ID

VAR-201702-0333


CVE

CVE-2016-4674


TITLE

Privilege escalation vulnerability in the ATS component of Apple OS X

Trust: 0.8

sources: JVNDB: JVNDB-2016-007366

DESCRIPTION

An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue involves the "ATS" component. It allows local users to gain privileges or cause a denial of service (memory corruption and application crash) via unspecified vectors.

Apple macOS is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, gain elevated privileges and perform unauthorized actions. This may aid in other attacks.

APPLE-SA-2016-10-24-2 macOS Sierra 10.12.1

macOS Sierra 10.12.1 is now available and addresses the following:

AppleGraphicsControl
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved lock state checking.
CVE-2016-4662: Apple

AppleSMC
Available for: macOS Sierra 10.12
Impact: A local user may be able to elevate privileges
Description: A null pointer dereference was addressed through improved locking.
CVE-2016-4678: daybreaker@Minionz working with Trend Micro's Zero Day Initiative

ATS
Available for: macOS Sierra 10.12
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4667: Simmon Huang of alipay, Thelongestusernameofall@gmail.com Moony Li of Trend Micro, @Flyic

ATS
Available for: macOS Sierra 10.12
Impact: A local user may be able to execute arbitrary code with additional privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4674: Shrek_wzw of Qihoo 360 Nirvan Team

CFNetwork Proxies
Available for: macOS Sierra 10.12
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: A phishing issue existed in the handling of proxy credentials. This issue was addressed by removing unsolicited proxy password authentication prompts.
CVE-2016-7579: Jerry Decime

CoreGraphics
Available for: macOS Sierra 10.12
Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4673: Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent

FaceTime
Available for: macOS Sierra 10.12
Impact: An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated
Description: User interface inconsistencies existed in the handling of relayed calls. These issues were addressed through improved FaceTime display logic.
CVE-2016-4635: Martin Vigo (@martin_vigo) of salesforce.com

FontParser
Available for: macOS Sierra 10.12
Impact: Parsing a maliciously crafted font may disclose sensitive user information
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2016-4660: Ke Liu of Tencent's Xuanwu Lab

ImageIO
Available for: OS X El Capitan v10.11.6
Impact: Parsing a maliciously crafted PDF may lead to arbitrary code execution
Description: An out-of-bounds write was addressed through improved bounds checking.
CVE-2016-4671: Ke Liu of Tencent's Xuanwu Lab, Juwei Lin (@fuzzerDOTcn)

ImageIO
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Processing a maliciously crafted image may result in the disclosure of process memory
Description: An out-of-bounds read issue existed in the SGI image parsing. This issue was addressed through improved bounds checking.
CVE-2016-4682: Ke Liu of Tencent's Xuanwu Lab

libarchive
Available for: macOS Sierra 10.12
Impact: A malicious archive may be able to overwrite arbitrary files
Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization.
CVE-2016-4679: Omer Medan of enSilo Ltd

libxpc
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12
Impact: An application may be able to execute arbitrary code with root privileges
Description: A logic issue was addressed through additional restrictions.
CVE-2016-4675: Ian Beer of Google Project Zero

ntfs
Available for: macOS Sierra 10.12
Impact: An application may be able to cause a denial of service
Description: An issue existed in the parsing of disk images. This issue was addressed through improved validation.
CVE-2016-4661: Recurity Labs on behalf of BSI (German Federal Office for Information Security)

NVIDIA Graphics Drivers
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: An application may be able to cause a denial of service
Description: A memory corruption issue was addressed through improved input validation.
CVE-2016-4663: Apple

System Boot
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12
Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.
CVE-2016-4669: Ian Beer of Google Project Zero

macOS Sierra 10.12.1 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 2.07

sources: NVD: CVE-2016-4674 // JVNDB: JVNDB-2016-007366 // BID: 93852 // VULHUB: VHN-93493 // PACKETSTORM: 139320

AFFECTED PRODUCTS

vendor: apple | model: mac os x | scope: lte | version: 10.12.0

Trust: 1.0

vendor: apple | model: mac os x | scope: eq | version: 10.12

Trust: 0.8

vendor: apple | model: mac os x | scope: eq | version: 10.12.0

Trust: 0.6

vendor: apple | model: macos | scope: eq | version: 10.12

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.11.6

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.11.3

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.11.2

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.11.1

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.10.5

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.11.5

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.11.4

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.11

Trust: 0.3

vendor: apple | model: macos | scope: ne | version: 10.12.1

Trust: 0.3

sources: BID: 93852 // JVNDB: JVNDB-2016-007366 // CNNVD: CNNVD-201610-708 // NVD: CVE-2016-4674

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-4674
value: HIGH

Trust: 1.0

NVD: CVE-2016-4674
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201610-708
value: MEDIUM

