boundary between which parts of the exploit are specific to the vulnerability and which parts are generic enough to be considered part of the overall flow is subjective. In each case I've highlighted the particular exploitation primitive granted by the vulnerability that I consider sufficiently generic.\n\n## mach_portal - iOS 10.1.1\n\nBy Ian Beer of Google Project Zero ([@i41nbeer](<https://twitter.com/i41nbeer>)). \n\n** \n**\n\nThe vulnerability: CVE-2016-7644 is a race condition in XNU's set_dp_control_port() which leads to a Mach port being over-released.\n\n** \n**\n\nExploit strategy: Many Mach ports are allocated and references to them are dropped by racing set_dp_control_port() (it is possible to determine when the race has been won deterministically). The ports are freed by dropping a stashed reference, leaving the process holding receive rights to dangling Mach ports filling a page of memory.\n\n** \n**\n\nSubsequent exploit flow: A zone garbage collection is forced by calling mach_zone_force_gc() and the page of dangling ports is reallocated with an out-of-line (OOL) ports array containing pointers to the host port. mach_port_get_context() is called on one of the dangling ports to disclose the address of the host port. Using this value, it is possible to guess the page on which the kernel task port lives. The context value of each of the dangling ports is set to the address of each potential ipc_port on the page containing the kernel task port, and the OOL ports are received back in userspace to give a send right to the kernel task port.\n\n** \n**\n\nReferences: [mach_portal exploit code](<https://bugs.chromium.org/p/project-zero/issues/detail?id=965#c2>).\n\n## In-the-wild iOS Exploit Chain 1 - iOS 10.1.1\n\nDiscovered in-the-wild by Cl\u00e9ment Lecigne ([@_clem1](<https://twitter.com/_clem1>)) of Google's Threat Analysis Group. Analyzed by Ian Beer and Samuel Gro\u00df ([@5aelo](<https://twitter.com/5aelo>)) of Google Project Zero.\n\n** \n**\n\nThe vulnerability: The vulnerability is a linear heap out-of-bounds write of IOAccelResource pointers in the IOKit function AGXAllocationList2::initWithSharedResourceList().\n\n** \n**\n\nExploit strategy: The buffer to be overflowed is placed directly before a recv_msg_elem struct, such that the out-of-bounds write will overwrite the uio pointer with an IOAccelResource pointer. The IOAccelResource pointer is freed and reallocated with a fake uio struct living at the start of an OSData data buffer managed by IOSurface properties. The uio is freed, leaving a dangling OSData data buffer accessible via IOSurface properties.\n\n** \n**\n\nSubsequent exploit flow: The dangling OSData data buffer slot is reallocated with an IOSurfaceRootUserClient instance, and the data contents are read via IOSurface properties to give the KASLR slide, the address of the current task, and the address of the dangling data buffer/IOSurfaceRootUserClient. Then, the data buffer is freed and reallocated with a modified version of the IOSurfaceRootUserClient, such that calling an external method on the modified user client will return the address of the kernel task read from the kernel's __DATA segment. The data buffer is freed and reallocated again such that calling an external method will execute the OSSerializer::serialize() gadget, leading to an arbitrary read-then-write that stores the address of the kernel task port in the current task's list of special ports. Reading the special port from userspace gives a send right to the kernel task port.\n\n** \n**\n\nReferences: [In-the-wild iOS Exploit Chain 1 - AGXAllocationList2::initWithSharedResourceList heap overflow](<https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-1.html>).\n\n## extra_recipe - iOS 10.2\n\nBy Ian Beer.\n\n** \n**\n\nThe vulnerability: CVE-2017-2370 is a linear heap buffer overflow reachable from unprivileged contexts in XNU's mach_voucher_extract_attr_recipe_trap() due to an attacker-controlled userspace pointer used as the length in a call to copyin().\n\n** \n**\n\nExploit strategy: The vulnerable Mach trap is called to create a kalloc allocation and immediately overflow out of it with controlled data, corrupting the ikm_size field of a subsequent ipc_kmsg object. This causes the ipc_kmsg, which is the preallocated message for a Mach port, to believe that it has a larger capacity than it does, overlapping it with the first 240 bytes of the subsequent allocation. By registering the Mach port as the exception port for a userspace thread and then crashing the thread with controlled register state, it is possible to repeatedly and reliably overwrite the overlapping part of the subsequent allocation, and by receiving the exception message it is possible to read those bytes. This gives a controlled 240-byte out-of-bounds read/write primitive off the end of the corrupted ipc_kmsg.\n\n** \n**\n\nSubsequent exploit flow: A second ipc_kmsg is placed after the corrupted one and read in order to determine the address of the allocations. Next an AGXCommandQueue user client is reallocated in the same slot and the virtual method table is read to determine the KASLR slide. Then the virtual method table is overwritten such that a virtual method call on the AGXCommandQueue invokes the OSSerializer::serialize() gadget, producing a 2-argument arbitrary kernel function call primitive. Calling the function uuid_copy() gives an arbitrary kernel read/write primitive.\n\n** \n**\n\nReferences: [Exception oriented exploitation on iOS](<https://googleprojectzero.blogspot.com/2017/04/exception-oriented-exploitation-on-ios.html>), [extra_recipe exploit code](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1004#c4>).\n\n## Yalu102 - iOS 10.2\n\nBy Luca Todesco ([@qwertyoruiopz](<https://twitter.com/qwertyoruiopz>)) and Marco Grassi ([@marcograss](<https://twitter.com/marcograss>)).\n\n** \n**\n\nThe vulnerability: CVE-2017-2370 (same as above).\n\n** \n**\n\nExploit strategy: The vulnerable Mach trap is called to create a kalloc allocation and immediately overflow out of it with controlled data, overwriting the contents of an OOL port array and inserting a pointer to a fake Mach port in userspace. Receiving the message containing the OOL ports yields a send right to the fake Mach port whose contents can be controlled directly.\n\n** \n**\n\nSubsequent exploit flow: The fake Mach port is converted into a clock port and clock_sleep_trap() is used to brute force a kernel image pointer. Then the port is converted into a fake task port to read memory via pid_for_task(). Kernel memory is scanned backwards from the leaked kernel image pointer until the kernel text base is located, breaking KASLR. Finally, a fake kernel task port is constructed.\n\n** \n**\n\nNotes: The exploit does not work with PAN enabled.\n\n** \n**\n\nReferences: [Yalu102 exploit code](<https://github.com/kpwn/yalu102>).\n\n## ziVA - iOS 10.3.1\n\nBy Adam Donenfeld ([@doadam](<https://twitter.com/doadam>)) of Zimperium.\n\n** \n**\n\nThe vulnerability: Multiple vulnerabilities in AppleAVE2 due to external methods sharing IOSurface pointers with userspace and trusting IOSurface pointers read from userspace.\n\n** \n**\n\nExploit strategy: An IOSurface object is created and an AppleAVE2 external method is called to leak its address. The vtable of an IOFence pointer in the IOSurface is leaked using another external method call, breaking KASLR. The IOSurface object is freed and reallocated with controlled data using an IOSurface property spray. Supplying the leaked pointer to an AppleAVE2 external method that trusts IOSurface pointers supplied from userspace allows hijacking a virtual method call on the fake IOSurface; this is treated as a oneshot hijacked virtual method call with a controlled target object at a known address.\n\n** \n**\n\nSubsequent exploit flow: The hijacked virtual method call is used with the OSSerializer::serialize() gadget to call copyin() and overwrite 2 sysctl_oid structs. The sysctls are overwritten such that reading the first sysctl calls copyin() to update the function pointer and arguments for the second sysctl and reading the second sysctl uses the OSSerializer::serialize() gadget to call the kernel function with 3 arguments. This 3-argument arbitrary kernel function call primitive is used to read and write arbitrary memory by calling copyin()/copyout().\n\n** \n**\n\nNotes: iOS 10.3 introduced the initial form of task_conversion_eval(), a weak mitigation that blocks userspace from accessing a right to the real kernel task port. Any exploit after iOS 10.3 needs to build a fake kernel task port instead.\n\n** \n**\n\nReferences: [Ro(o)tten Apples](<https://www.blackhat.com/docs/eu-17/materials/eu-17-Donenfeld-Rooten-Apples-Vulnerability-Heaven-In-The-IOS-Sandbox.pdf>), [ziVA exploit code](<https://github.com/doadam/ziVA>).\n\n## async_wake - iOS 11.1.2\n\nBy Ian Beer.\n\n** \n**\n\nThe vulnerability: CVE-2017-13861 is a vulnerability in IOSurfaceRootUserClient::s_set_surface_notify() that causes an extra reference to be dropped on a Mach port. CVE-2017-13865 is a vulnerability in XNU's proc_list_uptrs() that leaks kernel pointers by failing to fully initialize heap memory before copying out the contents to userspace.\n\n** \n**\n\nExploit strategy: The information leak is used to discover the address of arbitrary Mach ports. A page of ports is allocated and a specific port from that page is selected based on its address. The port is deallocated using the IOSurfaceRootUserClient bug, yielding a receive right to a dangling Mach port at a known (and partially controlled) address.\n\n** \n**\n\nSubsequent exploit flow: The other ports on that page are freed and a zone garbage collection is forced so that the page is reallocated with the contents of an ipc_kmsg, giving a fake Mach port with controlled contents at a known address. The reallocation converted the port into a fake task port through which arbitrary kernel memory can be read using pid_for_task(). (The address to read is updated without reallocating the fake port by using mach_port_set_context().) Relevant kernel objects are located using the kernel read primitive and the fake port is reallocated again with a fake kernel task port.\n\n** \n**\n\nNotes: iOS 11 removed the mach_zone_force_gc() function which allowed userspace to prompt the kernel to perform a zone garbage collection, reclaiming all-free virtual pages in the zone map for use by other zones. Exploits for iOS 11 and later needed to develop a technique to force a zone garbage collection. At least three independent techniques have been developed to do so, demonstrated in async_wake, v0rtex, and In-the-wild iOS exploit chain 3.\n\n** \n**\n\nReferences: [async_wake exploit code](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1417#c17>).\n\n## In-the-wild iOS Exploit Chain 2 - iOS 10.3.3\n\nDiscovered in-the-wild by Cl\u00e9ment Lecigne. Analyzed by Ian Beer and Samuel Gro\u00df.\n\n** \n**\n\nThe vulnerability: CVE-2017-13861 (same as above).\n\n** \n**\n\nExploit strategy: Two Mach ports, port A and port B, are allocated as part of a spray. The vulnerability is triggered to drop a reference on port A, and the ports surrounding A are freed, leading to a dangling port pointer. Zone garbage collection is forced by calling mach_zone_force_gc() and the page containing port A is reallocated with an OOL ports spray containing a pattern such that port A's ip_context field overlaps a pointer to port B. Calling mach_port_get_context() gives the address of port B. The vulnerability is triggered again with port B, leading to a receive right to a dangling Mach port at a known address.\n\n** \n**\n\nSubsequent exploit flow: After another zone garbage collection, the dangling port B is reallocated with a segmented OOL memory spray such that calling mach_port_get_context() can identify which 4 MB segment of the spray reallocated port B. That segment is freed and port B is reallocated with pipe buffers, giving a controlled fake Mach port at a known address. The fake port is converted into a clock port and clock_sleep_trap() is used to brute force KASLR. The fake port is next converted into a fake task port and a 4-byte kernel read primitive is established using pid_for_task(). Finally, the fake port is converted into a fake kernel task port.\n\n** \n**\n\nReferences: [In-the-wild iOS Exploit Chain 2 - IOSurface](<https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-2.html>).\n\n## v0rtex - iOS 10.3.3\n\nBy Siguza ([@S1guza](<https://twitter.com/s1guza>)).\n\n** \n**\n\nThe vulnerability: CVE-2017-13861 (same as above).\n\n** \n**\n\nExploit strategy: Mach ports are sprayed and a reference on one port is dropped using the vulnerability. The other ports on the page are freed, leaving a receive right to a dangling Mach port.\n\n** \n**\n\nSubsequent exploit flow: A zone garbage collection is forced using mach_zone_force_gc() and the page containing the dangling port is reallocated with an OSString buffer via an IOSurface property spray. The OSString buffer contains a pattern that initializes critical fields of the port and allows the index of the OSString containing the port to be determined by calling mach_port_get_context() on the fake port. The OSString containing the fake port is freed and reallocated as a normal Mach port. mach_port_request_notification() is called to put the address of a real Mach port in the fake port's ip_pdrequest field, and the OSString's contents are read via IOSurface to get the address. mach_port_request_notification() is used again to get the address of the fake port itself.\n\n** \n**\n\nThe string buffer is freed and reallocated such that mach_port_get_attributes() can be used as a 4-byte arbitrary read primitive, with the target address to read updateable via mach_port_set_context(). (This is analogous to the pid_for_task() technique, but with slightly different constraints.) Starting at the address of the real Mach port, kernel memory is read to find relevant kernel objects. The string buffer is freed and reallocated again with a fake task port sufficient to remap the string buffer into the process's address space. The fake port is updated via the mapping to yield a 7-argument arbitrary kernel function call primitive using iokit_user_client_trap(), and kernel functions are called to generate a fake kernel task port.\n\n** \n**\n\nReferences: [v0rtex writeup](<https://siguza.github.io/v0rtex/>), [v0rtex exploit code](<https://github.com/Siguza/v0rtex>).\n\n## Incomplete exploit for CVE-2018-4150 bpf-filter-poc - iOS 11.2.6\n\nVulnerability analysis and POC by Chris Wade ([@cmwdotme](<https://twitter.com/cmwdotme>)) at Corellium. Exploit by littlelailo ([@littlelailo](<https://twitter.com/littlelailo>)).\n\n** \n**\n\nThe vulnerability: CVE-2018-4150 is a race condition in XNU's BPF subsystem which leads to a linear heap buffer overflow due to a buffer length being increased without reallocating the corresponding buffer.\n\n** \n**\n\nExploit strategy: The race is triggered to incorrectly increase the length of the buffer without reallocating the buffer itself. A packet is sent and stored in the buffer, overflowing into a subsequent OOL ports array and inserting a pointer to a fake Mach port in userspace. Receiving the message containing the OOL ports yields a send right to the fake Mach port whose contents can be controlled directly.\n\n** \n**\n\nSubsequent exploit flow: The fake Mach port is converted into a clock port and clock_sleep_trap() is used to brute force a kernel image pointer. Then the port is converted into a fake task port to read memory via pid_for_task(). Kernel memory is scanned backwards from the leaked kernel image pointer until the kernel text base is located, breaking KASLR. The final part of the exploit is incomplete, but construction of a fake kernel task port at this stage would be straightforward and deterministic using existing code.\n\n** \n**\n\nNotes: The exploit does not work with PAN enabled.\n\n** \n**\n\nReferences: [CVE-2018-4150 POC](<https://github.com/Jailbreaks/CVE-2018-4150/blob/master/CVE-2018-4150.c>), [incomplete-exploit-for-CVE-2018-4150-bpf-filter-poc exploit code](<https://github.com/littlelailo/incomplete-exploit-for-CVE-2018-4150-bpf-filter-poc->).\n\n## multi_path - iOS 11.3.1\n\nBy Ian Beer.\n\n** \n**\n\nThe vulnerability: CVE-2018-4241 is an intra-object linear heap buffer overflow in XNU's mptcp_usr_connectx() due to incorrect bounds checking.\n\n** \n**\n\nExploit strategy: The kernel heap is groomed to place a 2048-byte ipc_kmsg struct at a 16 MB aligned address below the mptses structs (the object containing the overflow) associated with a few multipath TCP sockets. The vulnerability is used to overwrite the lower 3 bytes of the mpte_itfinfo pointer in the mptses struct with zeros and the socket is closed. This triggers a kfree() of the corrupted pointer, freeing the ipc_kmsg struct at the 16 MB alignment boundary. The freed ipc_kmsg slot is reallocated with sprayed pipe buffers. The vulnerability is triggered again to overwrite the lower 3 bytes of the mpte_itfinfo pointer in another mptses struct with zeros and the socket is closed, causing another kfree() of the same address. This frees the pipe buffer that was just allocated into that slot, leaving a dangling pipe buffer.\n\n** \n**\n\nSubsequent exploit flow: The slot is reallocated again with a preallocated ipc_kmsg. A userspace thread is crashed to cause a message to be stored in the preallocated ipc_kmsg buffer overlapping the pipe buffer; reading the pipe in userspace yields the contents of the ipc_kmsg struct, giving the address of the dangling pipe buffer/ipc_kmsg. The pipe is written to change the contents of the ipc_kmsg struct such that receiving the message yields a send right to a fake Mach port inside the pipe buffer. The exception message is received and the pipe is rewritten to convert the fake port into a kernel read primitive using pid_for_task(). Relevant kernel objects are located and the fake port is converted into a fake kernel task port.\n\n** \n**\n\nReferences: [multi_path exploit code](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1558#c3>).\n\n## multipath_kfree - iOS 11.3.1\n\nBy John \u00c5kerblom ([@jaakerblom](<https://twitter.com/jaakerblom>)).\n\n** \n**\n\nThe vulnerability: CVE-2018-4241 (same as above).\n\n** \n**\n\nExploit strategy: The kernel heap is groomed to place preallocated 4096-byte ipc_kmsg structs near the mptses structs for a few multipath TCP sockets. The vulnerability is triggered twice to corrupt the lower 2 bytes of the mpte_itfinfo pointer in two mptses structs, such that closing the sockets results in kfree()s of the two corrupted pointers. Each pointer is corrupted to point 0x7a0 bytes into an ipc_kmsg allocation, creating 4096-byte holes spanning 2 messages. A Mach port containing one of the partially-freed ipc_kmsg structs (with the ipc_kmsg header intact but the message contents freed) is located by using mach_port_peek() to detect a corrupted msgh_id field. Once the port is found, the hole is reallocated by spraying preallocated ipc_kmsg structs and a message is placed in each. Filling the hole overlaps the original (partially freed) ipc_kmsg's Mach message contents with the ipc_kmsg header of the replacement, such that receiving the message on the original port reads the contents of the replacement ipc_kmsg header. The header contains a pointer to itself, disclosing the address of the replacement ipc_kmsg allocation. The vulnerability is triggered a third time to free the replacement message, leaving a partially freed preallocated ipc_kmsg at a known address.\n\n** \n**\n\nSubsequent exploit flow: The hole in the corrupted ipc_kmsg is reallocated by spraying AGXCommandQueue user clients. A message is received on the Mach port in userspace, copying out the contents of the AGXCommandQueue object, from which the vtable is used to determine the KASLR slide. Then the corrupted ipc_kmsg is freed and reallocated by spraying more preallocated ipc_kmsg structs with a slightly different internal layout allowing more control over the contents. A message is placed in each of the just-sprayed ipc_kmsg structs to modify the overlapping AGXCommandQueue and hijack a virtual method call; the hijacked virtual method uses the OSSerializer::serialize() gadget to call copyout(), which is used to identify which of the sprayed AGXCommandQueue user clients overlaps the slot from the corrupted ipc_kmsg. The contents of each of the just-sprayed preallocated ipc_kmsg structs is updated in turn to identify which port corresponds to the corrupted ipc_kmsg. The preallocated port and user client port are used together to build a 3-argument arbitrary kernel function call primitive by updating the contents of the AGXCommandQueue object through an exception message sent to the preallocated port.\n\n** \n**\n\nReferences: [multipath_kfree exploit code](<https://github.com/potmdehex/multipath_kfree>).\n\n## empty_list - iOS 11.3.1\n\nBy Ian Beer.\n\n** \n**\n\nThe vulnerability: CVE-2018-4243 is a partially controlled 8-byte heap out-of-bounds write in XNU's getvolattrlist() due to incorrect bounds checking.\n\n** \n**\n\nExploit strategy: Due to significant triggering constraints, the vulnerability is treated as an 8-byte heap out-of-bounds write of zeros off the end of a kalloc.16 allocation. The kernel heap is groomed into a pattern of alternating blocks for the zones of kalloc.16 and ipc.ports, and further grooming reverses the kalloc.16 freelist. The vulnerability is repeatedly triggered after freeing various kalloc.16 allocations until a kalloc.16 allocation at the end of a block is overflowed, corrupting the first 8 bytes of the first ipc_port on the subsequent page. The corrupted port is freed by calling mach_port_set_attributes(), leaving the process holding a receive right to a dangling Mach port.\n\n** \n**\n\nSubsequent exploit flow: A zone garbage collection is forced and the dangling port is reallocated with an OOL ports array containing a pointer to another Mach port overlapping the ip_context field, so that the address of the other port is retrieved by calling mach_port_get_context(). The dangling port is then reallocated with pipe buffers and converted into a kernel read primitive using pid_for_task(). Using the address of the other port as a starting point, relevant kernel objects are located. Finally, the fake port is converted into a fake kernel task port.\n\n** \n**\n\nReferences: [empty_list exploit code](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1564#c10>).\n\n## In-the-wild iOS Exploit Chain 3 - iOS 11.4\n\nDiscovered in-the-wild by Cl\u00e9ment Lecigne. Analyzed by Ian Beer and Samuel Gro\u00df.\n\n** \n**\n\nThe vulnerability: The vulnerability is a double-free reachable from AppleVXD393UserClient::DestroyDecoder() (the class name varies by hardware) due to failing to clear a freed pointer.\n\n** \n**\n\nExploit strategy: The target 56-byte allocation is created and freed, leaving the dangling pointer intact. The slot is reallocated with an OSData buffer using an IOSurface property spray. The vulnerable method is called again to free the buffer, leaving a dangling OSData buffer. The slot is reallocated again with an OOL ports array containing a single target Mach port pointer and the contents are read in userspace via IOSurface properties, yielding the address of the port. The vulnerable method is called once more to free the OOL ports and the slot is reallocated with another OSData buffer containing two pointers to the Mach port. The holding port holding the OOL descriptor is destroyed, dropping two references to the Mach port. This leaves the process with a receive right to a dangling Mach port at a known address.\n\n** \n**\n\nSubsequent exploit flow: A zone garbage collection is performed and the dangling port is reallocated with a segmented OOL memory spray such that calling mach_port_get_context() can identify which segment of the spray reallocated the port. That segment is freed and the dangling port is reallocated with pipe buffers, giving a controlled fake Mach port at a known address. The fake port is converted into a clock port and clock_sleep_trap() is used to brute force KASLR. The fake port is next converted into a fake task port and a kernel read primitive is established using pid_for_task(). Finally, the fake port is converted into a fake kernel task port.\n\n** \n**\n\nReferences: [In-the-wild iOS Exploit Chain 3 - XPC + VXD393/D5500 repeated IOFree](<https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-3.html>).\n\n## Spice - iOS 11.4.1\n\nVulnerability analysis and POC by Luca Moro ([@JohnCool__](<https://twitter.com/JohnCool__>)) at Synacktiv. Exploit by Siguza, Viktor Oreshkin ([@stek29](<https://twitter.com/stek29>)), Ben Sparkes ([@iBSparkes](<https://twitter.com/ibsparkes>)), and littlelailo.\n\n** \n**\n\nThe vulnerability: The \"LightSpeed\" vulnerability (possibly CVE-2018-4344) is a race condition in XNU's lio_listio() due to improper state management that results in a use-after-free.\n\n** \n**\n\nExploit strategy: The vulnerable function is called in a loop in one thread to repeatedly trigger the vulnerability by allocating a buffer from kalloc.16 and racing to free the buffer twice. Another thread repeatedly sends a message containing an OOL ports array allocated from kalloc.16, immediately sprays a large number of kalloc.16 allocations containing a pointer to a fake Mach port in userspace via IOSurface properties, and receives the OOL ports. When the race is won, the double-free can cause the OOL ports array to be freed, and the subsequent spray can reallocate the slot with a fake OOL ports array. Receiving the OOL ports in userspace gives a receive right to a fake Mach port whose contents can be controlled directly.\n\n** \n**\n\nSubsequent exploit flow: A second Mach port is registered as a notification port on the fake port, disclosing the address of the second port in the fake port's ip_pdrequest field. The fake port is modified to construct a kernel read primitive using mach_port_get_attributes(). Starting from the disclosed port pointer, kernel memory is read to find relevant kernel objects. The fake port is converted into a fake user client port providing a 7-argument arbitrary kernel function call primitive using iokit_user_client_trap(). Finally, a fake kernel task port is constructed.\n\n** \n**\n\nNotes: The exploit does not work with PAN enabled.\n\n** \n**\n\nThe analysis was performed on the implementation in the file pwn.m, since this seems to provide the most direct comparison to the other exploit implementations in this list.\n\n** \n**\n\nReferences: [LightSpeed, a race for an iOS/macOS sandbox escape](<https://www.synacktiv.com/posts/exploit/lightspeed-a-race-for-an-iosmacos-sandbox-escape.html>), [Spice exploit code](<https://github.com/JakeBlair420/Spice>).\n\n## treadm1ll - iOS 11.4.1\n\nVulnerability analysis and POC by Luca Moro. Exploit by Tihmstar ([@tihmstar](<https://twitter.com/tihmstar>)).\n\n** \n**\n\nThe vulnerability: The \"LightSpeed\" vulnerability (same as above).\n\n** \n**\n\nExploit strategy: The vulnerable function is called in a loop in one thread to repeatedly trigger the vulnerability by allocating a buffer from kalloc.16 and racing to free the buffer twice. Another thread sends a fixed number of messages containing an OOL ports array allocated from kalloc.16. When the race is won, the double-free can cause the OOL ports array to be freed, leaving a dangling OOL ports array pointer in some messages. The first thread stops triggering the vulnerability and a large number of IOSurface objects are created. Each message is received in turn and a large number of kalloc.16 allocations containing a pointer to a fake Mach port in userspace are sprayed using IOSurface properties. Each spray can reallocate a slot from a dangling OOL ports array with a fake OOL ports array. Successfully receiving the OOL ports in userspace gives a receive right to a fake Mach port whose contents can be controlled directly.\n\n** \n**\n\nSubsequent exploit flow: A second Mach port is registered as a notification port on the fake port, disclosing the address of the second port in the fake port's ip_pdrequest field. The fake port is modified to construct a kernel read primitive using pid_for_task(). Starting from the disclosed port pointer, kernel memory is read to find relevant kernel objects. The fake port is converted into a fake user client port providing a 7-argument arbitrary kernel function call primitive using iokit_user_client_trap(). Finally, a fake kernel task port is constructed.\n\n** \n**\n\nNotes: The exploit does not work with PAN enabled.\n\n** \n**\n\nReferences: [LightSpeed, a race for an iOS/macOS sandbox escape](<https://www.synacktiv.com/posts/exploit/lightspeed-a-race-for-an-iosmacos-sandbox-escape.html>), [treadm1ll exploit code](<https://github.com/tihmstar/treadm1ll>).\n\n## Chaos - iOS 12.1.2\n\nBy Qixun Zhao ([@S0rryMybad](<https://twitter.com/S0rryMybad>)) of Qihoo 360 Vulcan Team.\n\n** \n**\n\nThe vulnerability: CVE-2019-6225 is a use-after-free due to XNU's task_swap_mach_voucher() failing to comply with MIG lifetime semantics that results in an extra reference being added or dropped on an ipc_voucher object.\n\n** \n**\n\nExploit strategy: A large number of ipc_voucher objects are sprayed and the vulnerability is triggered twice to decrease the reference count on a voucher and free it. The remaining vouchers on the page are freed and a zone garbage collection is forced, leaving a dangling ipc_voucher pointer in the thread's ith_voucher field.\n\n** \n**\n\nSubsequent exploit flow: The dangling voucher is reallocated by an OSString buffer using an IOSurface property spray. thread_get_mach_voucher() is called to obtain a send right to a newly allocated voucher port for the voucher, which causes a pointer to the voucher port to be stored in the fake voucher overlapping the OSString buffer; reading the OSString property discloses the address of the voucher port. The OSString overlapping the fake voucher is freed and reallocated with a large spray that both forces the allocation of controlled data containing a fake Mach port at a hardcoded address and updates the fake voucher's iv_port pointer to point to the fake Mach port. thread_get_mach_voucher() is called again to obtain a send right to the fake port and to identify which OSString buffer contains the fake Mach port. This leaves the process with a send right to a fake Mach port in an IOSurface property buffer at a known address (roughly equivalent to a dangling Mach port). A kernel read primitive is built by reallocating the OSString buffer to convert the fake port into a fake task port and calling pid_for_task() to read arbitrary memory. Relevant kernel objects are located and the fake port is converted into a fake map port to remap the fake port into userspace, removing the need to reallocate it. Finally the fake port is converted into a fake kernel task port.\n\n** \n**\n\nNotes: The A12 introduced PAC, which limits the ability to use certain exploitation techniques involving code pointers (e.g. vtable hijacking). Also, iOS 12 introduced a mitigation in ipc_port_finalize() against freeing a port while it is still active (i.e. hasn't been destroyed, for example because a process still holds a right to it). This changed the common structure of past exploits whereby a port would be freed while a process still held a right to it. Possibly as a result, obtaining a right to a fake port in iOS 12+ exploits seems to occur later in the flow than in earlier exploits.\n\n** \n**\n\nReferences: [IPC Voucher UaF Remote Jailbreak Stage 2 (EN)](<https://blogs.360.cn/post/IPC%20Voucher%20UaF%20Remote%20Jailbreak%20Stage%202%20\$EN\$.html>).\n\n## voucher_swap - iOS 12.1.2\n\nBy Brandon Azad ([@_bazad](<https://twitter.com/_bazad>)) of Google Project Zero.\n\n** \n**\n\nThe vulnerability: CVE-2019-6225 (same as above).\n\n** \n**\n\nExploit strategy: The kernel heap is groomed to put a block of ipc_port allocations directly before a block of pipe buffers. A large number of ipc_voucher objects are sprayed and the vulnerability is triggered to decrease the reference count on a voucher and free it. The remaining vouchers on the page are freed and a zone garbage collection is forced, leaving a dangling ipc_voucher pointer in the thread's ith_voucher field.\n\n** \n**\n\nSubsequent exploit flow: The dangling voucher is reallocated with an OOL ports array containing a pointer to a previously-allocated ipc_port overlapping the voucher's iv_refs field. A send right to the voucher port is retrieved by calling thread_get_mach_voucher() and the voucher's reference count is increased by repeatedly calling the vulnerable function, updating the overlapping ipc_port pointer to point into the pipe buffers. Receiving the OOL ports yields a send right to a fake Mach port whose contents can be controlled directly. mach_port_request_notification() is called to insert a pointer to an array containing a pointer to another Mach port in the fake port's ip_requests field. A kernel read primitive is built using pid_for_task(), and the address of the other Mach port is read to compute the address of the fake port. Relevant kernel objects are located and a fake kernel task port is constructed.\n\n** \n**\n\nReferences: [voucher_swap: Exploiting MIG reference counting in iOS 12](<https://googleprojectzero.blogspot.com/2019/01/voucherswap-exploiting-mig-reference.html>), [voucher_swap exploit code](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1731#c10>).\n\n## machswap2 - iOS 12.1.2\n\nBy Ben Sparkes.\n\n** \n**\n\nThe vulnerability: CVE-2019-6225 (same as above).\n\n** \n**\n\nExploit strategy: A large number of ipc_voucher objects are sprayed and the vulnerability is triggered twice to decrease the reference count on a voucher and free it. The remaining vouchers on the page are freed and a zone garbage collection is forced, leaving a dangling ipc_voucher pointer in the thread's ith_voucher field.\n\n** \n**\n\nSubsequent exploit flow: The dangling voucher is reallocated by an OSString buffer containing a fake voucher using an IOSurface property spray. thread_get_mach_voucher() is called to obtain a send right to a newly allocated voucher port for the voucher, which causes a pointer to the voucher port to be stored in the fake voucher overlapping the OSString buffer; reading the OSString property discloses the address of the voucher port. Pipe buffers containing fake task ports are sprayed to land roughly 1 MB after the disclosed port address. The OSString overlapping the fake voucher is freed and reallocated to update the fake voucher's iv_port pointer to point to point into the pipe buffers. thread_get_mach_voucher() is called again to retrieve the updated voucher port, yielding a send right to a fake Mach port at a known address whose contents can be controlled directly. The fake port is converted into a fake task port and a kernel read primitive is established using pid_for_task(). Relevant kernel objects are located and a fake kernel task port is constructed.\n\n** \n**\n\nNotes: The author developed two versions of this exploit: one for pre-PAN devices, and one for PAN-enabled devices. The exploit presented here is for PAN-enabled devices.\n\n** \n**\n\nReferences: [machswap2 exploit code](<https://github.com/PsychoTea/machswap2>), [MachSwap: an iOS 12 Kernel Exploit](<https://sparkes.zone/blog/ios/2019/04/30/machswap-ios-12-kernel-exploit.html>), [machswap exploit code](<https://github.com/PsychoTea/machswap>).\n\n## In-the-wild iOS Exploit Chain 5 - iOS 12.1.2\n\nDiscovered in-the-wild by Cl\u00e9ment Lecigne. Analyzed by Ian Beer and Samuel Gro\u00df.\n\n** \n**\n\nThe vulnerability: CVE-2019-6225 (same as above).\n\n** \n**\n\nExploit strategy: A large number of ipc_voucher objects are sprayed and the vulnerability is triggered to decrease the reference count on a voucher and free it. The remaining vouchers on the page are freed and a zone garbage collection is forced, leaving a dangling ipc_voucher pointer in the thread's ith_voucher field.\n\n** \n**\n\nSubsequent exploit flow: The dangling voucher is reallocated by an OOL memory spray. A large number of Mach ports are allocated and then thread_get_mach_voucher() is called to obtain a send right to a newly allocated voucher port for the voucher, which causes a pointer to the voucher port to be stored in the fake voucher overlapping the OOL ports array. More ports are allocated and then the OOL memory spray is received, disclosing the address of the voucher port for the fake voucher. The dangling voucher is reallocated again with another OOL memory spray that updates the voucher's iv_port pointer to the subsequent page. The Mach ports are destroyed and a zone garbage collection is forced, leaving the fake voucher holding a pointer to a dangling port. The dangling port is reallocated with pipe buffers. Finally, thread_get_mach_voucher() is called, yielding a send right to a fake Mach port at a known address whose contents can be controlled directly. The fake port is converted into a fake task port and a kernel read primitive is established using pid_for_task(). Relevant kernel objects are located and the fake port is converted into a fake kernel task port.\n\n** \n**\n\nReferences: [In-the-wild iOS Exploit Chain 5 - task_swap_mach_voucher](<https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-5.html>).\n\n## In-the-wild iOS Exploit Chain 4 - iOS 12.1.3\n\nDiscovered in-the-wild by Cl\u00e9ment Lecigne. Analyzed by Ian Beer and Samuel Gro\u00df. Also reported by an anonymous researcher.\n\n** \n**\n\nThe vulnerability: CVE-2019-7287 is a linear heap buffer overflow in the IOKit function ProvInfoIOKitUserClient::ucEncryptSUInfo() due to an unchecked memcpy().\n\n** \n**\n\nExploit strategy: The kernel heap is groomed to place holes in kalloc.4096 before an OOL ports array and holes in kalloc.6144 before an OSData buffer accessible via IOSurface properties. The vulnerability is triggered with the source allocated from kalloc.4096 and the destination allocated from kalloc.6144, causing the address of a target Mach port to be copied into the OSData buffer. The OSData buffer is then read, disclosing the address of the target port. The heap is groomed again to place holes in kalloc.4096 before an OOL memory buffer and in kalloc.6144 before an OOL ports array. The vulnerability is triggered again to insert a pointer to the target port into the OOL ports array. The target port is freed and a zone garbage collection is forced, leaving a dangling port pointer in the OOL ports array. The dangling port is reallocated with pipe buffers and the OOL ports are received, giving a receive right to a fake Mach port at a known address whose contents can be controlled directly.\n\n** \n**\n\nSubsequent exploit flow: The fake port is converted into a fake clock port and clock_sleep_trap() is used to brute force KASLR. The fake port is converted into a fake task port and a kernel read primitive is established using pid_for_task(). Relevant kernel objects are located and the fake port is converted into a fake kernel task port.\n\n** \n**\n\nReferences: [In-the-wild iOS Exploit Chain 4 - cfprefsd + ProvInfoIOKit](<https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-4.html>), [About the security content of iOS 12.1.4](<https://support.apple.com/lt-lt/HT209520>).\n\n## Attacking iPhone XS Max - iOS 12.1.4\n\nBy Tielei Wang ([@wangtielei](<https://twitter.com/wangtielei>)) and Hao Xu ([@windknown](<https://twitter.com/windknown>)).\n\n** \n**\n\nThe vulnerability: The vulnerability is a race condition in XNU's UNIX domain socket bind implementation due to the temporary unlock antipattern that results in a use-after-free.\n\n** \n**\n\nExploit strategy: Sockets are sprayed and the vulnerability is triggered to leave a pointer to a dangling socket pointer in a vnode struct. The sockets are closed, a zone garbage collection is forced, and the sockets are reallocated with controlled data via an OSData spray (possibly an IOSurface property spray). The fake socket is constructed to have a reference count of 0. The use after free is triggered to call socket_unlock() on the fake socket, which causes the fake socket/OSData buffer to be freed using kfree(). This leaves a dangling OSData buffer accessible using unspecified means.\n\n** \n**\n\nSubsequent exploit flow: The dangling OSData buffer is reallocated with an OOL ports array and the OSData buffer is freed, leaving a dangling OOL ports array. Kernel memory is sprayed to place a fake Mach port at a hardcoded address (or an information leak is used) and the OOL ports array is reallocated with another OSData buffer, inserting a pointer to the fake Mach port into the OOL ports array. The OOL ports are received, yielding a send or receive right to the fake Mach port at a known address. The fake port is converted into a fake kernel task port by unspecified means.\n\n** \n**\n\nNotes: The only reference for this exploit is a BlackHat presentation, hence the uncertainties in the explanations above.\n\n** \n**\n\nThe authors developed two versions of this exploit: one for non-PAC devices, and one for PAC-enabled devices. The exploit presented here is for PAC-enabled devices. The non-PAC exploit is substantially simpler (hijacking a function pointer used by socket_lock()).\n\n** \n**\n\nReferences: [Attacking iPhone XS Max](<https://i.blackhat.com/USA-19/Thursday/us-19-Wang-Attacking-IPhone-XS-Max.pdf>).\n\n## SockPuppet - iOS 12.2 and iOS 12.4\n\nBy Ned Williamson ([@nedwilliamson](<https://twitter.com/nedwilliamson>)) working with Google Project Zero.\n\n** \n**\n\nThe vulnerability: CVE-2019-8605 is a use-after-free due to XNU's in6_pcbdetach() failing to clear a freed pointer.\n\n** \n**\n\nExploit strategy: Safe arbitrary read, arbitrary kfree(), and arbitrary Mach port address disclosure primitives are constructed over the vulnerability.\n\n** \n**\n\nThe arbitrary read primitive: The vulnerability is triggered multiple times to create a number of dangling ip6_pktopts structs associated with sockets. The dangling ip6_pktopts are reallocated with an OSData buffer spray via IOSurface properties such that ip6po_minmtu is set to a known value and ip6po_pktinfo is set to the address to read. The ip6po_minmtu field is checked via getsockopt(), and if correct, getsockopt(IPV6_PKTINFO) is called to read 20 bytes of data from the address pointed to by ip6po_pktinfo.\n\n** \n**\n\nThe arbitrary kfree() primitive: The vulnerability is triggered multiple times to create a number of dangling ip6_pktopts structs associated with sockets. The dangling ip6_pktopts are reallocated with an OSData buffer spray via IOSurface properties such that ip6po_minmtu is set to a known value and ip6po_pktinfo is set to the address to free. The ip6po_minmtu field is checked via getsockopt(), and if correct, setsockopt(IPV6_PKTINFO) is called to invoke kfree_addr() on the ip6po_pktinfo pointer.\n\n** \n**\n\nThe arbitrary Mach port address disclosure primitive: The vulnerability is triggered multiple times to create a number of dangling ip6_pktopts structs associated with sockets. The dangling ip6_pktopts are reallocated with an OOL ports array spray containing pointers to the target port. The ip6po_minmtu and ip6po_prefer_tempaddr fields are read via getsockopt(), disclosing the value of the target port pointer. The port is checked to be of the expected type using the arbitrary read primitive.\n\n** \n**\n\nSubsequent exploit flow: The Mach port address disclosure primitive is used to disclose the address of the current task. Two pipes are created and the addresses of the pipe buffers in the kernel are found using the kernel read primitive. Relevant kernel objects are located and a fake kernel task port is constructed in one of the pipe buffers. The arbitrary kfree() primitive is used to free the pipe buffer for the other pipe, and the pipe buffer is reallocated by spraying OOL ports arrays. The pipe is then written to insert a pointer to the fake kernel task port into the OOL ports array, and the OOL ports are received, yielding a fake kernel task port.\n\n** \n**\n\nNotes: Unlike most other exploits on this list which are structured linearly, SockPuppet is structured hierarchically, building on the same primitives throughout. This distinct structure is likely due to the power and stability of the underlying vulnerability: the bug directly provides both an arbitrary read and an arbitrary free primitive, and in practice both primitives are 100% safe and reliable because it is possible to check that the reallocation is successful. However, this structure means that there is no clear temporal boundary in the high-level exploit flow between the vulnerability-specific and generic exploitation. Instead, that boundary occurs between conceptual layers in the exploit code.\n\n** \n**\n\nThe SockPuppet bug was fixed in iOS 12.3 but reintroduced in iOS 12.4.\n\n** \n**\n\nReferences: [SockPuppet: A Walkthrough of a Kernel Exploit for iOS 12.4](<https://googleprojectzero.blogspot.com/2019/12/sockpuppet-walkthrough-of-kernel.html>), [SockPuppet exploit code](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1806#c13>).\n\n## AppleAVE2Driver exploit - iOS 12.4.1\n\nBy 08Tc3wBB ([@08Tc3wBB](<https://twitter.com/08Tc3wBB>)).\n\n** \n**\n\nThe vulnerability: CVE-2019-8795 is a memory corruption in AppleAVE2Driver whereby improper bounds checking leads to processing of out-of-bounds data, eventually resulting in a controlled virtual method call or arbitrary kfree(). CVE-2019-8794 is a kernel memory disclosure in AppleSPUProfileDriver due to uninitialized stack data being shared with userspace.\n\n** \n**\n\nExploit strategy: The KASLR slide is discovered using the AppleSPUProfileDriver vulnerability. OSData buffers containing fake task ports are sprayed using IOSurface properties. The vulnerability is triggered to free an OSData buffer at a hardcoded address, leaving a dangling OSData buffer accessible via IOSurface properties.\n\n** \n**\n\nSubsequent exploit flow: The dangling OSData buffer is reallocated with an OOL ports array and the OSData buffer is freed, leaving a dangling OOL ports array. The OOL ports array is reallocated with another OSData buffer, inserting pointers to the fake task ports sprayed earlier into the OOL ports array. The OOL ports are received, yielding send rights to the fake task ports, and pid_for_task() is used to read pointers to relevant kernel objects. The OSData buffer is freed and reallocated to convert one of the fake ports into a fake kernel task port.\n\n** \n**\n\nNotes: iOS versions up to 13.1.3 were vulnerable, but the exploit presented here targeted iOS 12.4.1.\n\n** \n**\n\nThe author developed two versions of this exploit: one for non-PAC devices, and one for PAC-enabled devices. The exploit presented here is for PAC-enabled devices.\n\n** \n**\n\nReferences: [ZecOps_FreeTheSandbox_iOS_PAC_TFP0_POC_BEQ_12_4_2 exploit code](<https://github.com/ZecOps/public/tree/master/ZecOps_FreeTheSandbox_iOS_PAC_TFP0_POC_BEQ_12_4_2>), [ZecOps Task-For-Pwn 0 Bounty: TFP0 POC on PAC-Enabled iOS Devices <= 12.4.2](<https://blog.zecops.com/vulnerabilities/releasing-first-public-task-for-pwn0-tfp0-granting-poc-on-ios/>), [SSD Advisory \u2013 iOS Jailbreak via Sandbox Escape and Kernel R/W leading to RCE](<https://ssd-disclosure.com/ssd-advisory-via-ios-jailbreak-sandbox-escape-and-kernel-r-w-leading-to-rce/>), [SSD Advisory 4066 exploit code](<https://github.com/ssd-secure-disclosure/advisories/tree/master/SSD%20Advisory%20-%204066>), [About the security content of iOS 13.2 and iPadOS 13.2](<https://support.apple.com/en-il/HT210721>).\n\n## oob_timestamp - iOS 13.3\n\nBy Brandon Azad.\n\n** \n**\n\nThe vulnerability: CVE-2020-3837 is a linear heap out-of-bounds write of up to 8 bytes of timestamp data in IOKit's IOAccelCommandQueue2::processSegmentKernelCommand() due to incorrect bounds checking.\n\n** \n**\n\nExploit strategy: The kernel map is groomed to lay out two 96 MB shared memory regions, an 8-page ipc_kmsg, an 8-page OOL ports array, and 80 MB of OSData buffers sprayed via IOSurface properties. The number of bytes to overflow is computed based on the current time and the overflow is triggered to corrupt the ipc_kmsg's ikm_size field, such that the ipc_kmsg now has a size of between 16 pages and 80 MB. The port containing the ipc_kmsg is destroyed, freeing the corrupted ipc_kmsg, the OOL ports array, and some of the subsequent OSData buffers. More OSData buffers are sprayed via IOSurface to reallocate the OOL ports array containing a pointer to a fake Mach port at a hardcoded address that is likely to overlap one of the 96 MB shared memory regions. The OOL ports are received, producing a receive right to a fake Mach port at a known address whose contents can be controlled directly.\n\n** \n**\n\nSubsequent exploit flow: A kernel memory read primitive is constructed using pid_for_task(). Relevant kernel objects are located and a fake kernel task port is constructed.\n\n** \n**\n\nNotes: iOS 13 introduced zone_require, a mitigation that checks whether certain objects are allocated from the expected zalloc zone before they are used. An oversight in the implementation led to a trivial bypass when objects are allocated outside of the zalloc_map.\n\n** \n**\n\nReferences: [oob_timestamp exploit code](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1986#c5>). \n\n\n## tachy0n (unc0ver 5.0.0) - iOS 13.5\n\nBy Pwn20wnd ([@Pwn20wnd](<https://twitter.com/Pwn20wnd>)), unc0ver Team ([@unc0verTeam](<https://twitter.com/unc0verTeam>)), and Siguza.\n\n** \n**\n\nThe vulnerability: The \"LightSpeed\" vulnerability (see \"Spice\" above; reintroduced in iOS 13).\n\n** \n**\n\nExploit strategy: (Analysis pending.) The vulnerable function is called in a loop in one thread to repeatedly trigger the vulnerability by allocating a buffer from kalloc.16 and racing to free the buffer twice. Preliminary results suggest that the freed kalloc.16 slot is reallocated by OSData buffers sprayed via IOSurface properties.\n\n** \n**\n\nSubsequent exploit flow: (Analysis pending.)\n\n** \n**\n\nNotes: The unc0ver exploit was released as an obfuscated binary; a more complete analysis of the exploit strategy and exploit flow will be released after the [tachy0n](<https://twitter.com/s1guza/status/1266433756270866433>) exploit code is published.\n\n** \n**\n\nWhile iOS 12 patched the LightSpeed vulnerability, the patch did not address the root cause and created a memory leak. This memory leak was fixed in iOS 13, but the change also reintroduced the old (vulnerable) behavior. This is a regression, not a variant: the original LightSpeed POC does trigger on iOS 13.\n\n \nReferences: [LightSpeed, a race for an iOS/macOS sandbox escape](<https://www.synacktiv.com/posts/exploit/lightspeed-a-race-for-an-iosmacos-sandbox-escape.html>), [unc0ver-v5.0.0.ipa](<https://github.com/pwn20wndstuff/Undecimus/releases/tag/v5.0.0>).\n\n# iOS kernel exploit mitigations\n\nNext we will look at some current iOS kernel exploit mitigations. This list is not exhaustive, but it briefly summarizes some of the mitigations that exploit developers may encounter up through iOS 13.\n\n## Kernel Stack Canaries - iOS 6\n\niOS 6 introduced kernel stack canaries (or stack cookies) to protect against stack buffer overflows in the kernel.\n\n \nNone of the exploits in this list are affected by the presence of stack canaries as they do not target stack buffer overflow vulnerabilities.\n\n## Kernel ASLR - iOS 6\n\nKernel Address Space Layout Randomization (Kernel ASLR or KASLR) is a mitigation that randomizes the base address of the kernelcache image in the kernel address space. Before Kernel ASLR was implemented, the addresses of kernel functions and objects in the kernelcache image were always located at a fixed address.\n\n** \n**\n\nBypassing or working around KASLR is a standard step of all modern iOS kernel exploits.\n\n## Kernel Heap ASLR - iOS 6\n\nSince iOS 6 the base addresses for various kernel heap regions have been randomized. This seeks to mitigate exploits that hardcode addresses at which objects will be deterministically allocated. \n\n** \n**\n\nWorking around kernel heap randomization is a standard step of modern iOS kernel exploits. Usually this involves heap spraying, in which the kernel is induced to allocate large amounts of data to influence the shape of the heap even when exact addresses are not known. Also, many vulnerabilities can be leveraged to produce an information leak, disclosing the addresses of relevant kernel objects on the heap.\n\n## W^X / DEP - iOS 6\n\niOS 6 also introduced substantial kernel address space hardening by ensuring that kernel pages are mapped either as writable or as executable, but never both (often called \"write xor execute\" or W^X). This means that page tables no longer map kernel code pages as writable, and the kernel heap and stack are no longer mapped as executable. (Ensuring that non-code data is not mapped as executable is often called Data Execution Prevention, or DEP.)\n\n** \n**\n\nModern public iOS exploits do not attempt to bypass W^X (e.g. by modifying page tables and injecting shellcode); instead, exploitation is achieved by modifying kernel data structures and performing code-reuse attacks instead. This is largely due to the presence of a stronger, hardware-enforced W^X mitigation called KTRR.\n\n## PXN - iOS 7\n\nApple's A7 processor was the first 64-bit, ARMv8-A processor in an iPhone. Previously, iOS 6 had separated the kernel and user address space so that user code and data pages were inaccessible during normal kernel execution. With the move to 64-bit, the address spaces were no longer separated. Thus, the Privileged Execute-Never (PXN) bit was set in page table entries to ensure that the kernel could not execute shellcode residing in userspace pages.\n\n** \n**\n\nSimilarly to W^X, PXN as a protection against jumping to userspace shellcode is overshadowed by the stronger protection of KTRR.\n\n## PAN - iOS 10\n\nPrivileged access-never (PAN) is an ARMv8.1-A security feature introduced with the Apple A10 processor that prevents the kernel from accessing virtual addresses that are also accessible to userspace. This is used to prevent the kernel from dereferencing attacker-supplied pointers to data structures in userspace. It is similar to the Supervisor Mode Access Prevention (SMAP) feature on some Intel processors.