An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. iTunes before 12.6.1 on Windows is affected. tvOS before 10.2.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

The remote host is affected by the vulnerability described in GLSA-201706-15 (WebKitGTK+: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in WebKitGTK+. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attack can use multiple vectors to execute arbitrary code or       cause a denial of service condition.
  Workaround :

    There is no known workaround at this time.

The version of Apple Safari installed on the remote macOS or Mac OS X host is prior to 10.1.1. It is, therefore, affected by multiple vulnerabilities :

  - An unspecified flaw exists in the history menu     functionality. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2017-2495)

  - Multiple memory corruption issues exist in the WebKit     component due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     these issues, by convincing a user to visit a specially     crafted website, to execute arbitrary code.
    (CVE-2017-2496, CVE-2017-2505, CVE-2017-2506,     CVE-2017-2514, CVE-2017-2515, CVE-2017-2521,     CVE-2017-2525, CVE-2017-2526, CVE-2017-2530,     CVE-2017-2531, CVE-2017-2538, CVE-2017-2539,     CVE-2017-2544, CVE-2017-2547, CVE-2017-6980,     CVE-2017-6984)

  - A memory corruption issue exists in the WebKit Web     Inspector component that allows an unauthenticated,     remote attacker to execute arbitrary code.
    (CVE-2017-2499)

  - An address bar spoofing vulnerability exists due to     improper state management. An unauthenticated, remote     attacker can exploit this to spoof the address in the     address bar. (CVE-2017-2500, CVE-2017-2511)

  - Multiple universal cross-site scripting (XSS)     vulnerabilities exist in WebKit due to improper handling     of WebKit Editor commands, container nodes, pageshow     events, frame loading, and cached frames. An     unauthenticated, remote attacker can exploit this, via a     specially crafted web page, to execute arbitrary script     code in a user's browser session. (CVE-2017-2504,     CVE-2017-2508, CVE-2017-2510, CVE-2017-2528,     CVE-2017-2549)

  - Multiple unspecified flaws exist in WebKit that allow     an unauthenticated, remote attacker to corrupt memory     and execute arbitrary code by using specially crafted     web content. (CVE-2017-2536)

The version of Apple iTunes running on the remote host is prior to 12.6.1. It is, therefore, affected by a remote code execution vulnerability due to memory corruption caused by improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to open maliciously crafted web content, to execute arbitrary code.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apple iTunes installed on the remote Windows host is prior to 12.6.1. It is, therefore, affected by a remote code execution vulnerability due to memory corruption caused by improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to open maliciously crafted web content, to execute arbitrary code.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Versions of Apple TV earlier than 10.2.1 are affected by multiple vulnerabilities :

 - A flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists in the handling of RenderLayer objects. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A logic flaw exists that allows a universal cross-site scripting (UXSS) attack. The issue is triggered when handling WebKit Editor commands. This may allow a context-dependent attacker to create a specially crafted web page that will execute arbitrary script code in a user's browser session within the trust relationship between their browser and any website. 

This product is also affected by vulnerabilities found in the following components:

 - AVEVideoEncoder
 - CoreAudio
 - CoreFoundation
 - Foundation
 - IOSurface
 - Kernel
 - SQLite
 - TextInput
 - WebKit
 - Web Inspector

Versions of Safari prior to 10.1.1 are affected by multiple vulnerabilities :

 - A flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists in the handling of RenderElement objects. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the handling of RenderLayer objects. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the handling of RenderInline objects. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - An unspecified flaw exists in the Safari history menu. With a specially crafted web page, a context-dependent attacker can cause an application denial of service.
 - A flaw exists related to an inconsistent user interface. This may allow a context-dependent attacker to spoof the address bar.
 - A logic flaw exists that allows a UXSS attack. The issue is triggered when handling container nodes. This may allow a context-dependent attacker to create a specially crafted web page that will execute arbitrary script code in a user's browser session within the trust relationship between their browser and any website.
 - A flaw exists related to an inconsistent user interface. This may allow a context-dependent attacker to spoof the address bar.

This product is also affected by vulnerabilities found in the following components:

 - WebKit 
 - Web Inspector

The version of Apple iOS running on the mobile device is prior to 10.3.2. It is, therefore, affected by multiple vulnerabilities :

  - Multiple memory corruption issues exist in the WebKit     component due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     these issues, by convincing a user to visit a specially     crafted website, to execute arbitrary code.
    (CVE-2017-2496, CVE-2017-2505, CVE-2017-2506,     CVE-2017-2514, CVE-2017-2515, CVE-2017-2521,     CVE-2017-2525, CVE-2017-2526, CVE-2017-2530,     CVE-2017-2531, CVE-2017-2538, CVE-2017-2539,     CVE-2017-2544, CVE-2017-2547, CVE-2017-6980,     CVE-2017-6984)

  - A security bypass vulnerability exists in the Security     component in the certificate trust policy. An     unauthenticated, remote attacker can exploit this to     cause untrusted certificates to be treated at trusted.
    (CVE-2017-2498)

  - A memory corruption issue exists in the WebKit Web     Inspector component that allows an unauthenticated,     remote attacker to execute arbitrary code.
    (CVE-2017-2499)

  - An unspecified flaw exists in the Safari component in     the history menu functionality. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition. (CVE-2017-2495)

  - A state management flaw exists in the iBooks component     due to improper handling of URLs. An unauthenticated,     remote attacker can exploit this, via a specially     crafted book, to open arbitrary websites without user     permission. (CVE-2017-2497)

  - A local privilege escalation vulnerability exists in the     Kernel component due to a race condition. A local     attacker can exploit this to execute arbitrary code with     kernel-level privileges. (CVE-2017-2501)

  - An information disclosure vulnerability exists in the     CoreAudio component due to improper sanitization of     user-supplied input. A local attacker can exploit this     to read the contents of restricted memory.
    (CVE-2017-2502)

  - Multiple universal cross-site scripting (XSS)     vulnerabilities exist in WebKit due to improper handling     of WebKit Editor commands, container nodes, pageshow     events, frame loading, and cached frames. An     unauthenticated, remote attacker can exploit this, via a     specially crafted web page, to execute arbitrary script     code in a user's browser session. (CVE-2017-2504,     CVE-2017-2508, CVE-2017-2510, CVE-2017-2528,     CVE-2017-2549)

  - Multiple information disclosure vulnerabilities exist     in the Kernel component due to improper sanitization of     user-supplied input. A local attacker can exploit these     to read the contents of restricted memory.
    (CVE-2017-2507, CVE-2017-6987)

  - A use-after-free error exists in the SQLite component     when handling SQL queries. An unauthenticated, remote     attacker can exploit this to deference already freed     memory, resulting in the execution of arbitrary code.
    (CVE-2017-2513)

  - Multiple buffer overflow conditions exist in the SQLite     component due to the improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit these, via a specially crafted SQL query, to     execute arbitrary code. (CVE-2017-2518, CVE-2017-2520)

  - A memory corruption issue exists in the SQLite component     when handling SQL queries. An unauthenticated, remote     attacker can exploit this, via a specially crafted SQL     query, to execute arbitrary code. (CVE-2017-2519)

  - An unspecified memory corruption issue exists in the     TextInput component when parsing specially crafted data.
    An unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2017-2524)

  - Multiple unspecified flaws exist in WebKit that allow     an unauthenticated, remote attacker to corrupt memory     and execute arbitrary code by using specially crafted     web content. (CVE-2017-2536)

  - An unspecified flaw exists in the IOSurface component     that allows a local attacker to corrupt memory and     execute arbitrary code with kernel-level privileges.
    (CVE-2017-6979)

  - A logic error exists in the iBooks component due to     improper path validation for symlinks. A local attacker     can exploit this to execute arbitrary code with root     privileges. (CVE-2017-6981)

  - An unspecified flaw exists in the Notifications     component that allows a local attacker to cause a denial     of service condition via a specially crafted     application. (CVE-2017-6982)

  - Multiple memory corruption issues exist in SQLite due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these, by     convincing a user to visit a specially crafted website,     to execute arbitrary code.
    (CVE-2017-6983, CVE-2017-6991)

  - An unspecified flaw exists in the AVEVideoEncoder     component that allows a local attacker, via a specially     crafted application, to corrupt memory and execute     arbitrary code with kernel-level privileges.
    (CVE-2017-6989)

  - Multiple type confusion flaws exist in SQLite due to     improper validation of user-supplied input to 'snippet',     'offsets', and 'matchinfo'. An unauthenticated, remote     attacker can exploit these, by convincing a user to     visit a specially crafted website, to execute arbitrary     code. (CVE-2017-7000, CVE-2017-7001, CVE-2017-7002)

  - A denial of service vulnerability exists in the     CoreText component due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this, via a specially crafted file, to crash     an application. (CVE-2017-7003)

  - A race condition exists when performing userspace     entitlement checks. A local attacker can exploit this to     bypass restrictions and send privileged XPC messages     without entitlements. (CVE-2017-7004)

  - A memory corruption issue exists in the JavaScriptCore     component due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this, via specially crafted web content, to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2017-7005)

The version of iOS running on the mobile device is prior to 10.3.2, and is affected by multiple vulnerabilities :

 - A use-after-free error exists in the handling of RenderElement objects. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the handling of RenderLayer objects. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the handling of RenderInline objects. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists related to the certificate trust policy that is triggered when handling trust acceptance. This may allow a context-dependent attacker to potentially cause untrusted certificates to be treated as trusted.
 - An unspecified flaw exists in the Safari history menu. With a specially crafted web page, a context-dependent attacker can cause an application denial of service.
 - A logic flaw exists that allows a universal cross-site scripting (UXSS) attack. The issue is triggered when handling WebKit Editor commands. This may allow a context-dependent attacker to create a specially crafted web page that will execute arbitrary script code in a user's browser session within the trust relationship between their browser and any website.
 - A type confusion flaw exists in SQLite that is triggered as certain input related to 'snippet' is not properly validated. With specially crafted web content, a context-dependent attacker can corrupt memory and potentially execute arbitrary code.

This product is also affected by vulnerabilities found in the following components:

 - AVEVideoEncoder
 - CoreAudio
 - CoreFoundation
 - Foundation
 - iBooks 
 - IOSurface
 - Kernel
 - TextInput
 - Notifications
 - SQLite
 - WebKit
 - Web Inspector 

According to its banner, the version of Apple TV on the remote device is prior to 10.2.1. It is, therefore, affected by multiple vulnerabilities :

  - A memory corruption issue exists in the WebKit Web     Inspector component that allows an unauthenticated,     remote attacker to execute arbitrary code.
    (CVE-2017-2499)

  - An unspecified race condition exists in the Kernel     component that allows a local attacker to execute     arbitrary code with kernel-level privileges.
    (CVE-2017-2501)

  - An information disclosure vulnerability exists in the     CoreAudio component due to improper sanitization of     certain input. A local attacker can exploit this to read     the contents of restricted memory. (CVE-2017-2502)

  - A universal cross-site scripting (XSS) vulnerability     exists in WebKit due to a logic flaw when handling     WebKit Editor commands. An unauthenticated, remote     attacker can exploit this, via a specially crafted web     page, to execute arbitrary script code in a user's     browser session. (CVE-2017-2504)

  - Multiple memory corruption issues exist in WebKit due to     improper validation of certain input. An     unauthenticated, remote attacker can exploit these to     execute arbitrary code. (CVE-2017-2505, CVE-2017-2515,     CVE-2017-2521, CVE-2017-2530, CVE-2017-2531,     CVE-2017-6980, CVE-2017-6984)

  - Multiple information disclosure vulnerabilities exist     in the Kernel component due to improper sanitization of     certain input. A local attacker can exploit these to     read the contents of restricted memory. (CVE-2017-2507,     CVE-2017-6987)

  - A use-after-free error exists in the SQLite component     when handling SQL queries. An unauthenticated, remote     attacker can exploit this to deference already freed     memory, resulting in the execution of arbitrary code.
    (CVE-2017-2513)

  - Multiple buffer overflow conditions exist in the SQLite     component due to the improper validation of certain     input. An unauthenticated, remote attacker can exploit     these, via a specially crafted SQL query, to execute     arbitrary code. (CVE-2017-2518, CVE-2017-2520)

  - A memory corruption issue exists in the SQLite component     when handling SQL queries. An unauthenticated, remote     attacker can exploit this, via a specially crafted     query, to execute arbitrary code. (CVE-2017-2519)

  - An unspecified memory corruption issue exists in the     TextInput component when parsing specially crafted data.
    An unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2017-2524)

  - A use-after-free error exists in WebKit when handling     RenderLayer objects. An unauthenticated, remote attacker     can exploit this, via a specially crafted web page, to     deference already freed memory, resulting in the     execution of arbitrary code. (CVE-2017-2525)

  - Multiple unspecified flaws exist in WebKit that allow     an unauthenticated, remote attacker to corrupt memory     and execute arbitrary code by using specially crafted     web content. (CVE-2017-2536)

  - A universal cross-site scripting (XSS) vulnerability     exists in WebKit due to a logic error when handling     frame loading. An unauthenticated, remote attacker can     exploit this, via a specially crafted web page, to     execute arbitrary code in a user's browser session.
    (CVE-2017-2549)

  - An unspecified flaw exists in the IOSurface component     that allows a local attacker to corrupt memory and     execute arbitrary code with kernel-level privileges.
    (CVE-2017-6979)

  - An unspecified flaw exists in the AVEVideoEncoder     component that allows a local attacker, via a specially     crafted application, to corrupt memory and execute     arbitrary code with kernel-level privileges.
    (CVE-2017-6989)

  - A denial of service vulnerability exists in the     CoreText component due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this, via a specially crafted file, to crash     an application. (CVE-2017-7003)

  - A memory corruption issue exists in the JavaScriptCore     component due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this, via specially crafted web content, to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2017-7005)

Note that only 4th generation models are affected by these vulnerabilities.

ID	Name	Product	Family	Severity
100675	GLSA-201706-15 : WebKitGTK+: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
100355	macOS : Apple Safari < 10.1.1 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
100301	Apple iTunes < 12.6.1 WebKit Memory Corruption RCE (uncredentialed check)	Nessus	Peer-To-Peer File Sharing	high
100300	Apple iTunes < 12.6.1 WebKit Memory Corruption RCE (credentialed check)	Nessus	Windows	high
700118	Apple TV < 10.2.1 Multiple Vulnerabilities	Nessus Network Monitor	Internet Services	critical
700117	Safari < 10.1.1 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
100269	Apple iOS < 10.3.2 Multiple Vulnerabilities	Nessus	Mobile Devices	high
700116	Apple iOS < 10.3.2 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	critical
100256	Apple TV < 10.2.1 Multiple Vulnerabilities	Nessus	Misc.	high

Detections

Analytics

CVE-2017-6984

high

Tenable Plugins

high

high

high

high

critical

medium

high

critical

high