Sign-up

ID

VAR-201309-0400


CVE

CVE-2013-5160


TITLE

iPhone Runs on the device Apple iOS Vulnerabilities that bypass the passcode requirement in passcode lock

Trust: 0.8

sources: JVNDB: JVNDB-2013-004351

DESCRIPTION

Passcode Lock in Apple iOS before 7.0.2 on iPhone devices allows physically proximate attackers to bypass an intended passcode requirement, and dial arbitrary telephone numbers, by making a series of taps of the emergency-call button to trigger a NULL pointer dereference. Apple iOS for iPhone is prone to a local security-bypass vulnerability. Local attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. The vulnerability stems from the program not properly managing the lock state. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed. This issue was addressed by avoiding the NULL dereference. CVE-ID CVE-2013-5160 : Karam Daoud of PART - Marketing & Business Development, Andrew Chung, Mariusz Rysz Passcode Lock Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A person with physical access to the device may be able to see recently used apps, see, edit, and share photos Description: The list of apps you opened could be accessed during some transitions while the device was locked, and the Camera app could be opened while the device was locked. CVE-ID CVE-2013-5161 : videosdebarraquito Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "7.0.2". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJSQ2o5AAoJEPefwLHPlZEwmj8P/04PIEJuGhf8hv/IdYIHMLol chQHK/MXigk+aH9BriQbFpqAyByqyh9x4+6hJeywWdtF7u6SzfbRgBNoPWEZw0d8 VrtVBMi2VeNRTxOJWV+rivA7xA2doxkLSIILHzDVenj8JeNO87q85KsrhRmzmeaa jUojdE9o/0OGjjF1WuDM4UDGx/TzhpUoqzFR1hSP41g87xsYp/gRTV/R3821lxG6 8sUSeJ4l8qHFQKIUPAxJaSie8JbbK8Yeturix6sMCvYZdougtd7oMV5TxJVZXbC1 ePZUvhfVwuD7y5bFx2VKYvci5oFMgOlNyFZMDrkpM8BF2UsfEmvoHQPLwzYSdXXs 5wY/nwbuKm57Wq8PH0H3hyt4ycH0YB1YqxtY8oPjREJioA6mLHNGs70HFHvf+zjW 7ukGnI7c2efMMjoM0+UCmo03/5Wh8ji0tjrDjvM3gybm8keXH/cZPF13/kihXrs/ M6QVgWWjCO/IqhUh4MGDWzfzCqg+hlNJLAR/r1TocuDb4/NWj/nI2FHIoDIsNYjR XZ9qw0sIqsTF3nqf3zKhxEtXENEpSnGR7xGJ6xjcy8BCobHn81m7XKpnQFaNBido C669zPmyF0B6W0LiRmwvCp0Z6ielE0Tu3f9jsikOT/NUEqGFPtBhqR238G1rmHzH 6vDxXI1d8H2uZqoShAaZ =Nryx -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2013-5160 // JVNDB: JVNDB-2013-004351 // BID: 62599 // VULHUB: VHN-65162 // PACKETSTORM: 123427

AFFECTED PRODUCTS

vendor:applemodel:iphone osscope:eqversion:7.0

Trust: 1.6

vendor:applemodel:iphone osscope:lteversion:7.0.1

Trust: 1.0

vendor:applemodel:iosscope:ltversion:7.0.2 (iphone 4 or later )

Trust: 0.8

vendor:applemodel:iphone osscope:eqversion:7.0.1

Trust: 0.6

sources: JVNDB: JVNDB-2013-004351 // CNNVD: CNNVD-201309-442 // NVD: CVE-2013-5160

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-5160
value: LOW

Trust: 1.0

NVD: CVE-2013-5160
value: LOW

Trust: 0.8

CNNVD: CNNVD-201309-442
value: LOW

Trust: 0.6

VULHUB: VHN-65162
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2013-5160
severity: LOW
baseScore: 3.3
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-65162
severity: LOW
baseScore: 3.3
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-65162 // JVNDB: JVNDB-2013-004351 // CNNVD: CNNVD-201309-442 // NVD: CVE-2013-5160

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-65162 // JVNDB: JVNDB-2013-004351 // NVD: CVE-2013-5160

THREAT TYPE

local

Trust: 0.9

sources: BID: 62599 // CNNVD: CNNVD-201309-442

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201309-442

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2013-004351

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-65162

PATCH
title:APPLE-SA-2013-09-26-1url:http://lists.apple.com/archives/security-announce/2013/Sep/msg00009.html
Trust: 0.8
title:HT5957url:http://support.apple.com/kb/HT5957
Trust: 0.8
title:HT5957url:http://support.apple.com/kb/HT5957?viewlocale=ja_JP
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2013-004351

EXTERNAL IDS
db:NVDid:CVE-2013-5160
Trust: 2.9
db:BIDid:62599
Trust: 1.0
db:JVNDBid:JVNDB-2013-004351
Trust: 0.8
db:CNNVDid:CNNVD-201309-442
Trust: 0.7
db:APPLEid:APPLE-SA-2013-09-26-1
Trust: 0.6
db:PACKETSTORMid:123427
Trust: 0.2
db:SEEBUGid:SSVID-61051
Trust: 0.1
db:VULHUBid:VHN-65162
Trust: 0.1
sources:
            
            
            VULHUB: VHN-65162 // 
            
            
            
            BID: 62599 // 
            
            
            
            JVNDB: JVNDB-2013-004351 // 
            
            
            
            PACKETSTORM: 123427 // 
            
            
            
            CNNVD: CNNVD-201309-442 // 
            
            
            
            NVD: CVE-2013-5160

REFERENCES
url:http://lists.apple.com/archives/security-announce/2013/sep/msg00009.html
Trust: 1.7
url:http://support.apple.com/kb/ht5957
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5160
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5160
Trust: 0.8
url:http://www.securityfocus.com/bid/62599
Trust: 0.6
url:http://www.apple.com/ios/
Trust: 0.3
url:http://www.apple.com/iphone/
Trust: 0.3
url:https://www.apple.com/itunes/
Trust: 0.1
url:https://www.apple.com/support/security/pgp/
Trust: 0.1
url:http://support.apple.com/kb/ht1222
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-5161
Trust: 0.1
url:http://gpgtools.org
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-5160
Trust: 0.1
sources:
            
            
            VULHUB: VHN-65162 // 
            
            
            
            BID: 62599 // 
            
            
            
            JVNDB: JVNDB-2013-004351 // 
            
            
            
            PACKETSTORM: 123427 // 
            
            
            
            CNNVD: CNNVD-201309-442 // 
            
            
            
            NVD: CVE-2013-5160

CREDITS
Karam Daoud
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201309-442

SOURCES
db:VULHUBid:VHN-65162
db:BIDid:62599
db:JVNDBid:JVNDB-2013-004351
db:PACKETSTORMid:123427
db:CNNVDid:CNNVD-201309-442
db:NVDid:CVE-2013-5160

LAST UPDATE DATE
2025-04-11T23:04:04.512000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-65162date:2013-10-07T00:00:00
db:BIDid:62599date:2013-09-28T00:13:00
db:JVNDBid:JVNDB-2013-004351date:2013-10-01T00:00:00
db:CNNVDid:CNNVD-201309-442date:2013-09-29T00:00:00
db:NVDid:CVE-2013-5160date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:VULHUBid:VHN-65162date:2013-09-28T00:00:00
db:BIDid:62599date:2013-09-20T00:00:00
db:JVNDBid:JVNDB-2013-004351date:2013-10-01T00:00:00
db:PACKETSTORMid:123427date:2013-09-27T22:28:33
db:CNNVDid:CNNVD-201309-442date:2013-09-26T00:00:00
db:NVDid:CVE-2013-5160date:2013-09-28T03:40:55.417