macOS 10.12.x < 10.12.5 Multiple Vulnerabilities

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote host is missing a macOS update that fixes multiple security
vulnerabilities.

Description :

The remote host is running a version of macOS that is 10.12.x prior to
10.12.5. It is, therefore, affected by multiple vulnerabilities :

- Multiple memory corruption issues exist in the Kernel
component that allow a local attacker to gain
kernel-level privileges. (CVE-2017-2494, CVE-2017-2546)

- A state management flaw exists in the iBooks component
due to improper handling of URLs. An unauthenticated,
remote attacker can exploit this, via a specially
crafted book, to open arbitrary websites without user
permission. (CVE-2017-2497)

- A local privilege escalation vulnerability exists in the
Kernel component due to a race condition. A local
attacker can exploit this to execute arbitrary code with
kernel-level privileges. (CVE-2017-2501)

- An information disclosure vulnerability exists in the
CoreAudio component due to improper sanitization of
user-supplied input. A local attacker can exploit this
to read the contents of restricted memory.
(CVE-2017-2502)

- A memory corruption issue exists in the Intel graphics
driver component that allows a local attacker to execute
arbitrary code with kernel-level privileges.
(CVE-2017-2503)

- Multiple information disclosure vulnerabilities exist
in the Kernel component due to improper sanitization of
user-supplied input. A local attacker can exploit these
to read the contents of restricted memory.
(CVE-2017-2507, CVE-2017-2509, CVE-2017-2516,
CVE-2017-6987)

- A memory corruption issue exists in the Sandbox
component that allows an unauthenticated, remote
attacker to escape an application sandbox.
(CVE-2017-2512)

- A use-after-free error exists in the SQLite component
when handling SQL queries. An unauthenticated, remote
attacker can exploit this to dereference already freed
memory, resulting in the execution of arbitrary code.
(CVE-2017-2513)

- Multiple buffer overflow conditions exist in the SQLite
component due to the improper validation of
user-supplied input. An unauthenticated, remote attacker
can exploit these, via a specially crafted SQL query, to
execute arbitrary code. (CVE-2017-2518, CVE-2017-2520)

- A memory corruption issue exists in the SQLite component
when handling SQL queries. An unauthenticated, remote
attacker can exploit this, via a specially crafted SQL
query, to execute arbitrary code. (CVE-2017-2519)

- An unspecified memory corruption issue exists in the
TextInput component when parsing specially crafted data.
An unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2017-2524)

- A flaw exists in the CoreAnimation component when
handling specially crafted data. An unauthenticated,
remote attacker can exploit this to execute arbitrary
code. (CVE-2017-2527)

- A race condition exists in the DiskArbitration feature
that allows a local attacker to gain system-level
privileges. (CVE-2017-2533)

- An unspecified flaw exists in the Speech Framework that
allows a local attacker to escape an application
sandbox. (CVE-2017-2534)

- A resource exhaustion issue exists in the Security
component due to improper validation of user-supplied
input. A local attacker can exploit this to exhaust
resources and escape an application sandbox.
(CVE-2017-2535)

- Multiple memory corruption issues exist in the
WindowServer component that allow a local attacker to
execute arbitrary code with system-level privileges.
(CVE-2017-2537, CVE-2017-2548)

- An information disclosure vulnerability exists in the
WindowServer component in the _XGetConnectionPSN()
function due to improper validation of user-supplied
input. A local attacker can exploit this to read the
contents of restricted memory. (CVE-2017-2540)

- A stack-based buffer overflow condition exists in the
WindowServer component in the _XGetWindowMovementGroup()
function due to improper validation of user-supplied
input. A local attacker can exploit this to execute
arbitrary code with the privileges of WindowServer.
(CVE-2017-2541)

- Multiple memory corruption issues exist in the
Multi-Touch component that allow a local attacker to
execute arbitrary code with kernel-level privileges.
(CVE-2017-2542, CVE-2017-2543)

- A use-after-free error exists in the IOGraphic component
that allows a local attacker to execute arbitrary code
with kernel-level privileges. (CVE-2017-2545)

- A flaw exists in the Speech Framework, specifically
within the speechsynthesisd service, due to improper
validation of unsigned dynamic libraries (.dylib) before
being loaded. A local attacker can exploit this to
bypass the application's sandbox and execute arbitrary
code with elevated privileges. (CVE-2017-6977)

- A memory corruption issue exists in the Accessibility
Framework that allows a local attacker to execute
arbitrary code with system-level privileges.
(CVE-2017-6978)

- A race condition exists in the IOSurface component that
allows a local attacker to execute arbitrary code with
kernel-level privileges. (CVE-2017-6979)

- A logic error exists in the iBooks component due to
improper path validation for symlinks. A local attacker
can exploit this to execute arbitrary code with root
privileges. (CVE-2017-6981)

- Multiple memory corruption issues exist in SQLite due to
improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit these, by
convincing a user to visit a specially crafted website,
to execute arbitrary code. (CVE-2017-6983,
CVE-2017-6991)

- A memory corruption issue exists in the NVIDIA graphics
drivers that allows a local attacker to execute
arbitrary code with kernel-level privileges.
(CVE-2017-6985)

- A memory corruption issue exists in the iBooks component
that allows an unauthenticated, remote attacker to
escape an application's sandbox. (CVE-2017-6986)

- A certificate validation flaw exists in EAP-TLS within
802.1X authentication when a certificate has changed.
An unauthenticated, adjacent attacker can exploit this,
via a malicious network with 802.1X authentication, to
capture user network credentials. (CVE-2017-6988)

- An information disclosure vulnerability exists in the
HFS component due to improper sanitization of
user-supplied input. A local attacker can exploit this
to read the contents of restricted memory. (CVE-2017-6990)

- Multiple type confusion flaws exist in SQLite due to
improper validation of user-supplied input to 'snippet',
'offsets', and 'matchinfo'. An unauthenticated, remote
attacker can exploit these, by convincing a user to
visit a specially crafted website, to execute arbitrary
code. (CVE-2017-7000, CVE-2017-7001, CVE-2017-7002)

- A denial of service vulnerability exists in the
CoreText component due to improper validation of
user-supplied input. An unauthenticated, remote attacker
can exploit this, via a specially crafted file, to crash
an application. (CVE-2017-7003)

- A race condition exists when performing userspace
entitlement checks. A local attacker can exploit this to
bypass restrictions and send privileged XPC messages
without entitlements. (CVE-2017-7004)

See also :

https://support.apple.com/en-us/HT207797
http://seclists.org/fulldisclosure/2017/May/47

Solution :

Upgrade to macOS version 10.12.5 or later.
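The affected-version test this plugin applies (a 10.12.x release older than 10.12.5) written out as a standalone POSIX sh function, so the result can be reproduced on a host without the scanner. This is an added example, not code from the Tenable plugin or from Apple's advisory; the function name macos_affected, its return-code convention and the sample version strings are constructed here. On a macOS host the script reads the live version with `sw_vers -productVersion`; on any other system it only defines the function.

```shell
#!/bin/sh
# Added example (not part of the Tenable plugin): classify a macOS product
# version string against the range fixed by this update, 10.12.x < 10.12.5.
# Return codes:
#   0  affected (10.12.0 .. 10.12.4; a missing patch field counts as .0)
#   1  not affected (10.12.5 or later, or a different 10.x train)
#   2  unparsable input; treat as "needs manual review", not as clean
macos_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    [ -z "$patch" ] && patch=0

    # Every field must be purely numeric; "10.12.4beta" or "" is rejected.
    for f in "$major" "$minor" "$patch"; do
        case "$f" in
            ''|*[!0-9]*) return 2 ;;
        esac
    done

    # Only the 10.12 train is in scope; 10.12.5 is the first fixed build.
    [ "$major" -eq 10 ] && [ "$minor" -eq 12 ] && [ "$patch" -lt 5 ]
}

# Check the live host when sw_vers exists (macOS); elsewhere do nothing.
if command -v sw_vers >/dev/null 2>&1; then
    v=$(sw_vers -productVersion)
    rc=0
    macos_affected "$v" || rc=$?
    case "$rc" in
        0) echo "macOS $v is affected: upgrade to 10.12.5 or later" ;;
        1) echo "macOS $v is outside the range 10.12.x < 10.12.5" ;;
        *) echo "could not parse version string '$v'; review manually" ;;
    esac
fi
```

The three-way result matters for a defender's inventory: a version string that does not parse (a pre-release tag, an empty value from a broken agent) should surface for review rather than silently land in the "not affected" bucket, which is how unpatched hosts disappear from remediation lists.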

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true