ID

VAR-201405-0220


CVE

CVE-2014-1347


TITLE

File modification vulnerability in Apple iTunes running on OS X

Trust: 0.8

sources: JVNDB: JVNDB-2014-002533

DESCRIPTION

Apple iTunes before 11.2.1 on OS X sets world-writable permissions for /Users and /Users/Shared during reboots, which allows local users to modify files, and consequently obtain access to arbitrary user accounts, via standard filesystem operations. iTunes is prone to multiple insecure file-permission vulnerabilities. Apple iTunes versions prior to 11.2.1 are vulnerable. Apple iTunes is a media player application from Apple, mainly used for playing and managing digital music and video files. The vulnerability is caused by the program setting world-writable permissions on the /Users and /Users/Shared directories during restart. This issue was addressed with improved permission handling. For information on the general content of iTunes 11.2.1, see http://support.apple.com/kb/TS5434

CVE-ID: CVE-2014-1347

iTunes 11.2.1 may be obtained from: http://www.apple.com/itunes/download/ The download file is named: iTunes11.2.1.dmg Its SHA-1 digest is: d7e00140775bd15069ded529388add2ce6f0b538

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 2.07

sources: NVD: CVE-2014-1347 // JVNDB: JVNDB-2014-002533 // BID: 67457 // VULHUB: VHN-69286 // PACKETSTORM: 126720

AFFECTED PRODUCTS

vendor: apple, model: itunes, scope: eq, version: 11.1.4

Trust: 1.9

vendor: apple, model: itunes, scope: eq, version: 11.1.3

Trust: 1.9

vendor: apple, model: itunes, scope: eq, version: 11.1.2

Trust: 1.9

vendor: apple, model: itunes, scope: eq, version: 11.1.1

Trust: 1.9

vendor: apple, model: itunes, scope: eq, version: 11.0.2

Trust: 1.9

vendor: apple, model: itunes, scope: eq, version: 11.1

Trust: 1.9

vendor: apple, model: itunes, scope: eq, version: 11.0

Trust: 1.9

vendor: apple, model: itunes, scope: eq, version: 11.1.5

Trust: 1.6

vendor: apple, model: itunes, scope: eq, version: 11.0.1

Trust: 1.6

vendor: apple, model: itunes, scope: eq, version: 11.0.5

Trust: 1.3

vendor: apple, model: itunes, scope: eq, version: 11.0.4

Trust: 1.3

vendor: apple, model: itunes, scope: eq, version: 11.0.3

Trust: 1.3

vendor: apple, model: itunes, scope: lte, version: 11.2

Trust: 1.0

vendor: apple, model: itunes, scope: eq, version: 11.2

Trust: 0.9

vendor: apple, model: itunes, scope: lt, version: 11.2.1 (mac os x v10.6.8 or later)

Trust: 0.8

vendor: apple, model: mac os, scope: eq, version: x10.6.8

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.6.3

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.6.1

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.5.1

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.1.2

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 11.0.0.163

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.7

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.6.1.7

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.6

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.5.3

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.5.2

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.5.1.42

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.5

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.4.1.10

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.4.1

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.4.0.80

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.4

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.3.1

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.3

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.2.2.12

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.2.2

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.2

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.1.1.4

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.1.1

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.1

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.0.1

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10.0

Trust: 0.3

vendor: apple, model: itunes, scope: eq, version: 10

Trust: 0.3

vendor: apple, model: itunes, scope: ne, version: 11.2.1

Trust: 0.3

sources: BID: 67457 // JVNDB: JVNDB-2014-002533 // CNNVD: CNNVD-201405-309 // NVD: CVE-2014-1347

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-1347
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-1347
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201405-309
value: MEDIUM

Trust: 0.6

VULHUB: VHN-69286
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-1347
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-69286
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-69286 // JVNDB: JVNDB-2014-002533 // CNNVD: CNNVD-201405-309 // NVD: CVE-2014-1347

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-69286 // JVNDB: JVNDB-2014-002533 // NVD: CVE-2014-1347

THREAT TYPE

local

Trust: 0.9

sources: BID: 67457 // CNNVD: CNNVD-201405-309

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201405-309

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002533

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-69286

PATCH

title: HT6251, url: http://support.apple.com/kb/HT6251

Trust: 0.8

title: HT6251, url: http://support.apple.com/kb/HT6251?viewlocale=ja_JP

Trust: 0.8

sources: JVNDB: JVNDB-2014-002533

EXTERNAL IDS

db: NVD, id: CVE-2014-1347

Trust: 2.9

db: JVNDB, id: JVNDB-2014-002533

Trust: 0.8

db: CNNVD, id: CNNVD-201405-309

Trust: 0.7

db: BID, id: 67457

Trust: 0.4

db: PACKETSTORM, id: 126720

Trust: 0.2

db: VULHUB, id: VHN-69286

Trust: 0.1

sources: VULHUB: VHN-69286 // BID: 67457 // JVNDB: JVNDB-2014-002533 // PACKETSTORM: 126720 // CNNVD: CNNVD-201405-309 // NVD: CVE-2014-1347

REFERENCES

url:http://support.apple.com/kb/ht6251

Trust: 2.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1347

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1347

Trust: 0.8

url:http://www.securityfocus.com/archive/1/532141

Trust: 0.8

url:http://www.apple.com/itunes/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2014-1347

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:http://support.apple.com/kb/ht1222

Trust: 0.1

url:http://www.apple.com/itunes/download/

Trust: 0.1

url:http://gpgtools.org

Trust: 0.1

url:http://support.apple.com/kb/ts5434

Trust: 0.1

sources: VULHUB: VHN-69286 // BID: 67457 // JVNDB: JVNDB-2014-002533 // PACKETSTORM: 126720 // CNNVD: CNNVD-201405-309 // NVD: CVE-2014-1347

CREDITS

Apple

Trust: 0.4

sources: BID: 67457 // PACKETSTORM: 126720

SOURCES

db: VULHUB, id: VHN-69286
db: BID, id: 67457
db: JVNDB, id: JVNDB-2014-002533
db: PACKETSTORM, id: 126720
db: CNNVD, id: CNNVD-201405-309
db: NVD, id: CVE-2014-1347

LAST UPDATE DATE

2025-04-13T23:34:12.200000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-69286, date: 2014-05-19T00:00:00
db: BID, id: 67457, date: 2014-05-16T00:00:00
db: JVNDB, id: JVNDB-2014-002533, date: 2014-05-20T00:00:00
db: CNNVD, id: CNNVD-201405-309, date: 2014-05-20T00:00:00
db: NVD, id: CVE-2014-1347, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-69286, date: 2014-05-18T00:00:00
db: BID, id: 67457, date: 2014-05-16T00:00:00
db: JVNDB, id: JVNDB-2014-002533, date: 2014-05-20T00:00:00
db: PACKETSTORM, id: 126720, date: 2014-05-20T00:24:33
db: CNNVD, id: CNNVD-201405-309, date: 2014-05-20T00:00:00
db: NVD, id: CVE-2014-1347, date: 2014-05-18T11:12:54.313