Mac OS X Multiple Vulnerabilities (Security Update 2017-002)

high Nessus Plugin ID 100271

Synopsis

The remote host is missing a Mac OS X update that fixes multiple security vulnerabilities.

Description

The remote host is running a version of Mac OS X 10.10.5 or 10.11.6 that is missing a security update. It is, therefore, affected by multiple vulnerabilities:

- A memory corruption issue exists in the Sandbox component that allows an unauthenticated, remote attacker to escape an application sandbox. (CVE-2017-2512)

- An information disclosure vulnerability exists in the Kernel component due to improper sanitization of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-2516)

- An unspecified memory corruption issue exists in the TextInput component when parsing specially crafted data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2524)

- A flaw exists in the CoreAnimation component when handling specially crafted data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2527)

- A race condition exists in the DiskArbitration feature that allows a local attacker to gain system-level privileges. (CVE-2017-2533)

- A resource exhaustion issue exists in the Security component due to improper validation of user-supplied input. A local attacker can exploit this to exhaust resources and escape an application sandbox. (CVE-2017-2535)

- Multiple memory corruption issues exist in the WindowServer component that allow a local attacker to execute arbitrary code with system-level privileges. (CVE-2017-2537, CVE-2017-2548)

- An information disclosure vulnerability exists in the WindowServer component in the _XGetConnectionPSN() function due to improper validation of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-2540)

- A stack-based buffer overflow condition exists in the WindowServer component in the _XGetWindowMovementGroup() function due to improper validation of user-supplied input. A local attacker can exploit this to execute arbitrary code with the privileges of WindowServer. (CVE-2017-2541)

- A memory corruption issue exists in the Kernel component that allows a local attacker to gain kernel-level privileges. (CVE-2017-2546)

- A race condition exists in the IOSurface component that allows a local attacker to execute arbitrary code with kernel-level privileges. (CVE-2017-6979)

- An information disclosure vulnerability exists in the HFS component due to improper sanitization of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-6990)

Solution

Install Security Update 2017-002 or later.

See Also

https://support.apple.com/en-us/HT207797

http://seclists.org/fulldisclosure/2017/May/47

Plugin Details

Severity: High

ID: 100271

File Name: macosx_SecUpd_10_11_6_2017-002__10_10_5_2017-002.nasl

Version: 1.6

Type: local

Agent: macosx

Published: 5/18/2017

Updated: 11/13/2019

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2017-2548

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:apple:mac_os_x

Required KB Items: Host/local_checks_enabled, Host/MacOSX/Version, Host/MacOSX/packages/boms

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/15/2017

Vulnerability Publication Date: 5/15/2017

Reference Information

CVE: CVE-2017-2512, CVE-2017-2516, CVE-2017-2524, CVE-2017-2527, CVE-2017-2533, CVE-2017-2535, CVE-2017-2537, CVE-2017-2540, CVE-2017-2541, CVE-2017-2546, CVE-2017-2548, CVE-2017-6979, CVE-2017-6990

BID: 98483

APPLE-SA: APPLE-SA-2017-05-15-1