Details of VAR-201501-0268

ID

VAR-201501-0268

CVE

CVE-2014-8831

TITLE

Apple OS X of security_taskgate Of any application in group-ACL-restricted Vulnerability to read keychain items

Trust: 0.8

sources: JVNDB: JVNDB-2015-001308

DESCRIPTION

security_taskgate in Apple OS X before 10.10.2 allows attackers to read group-ACL-restricted keychain items of arbitrary apps via a crafted app with a signature from a (1) self-signed certificate or (2) Developer ID certificate. Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X prior to 10.10.2

Trust: 1.98

sources: NVD: CVE-2014-8831 // JVNDB: JVNDB-2015-001308 // BID: 72328 // VULHUB: VHN-76776

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	eq	version:	10.10.1	Trust: 1.4
vendor:	apple	model:	mac os x	scope:	lte	version:	10.10.1	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.10	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	10.9.5	Trust: 0.8
vendor:	apple	model:	mac os	scope:	eq	version:	x10.10	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.9.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.8.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.10.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	ne	version:	x10.10.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	ne	version:	x10.10.2	Trust: 0.3

sources: BID: 72328 // JVNDB: JVNDB-2015-001308 // CNNVD: CNNVD-201501-736 // NVD: CVE-2014-8831

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-8831
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-8831
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201501-736
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-76776
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-8831
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-76776
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-76776 // JVNDB: JVNDB-2015-001308 // CNNVD: CNNVD-201501-736 // NVD: CVE-2014-8831

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-76776 // JVNDB: JVNDB-2015-001308 // NVD: CVE-2014-8831

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201501-736

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201501-736

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001308

PATCH

title:	APPLE-SA-2015-01-27-4	url:	http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html	Trust: 0.8
title:	HT204244	url:	http://support.apple.com/en-us/HT204244	Trust: 0.8
title:	HT204244	url:	http://support.apple.com/ja-jp/HT204244	Trust: 0.8

sources: JVNDB: JVNDB-2015-001308

EXTERNAL IDS

db:	NVD	id:	CVE-2014-8831	Trust: 2.8
db:	SECTRACK	id:	1031650	Trust: 1.1
db:	BID	id:	72328	Trust: 0.9
db:	JVN	id:	JVNVU96447236	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-001308	Trust: 0.8
db:	CNNVD	id:	CNNVD-201501-736	Trust: 0.7
db:	VULHUB	id:	VHN-76776	Trust: 0.1

sources: VULHUB: VHN-76776 // BID: 72328 // JVNDB: JVNDB-2015-001308 // CNNVD: CNNVD-201501-736 // NVD: CVE-2014-8831

REFERENCES

url:	http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html	Trust: 1.1
url:	http://support.apple.com/ht204244	Trust: 1.1
url:	http://www.securitytracker.com/id/1031650	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/100526	Trust: 1.1
url:	http://www.apple.com/macosx/	Trust: 0.9
url:	https://support.apple.com/en-us/ht204659	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8831	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu96447236/	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8831	Trust: 0.8
url:	https://www.securityfocus.com/bid/72328	Trust: 0.6

sources: VULHUB: VHN-76776 // BID: 72328 // JVNDB: JVNDB-2015-001308 // CNNVD: CNNVD-201501-736 // NVD: CVE-2014-8831

CREDITS

Vitaliy Toropov working with HP's Zero Day Initiative, Roberto Paleari and Aristide Fattori of Emaze Networks, Sten Petersen, Mike Myers,Ian Beer of Google Project Zero, Ale, @PanguTeam, Trammell Hudson of Two Sigma Investments, Alex, of Digital Operatives LLC

Trust: 0.6

sources: CNNVD: CNNVD-201501-736

SOURCES

db:	VULHUB	id:	VHN-76776
db:	BID	id:	72328
db:	JVNDB	id:	JVNDB-2015-001308
db:	CNNVD	id:	CNNVD-201501-736
db:	NVD	id:	CVE-2014-8831

LAST UPDATE DATE

2025-04-13T21:36:31.747000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-76776	date:	2017-09-08T00:00:00
db:	BID	id:	72328	date:	2019-04-12T18:00:00
db:	JVNDB	id:	JVNDB-2015-001308	date:	2015-02-12T00:00:00
db:	CNNVD	id:	CNNVD-201501-736	date:	2019-04-19T00:00:00
db:	NVD	id:	CVE-2014-8831	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-76776	date:	2015-01-30T00:00:00
db:	BID	id:	72328	date:	2015-01-27T00:00:00
db:	JVNDB	id:	JVNDB-2015-001308	date:	2015-02-12T00:00:00
db:	CNNVD	id:	CNNVD-201501-736	date:	2015-01-27T00:00:00
db:	NVD	id:	CVE-2014-8831	date:	2015-01-30T11:59:41.140