ID

VAR-201704-0717


CVE

CVE-2017-2383


TITLE

User-tracking vulnerability in the APNs Server component of Apple iCloud and iTunes for Windows

Trust: 0.8

sources: JVNDB: JVNDB-2017-002416

DESCRIPTION

An issue was discovered in certain Apple products. iCloud before 6.2 on Windows is affected. iTunes before 12.6 on Windows is affected. The issue involves cleartext client-certificate transmission in the "APNs Server" component. It allows man-in-the-middle attackers to track users via correlation with this certificate.

The APNs Server component of Apple iCloud and iTunes for Windows sends the client certificate in plaintext, which could allow a user to be tracked. A man-in-the-middle attacker may be able to track users through correlation with the client certificate.

Apple iCloud/iTunes for Windows are prone to a security bypass vulnerability. Attackers can exploit this issue to bypass security restrictions and perform unauthorized actions.

Apple iCloud for Windows is a cloud service based on the Windows platform that supports storage of music, photos, apps, contacts and so on; iTunes for Windows is a set of media player applications. APNs Server is one of the servers used for message push. The vulnerability stems from the fact that the program sends user certificates in plaintext. An attacker could exploit this vulnerability to track user activity.

APPLE-SA-2017-03-28-2 Additional information for
APPLE-SA-2017-03-22-1 iTunes for Windows 12.6

iTunes for Windows 12.6 addresses the following:

APNs Server
Available for: Windows 7 and later
Impact: An attacker in a privileged network position can track a user's activity
Description: A client certificate was sent in plaintext. This issue was addressed through improved certificate handling.
CVE-2017-2383: Matthias Wachs and Quirin Scheitle of Technical University Munich (TUM)
Entry added March 28, 2017

iTunes
Available for: Windows 7 and later
Impact: Multiple issues in SQLite
Description: Multiple issues existed in SQLite. These issues were addressed by updating SQLite to version 3.15.2.
CVE-2013-7443
CVE-2015-3414
CVE-2015-3415
CVE-2015-3416
CVE-2015-3717
CVE-2015-6607
CVE-2016-6153

iTunes
Available for: Windows 7 and later
Impact: Multiple issues in expat
Description: Multiple issues existed in expat. These issues were addressed by updating expat to version 2.2.0.
CVE-2009-3270
CVE-2009-3560
CVE-2009-3720
CVE-2012-1147
CVE-2012-1148
CVE-2012-6702
CVE-2015-1283
CVE-2016-0718
CVE-2016-4472
CVE-2016-5300

libxslt
Available for: Windows 7 and later
Impact: Multiple vulnerabilities in libxslt
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2017-5029: Holger Fuhrmannek
Entry added March 28, 2017

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2017-2463: Kai Kang (4B5F5F4B) of Tencent's Xuanwu Lab (tencent.com) working with Trend Micro's Zero Day Initiative
Entry added March 28, 2017

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may exfiltrate data cross-origin
Description: A validation issue existed in element handling. This issue was addressed through improved validation.
CVE-2017-2479: lokihardt of Google Project Zero
CVE-2017-2480: lokihardt of Google Project Zero
Entry added March 28, 2017

Installation note:

iTunes for Windows 12.6 may be obtained from:
https://www.apple.com/itunes/download/

Information will also be posted to the Apple Security Updates web site:
https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/

Trust: 2.16

sources: NVD: CVE-2017-2383 // JVNDB: JVNDB-2017-002416 // BID: 97175 // VULHUB: VHN-110586 // PACKETSTORM: 141936 // PACKETSTORM: 141937

AFFECTED PRODUCTS

vendor   model    scope  version                                Trust
apple    itunes   lte    12.5.5.5                               1.0
apple    icloud   lte    6.1.1                                  1.0
apple    icloud   eq     6.1.1                                  0.9
apple    icloud   lt     6.2 (windows 7 or later)               0.8
apple    itunes   lt     for windows 12.6 (windows 7 or later)  0.8
apple    itunes   eq     12.5.5.5                               0.6
esignal  esignal  eq     6.0.2                                  0.3
apple    itunes   eq     12.5.5                                 0.3
apple    itunes   eq     12.5.1                                 0.3
apple    itunes   eq     12.4.2                                 0.3
apple    itunes   eq     12.3.2                                 0.3
apple    itunes   eq     12.3.1                                 0.3
apple    itunes   eq     11.2.1                                 0.3
apple    itunes   eq     11.1.5                                 0.3
apple    itunes   eq     11.1.4                                 0.3
apple    itunes   eq     11.1.3                                 0.3
apple    itunes   eq     11.1.2                                 0.3
apple    itunes   eq     11.1.1                                 0.3
apple    itunes   eq     11.0.5                                 0.3
apple    itunes   eq     11.0.4                                 0.3
apple    itunes   eq     11.0.2                                 0.3
apple    itunes   eq     10.6.3                                 0.3
apple    itunes   eq     10.6.1                                 0.3
apple    itunes   eq     10.5.1                                 0.3
apple    itunes   eq     10.1.2                                 0.3
apple    itunes   eq     9.2.1                                  0.3
apple    itunes   eq     9.0.2                                  0.3
apple    itunes   eq     9.0.1.8                                0.3
apple    itunes   eq     9.0.1                                  0.3
apple    itunes   eq     9.0                                    0.3
apple    itunes   eq     7.3.2                                  0.3
apple    itunes   eq     7.3.1                                  0.3
apple    itunes   eq     7.3                                    0.3
apple    itunes   eq     7.0.2                                  0.3
apple    itunes   eq     6.0.5                                  0.3
apple    itunes   eq     6.0.4                                  0.3
apple    itunes   eq     6.0.3                                  0.3
apple    itunes   eq     6.0.1                                  0.3
apple    itunes   eq     6.0                                    0.3
apple    itunes   eq     5.0                                    0.3
apple    itunes   eq     4.8                                    0.3
apple    itunes   eq     4.7.1                                  0.3
apple    itunes   eq     4.7                                    0.3
apple    itunes   eq     4.6                                    0.3
apple    itunes   eq     4.5                                    0.3
apple    itunes   eq     4.2.72                                 0.3
apple    itunes   eq     9.2                                    0.3
apple    itunes   eq     9.1.1                                  0.3
apple    itunes   eq     9.1                                    0.3
apple    itunes   eq     9.0.3                                  0.3
apple    itunes   eq     8.2                                    0.3
apple    itunes   eq     8.1                                    0.3
apple    itunes   eq     8.0.2.20                               0.3
apple    itunes   eq     8.0                                    0.3
apple    itunes   eq     7.4                                    0.3
apple    itunes   eq     12.5.4                                 0.3
apple    itunes   eq     12.5.2                                 0.3
apple    itunes   eq     12.4                                   0.3
apple    itunes   eq     12.3                                   0.3
apple    itunes   eq     12.2                                   0.3
apple    itunes   eq     12.0.1                                 0.3
apple    itunes   eq     11.2                                   0.3
apple    itunes   eq     11.1                                   0.3
apple    itunes   eq     11.0.3                                 0.3
apple    itunes   eq     11.0.1                                 0.3
apple    itunes   eq     11.0.0.163                             0.3
apple    itunes   eq     11.0                                   0.3
apple    itunes   eq     10.7                                   0.3
apple    itunes   eq     10.6.1.7                               0.3
apple    itunes   eq     10.6                                   0.3
apple    itunes   eq     10.5.3                                 0.3
apple    itunes   eq     10.5.2                                 0.3
apple    itunes   eq     10.5.1.42                              0.3
apple    itunes   eq     10.5                                   0.3
apple    itunes   eq     10.4.1.10                              0.3
apple    itunes   eq     10.4.1                                 0.3
apple    itunes   eq     10.4.0.80                              0.3
apple    itunes   eq     10.4                                   0.3
apple    itunes   eq     10.3.1                                 0.3
apple    itunes   eq     10.3                                   0.3
apple    itunes   eq     10.2.2.12                              0.3
apple    itunes   eq     10.2.2                                 0.3
apple    itunes   eq     10.2                                   0.3
apple    itunes   eq     10.1.1.4                               0.3
apple    itunes   eq     10.1.1                                 0.3
apple    itunes   eq     10.1                                   0.3
apple    itunes   eq     10.0.1                                 0.3
apple    itunes   eq     10                                     0.3
apple    icloud   eq     6.1                                    0.3
apple    icloud   eq     6.0.1                                  0.3
apple    icloud   eq     6.0                                    0.3
apple    itunes   ne     12.6                                   0.3
apple    icloud   ne     6.2                                    0.3

sources: BID: 97175 // JVNDB: JVNDB-2017-002416 // CNNVD: CNNVD-201703-1355 // NVD: CVE-2017-2383

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-2383
value: LOW

Trust: 1.0

NVD: CVE-2017-2383
value: LOW

Trust: 0.8

CNNVD: CNNVD-201703-1355
value: LOW

Trust: 0.6

VULHUB: VHN-110586
value: LOW

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-2383
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-110586
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-2383
baseSeverity: LOW
baseScore: 3.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.6
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-110586 // JVNDB: JVNDB-2017-002416 // CNNVD: CNNVD-201703-1355 // NVD: CVE-2017-2383

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

problemtype: CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2017-002416 // NVD: CVE-2017-2383

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-1355

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201703-1355

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002416

PATCH

title                                                                       url                                                        Trust
Apple security updates                                                      https://support.apple.com/en-us/HT201222                   0.8
HT207599                                                                    https://support.apple.com/en-us/HT207599                   0.8
HT207607                                                                    https://support.apple.com/en-us/HT207607                   0.8
HT207599                                                                    https://support.apple.com/ja-jp/HT207599                   0.8
HT207607                                                                    https://support.apple.com/ja-jp/HT207607                   0.8
Apple iCloud for Windows APNs Server Fixes for component security vulnerabilities  http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68882  0.6

sources: JVNDB: JVNDB-2017-002416 // CNNVD: CNNVD-201703-1355

EXTERNAL IDS

db           id                   Trust
NVD          CVE-2017-2383        3.0
BID          97175                2.0
SECTRACK     1038157              1.1
JVN          JVNVU90482935        0.8
JVNDB        JVNDB-2017-002416    0.8
CNNVD        CNNVD-201703-1355    0.7
PACKETSTORM  141936               0.2
VULHUB       VHN-110586           0.1
PACKETSTORM  141937               0.1

sources: VULHUB: VHN-110586 // BID: 97175 // JVNDB: JVNDB-2017-002416 // PACKETSTORM: 141936 // PACKETSTORM: 141937 // CNNVD: CNNVD-201703-1355 // NVD: CVE-2017-2383

REFERENCES

url                                                              Trust
http://www.securityfocus.com/bid/97175                           1.7
https://support.apple.com/ht207599                               1.7
https://support.apple.com/ht207607                               1.7
http://www.securitytracker.com/id/1038157                        1.1
https://nvd.nist.gov/vuln/detail/cve-2017-2383                   1.0
http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2383      0.8
http://jvn.jp/vu/jvnvu90482935/index.html                        0.8
https://www.apple.com/                                           0.3
http://www.apple.com/in/icloud/                                  0.3
http://www.apple.com/itunes/                                     0.3
https://nvd.nist.gov/vuln/detail/cve-2017-2480                   0.2
https://nvd.nist.gov/vuln/detail/cve-2017-2479                   0.2
https://support.apple.com/kb/ht201222                            0.2
https://nvd.nist.gov/vuln/detail/cve-2017-2463                   0.2
https://www.apple.com/support/security/pgp/                      0.2
https://nvd.nist.gov/vuln/detail/cve-2017-5029                   0.2
http://gpgtools.org                                              0.2
https://support.apple.com/ht204283                               0.1
https://nvd.nist.gov/vuln/detail/cve-2016-5300                   0.1
https://nvd.nist.gov/vuln/detail/cve-2016-0718                   0.1
https://nvd.nist.gov/vuln/detail/cve-2009-3720                   0.1
https://nvd.nist.gov/vuln/detail/cve-2016-6153                   0.1
https://nvd.nist.gov/vuln/detail/cve-2015-3415                   0.1
https://nvd.nist.gov/vuln/detail/cve-2009-3270                   0.1
https://nvd.nist.gov/vuln/detail/cve-2015-6607                   0.1
https://nvd.nist.gov/vuln/detail/cve-2009-3560                   0.1
https://nvd.nist.gov/vuln/detail/cve-2015-3416                   0.1
https://nvd.nist.gov/vuln/detail/cve-2015-1283                   0.1
https://nvd.nist.gov/vuln/detail/cve-2015-3717                   0.1
https://nvd.nist.gov/vuln/detail/cve-2015-3414                   0.1
https://nvd.nist.gov/vuln/detail/cve-2013-7443                   0.1
https://nvd.nist.gov/vuln/detail/cve-2012-6702                   0.1
https://nvd.nist.gov/vuln/detail/cve-2016-4472                   0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1148                   0.1
https://www.apple.com/itunes/download/                           0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1147                   0.1

sources: VULHUB: VHN-110586 // BID: 97175 // JVNDB: JVNDB-2017-002416 // PACKETSTORM: 141936 // PACKETSTORM: 141937 // CNNVD: CNNVD-201703-1355 // NVD: CVE-2017-2383

CREDITS

Matthias Wachs and Quirin Scheitle of Technical University Munich (TUM)

Trust: 0.6

sources: CNNVD: CNNVD-201703-1355

SOURCES

db           id
VULHUB       VHN-110586
BID          97175
JVNDB        JVNDB-2017-002416
PACKETSTORM  141936
PACKETSTORM  141937
CNNVD        CNNVD-201703-1355
NVD          CVE-2017-2383

LAST UPDATE DATE

2025-04-20T22:03:11.967000+00:00


SOURCES UPDATE DATE

db      id                   date
VULHUB  VHN-110586           2017-07-12T00:00:00
BID     97175                2017-03-28T00:00:00
JVNDB   JVNDB-2017-002416    2017-04-13T00:00:00
CNNVD   CNNVD-201703-1355    2017-04-05T00:00:00
NVD     CVE-2017-2383        2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db           id                   date
VULHUB       VHN-110586           2017-04-02T00:00:00
BID          97175                2017-03-28T00:00:00
JVNDB        JVNDB-2017-002416    2017-04-13T00:00:00
PACKETSTORM  141936               2017-03-28T23:02:22
PACKETSTORM  141937               2017-03-28T23:44:44
CNNVD        CNNVD-201703-1355    2017-03-31T00:00:00
NVD          CVE-2017-2383        2017-04-02T01:59:00.450