Apple iOS < 6.1 Multiple Vulnerabilities

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

Report iOS devices older than 6.1.

Description :

The mobile device is running a version of iOS that is older than
version 6.1. This version contains security-related fixes for the
following issues :

- An error related to 'EUC-JP' encoding could allow cross-
site scripting attacks. (CVE-2011-3058)

- An out-of-bounds read error exists related to 802.11i
information handling that could allow remote attackers
to disable WiFi. (CVE-2012-2619)

- An error exists related to certificate-based
'Apple ID' authentication that could allow improper
trust extension. (CVE-2013-0963)

- An error exists related to the 'copyin' and 'copyout'
functions that could allow a user-mode process to access
the first page of kernel memory. (CVE-2013-0964)

- An error exists related to Mobile Safari
preferences that could improperly allow JavaScript
to be enabled after a user has disabled it.
(CVE-2013-0974)

- Many errors exist related to the bundled 'WebKit'
components. (CVE-2012-2824, CVE-2012-2857,
CVE-2012-2889, CVE-2012-3606, CVE-2012-3607,
CVE-2012-3621, CVE-2012-3632, CVE-2012-3687,
CVE-2012-3701, CVE-2013-0948, CVE-2013-0949,
CVE-2013-0950, CVE-2013-0951, CVE-2013-0952,
CVE-2013-0953, CVE-2013-0954, CVE-2013-0955,
CVE-2013-0956, CVE-2013-0958, CVE-2013-0959,
CVE-2013-0962, CVE-2013-0968)

- Two intermediate certificates, improperly issued by
TURKTRUST certificate authority, are incorrectly
trusted.

See also :

http://support.apple.com/kb/HT5642
http://lists.apple.com/archives/security-announce/2013/Jan/msg00000.html

Solution :

Apple has released a set of patches for iOS-based devices.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false