93854

1037088

https://support.apple.com/HT207269

https://support.apple.com/HT207270

https://support.apple.com/HT207271

Versions of Apple TV earlier than 10.0.1 are vulnerable to the following issues :

 - A flaw exists in WebKit when handling the location attribute that allows a unauthenticated, remote attacker to bypass the cross-origin policies and disclose sensitive user information. (CVE-2016-4613)
 - An out-of-bounds read error exists in the FontParser component when handling specially crafted font files that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-4660)
 - An unspecified flaw exists in the Sandbox Profiles component that allows a local attacker, via a specially crafted application, to disclose the metadata of photo directories. (CVE-2016-4664)
 - An unspecified flaw exists in the Sandbox Profiles component that allows a local attacker, via a specially crafted application, to disclose the metadata of audio recordings. (CVE-2016-4665)
 - Multiple memory corruption issues exist in Webkit due to improper validation of user-supplied input.  An unauthenticated, remote attacker can exploit these to execute arbitrary code. (CVE-2016-4666, CVE-2016-4677)
 - Multiple unspecified flaws exist in the System Boot component, within MIG generated code, due to improper validation of input.  A local attacker can exploit these to terminate the system or execute arbitrary code with elevated privileges. (CVE-2016-4669)
 - A memory corruption issue exists in the CoreGraphics component when handling specially crafted JPEG files.  An unauthenticated, remote attacker can exploit this, via a specially crafted file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4673)
 - An unspecified logic issue exists in libxpc that allows a local attacker to execute arbitrary code with root privileges. (CVE-2016-4675)
 - A NULL pointer dereference flaw exists in AppleSMC's smcHandleYPCEvent facility that is due to insufficient locking, which may allow a local attacker to gain elevated privileges. (CVE-2016-4678)
 - A flaw exists in libarchive due to improper path validation when creating temporary files during archive extraction.  An unauthenticated, remote attacker can exploit this, via a symlink attack, to overwrite arbitrary files. (CVE-2016-4679)
 - An unspecified flaw exists in the Kernel component due to improper sanitization of input.  A local attacker can exploit this to disclose kernel memory contents. (CVE-2016-4680)
 - A flaw exists in the CFNetwork Proxies component when handling proxy credentials that allows a man-in-the-middle attacker to disclose sensitive user information. (CVE-2016-7579)
 - A race condition exists in multiple IOKit drivers related to how they use task struct pointers.  This may allow a local attacker to potentially execute arbitrary code with kernel-level privileges. (CVE-2016-7613)

Note that only 4th generation models are affected by these vulnerabilities.

The version of iOS running on the mobile device is prior to 10.1, and is affected by multiple vulnerabilities in the following components :

 - CFNetwork Proxies (CVE-2016-7579)
 - Contacts (CVE-2016-4686)
 - CoreGraphics (CVE-2016-4673)
 - FaceTime (CVE-2016-7577)
 - FontParser (CVE-2016-4660, CVE-2016-4688)
 - IDS - Connectivity (CVE-2016-4721)
 - iTunes (CVE-2016-4685)
 - Kernel (CVE-2016-4669, CVE-2016-4680, CVE-2016-7613)
 - libarchive (CVE-2016-4679)
 - libxpc (CVE-2016-4675)
 - Safari (CVE-2016-7581)
 - Sandbox Profiles (CVE-2016-4664, CVE-2016-4665)
 - Security (CVE-2016-4670)
 - WebKit (CVE-2016-4666, CVE-2016-4677, CVE-2016-7578)

According to its banner, the version of Apple TV on the remote device is prior to 10.0.1. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists in WebKit when handling the location     attribute that allows an unauthenticated, remote     attacker to bypass the cross-origin policies and     disclose sensitive user information. (CVE-2016-4613)

  - An out-of-bounds read error exists in the FontParser     component when handling specially crafted font files     that allows an unauthenticated, remote attacker to     disclose sensitive information. (CVE-2016-4660)

  - An unspecified flaw exists in the Sandbox Profiles     component that allows a local attacker, via a specially     crafted application, to disclose the metadata of photo     directories. (CVE-2016-4664)

  - An unspecified flaw exists in the Sandbox Profiles     component that allows a local attacker, via a specially     crafted application, to disclose the metadata of audio     recordings. (CVE-2016-4665)

  - Multiple memory corruption issues exist in Webkit due     to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these to     execute arbitrary code. (CVE-2016-4666, CVE-2016-4677,     CVE-2016-7578)

