97132

1038138

http://www.talosintelligence.com/reports/TALOS-2017-0296/

https://support.apple.com/HT207601

https://support.apple.com/HT207602

https://support.apple.com/HT207615

https://support.apple.com/HT207617

According to its banner, the version of Apple TV on the remote device is prior to 10.2. It is, therefore, affected by multiple vulnerabilities :

  - An out-of-bounds read error exists in LibTIFF in the     DumpModeEncode() function within file tif_dumpmode.c.
    An unauthenticated, remote attacker can exploit this     to crash a process linked against the library or     disclose memory contents. (CVE-2016-3619)

  - An out-of-bounds read error exists in WebKit when     handling certain JavaScript code. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the disclosure of memory contents.
    (CVE-2016-9642)

  - A denial of service vulnerability exists in WebKit when     handling certain regular expressions. An     unauthenticated, remote attacker can exploit this, via a     specially crafted web page, to exhaust available memory     resources. (CVE-2016-9643)

  - An information disclosure vulnerability exists in WebKit     when handling page loading due to improper validation of     certain input. An unauthenticated, remote attacker can     exploit this to disclose data cross-origin.
    (CVE-2017-2367)

  - A buffer overflow condition exists in the Carbon     component when handling specially crafted DFONT files     due to improper validation of certain input. An     unauthenticated, remote attacker can exploit this, via     a specially crafted file, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2017-2379)

  - An information disclosure vulnerability exists in WebKit     when handling unspecified exceptions. An     unauthenticated, remote attacker can exploit this, via     specially crafted web content, to disclose data     cross-origin. (CVE-2017-2386)

  - A flaw exists in the libarchive component due to the     insecure creation of temporary files. A local attacker     can exploit this, by using a symlink attack against an     unspecified file, to cause unexpected changes to be made     to file system permissions. (CVE-2017-2390)

  - Multiple memory corruption issues exist in WebKit that     allow an unauthenticated, remote attacker to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2017-2394, CVE-2017-2395,     CVE-2017-2396, CVE-2017-2454, CVE-2017-2455,     CVE-2017-2459, CVE-2017-2460, CVE-2017-2464,     CVE-2017-2465, CVE-2017-2466, CVE-2017-2468,     CVE-2017-2469, CVE-2017-2470, CVE-2017-2476)

  - A memory corruption issue exists in the Kernel component     due to improper validation of certain input. An     unauthenticated, remote attacker can exploit this, by     convincing a user to run a specially crafted     application, to cause a denial of service condition or     the execution or arbitrary code. (CVE-2017-2401)

  - Multiple memory corruption issues exist in the FontParser     component when handling font files due to improper     validation of certain input. An unauthenticated, remote     attacker can exploit these to cause a denial condition     or the execution of arbitrary code. (CVE-2017-2406,     CVE-2017-2407, CVE-2017-2487)

  - An unspecified type confusion error exists in WebKit     that allows an unauthenticated, remote attacker to     execute arbitrary code by using specially crafted web     content. (CVE-2017-2415)

  - A memory corruption issue exists in the ImageIO     component, specifically in the GIFReadPlugin::init()     function, when handling image files due to improper     validation of certain input. An unauthenticated, remote     attacker can exploit this, via a specially crafted image     file, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2017-2416)

  - An infinite recursion condition exists in the     CoreGraphics component when handling image files. An     unauthenticated, remote can exploit this, via a     specially crafted image file, to cause a denial of     service condition. (CVE-2017-2417)

  - An unspecified flaw exists related to nghttp2 and     LibreSSL. An unauthenticated, remote attacker can     exploit this, by convincing a user to access a malicious     HTTP/2 server, to have an unspecified impact on     confidentiality, integrity, and availability.
    (CVE-2017-2428)

  - A type confusion error exists in the Audio component     when parsing specially crafted M4A audio files due to     improper validation of certain input. An     unauthenticated, remote attacker can exploit this, via a     specially crafted file, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2017-2430)

  - An integer overflow condition exists in the ImageIO     component when handling JPEG files due to improper     validation of certain input. An unauthenticated, remote     attacker can exploit this, via a specially crafted file,     to cause a denial of service condition or the execution     of arbitrary code. (CVE-2017-2432)

  - A memory corruption issue exists in the CoreText     component when handling font files due to improper     validation of certain input. An unauthenticated, remote     attacker can exploit this, via a specially crafted file,     to cause a denial of service condition or the execution     of arbitrary code. (CVE-2017-2435)

  - An out-of-bounds read error exists in the FontParser     component when handling font files. An unauthenticated,     remote attacker can exploit this, via a specially     crafted file, to disclose process memory.
    (CVE-2017-2439)

  - An integer overflow condition exists in the Kernel     component due to improper validation of certain input.
    An unauthenticated, remote attacker can exploit this, by     convincing a user to run a specially crafted     application, to execute arbitrary code with kernel-level     privileges. (CVE-2017-2440)

  - A use-after-free error exists in libc++abi when     demangling C++ applications. An unauthenticated, remote     attacker can exploit this, by convincing a user to run a     specially crafted application, to execute arbitrary     code. (CVE-2017-2441)

  - A memory corruption issue exists in WebKit within the     CoreGraphics component due to improper validation of     certain input. An unauthenticated, remote attacker can     exploit this, via specially crafted web content, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2017-2444)

  - A universal cross-site scripting (XSS) vulnerability     exists in WebKit when handling frame objects due to     improper validation of certain input. An     unauthenticated, remote attacker can exploit this, via     specially crafted web content, to execute arbitrary     script code in a user's browser session. (CVE-2017-2445)

  - A flaw exists in WebKit due to non-strict mode functions     that are called from built-in strict mode scripts not     being properly restricted from calling sensitive native     functions. An unauthenticated, remote attacker can     exploit this, via specially crafted web content, to     execute arbitrary code. (CVE-2017-2446)

  - An out-of-bounds read error exists in WebKit when     handling the bound arguments array of a bound function.
    An unauthenticated, remote attacker can exploit this,     via specially crafted web content, to disclose memory     contents. (CVE-2017-2447)

  - An unspecified flaw exists in the Security component due     to improper validation of OTR packets under certain     conditions. A man-in-the-middle attacker can exploit     this to disclose and optionally manipulate transmitted     data by spoofing the TLS/SSL server via a packet that     appears to be valid. (CVE-2017-2448)

  - An out-of-bounds read error exists in CoreText component     when handling font files. An unauthenticated, remote     attacker can exploit this, via a specially crafted file,     to disclose process memory. (CVE-2017-2450)

  - A buffer overflow condition exists in the Security     component due to improper validation of certain input.
    An unauthenticated, remote attacker can exploit this,     by convincing a user to run a specially crafted     application, to execute arbitrary code with root     root privileges. (CVE-2017-2451)

  - A race condition exists in the Kernel component when     handling memory using the 'mach_msg' system call. An     unauthenticated, remote attacker can exploit this, by     convincing a user to run a specially crafted     application, to cause a heap-based buffer overflow,     resulting in a denial of service condition or the     execution of arbitrary code with root privileges.
    CVE-2017-2456)

  - An buffer overflow condition exists in the Keyboards     component due to improper validation of certain input.
    An unauthenticated, remote attacker can exploit this, by     convincing a user to run a specially crafted     application, to cause a denial of service condition or     the execution of arbitrary code. (CVE-2017-2458)

  - A denial of service vulnerability exists in the     CoreText component when handling specially crafted text     messages due to improper validation of certain input. An     unauthenticated, remote attacker can exploit this to     exhaust available resources on the system.
    (CVE-2017-2461)

  - A heap buffer overflow condition exists in the Audio     component when parsing specially crafted M4A audio files     due to improper validation of certain input. An     unauthenticated, remote attacker can exploit this, via a     specially crafted file, to execute arbitrary code.
    (CVE-2017-2462)

  - An memory corruption issue exists in the ImageIO     component when handling specially crafted files due to     improper validation of certain input. An     unauthenticated, remote attacker can exploit this, via     a specially crafted file, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2017-2467)

  - A use-after-free error exists in the Kernel component in     the XNU port actions extension due to improper handling     of port references in error cases. An local attacker can     exploit this to deference already freed memory,     resulting in the execution of arbitrary code with     kernel-level privileges. (CVE-2017-2472)

  - A signedness error exists in the Kernel component in the     SIOCSIFORDER IOCTL due to improper validation of certain     input. A local attacker can exploit this to cause an     out-of-bounds read and memory corruption, resulting in     a denial of service condition or the execution of     arbitrary code with kernel-level privileges.
    (CVE-2017-2473)

  - A off-by-one overflow condition exists in the Kernel     component in the SIOCSIFORDER IOCTL due to improper     validation of certain input. A local attacker can exploit     this to cause a heap-based buffer overflow, resulting in     the execution of arbitrary code with kernel-level     privileges. (CVE-2017-2474)

  - A universal cross-site scripting (XSS) vulnerability     exists in WebKit when handling frames due to improper     validation of certain input. An unauthenticated, remote     attacker can exploit this, via specially crafted web     content, to execute arbitrary script code in a user's     browser session. (CVE-2017-2475)

  - A race condition exists in the Kernel component in the     necp_open() function when closing files descriptors due     to improper handling of proc_fd locks. A local attacker     can exploit this to dereference already freed memory,     resulting in the execution of arbitrary code with     kernel-level privileges. (CVE-2017-2478)

  - A use-after-free error exists in WebKit when handling     ElementData objects. An unauthenticated, remote attacker     can exploit this, via specially crafted web content, to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2017-2481)

  - A heap buffer overflow condition exists in the Kernel     component within the Berkeley Packet Filter (BPF)     BIOCSBLEN IOCTL due to improper validation of certain     input when reattaching to an interface. A local attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code with kernel-level     privileges. (CVE-2017-2482)

  - An off-by-one error exists in the Kernel component,     specifically in the audit_pipe_open() function, when     handling auditpipe devices due to improper validation of     certain input. A local attacker can exploit this to     corrupt memory, resulting in a denial of service     condition or the execution of arbitrary code with     kernel-level privileges. (CVE-2017-2483)

  - An unspecified memory corruption issue exists in the     Security component when parsing X.509 certificates due     to improper validation of certain input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2017-2485)

  - A double-free error exists in the Kernel component due     to FSEVENTS_DEVICE_FILTER_64 IOCTL not properly locking     devices. A local attacker can exploit this to corrupt     memory, resulting in the execution of arbitrary code     with elevated privileges. (CVE-2017-2490)

  - A use-after-free error exists in JavaScriptCore when     handling the String.replace() method. An     unauthenticated, remote attacker can exploit this to     deference already freed memory, resulting in the     execution of arbitrary code. (CVE-2017-2491)

  - A universal cross-site scripting (XSS) vulnerability     exists in JavaScriptCore due to an unspecified prototype     flaw. An unauthenticated, remote attacker can exploit     this, via a specially crafted web page, to execute     arbitrary code in a user's browser session.
    (CVE-2017-2492)

Note that only 4th generation models are affected by these vulnerabilities.

Versions of Apple TV earlier than 10.2 are affected by multiple vulnerabilities :

 - An unspecified flaw exists related to 'nghttp2' and 'LibreSSL' that is triggered during the handling of a malicious HTTP/2 server. This may allow an attacker to have multiple unspecified impacts. (CVE-2017-2428)
 - A type confusion flaw exists that is triggered as certain input is not properly validated when parsing specially crafted M4A audio files. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2017-2430)
 - A use-after-free flaw exists in 'libc++' that is triggered when demangling C++ applications. This may allow a malicious application to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-2441)
 - A flaw exists as OTR packets are not properly validated. By spoofing the TLS/SSL server via a packet that appears valid, an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data. (CVE-2017-2448)
 - An overflow condition exists that is triggered as certain input is not properly validated when parsing specially crafted M4A audio files. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing execution of arbitrary code. (CVE-2017-2462)
 - An unspecified flaw exists that is triggered as certain input is not properly validated when parsing X.509 certificates. This may allow a context dependent-attacker to corrupt memory and potentially execute arbitrary code.

Additional flaws exist in the following components :

 - Carbon (CVE-2017-2379)
 - Carbon (CVE-2017-2379)
 - CoreGraphics (CVE-2017-2417, CVE-2017-2444)
 - CoreText (CVE-2017-2435, CVE-2017-2450, CVE-2017-2461)
 - FontParser (CVE-2017-2406, CVE-2017-2407, CVE-2017-2439, CVE-2017-2487)
 - ImageIO (CVE-2017-2416, CVE-2017-2432, CVE-2017-2467)
 - Kernel (CVE-2017-2401, CVE-2017-2440, CVE-2017-2456, CVE-2017-2472, CVE-2017-2473, CVE-2017-2474, CVE-2017-2478, CVE-2017-2482, CVE-2017-2483, CVE-2017-2490)
 - Keyboards (CVE-2017-2458)
 - libarchive (CVE-2017-2390)
 - Security (CVE-2017-2451)
 - Webkit (CVE-2017-2367, CVE-2017-2378, CVE-2017-2386, CVE-2017-2394, CVE-2017-2395, CVE-2017-2396, CVE-2017-2405, CVE-2017-2415, CVE-2017-2419, CVE-2017-2424, CVE-2017-2433, CVE-2017-2442, CVE-2017-2445, CVE-2017-2446, CVE-2017-2447, CVE-2017-2454, CVE-2017-2455, CVE-2017-2459, CVE-2017-2460, CVE-2017-2464, CVE-2017-2465, CVE-2017-2466, CVE-2017-2468, CVE-2017-2469, CVE-2017-2470, CVE-2017-2471, CVE-2017-2476, CVE-2017-2481)

The version of iOS running on the mobile device is prior to 10.3, and is affected by multiple vulnerabilities :

 - An unspecified state management flaw exists that may allow a context-dependent attacker to spoof the address bar. No further details have been provided. (CVE-2017-2376)
 - An unspecified flaw exists in the handling of HTTP authentication. This may allow a context-dependent attacker to display authentication sheets on arbitrary web sites and cause a denial of service. (CVE-2017-2389)
 - A flaw exists in the password-protected PDF export feature that is triggered as a weak encryption algorithm is used. This may allow an attacker with access to a password-protected document to potentially disclose the document content. (CVE-2017-2391)
 - A flaw exists in the 'SecKeyRawVerify()' function that is triggered as parameters are not properly validated during the handling of cryptographic API calls. This may allow a remote attacker to have an empty signature be accepted as valid. (CVE-2017-2423)

Additional flaws exist in the following components :

 - Carbon (CVE-2017-2379)
 - CoreGraphics (CVE-2017-2417)
 - DataAccess (CVE-2017-2414)
 - FontParser (CVE-2017-2406, CVE-2017-2407)
 - iCloud (CVE-2017-2397)
 - ImageIO (CVE-2017-2416)
 - iTunes Store (CVE-2017-2412)
 - Kernel (CVE-2017-2398, CVE-2017-2401, CVE-2017-2490)
 - libarchive (CVE-2017-2390)
 - Pasteboard (CVE-2017-2399)
 - Quick Look (CVE-2017-2404)
 - Safari (CVE-2017-2384, CVE-2017-2393, CVE-2017-2400)
 - Webkit (CVE-2017-2367, CVE-2017-2378, CVE-2017-2386, CVE-2017-2394, CVE-2017-2395, CVE-2017-2396, CVE-2017-2405, CVE-2017-2415, CVE-2017-2419, CVE-2017-2424, CVE-2017-2433, CVE-2017-2442, CVE-2017-2445, CVE-2017-2446, CVE-2017-2447, CVE-2017-2454, CVE-2017-2455, CVE-2017-2459, CVE-2017-2460, CVE-2017-2464, CVE-2017-2465, CVE-2017-2466, CVE-2017-2468, CVE-2017-2469, CVE-2017-2470, CVE-2017-2471, CVE-2017-2476, CVE-2017-2481)

The remote host is running a version of Mac OS X version 10.x prior to 10.12.4 , and is affected by multiple vulnerabilities :

 - A format string flaw exists that is triggered as string format specifiers (e.g. %s and %x) are not properly used when handling IPP(S) links. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2017-2403)
 - A flaw exists in the 'SecKeyRawVerify()' function that is triggered as parameters are not properly validated during the handling of cryptographic API call. This may allow a remote attacker to have an empty signature be accepted as valid. (CVE-2017-2423)
 - A type confusion flaw exists that is triggered as certain input is not properly validated when parsing specially crafted M4A audio files. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2017-2430)
 - A use-after-free flaw exists in 'libc++' that is triggered when demangling C++ applications. This may allow a malicious application to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-2441)
 - A flaw exists as OTR packets are not properly validated. By spoofing the TLS/SSL server via a packet that appears valid, an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data. (CVE-2017-2448)
 - An overflow condition exists that is triggered as certain input is not properly validated when parsing specially crafted M4A audio files. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing execution of arbitrary code. (CVE-2017-2462)
 - An unspecified flaw exists that is triggered as certain input is not properly validated when parsing X.509 certificates. This may allow a context dependent-attacker to corrupt memory and potentially execute arbitrary code. (CVE-2017-2485)

Additional flaws exist in the following components :

 - AppleGraphicsPowerManagement (CVE-2017-2421)
 - AppleRAID (CVE-2017-2438)
 - Bluetooth (CVE-2017-2420, CVE-2017-2427, CVE-2017-2449)
 - Carbon (CVE-2017-2379)
 - CoreGraphics (CVE-2017-2417)
 - CoreMedia (2017-2431)
 - CoreText (CVE-2017-2435, CVE-2017-2450, CVE-2017-2461)
 - EFI (CVE-2016-7585)
 - Finderkit (CVE-2017-2429)
 - FontParser (CVE-2017-2406, CVE-2017-2407, CVE-2017-2439, CVE-2017-2487)
 - Hypervisor (CVE-2017-2418)
 - iBooks (CVE-2017-2426)
 - IOATAFamily (CVE-2017-2408)
 - IOFireWireAVC (CVE-2017-2436, CVE-2017-2437)
 - IOFireWireFamily (CVE-2017-2388)
 - ImageIO (CVE-2017-2416, CVE-2017-2432, CVE-2017-2467)
 - Intel Graphics (CVE-2017-2443)
 - Kernel (CVE-2017-2398, CVE-2017-2401, CVE-2017-2410, 2017-2440, 2017-2456, CVE-2017-2472, CVE-2017-2473, CVE-2017-2474, CVE-2017-2478, CVE-2017-2482, CVE-2017-2483, CVE-2017-2489, CVE-2017-2490)
 - Keyboards (CVE-2017-2458)
 - libarchive (CVE-2017-2390)
 - libxslt (CVE-2017-2477)
 - MCX (CVE-2017-2402)
 - Menus (CVE-2017-2409)
 - Multi-touch (CVE-2017-2422)
 - nghttp2 (CVE-2017-2428)
 - QuickTime (2017-2413)
 - Security (2017-2451, 2017-6974)
 - SecurityFoundation (CVE-2017-2425)
 - sudo (CVE-2017-2381)
 - WebKit (CVE-2017-2392, CVE-2017-2457, CVE-2017-2486)

The remote host is running a version of macOS that is 10.12.x prior to 10.12.4. It is, therefore, affected by multiple vulnerabilities in multiple components, some of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these remote code execution vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. The affected components are as follows :

  - apache
  - apache_mod_php
  - AppleGraphicsPowerManagement
  - AppleRAID
  - Audio
  - Bluetooth
  - Carbon
  - CoreGraphics
  - CoreMedia
  - CoreText
  - curl
  - EFI
  - FinderKit
  - FontParser
  - HTTPProtocol
  - Hypervisor
  - iBooks
  - ImageIO
  - Intel Graphics Driver
  - IOATAFamily
  - IOFireWireAVC
  - IOFireWireFamily
  - Kernel
  - Keyboards
  - libarchive
  - libc++abi
  - LibreSSL
  - MCX Client
  - Menus
  - Multi-Touch
  - OpenSSH
  - OpenSSL
  - Printing
  - python
  - QuickTime
  - Security
  - SecurityFoundation
  - sudo
  - System Integrity Protection
  - tcpdump
  - tiffutil
  - WebKit

The version of Apple iOS running on the mobile device is prior to 10.3. It is, therefore, affected by multiple vulnerabilities in multiple components, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these remote code execution vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. The affected components are as follows :

  - Accounts
  - Audio
  - Carbon
  - CoreGraphics
  - CoreText
  - DataAccess
  - FontParser
  - HomeKit
  - HTTPProtocol
  - ImageIO
  - iTunes Store
  - JavaScriptCore
  - Kernel
  - Keyboards
  - libarchive
  - libc++abi
  - libxslt
  - Pasteboard
  - Phone
  - Profiles
  - Quick Look
  - Safari
  - Safari Reader
  - SafariViewController
  - Security
  - Siri
  - WebKit
  - WebKit JavaScript Bindings
  - WebKit Web Inspector

ID	Name	Product	Family	Severity
99264	Apple TV < 10.2 Multiple Vulnerabilities	Nessus	Misc.	high
700035	Apple TV < 10.2 Multiple Vulnerabilities	Nessus Network Monitor	Internet Services	high
700034	Apple iOS < 10.3 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	high
700032	Mac OS X 10.x < 10.12.4 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
99134	macOS 10.12.x < 10.12.4 Multiple Vulnerabilities (httpoxy)	Nessus	MacOS X Local Security Checks	critical
99127	Apple iOS < 10.3 Multiple Vulnerabilities	Nessus	Mobile Devices	critical

CVE-2017-2485

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins