98468

1038484

https://support.apple.com/HT207797

https://support.apple.com/HT207798

https://support.apple.com/HT207800

https://support.apple.com/HT207801

Versions of Apple TV earlier than 10.2.1 are affected by multiple vulnerabilities :

 - A flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists in the handling of RenderLayer objects. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A logic flaw exists that allows a universal cross-site scripting (UXSS) attack. The issue is triggered when handling WebKit Editor commands. This may allow a context-dependent attacker to create a specially crafted web page that will execute arbitrary script code in a user's browser session within the trust relationship between their browser and any website. 

This product is also affected by vulnerabilities found in the following components:

 - AVEVideoEncoder
 - CoreAudio
 - CoreFoundation
 - Foundation
 - IOSurface
 - Kernel
 - SQLite
 - TextInput
 - WebKit
 - Web Inspector

The remote host is running a version of macOS that is 10.12.x prior to 10.12.5. It is, therefore, affected by multiple vulnerabilities :

  - Multiple memory corruption issues exist in the Kernel     component that allow a local attacker to gain     kernel-level privileges. (CVE-2017-2494, CVE-2017-2546)

  - A state management flaw exists in the iBooks component     due to improper handling of URLs. An unauthenticated,     remote attacker can exploit this, via a specially     crafted book, to open arbitrary websites without user     permission. (CVE-2017-2497)

  - A local privilege escalation vulnerability exists in the     Kernel component due to a race condition. A local     attacker can exploit this to execute arbitrary code with     kernel-level privileges. (CVE-2017-2501)

  - An information disclosure vulnerability exists in the     CoreAudio component due to improper sanitization of     user-supplied input. A local attacker can exploit this     to read the contents of restricted memory.
    (CVE-2017-2502)

  - A memory corruption issue exists in the Intel graphics     driver component that allows a local attacker to execute     arbitrary code with kernel-level privileges.
    CVE-2017-2503)

  - Multiple information disclosure vulnerabilities exist     in the Kernel component due to improper sanitization of     user-supplied input. A local attacker can exploit these     to read the contents of restricted memory.
    (CVE-2017-2507, CVE-2017-2509, CVE-2017-2516,     CVE-2017-6987)

  - A memory corruption issue exists in the Sandbox     component that allows an unauthenticated, remote     attacker to escape an application sandbox.
    (CVE-2017-2512)

  - A use-after-free error exists in the SQLite component     when handling SQL queries. An unauthenticated, remote     attacker can exploit this to deference already freed     memory, resulting in the execution of arbitrary code.
    (CVE-2017-2513)

  - Multiple buffer overflow conditions exist in the SQLite     component due to the improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit these, via a specially crafted SQL query, to     execute arbitrary code. (CVE-2017-2518, CVE-2017-2520)

  - A memory corruption issue exists in the SQLite component     when handling SQL queries. An unauthenticated, remote     attacker can exploit this, via a specially crafted SQL     query, to execute arbitrary code. (CVE-2017-2519)

  - An unspecified memory corruption issue exists in the     TextInput component when parsing specially crafted data.
    An unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2017-2524)

  - A flaw exists in the CoreAnimation component when     handling specially crafted data. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code. (CVE-2017-2527)

  - A race condition exists in the DiskArbitration feature     that allow a local attacker to gain system-level     privileges. (CVE-2017-2533)

  - An unspecified flaw exists in the Speech Framework that     allows a local attacker to escape an application     sandbox. (CVE-2017-2534)

  - A resource exhaustion issue exists in the Security     component due to improper validation of user-supplied     input. A local attacker can exploit this to exhaust     resources and escape an application sandbox.
    (CVE-2017-2535)

  - Multiple memory corruption issues exist in the     WindowServer component that allow a local attacker to     execute arbitrary code with system-level privileges.
    (CVE-2017-2537, CVE-2017-2548)

  - An information disclosure vulnerability exists in     WindowServer component in the _XGetConnectionPSN()     function due to improper validation of user-supplied     input. A local attacker can exploit this to read the     contents of restricted memory. (CVE-2017-2540)

  - A stack-based buffer overflow condition exists in the     WindowServer component in the _XGetWindowMovementGroup()     function due to improper validation of user-supplied     input. A local attacker can exploit this to execute     arbitrary code with the privileges of WindowServer.
    (CVE-2017-2541)

  - Multiple memory corruption issues exist in the     Multi-Touch component that allow a local attacker to     execute arbitrary code with kernel-level privileges.
    (CVE-2017-2542, CVE-2017-2543)

  - A use-after-free error exists in the IOGraphic component     that allows a local attacker to execute arbitrary code     with kernel-level privileges. (CVE-2017-2545)

  - A flaw exists in the Speech Framework, specifically     within the speechsynthesisd service, due to improper     validation of unsigned dynamic libraries (.dylib) before     being loaded. A local attacker can exploit this to     bypass the application's sandbox and execute arbitrary     code with elevated privileges. (CVE-2017-6977)

  - A memory corruption issue exists in the Accessibility     Framework that allows a local attacker to execute     arbitrary code with system-level privileges.
    (CVE-2017-6978)

  - A race condition exists in the IOSurface component that     allows a local attacker to execute arbitrary code with     kernel-level privileges. (CVE-2017-6979)

  - A logic error exists in the iBooks component due to     improper path validation for symlinks. A local attacker     can exploit this to execute arbitrary code with root     privileges. (CVE-2017-6981)

  - Multiple memory corruption issues exist in SQLite due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these, by     convincing a user to visit a specially crafted website,     to execute arbitrary code. (CVE-2017-6983,     CVE-2017-6991)

  - A memory corruption issue exists in the NVIDIA graphics     drivers that allows a local attacker to execute     arbitrary code with kernel-level privileges.
    (CVE-2017-6985)

  - A memory corruption issue exists in the iBooks component     that allows an unauthenticated, remote attacker to     escape an application's sandbox. (CVE-2017-6986)

  - A certificate validation flaw exists in EAP-TLS within     802.1X authentication when a certificate has changed.
    An unauthenticated, adjacent attacker can exploit this,     via a malicious network with 802.1X authentication, to     capture user network credentials. (CVE-2017-6988)

  - An information disclosure vulnerability exists in HFS     component due to improper sanitization of user-supplied     input. A local attacker can exploit this to read the     contents of restricted memory. (CVE-2017-6990)

  - Multiple type confusion flaws exist in SQLite due to     improper validation of user-supplied input to 'snippet',     'offsets', and 'matchinfo'. An unauthenticated, remote     attacker can exploit these, by convincing a user to     visit a specially crafted website, to execute arbitrary     code. (CVE-2017-7000, CVE-2017-7001, CVE-2017-7002)

  - A denial of service vulnerability exists in the     CoreText component due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this, via a specially crafted file, to crash     an application. (CVE-2017-7003)

  - A race condition exists when performing userspace     entitlement checks. A local attacker can exploit this to     bypass restrictions and send privileged XPC messages     without entitlements. (CVE-2017-7004)

The version of Apple iOS running on the mobile device is prior to 10.3.2. It is, therefore, affected by multiple vulnerabilities :

  - Multiple memory corruption issues exist in the WebKit     component due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     these issues, by convincing a user to visit a specially     crafted website, to execute arbitrary code.
    (CVE-2017-2496, CVE-2017-2505, CVE-2017-2506,     CVE-2017-2514, CVE-2017-2515, CVE-2017-2521,     CVE-2017-2525, CVE-2017-2526, CVE-2017-2530,     CVE-2017-2531, CVE-2017-2538, CVE-2017-2539,     CVE-2017-2544, CVE-2017-2547, CVE-2017-6980,     CVE-2017-6984)

  - A security bypass vulnerability exists in the Security     component in the certificate trust policy. An     unauthenticated, remote attacker can exploit this to     cause untrusted certificates to be treated at trusted.
    (CVE-2017-2498)

  - A memory corruption issue exists in the WebKit Web     Inspector component that allows an unauthenticated,     remote attacker to execute arbitrary code.
    (CVE-2017-2499)

  - An unspecified flaw exists in the Safari component in     the history menu functionality. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition. (CVE-2017-2495)

  - A state management flaw exists in the iBooks component     due to improper handling of URLs. An unauthenticated,     remote attacker can exploit this, via a specially     crafted book, to open arbitrary websites without user     permission. (CVE-2017-2497)

  - A local privilege escalation vulnerability exists in the     Kernel component due to a race condition. A local     attacker can exploit this to execute arbitrary code with     kernel-level privileges. (CVE-2017-2501)

  - An information disclosure vulnerability exists in the     CoreAudio component due to improper sanitization of     user-supplied input. A local attacker can exploit this     to read the contents of restricted memory.
    (CVE-2017-2502)

  - Multiple universal cross-site scripting (XSS)     vulnerabilities exist in WebKit due to improper handling     of WebKit Editor commands, container nodes, pageshow     events, frame loading, and cached frames. An     unauthenticated, remote attacker can exploit this, via a     specially crafted web page, to execute arbitrary script     code in a user's browser session. (CVE-2017-2504,     CVE-2017-2508, CVE-2017-2510, CVE-2017-2528,     CVE-2017-2549)

  - Multiple information disclosure vulnerabilities exist     in the Kernel component due to improper sanitization of     user-supplied input. A local attacker can exploit these     to read the contents of restricted memory.
    (CVE-2017-2507, CVE-2017-6987)

  - A use-after-free error exists in the SQLite component     when handling SQL queries. An unauthenticated, remote     attacker can exploit this to deference already freed     memory, resulting in the execution of arbitrary code.
    (CVE-2017-2513)

  - Multiple buffer overflow conditions exist in the SQLite     component due to the improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit these, via a specially crafted SQL query, to     execute arbitrary code. (CVE-2017-2518, CVE-2017-2520)

  - A memory corruption issue exists in the SQLite component     when handling SQL queries. An unauthenticated, remote     attacker can exploit this, via a specially crafted SQL     query, to execute arbitrary code. (CVE-2017-2519)

  - An unspecified memory corruption issue exists in the     TextInput component when parsing specially crafted data.
    An unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2017-2524)

  - Multiple unspecified flaws exist in WebKit that allow     an unauthenticated, remote attacker to corrupt memory     and execute arbitrary code by using specially crafted     web content. (CVE-2017-2536)

  - An unspecified flaw exists in the IOSurface component     that allows a local attacker to corrupt memory and     execute arbitrary code with kernel-level privileges.
    (CVE-2017-6979)

  - A logic error exists in the iBooks component due to     improper path validation for symlinks. A local attacker     can exploit this to execute arbitrary code with root     privileges. (CVE-2017-6981)

  - An unspecified flaw exists in the Notifications     component that allows a local attacker to cause a denial     of service condition via a specially crafted     application. (CVE-2017-6982)

  - Multiple memory corruption issues exist in SQLite due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these, by     convincing a user to visit a specially crafted website,     to execute arbitrary code.
    (CVE-2017-6983, CVE-2017-6991)

  - An unspecified flaw exists in the AVEVideoEncoder     component that allows a local attacker, via a specially     crafted application, to corrupt memory and execute     arbitrary code with kernel-level privileges.
    (CVE-2017-6989)

  - Multiple type confusion flaws exist in SQLite due to     improper validation of user-supplied input to 'snippet',     'offsets', and 'matchinfo'. An unauthenticated, remote     attacker can exploit these, by convincing a user to     visit a specially crafted website, to execute arbitrary     code. (CVE-2017-7000, CVE-2017-7001, CVE-2017-7002)

  - A denial of service vulnerability exists in the     CoreText component due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this, via a specially crafted file, to crash     an application. (CVE-2017-7003)

  - A race condition exists when performing userspace     entitlement checks. A local attacker can exploit this to     bypass restrictions and send privileged XPC messages     without entitlements. (CVE-2017-7004)

  - A memory corruption issue exists in the JavaScriptCore     component due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this, via specially crafted web content, to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2017-7005)

The remote host is running a version of Mac OS X version 10.x prior to 10.12.5, and is affected by multiple vulnerabilities :

 - An overflow condition exists in the '_XGetWindowMovementGroup()' function within the WindowServer component that is triggered as certain input is not properly validated. This may allow a local attacker to cause a stack-based buffer overflow and potentially execute arbitrary code with the privileges of WindowServer.
 - An unspecified flaw exists in the Intel graphics driver. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel-level privileges.
 - An unspecified flaw exists in the NVIDIA graphics drivers. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel-level privileges.
 - A flaw exists in the speechsynthesisd service, as unsigned dynamic libraries (.dylib) are improperly validated before being loaded. This may allow a local attacker to bypass an application's sandbox and execute arbitrary code with elevated privileges.
 - An unspecified flaw exists in the Speech Framework. This may allow an attacker to escape an application sandbox.
 - A certificate validation flaw exists in 802.1X authentication that is triggered in EAP-TLS when a certificate has changed. This may allow a context-dependent attacker to disclose user network credentials.
 - A type confusion flaw exists in SQLite that is triggered as certain input related to 'snippet' is not properly validated. With specially crafted web content, a context-dependent attacker can corrupt memory and potentially execute arbitrary code.

This product is also affected by vulnerabilities found in the following components:

 - Accessibility
 - CoreAnimation
 - CoreAudio
 - CoreFoundation
 - DiskArbitration
 - Foundation
 - HFS
 - iBooks
 - IOSurface
 - Kernel)
 - Multi-Touch 
 - SQLite
 - Sandbox
 - Security
 - TextInput
 - WindowServer

The version of iOS running on the mobile device is prior to 10.3.2, and is affected by multiple vulnerabilities :

 - A use-after-free error exists in the handling of RenderElement objects. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the handling of RenderLayer objects. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the handling of RenderInline objects. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists related to the certificate trust policy that is triggered when handling trust acceptance. This may allow a context-dependent attacker to potentially cause untrusted certificates to be treated as trusted.
 - An unspecified flaw exists in the Safari history menu. With a specially crafted web page, a context-dependent attacker can cause an application denial of service.
 - A logic flaw exists that allows a universal cross-site scripting (UXSS) attack. The issue is triggered when handling WebKit Editor commands. This may allow a context-dependent attacker to create a specially crafted web page that will execute arbitrary script code in a user's browser session within the trust relationship between their browser and any website.
 - A type confusion flaw exists in SQLite that is triggered as certain input related to 'snippet' is not properly validated. With specially crafted web content, a context-dependent attacker can corrupt memory and potentially execute arbitrary code.

This product is also affected by vulnerabilities found in the following components:

 - AVEVideoEncoder
 - CoreAudio
 - CoreFoundation
 - Foundation
 - iBooks 
 - IOSurface
 - Kernel
 - TextInput
 - Notifications
 - SQLite
 - WebKit
 - Web Inspector 

According to its banner, the version of Apple TV on the remote device is prior to 10.2.1. It is, therefore, affected by multiple vulnerabilities :

  - A memory corruption issue exists in the WebKit Web     Inspector component that allows an unauthenticated,     remote attacker to execute arbitrary code.
    (CVE-2017-2499)

  - An unspecified race condition exists in the Kernel     component that allows a local attacker to execute     arbitrary code with kernel-level privileges.
    (CVE-2017-2501)

  - An information disclosure vulnerability exists in the     CoreAudio component due to improper sanitization of     certain input. A local attacker can exploit this to read     the contents of restricted memory. (CVE-2017-2502)

  - A universal cross-site scripting (XSS) vulnerability     exists in WebKit due to a logic flaw when handling     WebKit Editor commands. An unauthenticated, remote     attacker can exploit this, via a specially crafted web     page, to execute arbitrary script code in a user's     browser session. (CVE-2017-2504)

  - Multiple memory corruption issues exist in WebKit due to     improper validation of certain input. An     unauthenticated, remote attacker can exploit these to     execute arbitrary code. (CVE-2017-2505, CVE-2017-2515,     CVE-2017-2521, CVE-2017-2530, CVE-2017-2531,     CVE-2017-6980, CVE-2017-6984)

  - Multiple information disclosure vulnerabilities exist     in the Kernel component due to improper sanitization of     certain input. A local attacker can exploit these to     read the contents of restricted memory. (CVE-2017-2507,     CVE-2017-6987)

  - A use-after-free error exists in the SQLite component     when handling SQL queries. An unauthenticated, remote     attacker can exploit this to deference already freed     memory, resulting in the execution of arbitrary code.
    (CVE-2017-2513)

  - Multiple buffer overflow conditions exist in the SQLite     component due to the improper validation of certain     input. An unauthenticated, remote attacker can exploit     these, via a specially crafted SQL query, to execute     arbitrary code. (CVE-2017-2518, CVE-2017-2520)

  - A memory corruption issue exists in the SQLite component     when handling SQL queries. An unauthenticated, remote     attacker can exploit this, via a specially crafted     query, to execute arbitrary code. (CVE-2017-2519)

  - An unspecified memory corruption issue exists in the     TextInput component when parsing specially crafted data.
    An unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2017-2524)

  - A use-after-free error exists in WebKit when handling     RenderLayer objects. An unauthenticated, remote attacker     can exploit this, via a specially crafted web page, to     deference already freed memory, resulting in the     execution of arbitrary code. (CVE-2017-2525)

  - Multiple unspecified flaws exist in WebKit that allow     an unauthenticated, remote attacker to corrupt memory     and execute arbitrary code by using specially crafted     web content. (CVE-2017-2536)

  - A universal cross-site scripting (XSS) vulnerability     exists in WebKit due to a logic error when handling     frame loading. An unauthenticated, remote attacker can     exploit this, via a specially crafted web page, to     execute arbitrary code in a user's browser session.
    (CVE-2017-2549)

  - An unspecified flaw exists in the IOSurface component     that allows a local attacker to corrupt memory and     execute arbitrary code with kernel-level privileges.
    (CVE-2017-6979)

  - An unspecified flaw exists in the AVEVideoEncoder     component that allows a local attacker, via a specially     crafted application, to corrupt memory and execute     arbitrary code with kernel-level privileges.
    (CVE-2017-6989)

  - A denial of service vulnerability exists in the     CoreText component due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this, via a specially crafted file, to crash     an application. (CVE-2017-7003)

  - A memory corruption issue exists in the JavaScriptCore     component due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this, via specially crafted web content, to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2017-7005)

Note that only 4th generation models are affected by these vulnerabilities.

ID	Name	Product	Family	Severity
700118	Apple TV < 10.2.1 Multiple Vulnerabilities	Nessus Network Monitor	Internet Services	critical
100270	macOS 10.12.x < 10.12.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
100269	Apple iOS < 10.3.2 Multiple Vulnerabilities	Nessus	Mobile Devices	high
700119	Mac OS X 10.x < 10.12.5 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
700116	Apple iOS < 10.3.2 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	critical
100256	Apple TV < 10.2.1 Multiple Vulnerabilities	Nessus	Misc.	high

CVE-2017-6987

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

high

critical

critical

high