APPLE-SA-2016-05-16-1

APPLE-SA-2016-05-16-2

APPLE-SA-2016-05-16-3

APPLE-SA-2016-05-16-4

http://packetstormsecurity.com/files/137397/OS-X-Kernel-Raw-Cast-Out-Of-Bounds-Read.html

90698

1035890

https://bugs.chromium.org/p/project-zero/issues/detail?id=774

https://support.apple.com/HT206564

https://support.apple.com/HT206566

https://support.apple.com/HT206567

https://support.apple.com/HT206568

39927

The remote host is running a version of macOS that is 10.12.x prior to 10.12.2. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache_mod_php
  - AppleGraphicsPowerManagement
  - Assets
  - Audio
  - Bluetooth
  - CoreCapture
  - CoreFoundation
  - CoreGraphics
  - CoreMedia External Displays
  - CoreMedia Playback
  - CoreStorage
  - CoreText
  - curl
  - Directory Services
  - Disk Images
  - FontParser
  - Foundation
  - Grapher
  - ICU
  - ImageIO
  - Intel Graphics Driver
  - IOFireWireFamily
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit
  - IOSurface
  - Kernel
  - kext tools
  - libarchive
  - LibreSSL
  - OpenLDAP
  - OpenPAM
  - OpenSSL
  - Power Management
  - Security
  - syslog
  - WiFi
  - xar

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

Furthermore, CVE-2016-6304, CVE-2016-7596, and CVE-2016-7604 also affect Mac OS X versions 10.10.5 and 10.11.6. However, this plugin does not check those versions.

The specific version of Mac OS X that the system is running is reportedly affected by the following vulnerabilities:

- Apple Mac OS X contains a use-after-free error in the WindowServer process that is triggered when handling CFData objects in memory. This may allow a local attacker to dereference already freed memory and gain elevated privileges. (CVE-2016-1804)

- Apple Mac OS X contains an array indexing flaw in the blit3d_submit_commands() function within the IOAcceleratorFamily component. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1815)

- Multiple Apple products contains a flaw as HTTP and HTTPS requests are not properly handled. This may allow an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) to disclose transmitted data. (CVE-2016-1801)

- Multiple Apple products contain a flaw that is triggered when handling return values related to key lengths in CommonCrypto (CCCrypt). This may allow a local attacker to gain unauthorized access to sensitive user information. (CVE-2016-1802)

- Multiple Apple products contain a NULL pointer dereference flaw in CoreCapture that is triggered as input is not properly validated. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1803)

- Multiple Apple products contain a flaw related to disk images that is triggered by a race condition related to locking. This may allow a local attacker to gain unauthorized access to kernel memory information. (CVE-2016-1807)

- Multiple Apple products contain a flaw that is triggered as user-supplied input is not properly validated when handling disk images. This may allow a local attacker to corrupt memory to cause a denial of service or potentially execute arbitrary code. (CVE-2016-1808)

- Multiple Apple products contain a NULL pointer dereference flaw in ImageIO that is triggered when handling a specially crafted image. This may allow a context-dependent attacker to cause a denial of service. (CVE-2016-1811)

- Multiple Apple products contain an overflow condition in the IOAcceleratorFamily component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a buffer overflow and potentially execute arbitrary code with kernel privileges. (CVE-2016-1817)

- Multiple Apple products contains a flaw in the IOAcceleratorFamily component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1818)

- Multiple Apple products contain a use-after-free condition in the IOAcceleratorFamily component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to dereference already freed memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1819)

- Multiple Apple products contain a NULL pointer dereference in IOAcceleratorFamily related to improper locking. This may allow a local attacker to cause a denial of service. (CVE-2016-1814)

- Multiple Apple products contain a NULL pointer dereference in the IOAccelSharedUserClient2::page_off_resource() function that is triggered as user-supplied input is not properly sanitized. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1813)

- Multiple Apple products contains an out-of-bounds access flaw in the IOHIDFamily component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1823)

- Multiple Apple products contains a flaw in the IOHIDFamily component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory to cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1824)

- Multiple Apple products contain a flaw in the kernel. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1827, CVE-2016-1828, CVE-2016-1829, CVE-2016-1830, CVE-2016-1831)

- Multiple Apple products contains a flaw in libc. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-1832)

- Libxml2 contains an overflow condition in the xmlStrncatNew() function of xmlstring.c . The issue is triggered as user-supplied input is not properly validated when handling a string with a NULL. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-1834)

- Libxml2 contains a use-after-free error in the xmlParseStartTag2() function of parser.c. The issue is triggered when parsing complex names. With a specially crafted file, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1835)

- Libxml2 contains a use-after-free error in the xmlParseNCNameComplex() function of parser.c. The issue is triggered when parsing complex names. With a specially crafted file, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1836)

- Libxml2 contains an overflow condition in the htmlParseSystemLiteral() and htmlParsePubidLiteral() functions of HTMLparser.c. The issue is triggered as user-supplied input is not properly validated when parsing characters in a range. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-1837)

