APPLE-SA-2015-04-08-2

APPLE-SA-2015-04-08-3

APPLE-SA-2015-04-08-4

1032048

https://support.apple.com/HT204659

https://support.apple.com/HT204661

https://support.apple.com/HT204662

https://support.apple.com/kb/HT204870

The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.3. It is, therefore, affected by multiple vulnerabilities in the following components :

 - Admin Framework
 - Apache
 - ATS
 - Certificate Trust Policy
 - CFNetwork HTTPProtocol
 - CFNetwork Session
 - CFURL
 - CoreAnimation
 - FontParser
 - Graphics Driver
 - Hypervisor
 - ImageIO
 - IOHIDFamily
 - Kernel
 - LaunchServices
 - libnetcore
 - ntp
 - Open Directory Client
 - OpenLDAP
 - OpenSSL
 - PHP
 - QuickLook
 - SceneKit
 - ScreenSharing
 - Security - Code SIgning
 - UniformTypeIdentifiers
 - WebKit

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

According to its banner, the remote Apple TV device is a version prior to 7.2. It is, therefore, affected by the following vulnerabilities :

  - Multiple memory corruption vulnerabilities exist in     WebKit due to improperly validated user-supplied input.
    A remote attacker, using a specially crafted website,     can exploit these to execute arbitrary code.
    (CVE-2015-1068, CVE-2015-1069, CVE-2015-1070,     CVE-2015-1071, CVE-2015-1072, CVE-2015-1073,     CVE-2015-1074, CVE-2015-1076, CVE-2015-1077,     CVE-2015-1078, CVE-2015-1079, CVE-2015-1080,     CVE-2015-1081, CVE-2015-1082, CVE-2015-1083,     CVE-2015-1119, CVE-2015-1120, CVE-2015-1121,     CVE-2015-1122, CVE-2015-1123, CVE-2015-1124)

  - An error exists in the IOKit objects due to improper     validation of metadata used by an audio driver, which     allows arbitrary code execution. (CVE-2015-1086)

  - An XML External Entity (XXE) injection vulnerability     exists in the NSXMLParser due to improper handling of     XML files, which allows information disclosure.
    (CVE-2015-1092)

  - An error exists in the IOAcceleratorFamily that allows     the kernel memory layout to be disclosed.
    (CVE-2015-1094)

  - A memory corruption vulnerability exists in the     IOHIDFamily API that allows arbitrary code execution.
    (CVE-2015-1095)

  - An error exists in the IOHIDFamily due to improper     bounds checking, which allows the kernel memory layout     to be disclosed. (CVE-2015-1096)

  - An error exists in the MobileFrameBuffer due to improper     bounds checking, which allows the kernel memory layout     to be disclosed. (CVE-2015-1097)

  - A denial of service vulnerability exists in the     setreuid() system call due to a race condition.
    (CVE-2015-1099)

  - An out-of-bounds memory error exists in the kernel that     allows a denial of service attack or information     disclosure. (CVE-2015-1100)

  - A memory corruption vulnerability exists in the kernel     that allows arbitrary code execution. (CVE-2015-1101)

  - A denial of service vulnerability exists due to a state     inconsistency in the processing of TCP headers, which     can only be exploited from an adjacent network.
    (CVE-2015-1102)

  - A vulnerability exists that allows a man-in-the-middle     attacker to redirect traffic via ICMP redirects.
    (CVE-2015-1103)

  - A security bypass vulnerability exists due to the     system treating remote IPv6 packets as local packets,     which allows an attacker to bypass network filters.
    (CVE-2015-1104)

  - A denial of service vulnerability exists due to improper     processing of TCP out-of-band data, which allows a     denial of service by a remote attacker. (CVE-2015-1105)

  - An information disclosure vulnerability exists due to     unique identifiers being sent to remote servers when     downloading assets for a podcast. (CVE-2015-1110)

  - An information disclosure vulnerability exists in the     third-party application sandbox that allows hardware     identifiers to be accessible by other applications.
    (CVE-2015-1114)

  - A privilege escalation vulnerability exists in the     setreuid() and setregid() system calls due to a failure     to drop privileges permanently. (CVE-2015-1117)

  - A memory corruption vulnerability exists due to improper     bounds checking when processing configuration profiles,     which allows a denial of service attack. (CVE-2015-1118)

The mobile device is running a version of iOS prior to version 8.3.
It is, therefore, affected by vulnerabilities in the following components :

  - AppleKeyStore
  - Audio Drivers
  - Backup
  - Certificate Trust Policy
  - CFNetwork
  - CFNetwork Session
  - CFURL
  - FontParser
  - Foundation
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOMobileFramebuffer
  - iWork Viewer
  - Kernel
  - Keyboards
  - libnetcore
  - Lock Screen
  - NetworkExtension
  - Podcasts
  - Safari
  - Sandbox Profiles
  - Telephony
  - UIKit View
  - WebKit

The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.3. It is, therefore, affected multiple vulnerabilities in the following components :

  - Admin Framework
  - Apache
  - ATS
  - Certificate Trust Policy
  - CFNetwork HTTPProtocol
  - CFNetwork Session
  - CFURL
  - CoreAnimation
  - FontParser
  - Graphics Driver
  - Hypervisor
  - ImageIO
  - IOHIDFamily
  - Kernel
  - LaunchServices
  - libnetcore
  - ntp
  - Open Directory Client
  - OpenLDAP
  - OpenSSL
  - PHP
  - QuickLook
  - SceneKit
  - ScreenSharing
  - Security - Code SIgning
  - UniformTypeIdentifiers
  - WebKit

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

ID	Name	Product	Family	Severity
700510	Mac OS X 10.10.x < 10.10.3 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
82712	Apple TV < 7.2 Multiple Vulnerabilities	Nessus	Misc.	high
82703	Apple iOS < 8.3 Multiple Vulnerabilities	Nessus	Mobile Devices	high
82699	Mac OS X 10.10.x < 10.10.3 Multiple Vulnerabilities (FREAK)	Nessus	MacOS X Local Security Checks	critical

CVE-2015-1103

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins