
Apple TV < 7.0.3 Multiple Vulnerabilities

Critical

Synopsis

The remote host is missing a critical Apple TV patch update.

Description

According to its banner, the remote Apple TV device is missing a security update. It is, therefore, affected by the following vulnerabilities:

- Apple TV is bundled with Apple WebKit. Apple WebKit is affected by several vulnerabilities which would allow a remote attacker to execute arbitrary code or crash the application. (CVE-2014-4476, CVE-2014-4477, CVE-2014-4459, CVE-2014-4479)
- There is a directory-traversal flaw in the 'afc' component which can allow an attacker to access unintended files. (CVE-2014-4480)
- There is a flaw in the 'mach_port_kobject' kernel interface which can allow an attacker to bypass the ASLR protection mechanism. (CVE-2014-4491, CVE-2014-4496)
- There is an integer overflow in CoreGraphics which allows remote code execution. (CVE-2014-4481)
- There is a buffer overflow in FontParser which allows remote code execution. (CVE-2014-4483)
- There is a flaw in the way that FontParser handles crafted .dfont files which can lead to remote code execution. (CVE-2014-4484)
- There is a buffer overflow in the XML parser portion of the Foundation component. (CVE-2014-4485)
- The IOAcceleratorFamily component improperly handles certain types, which can lead to a NULL pointer dereference. (CVE-2014-4486)
- There is a buffer overflow in the IOHIDFamily component. (CVE-2014-4487)
- The IOHIDFamily component does not properly validate resource-queue metadata, allowing remote code execution. (CVE-2014-4488)
- The IOHIDFamily component fails to properly sanitize event queues. This can lead to remote code execution. (CVE-2014-4489)
- The kernel does not enforce read-only attributes, which can allow attackers to bypass access restrictions. (CVE-2014-4495)
- The libnetcore module fails to verify certain data types, which can allow remote code execution in the _networkd context. (CVE-2014-4492)

Solution

Upgrade to Apple TV 7.0.3 or later.