  - Multiple unspecified flaws exist in the System Boot     component, within MIG generated code, due to improper     validation of input. A local attacker can exploit these     to terminate the system or execute arbitrary code with     elevated privileges. (CVE-2016-4669)

  - A memory corruption issue exists in the CoreGraphics     component when handling specially crafted JPEG files. An     unauthenticated, remote attacker can exploit this, via a     specially crafted file, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2016-4673)

  - An unspecified logic issue exists in libxpc that allows     a local attacker to execute arbitrary code with root     privileges. (CVE-2016-4675)

  - A flaw exists in libarchive due to improper path     validation when creating temporary files during archive     extraction. An unauthenticated, remote attacker can     exploit this, via a symlink attack, to overwrite     arbitrary files. (CVE-2016-4679)

  - An unspecified flaw exists in the Kernel component due     to improper sanitization of input. A local attacker can     exploit this to disclose kernel memory contents.
    (CVE-2016-4680)

  - An overflow condition exists in the FontParser component     due to improper validation when parsing font files. An     unauthenticated, remote attacker can exploit this to     cause a buffer overflow, resulting in a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-4688)

  - A flaw exists in the CFNetwork Proxies component when     handling proxy credentials that allows a     man-in-the-middle attacker to disclose sensitive user     information. (CVE-2016-7579)

  - A flaw exists in the AppleMobileFileIntegrity component     due to improper validation of code signatures. A local     attacker can exploit this to have a signed executable     substitute code with the same team ID. (CVE-2016-7584)

  - Multiple race conditions exist in various IOKit drivers     related to how they use task struct pointers. A local     attacker can exploit this to execute arbitrary code with     kernel-level privileges. (CVE-2016-7613)

Note that only 4th generation models are affected by these vulnerabilities.

The version of iOS running on the mobile device is prior to 10.1. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists in the FaceTime component when handling     relayed calls due to inconsistencies in the user     interface. A man-in-the-middle attacker can exploit this     issue to cause a relayed call to continue to transmit     audio while the call appears to be terminated.
    (CVE-2016-4635)

  - An out-of-bounds read error exists in the FontParser     component when handling specially crafted font files     that allows an unauthenticated, remote attacker to     disclose sensitive information. (CVE-2016-4660)

  - An unspecified flaw exists in the Sandbox Profiles     component that allows a local attacker, via a specially     crafted application, to disclose the metadata of photo     directories. (CVE-2016-4664)

  - An unspecified flaw exists in the Sandbox Profiles     component that allows a local attacker, via a specially     crafted application, to disclose the metadata of audio     recordings. (CVE-2016-4665)

  - Multiple memory corruption issues exist in Webkit due     to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these to     execute arbitrary code. (CVE-2016-4666, CVE-2016-4677)

  - Multiple unspecified flaws exist in the System Boot     component, within MIG generated code, due to improper     validation of input. A local attacker can exploit these     to terminate the system or execute arbitrary code with     elevated privileges. (CVE-2016-4669)

  - A flaw exists in the Security component due to the     program logging the length of passwords. A local     attacker can exploit this to disclose sensitive     information. (CVE-2016-4670)

  - A memory corruption issue exists in the CoreGraphics     component when handling specially crafted JPEG files. An     unauthenticated, remote attacker can exploit this, via a     specially crafted file, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2016-4673)

  - An unspecified logic issue exists in libxpc that allows     a local attacker to execute arbitrary code with root     privileges. (CVE-2016-4675)

  - A flaw exists in libarchive due to improper path     validation when creating temporary files during archive     extraction. An unauthenticated, remote attacker can     exploit this, via a symlink attack, to overwrite     arbitrary files. (CVE-2016-4679)

  - An unspecified flaw exists in the Kernel component due     to improper sanitization of input. A local attacker can     exploit this to disclose kernel memory contents.
    (CVE-2016-4680)

  - A flaw exists in the Contacts component due to a failure     to revoke an application's access to the Address Book     after its access has been removed in Settings. A local     attacker can exploit this to cause access to persist     after it should have been removed. (CVE-2016-4686)

  - A flaw exists in the CFNetworks component when handling     proxy credentials that allows a man-in-the-middle     attacker to disclose sensitive user information.
    (CVE-2016-7579)

ID	Name	Product	Family	Severity
9757	Apple TV < 10.0.1 Multiple Vulnerabilities	Nessus Network Monitor	Internet Services	high
9756	Apple iOS < 10.1 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	high
94337	Apple TV < 10.0.1 Multiple Vulnerabilities	Nessus	Misc.	high
94330	Apple iOS < 10.1 Multiple Vulnerabilities	Nessus	Mobile Devices	high

CVE-2016-4680

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins