Apple TV < 7.2 Multiple Vulnerabilities

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote device is affected by multiple vulnerabilities.

Description :

According to its banner, the remote Apple TV device is a version prior
to 7.2. It is, therefore, affected by the following vulnerabilities :

- Multiple memory corruption vulnerabilities exist in
WebKit due to improperly validated user-supplied input.
A remote attacker, using a specially crafted website,
can exploit these to execute arbitrary code.
(CVE-2015-1068, CVE-2015-1069, CVE-2015-1070,
CVE-2015-1071, CVE-2015-1072, CVE-2015-1073,
CVE-2015-1074, CVE-2015-1076, CVE-2015-1077,
CVE-2015-1078, CVE-2015-1079, CVE-2015-1080,
CVE-2015-1081, CVE-2015-1082, CVE-2015-1083,
CVE-2015-1119, CVE-2015-1120, CVE-2015-1121,
CVE-2015-1122, CVE-2015-1123, CVE-2015-1124)

- An error exists in the IOKit objects due to improper
validation of metadata used by an audio driver, which
allows arbitrary code execution. (CVE-2015-1086)

- An XML External Entity (XXE) injection vulnerability
exists in the NSXMLParser due to improper handling of
XML files, which allows information disclosure.
(CVE-2015-1092)

- An error exists in the IOAcceleratorFamily that allows
the kernel memory layout to be disclosed.
(CVE-2015-1094)

- A memory corruption vulnerability exists in the
IOHIDFamily API that allows arbitrary code execution.
(CVE-2015-1095)

- An error exists in the IOHIDFamily due to improper
bounds checking, which allows the kernel memory layout
to be disclosed. (CVE-2015-1096)

- An error exists in the MobileFrameBuffer due to improper
bounds checking, which allows the kernel memory layout
to be disclosed. (CVE-2015-1097)

- A denial of service vulnerability exists in the
setreuid() system call due to a race condition.
(CVE-2015-1099)

- An out-of-bounds memory error exists in the kernel that
allows a denial of service attack or information
disclosure. (CVE-2015-1100)

- A memory corruption vulnerability exists in the kernel
that allows arbitrary code execution. (CVE-2015-1101)

- A denial of service vulnerability exists due to a state
inconsistency in the processing of TCP headers, which
can only be exploited from an adjacent network.
(CVE-2015-1102)

- A vulnerability exists that allows a man-in-the-middle
attacker to redirect traffic via ICMP redirects.
(CVE-2015-1103)

- A security bypass vulnerability exists due to the
system treating remote IPv6 packets as local packets,
which allows an attacker to bypass network filters.
(CVE-2015-1104)

- A denial of service vulnerability exists due to improper
processing of TCP out-of-band data, which a remote
attacker can exploit. (CVE-2015-1105)

- An information disclosure vulnerability exists due to
unique identifiers being sent to remote servers when
downloading assets for a podcast. (CVE-2015-1110)

- An information disclosure vulnerability exists in the
third-party application sandbox that allows hardware
identifiers to be accessible by other applications.
(CVE-2015-1114)

- A privilege escalation vulnerability exists in the
setreuid() and setregid() system calls due to a failure
to drop privileges permanently. (CVE-2015-1117)

- A memory corruption vulnerability exists due to improper
bounds checking when processing configuration profiles,
which allows a denial of service attack. (CVE-2015-1118)

See also :

https://support.apple.com/en-us/HT204662
http://www.nessus.org/u?a7d3541a

Solution :

Upgrade to Apple TV 7.2 or later. Note that this update is only
available for 3rd generation and later models.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true