Mac OS X 10.11.x < 10.11.4 Multiple Vulnerabilities

critical Nessus Plugin ID 90096

Language:

New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Mac OS X host is affected by multiple vulnerabilities.

Description

The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.4. It is, therefore, affected by multiple vulnerabilities in the following components :

 - apache_mod_php
 - AppleRAID
 - AppleUSBNetworking
 - Bluetooth
 - Carbon
 - dyld
 - FontParser
 - HTTPProtocol
 - Intel Graphics Driver
 - IOFireWireFamily
 - IOGraphics
 - IOHIDFamily
 - IOUSBFamily
 - Kernel
 - libxml2
 - Messages
 - NVIDIA Graphics Drivers
 - OpenSSH
 - OpenSSL
 - Python
 - QuickTime
 - Reminders
 - Ruby
 - Security
 - Tcl
 - TrueTypeScaler
 - Wi-Fi

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

Solution

Upgrade to Mac OS X version 10.11.4 or later.

See Also

https://support.apple.com/en-us/HT206167

http://www.nessus.org/u?6c87f79a

Plugin Details

Severity: Critical

ID: 90096

File Name: macosx_10_11_4.nasl

Version: 1.17

Type: combined

Agent: macosx

Published: 3/22/2016

Updated: 11/20/2019

Dependencies: ssh_get_info.nasl, os_fingerprint.nasl

Risk Information

CVSS Score Source: CVE-2016-1761

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:H/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:apple:mac_os_x

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/21/2016

Vulnerability Publication Date: 12/18/2014

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2014-9495, CVE-2015-0973, CVE-2015-1819, CVE-2015-3195, CVE-2015-5312, CVE-2015-7499, CVE-2015-7500, CVE-2015-7551, CVE-2015-7942, CVE-2015-8035, CVE-2015-8126, CVE-2015-8242, CVE-2015-8472, CVE-2015-8659, CVE-2016-0777, CVE-2016-0778, CVE-2016-0801, CVE-2016-0802, CVE-2016-1732, CVE-2016-1733, CVE-2016-1734, CVE-2016-1735, CVE-2016-1736, CVE-2016-1737, CVE-2016-1738, CVE-2016-1740, CVE-2016-1741, CVE-2016-1743, CVE-2016-1744, CVE-2016-1745, CVE-2016-1746, CVE-2016-1747, CVE-2016-1748, CVE-2016-1749, CVE-2016-1750, CVE-2016-1752, CVE-2016-1753, CVE-2016-1754, CVE-2016-1755, CVE-2016-1756, CVE-2016-1757, CVE-2016-1758, CVE-2016-1759, CVE-2016-1761, CVE-2016-1762, CVE-2016-1764, CVE-2016-1767, CVE-2016-1768, CVE-2016-1769, CVE-2016-1770, CVE-2016-1773, CVE-2016-1775, CVE-2016-1788, CVE-2016-1950

BID: 71820, 71994, 75570, 77390, 77568, 77681, 78624, 78626, 79507, 79509, 79536, 79562, 80438, 80695, 80698

APPLE-SA: APPLE-SA-2016-03-21-5