Sign-up

ID

VAR-201501-0261


CVE

CVE-2014-8824


TITLE

Apple OS X Kernel kernel Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2015-001293

DESCRIPTION

The kernel in Apple OS X before 10.10.2 does not properly validate IODataQueue object metadata fields, which allows attackers to execute arbitrary code in a privileged context via a crafted app. Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X prior to 10.10.2. The vulnerability stems from the fact that the program does not properly validate the metadata field of the IODataQueue object

Trust: 1.98

sources: NVD: CVE-2014-8824 // JVNDB: JVNDB-2015-001293 // BID: 72328 // VULHUB: VHN-76769

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:eqversion:10.10.1

Trust: 1.4

vendor:applemodel:mac os xscope:lteversion:10.10.1

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.10

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.8.5

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.9.5

Trust: 0.8

vendor:applemodel:mac osscope:eqversion:x10.10

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.10.1

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.10.3

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.10.2

Trust: 0.3

sources: BID: 72328 // JVNDB: JVNDB-2015-001293 // CNNVD: CNNVD-201501-749 // NVD: CVE-2014-8824

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8824
value: HIGH

Trust: 1.0

NVD: CVE-2014-8824
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201501-749
value: CRITICAL

Trust: 0.6

VULHUB: VHN-76769
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-8824
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-76769
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-76769 // JVNDB: JVNDB-2015-001293 // CNNVD: CNNVD-201501-749 // NVD: CVE-2014-8824

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-76769 // JVNDB: JVNDB-2015-001293 // NVD: CVE-2014-8824

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201501-749

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201501-749

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-001293

PATCH
title:APPLE-SA-2015-01-27-4url:http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
Trust: 0.8
title:HT204244url:http://support.apple.com/en-us/HT204244
Trust: 0.8
title:HT204244url:http://support.apple.com/ja-jp/HT204244
Trust: 0.8
title:osxupd10.10.2url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53587
Trust: 0.6
title:iPhone7,1_8.1.3_12B466_Restoreurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53586
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2015-001293 // 
            
            
            
            CNNVD: CNNVD-201501-749

EXTERNAL IDS
db:NVDid:CVE-2014-8824
Trust: 2.8
db:SECTRACKid:1031650
Trust: 1.1
db:BIDid:72328
Trust: 0.9
db:JVNid:JVNVU96447236
Trust: 0.8
db:JVNDBid:JVNDB-2015-001293
Trust: 0.8
db:CNNVDid:CNNVD-201501-749
Trust: 0.7
db:VULHUBid:VHN-76769
Trust: 0.1
sources:
            
            
            VULHUB: VHN-76769 // 
            
            
            
            BID: 72328 // 
            
            
            
            JVNDB: JVNDB-2015-001293 // 
            
            
            
            CNNVD: CNNVD-201501-749 // 
            
            
            
            NVD: CVE-2014-8824

REFERENCES
url:http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html
Trust: 1.1
url:http://support.apple.com/ht204244
Trust: 1.1
url:http://www.securitytracker.com/id/1031650
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100516
Trust: 1.1
url:http://www.apple.com/macosx/
Trust: 0.9
url:https://support.apple.com/en-us/ht204659
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8824
Trust: 0.8
url:http://jvn.jp/vu/jvnvu96447236/index.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8824
Trust: 0.8
url:https://www.securityfocus.com/bid/72328
Trust: 0.6
sources:
            
            
            VULHUB: VHN-76769 // 
            
            
            
            BID: 72328 // 
            
            
            
            JVNDB: JVNDB-2015-001293 // 
            
            
            
            CNNVD: CNNVD-201501-749 // 
            
            
            
            NVD: CVE-2014-8824

CREDITS
Vitaliy Toropov working with HP's Zero Day Initiative, Roberto Paleari and Aristide Fattori of Emaze Networks, Sten Petersen, Mike Myers,Ian Beer of Google Project Zero, Ale, @PanguTeam, Trammell Hudson of Two Sigma Investments, Alex, of Digital Operatives LLC
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201501-749

SOURCES
db:VULHUBid:VHN-76769
db:BIDid:72328
db:JVNDBid:JVNDB-2015-001293
db:CNNVDid:CNNVD-201501-749
db:NVDid:CVE-2014-8824

LAST UPDATE DATE
2025-04-13T20:57:31.940000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-76769date:2017-09-08T00:00:00
db:BIDid:72328date:2019-04-12T18:00:00
db:JVNDBid:JVNDB-2015-001293date:2015-02-12T00:00:00
db:CNNVDid:CNNVD-201501-749date:2019-04-19T00:00:00
db:NVDid:CVE-2014-8824date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-76769date:2015-01-30T00:00:00
db:BIDid:72328date:2015-01-27T00:00:00
db:JVNDBid:JVNDB-2015-001293date:2015-02-12T00:00:00
db:CNNVDid:CNNVD-201501-749date:2015-01-27T00:00:00
db:NVDid:CVE-2014-8824date:2015-01-30T11:59:34.640