Sign-up

ID

VAR-201309-0401


CVE

CVE-2013-5161


TITLE

Apple iOS Vulnerabilities that bypass the passcode requirement in passcode lock

Trust: 0.8

sources: JVNDB: JVNDB-2013-004352

DESCRIPTION

Passcode Lock in Apple iOS before 7.0.2 does not properly manage the lock state, which allows physically proximate attackers to bypass an intended passcode requirement, and open the Camera app or read the list of all recently opened apps, by leveraging unspecified transition errors. there is a possibility. Apple iOS is prone to a security-bypass vulnerability due to a failure to restrict access to locked devices. An attacker with physical access to a locked device can leverage this issue to bypass the lock screen and gain unauthorized access to the device's application, thereby disclosing sensitive information. Apple iOS 7 is vulnerable; other versions may also be affected. The vulnerability stems from the program not properly managing the locking state. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-09-26-1 iOS 7.0.2 iOS 7.0.2 is now available and addresses the following: Passcode Lock Available for: iPhone 4 and later Impact: A person with physical access to the device may be able to make calls to any number Description: A NULL dereference existed in the lock screen which would cause it to restart if the emergency call button was tapped repeatedly. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed. This issue was addressed by avoiding the NULL dereference. CVE-ID CVE-2013-5160 : Karam Daoud of PART - Marketing & Business Development, Andrew Chung, Mariusz Rysz Passcode Lock Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A person with physical access to the device may be able to see recently used apps, see, edit, and share photos Description: The list of apps you opened could be accessed during some transitions while the device was locked, and the Camera app could be opened while the device was locked. CVE-ID CVE-2013-5161 : videosdebarraquito Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "7.0.2". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJSQ2o5AAoJEPefwLHPlZEwmj8P/04PIEJuGhf8hv/IdYIHMLol chQHK/MXigk+aH9BriQbFpqAyByqyh9x4+6hJeywWdtF7u6SzfbRgBNoPWEZw0d8 VrtVBMi2VeNRTxOJWV+rivA7xA2doxkLSIILHzDVenj8JeNO87q85KsrhRmzmeaa jUojdE9o/0OGjjF1WuDM4UDGx/TzhpUoqzFR1hSP41g87xsYp/gRTV/R3821lxG6 8sUSeJ4l8qHFQKIUPAxJaSie8JbbK8Yeturix6sMCvYZdougtd7oMV5TxJVZXbC1 ePZUvhfVwuD7y5bFx2VKYvci5oFMgOlNyFZMDrkpM8BF2UsfEmvoHQPLwzYSdXXs 5wY/nwbuKm57Wq8PH0H3hyt4ycH0YB1YqxtY8oPjREJioA6mLHNGs70HFHvf+zjW 7ukGnI7c2efMMjoM0+UCmo03/5Wh8ji0tjrDjvM3gybm8keXH/cZPF13/kihXrs/ M6QVgWWjCO/IqhUh4MGDWzfzCqg+hlNJLAR/r1TocuDb4/NWj/nI2FHIoDIsNYjR XZ9qw0sIqsTF3nqf3zKhxEtXENEpSnGR7xGJ6xjcy8BCobHn81m7XKpnQFaNBido C669zPmyF0B6W0LiRmwvCp0Z6ielE0Tu3f9jsikOT/NUEqGFPtBhqR238G1rmHzH 6vDxXI1d8H2uZqoShAaZ =Nryx -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2013-5161 // JVNDB: JVNDB-2013-004352 // BID: 62579 // VULHUB: VHN-65163 // PACKETSTORM: 123427

AFFECTED PRODUCTS

vendor:applemodel:iphone osscope:eqversion:7.0

Trust: 1.6

vendor:applemodel:iphone osscope:lteversion:7.0.1

Trust: 1.0

vendor:applemodel:iosscope:ltversion:7.0.2 (ipad 2 or later )

Trust: 0.8

vendor:applemodel:iosscope:ltversion:7.0.2 (iphone 4 or later )

Trust: 0.8

vendor:applemodel:iosscope:ltversion:7.0.2 (ipod touch first 5 after generation )

Trust: 0.8

vendor:applemodel:iphone osscope:eqversion:7.0.1

Trust: 0.6

sources: JVNDB: JVNDB-2013-004352 // CNNVD: CNNVD-201309-441 // NVD: CVE-2013-5161

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-5161
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-5161
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201309-441
value: MEDIUM

Trust: 0.6

VULHUB: VHN-65163
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-5161
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-65163
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-65163 // JVNDB: JVNDB-2013-004352 // CNNVD: CNNVD-201309-441 // NVD: CVE-2013-5161

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-65163 // JVNDB: JVNDB-2013-004352 // NVD: CVE-2013-5161

THREAT TYPE

local

Trust: 0.9

sources: BID: 62579 // CNNVD: CNNVD-201309-441

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201309-441

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2013-004352

PATCH
title:APPLE-SA-2013-09-26-1url:http://lists.apple.com/archives/security-announce/2013/Sep/msg00009.html
Trust: 0.8
title:HT5957url:http://support.apple.com/kb/HT5957
Trust: 0.8
title:HT5957url:http://support.apple.com/kb/HT5957?viewlocale=ja_JP
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2013-004352

EXTERNAL IDS
db:NVDid:CVE-2013-5161
Trust: 2.9
db:BIDid:62579
Trust: 1.0
db:JVNDBid:JVNDB-2013-004352
Trust: 0.8
db:CNNVDid:CNNVD-201309-441
Trust: 0.7
db:APPLEid:APPLE-SA-2013-09-26-1
Trust: 0.6
db:SEEBUGid:SSVID-61052
Trust: 0.1
db:VULHUBid:VHN-65163
Trust: 0.1
db:PACKETSTORMid:123427
Trust: 0.1
sources:
            
            
            VULHUB: VHN-65163 // 
            
            
            
            BID: 62579 // 
            
            
            
            JVNDB: JVNDB-2013-004352 // 
            
            
            
            PACKETSTORM: 123427 // 
            
            
            
            CNNVD: CNNVD-201309-441 // 
            
            
            
            NVD: CVE-2013-5161

REFERENCES
url:http://lists.apple.com/archives/security-announce/2013/sep/msg00009.html
Trust: 1.7
url:http://support.apple.com/kb/ht5957
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5161
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5161
Trust: 0.8
url:http://www.securityfocus.com/bid/62579
Trust: 0.6
url:http://www.apple.com/iphone/
Trust: 0.3
url:https://www.apple.com/itunes/
Trust: 0.1
url:https://www.apple.com/support/security/pgp/
Trust: 0.1
url:http://support.apple.com/kb/ht1222
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-5161
Trust: 0.1
url:http://gpgtools.org
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-5160
Trust: 0.1
sources:
            
            
            VULHUB: VHN-65163 // 
            
            
            
            BID: 62579 // 
            
            
            
            JVNDB: JVNDB-2013-004352 // 
            
            
            
            PACKETSTORM: 123427 // 
            
            
            
            CNNVD: CNNVD-201309-441 // 
            
            
            
            NVD: CVE-2013-5161

CREDITS
Jose Rodriguez
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201309-441

SOURCES
db:VULHUBid:VHN-65163
db:BIDid:62579
db:JVNDBid:JVNDB-2013-004352
db:PACKETSTORMid:123427
db:CNNVDid:CNNVD-201309-441
db:NVDid:CVE-2013-5161

LAST UPDATE DATE
2025-04-11T23:04:04.479000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-65163date:2013-10-07T00:00:00
db:BIDid:62579date:2013-09-28T00:13:00
db:JVNDBid:JVNDB-2013-004352date:2013-10-01T00:00:00
db:CNNVDid:CNNVD-201309-441date:2013-09-29T00:00:00
db:NVDid:CVE-2013-5161date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:VULHUBid:VHN-65163date:2013-09-28T00:00:00
db:BIDid:62579date:2013-09-19T00:00:00
db:JVNDBid:JVNDB-2013-004352date:2013-10-01T00:00:00
db:PACKETSTORMid:123427date:2013-09-27T22:28:33
db:CNNVDid:CNNVD-201309-441date:2013-09-26T00:00:00
db:NVDid:CVE-2013-5161date:2013-09-28T03:40:55.433