Trust: 0.6

VULHUB: VHN-93493
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-4674
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-93493
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-4674
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-93493 // JVNDB: JVNDB-2016-007366 // CNNVD: CNNVD-201610-708 // NVD: CVE-2016-4674

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-93493 // JVNDB: JVNDB-2016-007366 // NVD: CVE-2016-4674

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201610-708

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201610-708

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007366

PATCH

title: Apple security updates | url: https://support.apple.com/en-us/HT201222

Trust: 0.8

title: APPLE-SA-2016-10-24-2 macOS Sierra 10.12.1 | url: https://lists.apple.com/archives/security-announce/2016/Oct/msg00001.html

Trust: 0.8

title: HT207275 | url: https://support.apple.com/en-us/HT207275

Trust: 0.8

title: HT207275 | url: https://support.apple.com/ja-jp/HT207275

Trust: 0.8

title: Apple macOS Sierra ATS Repair measures for memory corruption vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=65071

Trust: 0.6

sources: JVNDB: JVNDB-2016-007366 // CNNVD: CNNVD-201610-708

EXTERNAL IDS

db: NVD | id: CVE-2016-4674

Trust: 2.9

db: BID | id: 93852

Trust: 2.0

db: SECTRACK | id: 1037086

Trust: 1.1

db: JVN | id: JVNVU90743185

Trust: 0.8

db: JVNDB | id: JVNDB-2016-007366

Trust: 0.8

db: CNNVD | id: CNNVD-201610-708

Trust: 0.7

db: ZDI | id: ZDI-16-589

Trust: 0.3

db: VULHUB | id: VHN-93493

Trust: 0.1

db: PACKETSTORM | id: 139320

Trust: 0.1

sources: VULHUB: VHN-93493 // BID: 93852 // JVNDB: JVNDB-2016-007366 // PACKETSTORM: 139320 // CNNVD: CNNVD-201610-708 // NVD: CVE-2016-4674

REFERENCES

url:http://www.securityfocus.com/bid/93852

Trust: 1.7

url:https://support.apple.com/ht207275

Trust: 1.7

url:http://www.securitytracker.com/id/1037086

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4674

Trust: 0.8

url:http://jvn.jp/vu/jvnvu90743185/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-4674

Trust: 0.8

url:http://www.apple.com/macosx/

Trust: 0.3

url:https://support.apple.com/en-ie/ht207275

Trust: 0.3

url:http://www.zerodayinitiative.com/advisories/zdi-16-589/

Trust: 0.3

url:https://support.apple.com/kb/ht201222

Trust: 0.1

url:https://gpgtools.org

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4675

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4682

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4661

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4678

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4667

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4662

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4669

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4660

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4635

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4674

Trust: 0.1

url:https://www.apple.com/support/downloads/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4671

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4679

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-7579

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4663

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4673

Trust: 0.1

sources: VULHUB: VHN-93493 // BID: 93852 // JVNDB: JVNDB-2016-007366 // PACKETSTORM: 139320 // CNNVD: CNNVD-201610-708 // NVD: CVE-2016-4674

CREDITS

Recurity Labs on behalf of BSI (German Federal Office for Information Security), Simmon Huang of alipay, Thelongestusernameofall@gmail.com, Moony Li of TrendMicro, @Flyic, Ke Liu of Tencent's Xuanwu Lab, Juwei Lin (@fuzzerDOTcn), Shrek_wzw of Qihoo 360 Ni

Trust: 0.6

sources: CNNVD: CNNVD-201610-708

SOURCES

db: VULHUB | id: VHN-93493
db: BID | id: 93852
db: JVNDB | id: JVNDB-2016-007366
db: PACKETSTORM | id: 139320
db: CNNVD | id: CNNVD-201610-708
db: NVD | id: CVE-2016-4674

LAST UPDATE DATE

2025-04-20T20:05:55.514000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-93493 | date: 2017-07-29T00:00:00
db: BID | id: 93852 | date: 2016-11-24T01:08:00
db: JVNDB | id: JVNDB-2016-007366 | date: 2017-02-28T00:00:00
db: CNNVD | id: CNNVD-201610-708 | date: 2017-03-13T00:00:00
db: NVD | id: CVE-2016-4674 | date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB | id: VHN-93493 | date: 2017-02-20T00:00:00
db: BID | id: 93852 | date: 2016-10-24T00:00:00
db: JVNDB | id: JVNDB-2016-007366 | date: 2017-02-28T00:00:00
db: PACKETSTORM | id: 139320 | date: 2016-10-24T21:46:59
db: CNNVD | id: CNNVD-201610-708 | date: 2016-10-25T00:00:00
db: NVD | id: CVE-2016-4674 | date: 2017-02-20T08:59:00.667