Sign-up

ID

VAR-201501-0275


CVE

CVE-2014-8838


TITLE

Apple OS X of Security In the component Gatekeeper Vulnerabilities bypassing protection mechanisms

Trust: 0.8

sources: JVNDB: JVNDB-2015-001315

DESCRIPTION

The Security component in Apple OS X before 10.10.2 does not properly process cached information about app certificates, which allows attackers to bypass the Gatekeeper protection mechanism by leveraging access to a revoked Developer ID certificate for signing a crafted app. Apple Mac OS X is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect Bluetooth, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, Intel Graphics Driver, IOHIDFamily, IOUSBFamily, Kernel, LaunchServices, LoginWindow, Sandbox, SceneKit, security, security_taskgate, Spotlight, SpotlightIndex, sysmond, and UserAccountUpdater components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, disclose sensitive information and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X prior to 10.10.2. Security is one of the security components

Trust: 1.98

sources: NVD: CVE-2014-8838 // JVNDB: JVNDB-2015-001315 // BID: 72328 // VULHUB: VHN-76783

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:eqversion:10.10.1

Trust: 1.4

vendor:applemodel:mac os xscope:lteversion:10.10.1

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.10

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.9.5

Trust: 0.8

vendor:applemodel:mac osscope:eqversion:x10.10

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.9.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.8.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.10.1

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.10.3

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.10.2

Trust: 0.3

sources: BID: 72328 // JVNDB: JVNDB-2015-001315 // CNNVD: CNNVD-201501-729 // NVD: CVE-2014-8838

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8838
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-8838
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201501-729
value: MEDIUM

Trust: 0.6

VULHUB: VHN-76783
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-8838
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-76783
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-76783 // JVNDB: JVNDB-2015-001315 // CNNVD: CNNVD-201501-729 // NVD: CVE-2014-8838

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-76783 // JVNDB: JVNDB-2015-001315 // NVD: CVE-2014-8838

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201501-729

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201501-729

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-001315

PATCH
title:APPLE-SA-2015-01-27-4url:http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
Trust: 0.8
title:HT204244url:http://support.apple.com/en-us/HT204244
Trust: 0.8
title:HT204244url:http://support.apple.com/ja-jp/HT204244
Trust: 0.8
title:osxupd10.10.2url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53587
Trust: 0.6
title:iPhone7,1_8.1.3_12B466_Restoreurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53586
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2015-001315 // 
            
            
            
            CNNVD: CNNVD-201501-729

EXTERNAL IDS
db:NVDid:CVE-2014-8838
Trust: 2.8
db:SECTRACKid:1031650
Trust: 1.1
db:BIDid:72328
Trust: 0.9
db:JVNid:JVNVU96447236
Trust: 0.8
db:JVNDBid:JVNDB-2015-001315
Trust: 0.8
db:CNNVDid:CNNVD-201501-729
Trust: 0.7
db:VULHUBid:VHN-76783
Trust: 0.1
sources:
            
            
            VULHUB: VHN-76783 // 
            
            
            
            BID: 72328 // 
            
            
            
            JVNDB: JVNDB-2015-001315 // 
            
            
            
            CNNVD: CNNVD-201501-729 // 
            
            
            
            NVD: CVE-2014-8838

REFERENCES
url:http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html
Trust: 1.1
url:http://support.apple.com/ht204244
Trust: 1.1
url:http://www.securitytracker.com/id/1031650
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100525
Trust: 1.1
url:http://www.apple.com/macosx/
Trust: 0.9
url:https://support.apple.com/en-us/ht204659
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8838
Trust: 0.8
url:https://jvn.jp/vu/jvnvu96447236/
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8838
Trust: 0.8
url:https://www.securityfocus.com/bid/72328
Trust: 0.6
sources:
            
            
            VULHUB: VHN-76783 // 
            
            
            
            BID: 72328 // 
            
            
            
            JVNDB: JVNDB-2015-001315 // 
            
            
            
            CNNVD: CNNVD-201501-729 // 
            
            
            
            NVD: CVE-2014-8838

CREDITS
Vitaliy Toropov working with HP's Zero Day Initiative, Roberto Paleari and Aristide Fattori of Emaze Networks, Sten Petersen, Mike Myers,Ian Beer of Google Project Zero, Ale, @PanguTeam, Trammell Hudson of Two Sigma Investments, Alex, of Digital Operatives LLC
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201501-729

SOURCES
db:VULHUBid:VHN-76783
db:BIDid:72328
db:JVNDBid:JVNDB-2015-001315
db:CNNVDid:CNNVD-201501-729
db:NVDid:CVE-2014-8838

LAST UPDATE DATE
2025-04-13T21:58:24.223000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-76783date:2017-09-08T00:00:00
db:BIDid:72328date:2019-04-12T18:00:00
db:JVNDBid:JVNDB-2015-001315date:2015-02-12T00:00:00
db:CNNVDid:CNNVD-201501-729date:2019-04-19T00:00:00
db:NVDid:CVE-2014-8838date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-76783date:2015-01-30T00:00:00
db:BIDid:72328date:2015-01-27T00:00:00
db:JVNDBid:JVNDB-2015-001315date:2015-02-12T00:00:00
db:CNNVDid:CNNVD-201501-729date:2015-01-30T00:00:00
db:NVDid:CVE-2014-8838date:2015-01-30T11:59:47.627