ID

VAR-201702-0887


CVE

CVE-2017-2374


TITLE

Apple GarageBand and Logic Pro X updates for vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2017-001449

DESCRIPTION

An issue was discovered in certain Apple products. GarageBand before 10.1.6 is affected. The issue involves the "Projects" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted GarageBand project file.

Apple has released updates for GarageBand and Logic Pro X. Arbitrary code may be executed by opening a crafted GarageBand project file.

Apple GarageBand is prone to a memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code on the affected system. Failed exploit attempts may result in a denial-of-service condition.

Apple GarageBand is a set of music production software from Apple. A memory corruption vulnerability exists in versions of Apple GarageBand prior to 10.1.6.

APPLE-SA-2017-02-21-1 GarageBand 10.1.6

GarageBand 10.1.6 is now available and addresses the following:

Projects
Available for: OS X Yosemite v10.10 or later
Impact: Opening a maliciously crafted GarageBand Project file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2017-2374: Tyler Bohan of Cisco Talos

Installation note: GarageBand may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 2.16

sources: NVD: CVE-2017-2374 // JVNDB: JVNDB-2017-001449 // BID: 96171 // VULHUB: VHN-110577 // PACKETSTORM: 141290 // PACKETSTORM: 141291

AFFECTED PRODUCTS

vendor: apple, model: garageband, scope: lte, version: 10.1.5

Trust: 1.0

vendor: apple, model: garageband, scope: eq, version: 10.1.5

Trust: 0.9

vendor: apple, model: garageband, scope: lt, version: 10.1.6 earlier

Trust: 0.8

vendor: apple, model: logic pro x, scope: lt, version: 10.3.1 earlier

Trust: 0.8

vendor: apple, model: mac os, scope: eq, version: x10.12.2

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.12.1

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11.6

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11.3

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11.2

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11.1

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.12.3

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11.4

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11

Trust: 0.3

vendor: apple, model: logic pro, scope: eq, version: x10.3

Trust: 0.3

vendor: apple, model: logic pro, scope: eq, version: x10.2

Trust: 0.3

vendor: apple, model: logic pro, scope: eq, version: x10.1

Trust: 0.3

vendor: apple, model: garageband, scope: eq, version: 5.0.2

Trust: 0.3

vendor: apple, model: garageband, scope: eq, version: 5.1

Trust: 0.3

vendor: apple, model: garageband, scope: eq, version: 10.1

Trust: 0.3

vendor: apple, model: logic pro, scope: ne, version: x10.3.1

Trust: 0.3

vendor: apple, model: garageband, scope: ne, version: 10.1.6

Trust: 0.3

sources: BID: 96171 // JVNDB: JVNDB-2017-001449 // NVD: CVE-2017-2374 // CNNVD: CNNVD-201702-650

CVSS

SEVERITY

NVD: CVE-2017-2374
value: HIGH

Trust: 1.8

CNNVD: CNNVD-201702-650
value: MEDIUM

Trust: 0.6

VULHUB: VHN-110577
value: MEDIUM

Trust: 0.1

CVSSV2

NVD:
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: TRUE
version: 2.0

Trust: 1.0

NVD: CVE-2017-2374
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-110577
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

NVD:
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: CVE-2017-2374
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-110577 // JVNDB: JVNDB-2017-001449 // NVD: CVE-2017-2374 // CNNVD: CNNVD-201702-650

PROBLEMTYPE DATA

problemtype: CWE-119

Trust: 1.9

sources: VULHUB: VHN-110577 // JVNDB: JVNDB-2017-001449 // NVD: CVE-2017-2374

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-650

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201702-650

CONFIGURATIONS

sources: NVD: CVE-2017-2374

PATCH

title: HT207519, url: https://support.apple.com/en-us/ht207519

Trust: 0.8

title: HT207518, url: https://support.apple.com/en-us/ht207518

Trust: 0.8

title: HT207519, url: https://support.apple.com/ja-jp/ht207519

Trust: 0.8

title: HT207518, url: https://support.apple.com/ja-jp/ht207518

Trust: 0.8

title: Vulnerability Spotlight: Apple Garage Band Out of Bounds Write Vulnerability, url: http://blog.talosintelligence.com/2017/02/apple-garageband.html

Trust: 0.8

title: Apple GarageBand Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=68180

Trust: 0.6

sources: JVNDB: JVNDB-2017-001449 // CNNVD: CNNVD-201702-650

EXTERNAL IDS

db: NVD, id: CVE-2017-2374

Trust: 3.0

db: BID, id: 96171

Trust: 2.0

db: TALOS, id: TALOS-2017-0275

Trust: 1.1

db: SECTRACK, id: 1037868

Trust: 1.1

db: JVN, id: JVNVU99002156

Trust: 0.8

db: JVNDB, id: JVNDB-2017-001449

Trust: 0.8

db: CNNVD, id: CNNVD-201702-650

Trust: 0.7

db: PACKETSTORM, id: 141290

Trust: 0.2

db: PACKETSTORM, id: 141291

Trust: 0.2

db: SEEBUG, id: SSVID-96572

Trust: 0.1

db: VULHUB, id: VHN-110577

Trust: 0.1

sources: VULHUB: VHN-110577 // BID: 96171 // JVNDB: JVNDB-2017-001449 // PACKETSTORM: 141290 // PACKETSTORM: 141291 // NVD: CVE-2017-2374 // CNNVD: CNNVD-201702-650

REFERENCES

url:http://www.securityfocus.com/bid/96171

Trust: 1.7

url:https://support.apple.com/ht207518

Trust: 1.7

url:http://www.talosintelligence.com/reports/talos-2017-0275/

Trust: 1.1

url:http://www.securitytracker.com/id/1037868

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2374

Trust: 0.8

url:http://jvn.jp/vu/jvnvu99002156/index.html

Trust: 0.8

url:https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-2374

Trust: 0.8

url:https://www.apple.com/

Trust: 0.3

url:http://www.apple.com/in/mac/garageband/

Trust: 0.3

url:https://support.apple.com/en-us/ht207519

Trust: 0.3

url:https://support.apple.com/en-us/ht207518

Trust: 0.3

url:https://support.apple.com/kb/ht201222

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2017-2374

Trust: 0.2

url:https://www.apple.com/support/security/pgp/

Trust: 0.2

url:https://gpgtools.org

Trust: 0.2

sources: VULHUB: VHN-110577 // BID: 96171 // JVNDB: JVNDB-2017-001449 // PACKETSTORM: 141290 // PACKETSTORM: 141291 // NVD: CVE-2017-2374 // CNNVD: CNNVD-201702-650

CREDITS

Tyler Bohan of Cisco Talos

Trust: 0.9

sources: BID: 96171 // CNNVD: CNNVD-201702-650

SOURCES

db: VULHUB, id: VHN-110577
db: BID, id: 96171
db: JVNDB, id: JVNDB-2017-001449
db: PACKETSTORM, id: 141290
db: PACKETSTORM, id: 141291
db: NVD, id: CVE-2017-2374
db: CNNVD, id: CNNVD-201702-650

LAST UPDATE DATE

2023-12-18T12:20:03.022000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-110577, date: 2017-07-25T00:00:00
db: BID, id: 96171, date: 2017-03-07T02:06:00
db: JVNDB, id: JVNDB-2017-001449, date: 2017-02-23T00:00:00
db: NVD, id: CVE-2017-2374, date: 2017-07-25T01:29:06.717
db: CNNVD, id: CNNVD-201702-650, date: 2017-02-22T00:00:00

SOURCES RELEASE DATE

db: VULHUB, id: VHN-110577, date: 2017-02-20T00:00:00
db: BID, id: 96171, date: 2017-02-13T00:00:00
db: JVNDB, id: JVNDB-2017-001449, date: 2017-02-20T00:00:00
db: PACKETSTORM, id: 141290, date: 2017-02-24T01:20:10
db: PACKETSTORM, id: 141291, date: 2017-02-24T01:22:37
db: NVD, id: CVE-2017-2374, date: 2017-02-20T08:59:05.463
db: CNNVD, id: CNNVD-201702-650, date: 2017-02-22T00:00:00