Sign-up

ID

VAR-201501-0262


CVE

CVE-2014-8825


TITLE

Apple OS X Privileged vulnerability in Kernel

Trust: 0.8

sources: JVNDB: JVNDB-2015-001301

DESCRIPTION

The kernel in Apple OS X before 10.10.2 does not properly perform identitysvc validation of certain directory-service functionality, which allows local users to gain privileges or spoof directory-service responses via unspecified vectors. Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X prior to 10.10.2. The vulnerability stems from the fact that the program does not correctly execute the identitysvc verification of the directory-service function. A local attacker can exploit this vulnerability to obtain permissions or forge directory-service responses

Trust: 1.98

sources: NVD: CVE-2014-8825 // JVNDB: JVNDB-2015-001301 // BID: 72328 // VULHUB: VHN-76770

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:eqversion:10.10.1

Trust: 1.4

vendor:applemodel:mac os xscope:lteversion:10.10.1

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.10

Trust: 0.8

vendor:applemodel:mac osscope:eqversion:x10.10

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.10.1

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.10.3

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.10.2

Trust: 0.3

sources: BID: 72328 // JVNDB: JVNDB-2015-001301 // CNNVD: CNNVD-201501-750 // NVD: CVE-2014-8825

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8825
value: HIGH

Trust: 1.0

NVD: CVE-2014-8825
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201501-750
value: HIGH

Trust: 0.6

VULHUB: VHN-76770
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-8825
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-76770
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-76770 // JVNDB: JVNDB-2015-001301 // CNNVD: CNNVD-201501-750 // NVD: CVE-2014-8825

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-76770 // JVNDB: JVNDB-2015-001301 // NVD: CVE-2014-8825

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201501-750

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201501-750

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-001301

PATCH
title:APPLE-SA-2015-01-27-4url:http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
Trust: 0.8
title:HT204244url:http://support.apple.com/en-us/HT204244
Trust: 0.8
title:HT204244url:http://support.apple.com/ja-jp/HT204244
Trust: 0.8
title:osxupd10.10.2url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53587
Trust: 0.6
title:iPhone7,1_8.1.3_12B466_Restoreurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53586
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2015-001301 // 
            
            
            
            CNNVD: CNNVD-201501-750

EXTERNAL IDS
db:NVDid:CVE-2014-8825
Trust: 2.8
db:SECTRACKid:1031650
Trust: 1.1
db:BIDid:72328
Trust: 0.9
db:JVNid:JVNVU96447236
Trust: 0.8
db:JVNDBid:JVNDB-2015-001301
Trust: 0.8
db:CNNVDid:CNNVD-201501-750
Trust: 0.7
db:VULHUBid:VHN-76770
Trust: 0.1
sources:
            
            
            VULHUB: VHN-76770 // 
            
            
            
            BID: 72328 // 
            
            
            
            JVNDB: JVNDB-2015-001301 // 
            
            
            
            CNNVD: CNNVD-201501-750 // 
            
            
            
            NVD: CVE-2014-8825

REFERENCES
url:http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html
Trust: 1.1
url:http://support.apple.com/ht204244
Trust: 1.1
url:http://www.securitytracker.com/id/1031650
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100517
Trust: 1.1
url:http://www.apple.com/macosx/
Trust: 0.9
url:https://support.apple.com/en-us/ht204659
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8825
Trust: 0.8
url:https://jvn.jp/vu/jvnvu96447236/
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8825
Trust: 0.8
url:https://www.securityfocus.com/bid/72328
Trust: 0.6
sources:
            
            
            VULHUB: VHN-76770 // 
            
            
            
            BID: 72328 // 
            
            
            
            JVNDB: JVNDB-2015-001301 // 
            
            
            
            CNNVD: CNNVD-201501-750 // 
            
            
            
            NVD: CVE-2014-8825

CREDITS
Vitaliy Toropov working with HP's Zero Day Initiative, Roberto Paleari and Aristide Fattori of Emaze Networks, Sten Petersen, Mike Myers,Ian Beer of Google Project Zero, Ale, @PanguTeam, Trammell Hudson of Two Sigma Investments, Alex, of Digital Operatives LLC
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201501-750

SOURCES
db:VULHUBid:VHN-76770
db:BIDid:72328
db:JVNDBid:JVNDB-2015-001301
db:CNNVDid:CNNVD-201501-750
db:NVDid:CVE-2014-8825

LAST UPDATE DATE
2025-04-13T21:02:05.236000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-76770date:2017-09-08T00:00:00
db:BIDid:72328date:2019-04-12T18:00:00
db:JVNDBid:JVNDB-2015-001301date:2015-02-12T00:00:00
db:CNNVDid:CNNVD-201501-750date:2019-04-19T00:00:00
db:NVDid:CVE-2014-8825date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-76770date:2015-01-30T00:00:00
db:BIDid:72328date:2015-01-27T00:00:00
db:JVNDBid:JVNDB-2015-001301date:2015-02-12T00:00:00
db:CNNVDid:CNNVD-201501-750date:2015-01-27T00:00:00
db:NVDid:CVE-2014-8825date:2015-01-30T11:59:35.470