\n\n** \n**\n\nWhile PAN has been [bypassed](<http://siguza.github.io/PAN/>) before, modern public iOS kernel exploits usually work around PAN by spraying data into the kernel and then learning the address of the data. While the most reliable techniques involve disclosing the address of the data inserted into the kernel, techniques exist to work around PAN generically, such as spraying enough data to overwhelm the kernel map randomization and force a fixed, hardcoded address to be allocated with the controlled data. Other primitives exist for establishing shared memory mappings between userspace and the kernel, which can also be used to work around PAN.\n\n## KTRR - iOS 10\n\nKTRR (possibly Kernel Text Readonly Region, part of [Kernel Integrity Protection](<https://support.apple.com/guide/security/kernel-integrity-protection-secb1caeb4bc/1/web/1>)) is a custom hardware security mitigation introduced on the Apple A10 processor (ARMv8.1-A). It is a strong form of W^X protection enforced by the MMU and the memory controller over a single span of contiguous memory covering the read-only parts of the kernelcache image and some sensitive data structures like top-level page tables and the trust cache. It has also been [referred to by Apple](<https://i.blackhat.com/USA-19/Thursday/us-19-Krstic-Behind-The-Scenes-Of-IOS-And-Mas-Security.pdf>) as Kernel Integrity Protection (KIP) v1.\n\n** \n**\n\nWhile KTRR has been publicly bypassed [twice](<https://twitter.com/qwertyoruiopz/status/974907288501747713>) [before](<https://googleprojectzero.blogspot.com/2019/10/ktrw-journey-to-build-debuggable-iphone.html>), modern public iOS kernel exploits usually work around KTRR by not manipulating KTRR-protected memory.\n\n## APRR - iOS 11\n\nAPRR (possibly standing for [Access Protection Rerouting](<https://siguza.github.io/APRR/>) or [Access Permission Restriction Register](<https://support.apple.com/guide/security/kernel-integrity-protection-secb1caeb4bc/1/web/1>)) is a custom hardware feature on Apple A11 and later CPUs that indirects virtual memory access permissions (usually specified in the page table entry for the page) through a special register, allowing access permissions for large groups of pages to be changed atomically and per-core. It works by converting the bits in the PTE that typically directly specify the access permissions into an index into a special register containing the true access permissions; changing the register value swaps protections on all pages mapped with the same access permissions index. APRR is somewhat similar to the Memory Protection Keys feature available on newer Intel processors.\n\n** \n**\n\nAPRR on its own does not provide any security boundaries, but it makes it possible to segment privilege levels inside a single address space. It is heavily used by PPL to create a security boundary within the iOS kernel.\n\n## PPL - iOS 12\n\nPPL ([Page Protection Layer](<https://support.apple.com/guide/security/page-protection-layer-sec38dc659b4/1/web/1>)) is the software layer built on APRR and dependent on KTRR that aims to put a security boundary between kernel read/write/execute and direct page table access. The primary goal of PPL is to prevent an attacker from modifying user pages that have been codesigned (e.g. using kernel read/write to overwrite a userspace process's executable code). This necessarily means that PPL must also maintain total control over the page tables and prevent an attacker from mapping sensitive physical addresses, including page tables, page table metadata, and IOMMU registers.\n\n** \n**\n\nAs of May 2020, PPL has not been publicly bypassed. That said, modern iOS kernel exploits are so far unaffected by PPL.\n\n## PAC - iOS 12\n\nPointer Authentication Codes ([PAC](<https://support.apple.com/guide/security/pointer-authentication-codes-seca5759bf02/1/web/1>)) is an ARMv8.3-A security feature that mitigates pointer tampering by storing a cryptographic signature of the pointer value in the upper bits of the pointer. Apple introduced PAC with the A12 and significantly [hardened](<https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html>) the implementation (compared to the ARM standard) in order to defend against attackers with kernel read/write, although for most purposes it is functionally indistinguishable. Apple's kernel uses PAC for control flow integrity (CFI), placing a security boundary between kernel read/write and kernel code execution.\n\n** \n**\n\nDespite [numerous](<https://bazad.github.io/presentations/MOSEC-2019-A-study-in-PAC.pdf>) [public](<https://i.blackhat.com/USA-19/Thursday/us-19-Wang-Attacking-IPhone-XS-Max.pdf>) [bypasses](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1986#c5>) of the iOS kernel's PAC-based CFI, PAC in the kernel is still an effective exploit mitigation: it has severely restricted exploitability of many bugs and killed some exploit techniques. For example, exploits in the past have used a kernel execute primitive in order to build a kernel read/write primitive (see e.g. ziVA); that is no longer possible on A12 without bypassing PAC first. Furthermore, extensive use of PAC-protected pointers in IOKit has made it significantly harder to turn many bugs into useful primitives. Given the long history of serious security issues in IOKit, this is a substantial win.\n\n## zone_require - iOS 13\n\nzone_require is a software mitigation introduced in iOS 13 that adds checks that certain pointers are allocated from the expected zalloc zones before using them. The most common zone_require checks in the iOS kernelcache are of Mach ports; for example, every time an ipc_port is locked, the zone_require() function is called to check that the allocation containing the Mach port resides in the ipc.ports zone (and not, for example, an OSData buffer allocated with kalloc()).\n\n** \n**\n\nSince fake Mach ports are an integral part of modern techniques, zone_require has a substantial impact on exploitation. Vulnerabilities like CVE-2017-13861 (async_wake) that drop a reference on an ipc_port no longer offer a direct path to creating a fake port. While zone_require has been publicly bypassed [once](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1986#c5>), the technique relied on an oversight in the implementation that is easy to correct.\n\n# Changelog\n\n2020/07/09\n\n| \n\nAn entry was added for tachy0n (unc0ver 5.0.0) - iOS 13.5. \n \n---|--- \n \n2020/06/19\n\n| \n\nThe entry on MachSwap was replaced with machswap2, since the latter works on PAN-enabled devices.\n\nAn entry was added for AppleAVE2Driver exploit - iOS 12.4.1.\n\nThe description for PAN was updated to clarify that it was introduced with the A10 processor, not iOS 10.\n\nThe description for PPL was updated to clarify that it primarily protects userspace processes, as the kernel's code is protected by KTRR. \n \n2020/06/11\n\n| \n\nOriginal post published.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-11T00:00:00", "type": "googleprojectzero", "title": "\nA survey of recent iOS kernel exploits\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7644", "CVE-2017-13861", "CVE-2017-13865", "CVE-2017-2370", "CVE-2018-4150", "CVE-2018-4241", "CVE-2018-4243", "CVE-2018-4344", "CVE-2019-6225", "CVE-2019-7287", "CVE-2019-8605", "CVE-2019-8794", "CVE-2019-8795", "CVE-2020-12388", "CVE-2020-3837"], "modified": "2020-06-11T00:00:00", "id": "GOOGLEPROJECTZERO:37170621F78D33B9DDE68A73E0A16294", "href": "https://googleprojectzero.blogspot.com/2020/06/a-survey-of-recent-ios-kernel-exploits.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}

Apple MacOSX Security Updates(HT208692)-01

Description

Related