Details of VAR-201504-0089

ID

VAR-201504-0089

CVE

CVE-2015-1138

TITLE

Apple OS X Service disruption in Japanese hypervisors (DoS) Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2015-002188

DESCRIPTION

Hypervisor in Apple OS X before 10.10.3 allows local users to cause a denial of service via unspecified vectors. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2015-004. The update addresses new vulnerabilities that affect the Admin Framework, ATS, CoreAnimation, Graphics Driver, Hypervisor, ImageIO, IOHIDFamily, Kernel, LaunchServices, UniformTypeIdentifiers, Security - Code Signing, Open Directory Client, and Screen Sharing components. Attackers can exploit these issues to execute arbitrary code with system privileges, gain admin privileges, bypass security restrictions, cause denial-of-service conditions, obtain sensitive information and perform other attacks. These issues affect Mac OS X prior to 10.10.3. Hypervisor (also known as virtual machine monitor, VMM) is an intermediate software layer running between the physical server and the operating system, which allows multiple operating systems and applications to share a set of underlying physical hardware. A local attacker could exploit this vulnerability to cause a denial of service

Trust: 1.98

sources: NVD: CVE-2015-1138 // JVNDB: JVNDB-2015-002188 // BID: 73982 // VULHUB: VHN-79098

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	lte	version:	10.10.2	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.10 to 10.10.2	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	10.10.2	Trust: 0.6

sources: JVNDB: JVNDB-2015-002188 // CNNVD: CNNVD-201504-163 // NVD: CVE-2015-1138

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-1138
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-1138
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201504-163
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-79098
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-1138
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:L/AC:L/AU:N/C:N/I:N/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-79098
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:L/AC:L/AU:N/C:N/I:N/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-79098 // JVNDB: JVNDB-2015-002188 // CNNVD: CNNVD-201504-163 // NVD: CVE-2015-1138

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-79098 // JVNDB: JVNDB-2015-002188 // NVD: CVE-2015-1138

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201504-163

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201504-163

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002188

PATCH

title:	APPLE-SA-2015-04-08-2 OS X 10.10.3 and Security Update 2015-004	url:	http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html	Trust: 0.8
title:	HT204659	url:	http://support.apple.com/en-us/HT204659	Trust: 0.8
title:	HT204659	url:	http://support.apple.com/ja-jp/HT204659	Trust: 0.8

sources: JVNDB: JVNDB-2015-002188

EXTERNAL IDS

db:	NVD	id:	CVE-2015-1138	Trust: 2.8
db:	BID	id:	73982	Trust: 1.4
db:	SECTRACK	id:	1032048	Trust: 1.1
db:	JVNDB	id:	JVNDB-2015-002188	Trust: 0.8
db:	CNNVD	id:	CNNVD-201504-163	Trust: 0.7
db:	ZDI	id:	ZDI-15-121	Trust: 0.3
db:	ZDI	id:	ZDI-15-165	Trust: 0.3
db:	VULHUB	id:	VHN-79098	Trust: 0.1

sources: VULHUB: VHN-79098 // BID: 73982 // JVNDB: JVNDB-2015-002188 // CNNVD: CNNVD-201504-163 // NVD: CVE-2015-1138

REFERENCES

url:	http://lists.apple.com/archives/security-announce/2015/apr/msg00001.html	Trust: 1.7
url:	https://support.apple.com/ht204659	Trust: 1.7
url:	http://www.securityfocus.com/bid/73982	Trust: 1.1
url:	http://www.securitytracker.com/id/1032048	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1138	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-1138	Trust: 0.8
url:	http://www.apple.com/macosx/	Trust: 0.3
url:	https://support.apple.com/en-us/ht204659	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/zdi-15-165/	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/zdi-15-121/	Trust: 0.3

sources: VULHUB: VHN-79098 // BID: 73982 // JVNDB: JVNDB-2015-002188 // CNNVD: CNNVD-201504-163 // NVD: CVE-2015-1138

CREDITS

Apple, Emil Kvarnhammar at TrueSec, Ian Beer of Google Project Zero, Frank Graziano and John Villamil of the Yahoo Pentest Team, Izik Eidus and Alex Fishman, lokihardt@ASRT working with HP's Zero Day Initiative, Luca Todesco, and Ole Andre Vadla Ravnas of

Trust: 0.3

sources: BID: 73982

SOURCES

db:	VULHUB	id:	VHN-79098
db:	BID	id:	73982
db:	JVNDB	id:	JVNDB-2015-002188
db:	CNNVD	id:	CNNVD-201504-163
db:	NVD	id:	CVE-2015-1138

LAST UPDATE DATE

2025-04-13T19:41:48.785000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-79098	date:	2015-09-17T00:00:00
db:	BID	id:	73982	date:	2015-05-12T19:47:00
db:	JVNDB	id:	JVNDB-2015-002188	date:	2015-04-14T00:00:00
db:	CNNVD	id:	CNNVD-201504-163	date:	2015-04-14T00:00:00
db:	NVD	id:	CVE-2015-1138	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-79098	date:	2015-04-10T00:00:00
db:	BID	id:	73982	date:	2015-04-08T00:00:00
db:	JVNDB	id:	JVNDB-2015-002188	date:	2015-04-14T00:00:00
db:	CNNVD	id:	CNNVD-201504-163	date:	2015-04-14T00:00:00
db:	NVD	id:	CVE-2015-1138	date:	2015-04-10T14:59:49.573