Details of VAR-201501-0273

ID

VAR-201501-0273

CVE

CVE-2014-8836

TITLE

Apple OS X of Bluetooth Vulnerability to execute arbitrary code in driver

Trust: 0.8

sources: JVNDB: JVNDB-2015-001313

DESCRIPTION

The Bluetooth driver in Apple OS X before 10.10.2 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (arbitrary-size bzero of kernel memory) via a crafted app. Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X prior to 10.10.2

Trust: 1.98

sources: NVD: CVE-2014-8836 // JVNDB: JVNDB-2015-001313 // BID: 72328 // VULHUB: VHN-76781

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	eq	version:	10.10.1	Trust: 1.4
vendor:	apple	model:	mac os x	scope:	lte	version:	10.10.1	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.10	Trust: 0.8
vendor:	apple	model:	mac os	scope:	eq	version:	x10.10	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.9.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.8.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.10.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	ne	version:	x10.10.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	ne	version:	x10.10.2	Trust: 0.3

sources: BID: 72328 // JVNDB: JVNDB-2015-001313 // CNNVD: CNNVD-201501-737 // NVD: CVE-2014-8836

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-8836
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-8836
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201501-737
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-76781
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-8836
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-76781
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-76781 // JVNDB: JVNDB-2015-001313 // CNNVD: CNNVD-201501-737 // NVD: CVE-2014-8836

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-76781 // JVNDB: JVNDB-2015-001313 // NVD: CVE-2014-8836

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201501-737

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201501-737

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001313

PATCH

title:	APPLE-SA-2015-01-27-4	url:	http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html	Trust: 0.8
title:	HT204244	url:	http://support.apple.com/en-us/HT204244	Trust: 0.8
title:	HT204244	url:	http://support.apple.com/ja-jp/HT204244	Trust: 0.8

sources: JVNDB: JVNDB-2015-001313

EXTERNAL IDS

db:	NVD	id:	CVE-2014-8836	Trust: 2.8
db:	SECTRACK	id:	1031626	Trust: 1.1
db:	BID	id:	72328	Trust: 0.9
db:	JVN	id:	JVNVU96447236	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-001313	Trust: 0.8
db:	CNNVD	id:	CNNVD-201501-737	Trust: 0.7
db:	PACKETSTORM	id:	133602	Trust: 0.1
db:	VULHUB	id:	VHN-76781	Trust: 0.1

sources: VULHUB: VHN-76781 // BID: 72328 // JVNDB: JVNDB-2015-001313 // CNNVD: CNNVD-201501-737 // NVD: CVE-2014-8836

REFERENCES

url:	http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html	Trust: 1.1
url:	http://support.apple.com/ht204244	Trust: 1.1
url:	http://code.google.com/p/google-security-research/issues/detail?id=136	Trust: 1.1
url:	http://www.securitytracker.com/id/1031626	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/100490	Trust: 1.1
url:	http://www.apple.com/macosx/	Trust: 0.9
url:	https://support.apple.com/en-us/ht204659	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8836	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu96447236/	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8836	Trust: 0.8
url:	https://www.securityfocus.com/bid/72328	Trust: 0.6

sources: VULHUB: VHN-76781 // BID: 72328 // JVNDB: JVNDB-2015-001313 // CNNVD: CNNVD-201501-737 // NVD: CVE-2014-8836

CREDITS

Vitaliy Toropov working with HP's Zero Day Initiative, Roberto Paleari and Aristide Fattori of Emaze Networks, Sten Petersen, Mike Myers,Ian Beer of Google Project Zero, Ale, @PanguTeam, Trammell Hudson of Two Sigma Investments, Alex, of Digital Operatives LLC

Trust: 0.6

sources: CNNVD: CNNVD-201501-737

SOURCES

db:	VULHUB	id:	VHN-76781
db:	BID	id:	72328
db:	JVNDB	id:	JVNDB-2015-001313
db:	CNNVD	id:	CNNVD-201501-737
db:	NVD	id:	CVE-2014-8836

LAST UPDATE DATE

2025-04-13T20:24:27.487000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-76781	date:	2017-09-08T00:00:00
db:	BID	id:	72328	date:	2019-04-12T18:00:00
db:	JVNDB	id:	JVNDB-2015-001313	date:	2015-02-12T00:00:00
db:	CNNVD	id:	CNNVD-201501-737	date:	2019-04-19T00:00:00
db:	NVD	id:	CVE-2014-8836	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-76781	date:	2015-01-30T00:00:00
db:	BID	id:	72328	date:	2015-01-27T00:00:00
db:	JVNDB	id:	JVNDB-2015-001313	date:	2015-02-12T00:00:00
db:	CNNVD	id:	CNNVD-201501-737	date:	2015-01-27T00:00:00
db:	NVD	id:	CVE-2014-8836	date:	2015-01-30T11:59:45.750