macOS < 10.11.5 Multiple Vulnerabilities

High Log Correlation Engine Plugin ID 802004

Synopsis

The specific version of Mac OS X that the system is running is reportedly affected by multiple vulnerabilities.

Description

The specific version of Mac OS X that the system is running is reportedly affected by the following vulnerabilities:

- Apple Mac OS X contains a use-after-free error in the WindowServer process that is triggered when handling CFData objects in memory. This may allow a local attacker to dereference already freed memory and gain elevated privileges. (CVE-2016-1804)

- Apple Mac OS X contains an array indexing flaw in the blit3d_submit_commands() function within the IOAcceleratorFamily component. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1815)

- Multiple Apple products contain a flaw that is triggered as HTTP and HTTPS requests are not properly handled. This may allow an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) to disclose transmitted data. (CVE-2016-1801)

- Multiple Apple products contain a flaw that is triggered when handling return values related to key lengths in CommonCrypto (CCCrypt). This may allow a local attacker to gain unauthorized access to sensitive user information. (CVE-2016-1802)

- Multiple Apple products contain a NULL pointer dereference flaw in CoreCapture that is triggered as input is not properly validated. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1803)

- Multiple Apple products contain a flaw related to disk images that is triggered by a race condition related to locking. This may allow a local attacker to gain unauthorized access to kernel memory information. (CVE-2016-1807)

- Multiple Apple products contain a flaw that is triggered as user-supplied input is not properly validated when handling disk images. This may allow a local attacker to corrupt memory to cause a denial of service or potentially execute arbitrary code. (CVE-2016-1808)

- Multiple Apple products contain a NULL pointer dereference flaw in ImageIO that is triggered when handling a specially crafted image. This may allow a context-dependent attacker to cause a denial of service. (CVE-2016-1811)

- Multiple Apple products contain an overflow condition in the IOAcceleratorFamily component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a buffer overflow and potentially execute arbitrary code with kernel privileges. (CVE-2016-1817)

- Multiple Apple products contain a flaw in the IOAcceleratorFamily component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1818)

- Multiple Apple products contain a use-after-free condition in the IOAcceleratorFamily component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to dereference already freed memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1819)

- Multiple Apple products contain a NULL pointer dereference in IOAcceleratorFamily related to improper locking. This may allow a local attacker to cause a denial of service. (CVE-2016-1814)

- Multiple Apple products contain a NULL pointer dereference in the IOAccelSharedUserClient2::page_off_resource() function that is triggered as user-supplied input is not properly sanitized. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1813)

- Multiple Apple products contain an out-of-bounds access flaw in the IOHIDFamily component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1823)

- Multiple Apple products contain a flaw in the IOHIDFamily component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory to cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1824)

- Multiple Apple products contain a flaw in the kernel. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1827, CVE-2016-1828, CVE-2016-1829, CVE-2016-1830, CVE-2016-1831)

- Multiple Apple products contain a flaw in libc. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-1832)

- Libxml2 contains an overflow condition in the xmlStrncatNew() function of xmlstring.c. The issue is triggered as user-supplied input is not properly validated when handling a string with a NULL. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-1834)

- Libxml2 contains a use-after-free error in the xmlParseStartTag2() function of parser.c. The issue is triggered when parsing complex names. With a specially crafted file, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1835)

- Libxml2 contains a use-after-free error in the xmlParseNCNameComplex() function of parser.c. The issue is triggered when parsing complex names. With a specially crafted file, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1836)

- Libxml2 contains an overflow condition in the htmlParseSystemLiteral() and htmlParsePubidLiteral() functions of HTMLparser.c. The issue is triggered as user-supplied input is not properly validated when parsing characters in a range. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-1837)

- Libxml2 contains an overflow condition in the xmlFAParseCharRange() function of xmlregexp.c. The issue is triggered as user-supplied input is not properly validated when parsing characters in a range. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-1840)

- Multiple Apple products contain a flaw in libxslt. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted website. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1841)

- Multiple Apple products contain a flaw in MapKit that is triggered as shared links are transferred insecurely over HTTP. This may potentially allow a man-in-the-middle attacker to gain unauthorized access to sensitive information in these links. (CVE-2016-1842)

- Multiple Apple products contain a flaw in the OpenGL component. The issue is triggered as user-supplied input is not properly validated when handling specially crafted web content. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-1847)

- Apple Mac OS X contains a flaw in the AMD component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1792)

- Apple Mac OS X contains a flaw in the AMD component. The issue is triggered as bounds are not properly checked. This may allow a local attacker to determine kernel memory layout. (CVE-2016-1791)

- Apple Mac OS X contains a NULL pointer dereference flaw in the AppleGraphicsControl component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1793)

- Apple Mac OS X contains a NULL pointer dereference flaw in the AppleGraphicsControlClient::checkArguments() function in AppleMuxControl.kext that is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1794)

- Apple Mac OS X contains a flaw in the AppleGraphicsPowerManagement component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1795)

- Apple Mac OS X contains an out-of-bounds read flaw in the ATS component. This may allow a local attacker to potentially disclose kernel memory layout. (CVE-2016-1796)

- Apple Mac OS X contains a flaw in the ATS component that is triggered as the sandbox policy is not properly implemented for FontValidator. This may allow a local attacker to potentially execute arbitrary code with system privileges. (CVE-2016-1797)

- Apple Mac OS X contains a NULL pointer dereference flaw in the Audio component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a denial of service. (CVE-2016-1798)

- Apple Mac OS X contains a flaw in the Audio component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1799)

- Apple Mac OS X contains a flaw in the Captive Network Assistant component that is triggered as URL schemes are not properly validated. This may allow a user-assisted, man-in-the-middle attacker to potentially execute arbitrary code. (CVE-2016-1800)

- Apple Mac OS X contains an unspecified configuration flaw in the CoreStorage component. This may allow a local attacker to potentially execute arbitrary code with kernel privileges. (CVE-2016-1805)

- Apple Mac OS X contains a flaw in the Crash Reporter component (com.apple.SubmitDiagInfo) that is triggered when handling user-supplied paths when creating directories. This may allow a local attacker to execute arbitrary code with root privileges. (CVE-2016-1806)

- Apple Mac OS X contains a flaw in the Disk Utility component that is triggered as the incorrect keys were used to encrypt disk images. This may result in disk images not being properly compressed and encrypted. (CVE-2016-1809)

- Apple Mac OS X contains a NULL pointer dereference flaw in the ImageIO component that is triggered when handling a specially crafted image. This may allow a context-dependent attacker to cause a denial of service. (CVE-2016-1810)

- Apple Mac OS X contains an overflow condition in the Intel Graphics Driver component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code with kernel privileges. (CVE-2016-1812)

- Apple Mac OS X contains a NULL pointer dereference in IOAcceleratorFamily that is triggered as user-supplied input is not properly sanitized. This may allow a local attacker to execute arbitrary code with kernel privileges. (CVE-2016-1816)

- Apple Mac OS X contains an overflow condition in the IOAudioFamily component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code with kernel privileges. (CVE-2016-1820)

- Apple Mac OS X contains a NULL pointer dereference in the IOAudioFamily component. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1821)

- Apple Mac OS X contains a flaw in the IOFireWireFamily component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1822)

- Apple Mac OS X contains multiple flaws in the IOHIDFamily component. These issues are triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1825)

- Apple Mac OS X contains an integer overflow condition in its dtrace implementation. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to execute arbitrary code with kernel privileges. (CVE-2016-1826)

- Apple Mac OS X contains a flaw in the Messages component that is triggered by a failure to properly validate roster changes. This may allow an authenticated remote attacker, or a malicious server, to manipulate another user's contact list. (CVE-2016-1844)

- Apple Mac OS X contains a flaw in the Messages component that is triggered by an encoding issue in filename parsing. This may allow a remote attacker to gain unauthorized access to potentially sensitive user information. (CVE-2016-1843)

- Apple Mac OS X contains a NULL pointer dereference flaw in the nvCommandQueue::GetHandleIndex() function in the NVIDIA Graphics Driver (GeForce.kext). This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1846)

- Apple Mac OS X contains a flaw in the QuickTime component. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted file. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-1848)

- Apple Mac OS X contains a flaw in the SceneKit component. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted file. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-1850)

- Apple Mac OS X contains a flaw in the management of password profiles. This may allow a physically present attacker to bypass the screen lock and reset an expired password. (CVE-2016-1851)

- Apple Mac OS X contains a flaw in the Tcl component related to the usage of SSLv2. This may potentially allow an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) to disclose transmitted data. (CVE-2016-1853)

- Apple Mac OS X contains an overflow condition in the NVIDIA Graphics Driver (GeForce.kext). This may allow a local attacker to cause a stack-based buffer overflow and potentially execute arbitrary code with kernel privileges. Technical Information: This issue was split out from VulnDB ID 138609, as it was assigned a separate CVE ID. (CVE-2016-1861)

- No description supplied (CVE-2016-1833, CVE-2016-1839, CVE-2016-1815, CVE-2016-1804)

Solution

It has been reported that these issues have been fixed. Please refer to the product listing for upgraded versions that address these vulnerabilities.

See Also

https://bugs.chromium.org/p/project-zero/issues/detail?id=724

https://support.apple.com/en-us/HT206567

http://seclists.org/bugtraq/2016/May/76

http://seclists.org/fulldisclosure/2016/May/45

http://blog.trendmicro.com/pwn2own-2016-begun/

http://community.hpe.com/t5/Security-Research/Pwn2Own-2016-Closing-out-the-first-day/ba-p/6842359

http://blog.trendmicro.com/pwn2own-day-1-recap/

http://community.hpe.com/t5/Security-Research/Zero-Day-Initiative-announces-Pwn2Own-2016/ba-p/6831571

http://community.hpe.com/t5/Security-Research/Pwn2Own-2016-The-lineup-and-schedule/ba-p/6841867

https://twitter.com/thehpesr/status/710223359137550336

http://www.zerodayinitiative.com/advisories/ZDI-16-358/

https://www.youtube.com/watch?v=Sh8pveFv2DI

http://community.hpe.com/t5/Security-Research/Pwn2Own-2016-Day-two-crowning-the-Master-of-Pwn/ba-p/6842863

http://blog.trendmicro.com/pwn2own-day-2-event-wrap/

https://twitter.com/thehpesr/status/710518333511114752

https://twitter.com/thezdi/status/710518327479635968

http://www.zerodayinitiative.com/advisories/ZDI-16-345/

https://support.apple.com/en-us/HT206568

https://support.apple.com/en-us/HT206564

http://seclists.org/bugtraq/2016/May/74

http://seclists.org/fulldisclosure/2016/May/41

http://seclists.org/fulldisclosure/2016/May/43

http://jvn.jp/vu/JVNVU91632741/index.html

http://jvn.jp/vu/JVNVU90289707/index.html

https://support.apple.com/en-us/HT206566

http://seclists.org/bugtraq/2016/May/73

http://seclists.org/bugtraq/2016/May/75

http://seclists.org/fulldisclosure/2016/May/44

https://bugs.chromium.org/p/project-zero/issues/detail?id=777

https://www.google.com/about/appsecurity/research/

http://www.zerodayinitiative.com/advisories/ZDI-16-339/

https://bugs.chromium.org/p/project-zero/issues/detail?id=732

https://bugs.chromium.org/p/project-zero/issues/detail?id=730

http://www.zerodayinitiative.com/advisories/ZDI-16-340/

https://bugs.chromium.org/p/project-zero/issues/detail?id=772

https://bugs.chromium.org/p/project-zero/issues/detail?id=778

https://bugs.chromium.org/p/project-zero/issues/detail?id=774

http://www.scmagazine.com/gchq-infosec-group-disclosed-kernel-privilege-exploit-to-apple/article/498288/

http://xmlsoft.org/news.html

http://bugzilla.gnome.org/show_bug.cgi?id=763071

https://groups.google.com/forum/#!topic/ruby-security-ann/RCHyF5K9Lbc

http://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMAX-EdgeRouter-software-release-v1-8-5/ba-p/1591710

https://bugs.chromium.org/p/chromium/issues/detail?id=629852

https://bugs.chromium.org/p/chromium/issues/detail?id=614405

http://www-01.ibm.com/support/docview.wss?uid=swg21989043

https://www.debian.org/security/2016/dsa-3593

https://www.alienvault.com/forums/discussion/7243/security-advisory-alienvault-v5-2-5-addresses-26-vulnerabilities

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00012.html

http://www.ubuntu.com/usn/usn-2994-1/

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00026.html

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00025.html

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00029.html

https://www.suse.com/support/update/announcement/2016/suse-su-20161538-1.html

http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html

http://www.splunk.com/view/SP-CAAAPQM

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

http://seclists.org/bugtraq/2016/Jun/14

https://bugzilla.gnome.org/show_bug.cgi?id=759020

https://bugzilla.gnome.org/show_bug.cgi?id=759398

https://support.apple.com/en-us/HT206903

https://support.apple.com/en-us/HT206902

https://support.apple.com/en-us/HT206904

https://support.apple.com/en-us/HT206905

https://support.apple.com/en-us/HT206901

https://support.apple.com/en-us/HT206899

http://seclists.org/bugtraq/2016/Jul/75

http://seclists.org/bugtraq/2016/Jul/76

http://seclists.org/bugtraq/2016/Jul/77

http://seclists.org/bugtraq/2016/Jul/78

http://seclists.org/bugtraq/2016/Jul/79

http://seclists.org/bugtraq/2016/Jul/80

http://jvn.jp/vu/JVNVU94844193/index.html

https://bugzilla.gnome.org/show_bug.cgi?id=760263

https://bugzilla.gnome.org/show_bug.cgi?id=758605

https://bugzilla.gnome.org/show_bug.cgi?id=757711

https://bugs.chromium.org/p/project-zero/issues/detail?id=782

https://bugs.chromium.org/p/project-zero/issues/detail?id=783

http://www.zerodayinitiative.com/advisories/ZDI-16-361/

http://www.zerodayinitiative.com/advisories/ZDI-16-360/

http://www.zerodayinitiative.com/advisories/ZDI-16-346/

http://www.zerodayinitiative.com/advisories/ZDI-16-347/

https://bugs.chromium.org/p/project-zero/issues/detail?id=776

http://www.zerodayinitiative.com/advisories/ZDI-16-344/

https://bugs.chromium.org/p/project-zero/issues/detail?id=784

http://protekresearchlab.com/cosig-2016-19/

http://www.theregister.co.uk/2016/07/21/wavering_about_apples_latest_security_fix_dont_says_talos/

http://www.infosecurity-magazine.com/news/stagefright-returns-users-urged-to/

http://www.zdnet.com/article/ios-mac-flaw-exposes-your-password-with-one-image-file/

http://www.talosintelligence.com/reports/TALOS-2016-0183/