- Libxml2 contains an overflow condition in the xmlFAParseCharRange() function of xmlregexp.c. The issue is triggered as user-supplied input is not properly validated when parsing characters in a range. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-1840)

- Multiple Apple products contains a flaw in libxslt. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted website. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1841)

- Multiple Apple products contain a flaw in MapKit that is triggered as shared links are transferred insecurely over HTTP. This may potentially allow a man-in-the-middle attacker to gain unauthorized access to sensitive information in these links. (CVE-2016-1842)

- Multiple Apple products contains a flaw in the OpenGL component. The issue is triggered as user-supplied input is not properly validated when handling specially crafted web content. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-1847)

- Apple Mac OS X contains a flaw in the AMD component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1792)

- Apple Mac OS X contains a flaw in the AMD component. The issue is triggered as bounds are not properly checked. This may allow a local attacker to determine kernel memory layout. (CVE-2016-1791)

- Apple Mac OS X contains a NULL pointer dereference flaw in the AppleGraphicsControl component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1793)

- Apple Mac OS X contains a NULL pointer dereference flaw in the AppleGraphicsControlClient::checkArguments() function in AppleMuxControl.kext that is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1794)

- Apple Mac OS X contains a flaw in the AppleGraphicsPowerManagement component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1795)

- Apple Mac OS X contains an out-of-bounds read flaw in the ATS component. This may allow a local attacker to potentially disclose kernel memory layout. (CVE-2016-1796)

- Apple Mac OS X contains a flaw in the ATS component that is triggered the sandbox policy is not properly implemented for FontValidator. This may allow a local attacker to potentially execute arbitrary code with system privileges. (CVE-2016-1797)

- Apple Mac OS X contains a NULL pointer dereference flaw in the Audio component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a denial of service. (CVE-2016-1798)

- Apple Mac OS X contains a flaw in the Audio component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1799)

- Apple Mac OS X contains a flaw in the Captive Network Assistant component that is triggered as URL schemes are not properly validated. This may allow a user-assisted, man-in-the-middle attacker to potentially execute arbitrary code. (CVE-2016-1800)

- Apple Mac OS X contains an unspecified configuration flaw in the CoreStorage component. This may allow a local attacker to potentially execute arbitrary code with kernel privileges. (CVE-2016-1805)

- Apple Mac OS X contains a flaw in the Crash Reporter component (com.apple.SubmitDiagInfo) that is triggered when handling user-supplied paths when creating directories. This may allow a local attacker to execute arbitrary code with root privileges. (CVE-2016-1806)

- Apple Mac OS X contains a flaw in the Disk Utility component that is triggered as the incorrect keys were used to encrypt disk images. This may result in disk images not being properly compressed and encrypted. (CVE-2016-1809)

- Apple Mac OS X contains a NULL pointer dereference flaw in the ImageIO component that is triggered when handling a specially crafted image. This may allow a context-dependent attacker to cause a denial of service. (CVE-2016-1810)

- Apple Mac OS X contains an overflow condition in the Intel Graphics Driver component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code with kernel privileges. (CVE-2016-1812)

- Apple Mac OS X contains a NULL pointer dereference in IOAcceleratorFamily that is triggered as user-supplied input is not properly sanitized. This may allow a local attacker to execute arbitrary code with kernel privileges. (CVE-2016-1816)

- Apple Mac OS X contains an overflow condition in the IOAudioFamily component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code with kernel privileges. (CVE-2016-1820)

- Apple Mac OS X contains a NULL pointer dereference in the IOAudioFamily component. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1821)

- Apple Mac OS X contains a flaw in the IOFireWireFamily component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1822)

- Apple Mac OS X contains multiple flaws in the IOHIDFamily component. These issues are triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1825)

- Apple Mac OS X contains an integer overflow condition in its dtrace implementation. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to execute arbitrary code with kernel privileges. (CVE-2016-1826)

- Apple Mac OS X contains a flaw in the Messages component that is triggered by a failure to properly validate roster changes. This may allow an authenticated remote attacker, or a malicious server, to manipulate another user's contact list. (CVE-2016-1844)

- Apple Mac OS X contains a flaw in the Messages component that is triggered by an encoding issue in filename parsing. This may allow a remote attacker to gain unauthorized access to potentially sensitive user information. (CVE-2016-1843)

- Apple Mac OS X contains a NULL pointer dereference flaw in the nvCommandQueue::GetHandleIndex() function in the NVIDIA Graphics Driver (GeForce.kext). This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1846)

- Apple Mac OS X contains a flaw in the QuickTime component. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted file. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-1848)

- Apple Mac OS X contains a flaw in the SceneKit component. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted file. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-1850)

- Apple Mac OS X contains a flaw in the management of password profiles. This may allow a physically present attacker to bypass the screen lock and reset an expired password. (CVE-2016-1851)

- Apple Mac OS X contains a flaw in the Tcl component related to the usage of SSLv2. This may potentially allow an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) to disclose transmitted data. (CVE-2016-1853)

- Apple Mac OS X contains an overflow condition in the NVIDIA Graphics Driver (GeForce.kext). This may allow a local attacker to cause a stack-based buffer overflow and potentially execute arbitrary code with kernel privileges. (CVE-2016-1861)

- No description supplied (CVE-2016-1833, CVE-2016-1839, CVE-2016-1815, CVE-2016-1804)

The remote host is running a version of Mac OS X version 10.11.x prior to 10.11.5 and is affected by multiple vulnerabilities in the following components :

 - AMD
 - apache_mod_php
 - AppleGraphicsControl
 - AppleGraphicsPowerManagement
 - ATS
 - Audio
 - Captive Network Assistant
 - CFNetwork Proxies
 - CommonCrypto
 - CoreCapture
 - CoreStorage
 - Crash Reporter
 - Disk Images
 - Disk Utility
 - Graphics Drivers
 - ImageIO
 - Intel Graphics Driver
 - IOAcceleratorFamily
 - IOAudioFamily
 - IOFireWireFamily
 - IOHIDFamilyKernel
 - libc
 - libxml2
 - libxslt
 - MapKit
 - Messages
 - Multi-Touch
 - NVIDIA Graphics Drivers
 - OpenGL
 - QuickTime
 - SceneKit
 - Screen Lock
 - Tcl

Versions of Apple TV earlier than 9.2.1 are unpatched for vulnerabilities in the following components :

 - CFNetwork Proxies
 - CommonCrypto
 - CoreCapture
 - Disk Images
 - ImageIO
 - IOAcceleratorFamily
 - IOHIDFamily
 - Kernel
 - libc
 - libxml2
 - libxslt
 - OpenGL
 - WebKit
 - WebKit Canvas

The remote host is running a version of iOS that is prior to version 9.3.2 and the following components contain vulnerabilities :

 - Accessibility
 - CFNetwork Proxies
 - CommonCrypto
 - CoreCapture
 - Disk Images
 - ImageIO
 - IOAcceleratorFamily
 - IOHIDFamily
 - Kernel
 - libc
 - libxml2
 - libxslt
 - MapKit
 - OpenGL
 - Safari
 - Siri
 - WebKit
 - WebKit Canvas

According to its banner, the version of the remote Apple TV device is prior to 9.2.1. It is, therefore, affected by multiple vulnerabilities in the following components :

  - CFNetwork Proxies
  - CommonCrypto
  - CoreCapture
  - Disk Images
  - ImageIO
  - IOAcceleratorFamily
  - IOHIDFamily
  - Kernel
  - libc
  - libxml2
  - libxslt
  - OpenGL
  - WebKit
  - WebKit Canvas

Note that only 4th generation models are affected by the vulnerabilities.

The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.5. It is, therefore, affected by multiple vulnerabilities in the following components :

  - AMD
  - apache_mod_php
  - AppleGraphicsControl
  - AppleGraphicsPowerManagement
  - Assistant
  - ATS
  - Audio
  - Captive
  - CFNetwork
  - CommonCrypto
  - CoreCapture
  - CoreStorage
  - Crash
  - Disk
  - Disk
  - Driver
  - Drivers
  - Drivers
  - Graphics
  - Graphics
  - Graphics
  - ImageIO
  - Images
  - Intel
  - IOAcceleratorFamily
  - IOAudioFamily
  - IOFireWireFamily
  - IOHIDFamily
  - Kernel
  - libc
  - libxml2
  - libxslt
  - Lock
  - MapKit
  - Messages
  - Multi-Touch
  - Network
  - NVIDIA
  - OpenGL
  - Proxies
  - QuickTime
  - Reporter
  - SceneKit
  - Screen
  - Tcl
  - Utility

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The mobile device is running a version of iOS prior to 9.3.2. It is, therefore, affected by multiple vulnerabilities in the following components :

  - Accessibility
  - CFNetwork Proxies
  - CommonCrypto
  - CoreCapture
  - Disk Images
  - ImageIO
  - IOAcceleratorFamily
  - IOHIDFamily
  - Kernel
  - libc
  - libxml2
  - libxslt
  - MapKit
  - OpenGL
  - Safari
  - Siri
  - WebKit
  - WebKit Canvas

ID	Name	Product	Family	Severity
95917	macOS 10.12.x < 10.12.2 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
802004	macOS < 10.11.5 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	high
9392	Mac OS X 10.11.x < 10.11.5 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	high
9337	Apple TV < 9.2.1 Multiple Vulnerabilities	Nessus Network Monitor	Internet Services	high
9332	Apple iOS < 9.3.2 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	high
91311	Apple TV < 9.2.1 Multiple Vulnerabilities	Nessus	Misc.	high
91228	Mac OS X 10.11.x < 10.11.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
91225	Apple iOS < 9.3.2 Multiple Vulnerabilities	Nessus	Mobile Devices	high

CVE-2016-1823

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins