ID

VAR-201501-0637


CVE

CVE-2014-4494


TITLE

Vulnerability in Springboard in Apple iOS that allows bypassing first-launch restrictions

Trust: 0.8

sources: JVNDB: JVNDB-2015-001290

DESCRIPTION

Springboard in Apple iOS before 8.1.3 does not properly validate signatures when determining whether to solicit an app trust decision from the user, which allows attackers to bypass intended first-launch restrictions by leveraging access to an enterprise distribution certificate for signing a crafted app.

Apple iOS is prone to multiple security vulnerabilities. The update addresses new vulnerabilities that affect the iTunes Store, MobileInstallation, Springboard, and WebKit components. Attackers can exploit these issues to gain unauthorized access, perform unauthorized actions, bypass security restrictions, and perform other attacks. These issues affect iOS versions prior to 8.1.3.

Apple iOS is an operating system developed by Apple for mobile devices. Springboard is the desktop (home screen) of Apple iDevices. The vulnerability stems from the fact that the program does not properly verify digital signatures.

Trust: 1.98

sources: NVD: CVE-2014-4494 // JVNDB: JVNDB-2015-001290 // BID: 72333 // VULHUB: VHN-72434

AFFECTED PRODUCTS

vendor: apple | model: iphone os | scope: lte | version: 8.1.2

Trust: 1.0

vendor: apple | model: ios | scope: lt | version: 8.1.3 (ipad 2 or later)

Trust: 0.8

vendor: apple | model: ios | scope: lt | version: 8.1.3 (iphone 4s or later)

Trust: 0.8

vendor: apple | model: ios | scope: lt | version: 8.1.3 (ipod touch 5th generation or later)

Trust: 0.8

vendor: apple | model: iphone os | scope: eq | version: 8.1.2

Trust: 0.6

vendor: apple | model: ipod touch | scope: eq | version: 0

Trust: 0.3

vendor: apple | model: iphone | scope: eq | version: 0

Trust: 0.3

vendor: apple | model: ipad | scope: eq | version: 0

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.2.1

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.0.2

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.0.1

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 3.2.2

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 3.2.1

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 5.1.1

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 5.1

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 5.0.1

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 5

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.3.5

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.3.4

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.3.3

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.3.2

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.3.1

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.3

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.2.9

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.2.8

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.2.7

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.2.6

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.2.5

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.2.10

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.2

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4.1

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 4

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 3.2

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 3.1

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 3.0

Trust: 0.3

sources: BID: 72333 // JVNDB: JVNDB-2015-001290 // CNNVD: CNNVD-201501-714 // NVD: CVE-2014-4494

CVSS

SEVERITY

nvd@nist.gov: CVE-2014-4494
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-4494
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201501-714
value: MEDIUM

Trust: 0.6

VULHUB: VHN-72434
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2014-4494
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-72434
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

sources: VULHUB: VHN-72434 // JVNDB: JVNDB-2015-001290 // CNNVD: CNNVD-201501-714 // NVD: CVE-2014-4494

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.9

sources: VULHUB: VHN-72434 // JVNDB: JVNDB-2015-001290 // NVD: CVE-2014-4494

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201501-714

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201501-714

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001290

PATCH

title: APPLE-SA-2015-01-27-2 | url: http://lists.apple.com/archives/security-announce/2015/Jan/msg00001.html

Trust: 0.8

title: HT204245 | url: http://support.apple.com/en-us/HT204245

Trust: 0.8

title: HT204245 | url: http://support.apple.com/ja-jp/HT204245

Trust: 0.8

title: osxupd10.10.2 | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53587

Trust: 0.6

title: iPhone7,1_8.1.3_12B466_Restore | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53586

Trust: 0.6

sources: JVNDB: JVNDB-2015-001290 // CNNVD: CNNVD-201501-714

EXTERNAL IDS

db: NVD | id: CVE-2014-4494

Trust: 2.8

db: SECTRACK | id: 1031652

Trust: 1.1

db: BID | id: 72333

Trust: 0.9

db: JVN | id: JVNVU96447236

Trust: 0.8

db: JVNDB | id: JVNDB-2015-001290

Trust: 0.8

db: CNNVD | id: CNNVD-201501-714

Trust: 0.7

db: VULHUB | id: VHN-72434

Trust: 0.1

sources: VULHUB: VHN-72434 // BID: 72333 // JVNDB: JVNDB-2015-001290 // CNNVD: CNNVD-201501-714 // NVD: CVE-2014-4494

REFERENCES

url:http://lists.apple.com/archives/security-announce/2015/jan/msg00001.html

Trust: 1.7

url:http://support.apple.com/ht204245

Trust: 1.7

url:http://www.securitytracker.com/id/1031652

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4494

Trust: 0.8

url:http://jvn.jp/vu/jvnvu96447236/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4494

Trust: 0.8

url:http://www.securityfocus.com/bid/72333

Trust: 0.6

url:http://www.apple.com/ios/

Trust: 0.3

url:http://www.apple.com/ipad/

Trust: 0.3

url:http://www.apple.com/iphone/

Trust: 0.3

url:http://www.apple.com/ipodtouch/

Trust: 0.3

sources: VULHUB: VHN-72434 // BID: 72333 // JVNDB: JVNDB-2015-001290 // CNNVD: CNNVD-201501-714 // NVD: CVE-2014-4494

CREDITS

lokihardt@ASRT working with HP's Zero Day Initiative, Jordan Milne, Song Jin, Hui Xue, and Tao Wei of FireEye, Inc.

Trust: 0.9

sources: BID: 72333 // CNNVD: CNNVD-201501-714

SOURCES

db: VULHUB | id: VHN-72434
db: BID | id: 72333
db: JVNDB | id: JVNDB-2015-001290
db: CNNVD | id: CNNVD-201501-714
db: NVD | id: CVE-2014-4494

LAST UPDATE DATE

2025-04-12T20:58:45.305000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-72434 | date: 2015-11-17T00:00:00
db: BID | id: 72333 | date: 2015-02-04T00:01:00
db: JVNDB | id: JVNDB-2015-001290 | date: 2015-02-12T00:00:00
db: CNNVD | id: CNNVD-201501-714 | date: 2015-02-02T00:00:00
db: NVD | id: CVE-2014-4494 | date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB | id: VHN-72434 | date: 2015-01-30T00:00:00
db: BID | id: 72333 | date: 2015-01-27T00:00:00
db: JVNDB | id: JVNDB-2015-001290 | date: 2015-02-12T00:00:00
db: CNNVD | id: CNNVD-201501-714 | date: 2015-01-27T00:00:00
db: NVD | id: CVE-2014-4494 | date: 2015-01-30T11:59:23.453