Details of VAR-201705-3231

ID

VAR-201705-3231

CVE

CVE-2017-2516

TITLE

Apple OS X Vulnerability in the kernel component that bypasses memory read restrictions

Trust: 0.8

sources: JVNDB: JVNDB-2017-003838

DESCRIPTION

An issue was discovered in certain Apple products. macOS before 10.12.5 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. Apple OS X Vulnerabilities exist in the kernel component that prevent memory read restrictions.An attacker could bypass memory read restrictions through a crafted application. Apple macOS is prone to multiple security vulnerabilities. An attacker can exploit these issues to gain elevated privileges, perform unauthorized actions and execute arbitrary code with kernel privileges. Failed exploit attempts will likely cause a denial-of-service condition. Apple macOS Sierra is a dedicated operating system developed by Apple for Mac computers. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2017-05-15-1 macOS 10.12.5 macOS 10.12.5 is now available and addresses the following: 802.1X Available for: macOS Sierra 10.12.4 Impact: A malicious network with 802.1X authentication may be able to capture user network credentials Description: A certificate validation issue existed in EAP-TLS when a certificate changed. This issue was addressed through improved certificate validation. CVE-2017-6988: Tim Cappalli of Aruba, a Hewlett Packard Enterprise company Accessibility Framework Available for: macOS Sierra 10.12.4 Impact: An application may be able to gain system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-6978: Ian Beer of Google Project Zero CoreAnimation Available for: macOS Sierra 10.12.4, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5 Impact: Processing maliciously crafted data may lead to arbitrary code execution Description: A memory consumption issue was addressed through improved memory handling. CVE-2017-2527: Ian Beer of Google Project Zero CoreAudio Available for: macOS Sierra 10.12.4 Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2017-2502: Yangkang (@dnpushme) of Qihoo360 Qex Team DiskArbitration Available for: macOS Sierra 10.12.4 and OS X El Capitan v10.11.6 Impact: An application may be able to gain system privileges Description: A race condition was addressed with additional filesystem restrictions. CVE-2017-2533: Samuel GroA and Niklas Baumstark working with Trend Micro's Zero Day Initiative HFS Available for: macOS Sierra 10.12.4, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5 Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2017-6990: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative iBooks Available for: macOS Sierra 10.12.4 Impact: A maliciously crafted book may open arbitrary websites without user permission Description: A URL handling issue was addressed through improved state management. CVE-2017-2497: Jun Kokatsu (@shhnjk) iBooks Available for: macOS Sierra 10.12.4 Impact: An application may be able to execute arbitrary code with root privileges Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization. CVE-2017-6981: evi1m0 of YSRC (sec.ly.com) iBooks Available for: macOS Sierra 10.12.4 Impact: An application may be able to escape its sandbox Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-6986: evi1m0 of YSRC (sec.ly.com) & Heige (SuperHei) of Knownsec 404 Security Team Intel Graphics Driver Available for: macOS Sierra 10.12.4 Impact: An application may be able to gain kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2503: sss and Axis of 360Nirvan team IOGraphics Available for: macOS Sierra 10.12.4 Impact: An application may be able to gain kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2545: 360 Security (@mj0011sec) working with Trend Micro's Zero Day Initiative IOSurface Available for: macOS Sierra 10.12.4, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5 Impact: An application may be able to gain kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-6979: Adam Donenfeld of Zimperium zLabs Kernel Available for: macOS Sierra 10.12.4 Impact: An application may be able to gain kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2494: Jann Horn of Google Project Zero Kernel Available for: macOS Sierra 10.12.4 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed through improved locking. CVE-2017-2501: Ian Beer of Google Project Zero Kernel Available for: macOS Sierra 10.12.4 Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2017-2507: Ian Beer of Google Project Zero CVE-2017-2509: Jann Horn of Google Project Zero CVE-2017-6987: Patrick Wardle of Synack Kernel Available for: macOS Sierra 10.12.4, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5 Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2017-2516: Jann Horn of Google Project Zero Kernel Available for: macOS Sierra 10.12.4, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5 Impact: An application may be able to gain kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2546: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative Multi-Touch Available for: macOS Sierra 10.12.4 Impact: An application may be able to gain kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2542: 360 Security (@mj0011sec) working with Trend Micro's Zero Day Initiative CVE-2017-2543: 360 Security (@mj0011sec) working with Trend Micro's Zero Day Initiative NVIDIA Graphics Drivers Available for: macOS Sierra 10.12.4 Impact: An application may be able to gain kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-6985: Axis and sss of Nirvan Team of Qihoo 360 and Simon Huang (@HuangShaomang) of IceSword Lab of Qihoo 360 Sandbox Available for: macOS Sierra 10.12.4, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5 Impact: An application may be able to escape its sandbox Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2512: Federico Bento of Faculty of Sciences, University of Porto Security Available for: macOS Sierra 10.12.4, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5 Impact: An application may be able to escape its sandbox Description: A resource exhaustion issue was addressed through improved input validation. CVE-2017-2535: Samuel GroA and Niklas Baumstark working with Trend Micro's Zero Day Initiative Speech Framework Available for: macOS Sierra 10.12.4 Impact: An application may be able to escape its sandbox Description: An access issue was addressed through additional sandbox restrictions. CVE-2017-2534: Samuel GroA and Niklas Baumstark working with Trend Micro's Zero Day Initiative Speech Framework Available for: macOS Sierra 10.12.4 Impact: An application may be able to escape its sandbox Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-6977: Samuel GroA and Niklas Baumstark working with Trend Micro's Zero Day Initiative SQLite Available for: macOS Sierra 10.12.4 Impact: A maliciously crafted SQL query may lead to arbitrary code execution Description: A use after free issue was addressed through improved memory management. CVE-2017-2513: found by OSS-Fuzz SQLite Available for: macOS Sierra 10.12.4 Impact: A maliciously crafted SQL query may lead to arbitrary code execution Description: A buffer overflow issue was addressed through improved memory handling. CVE-2017-2518: found by OSS-Fuzz CVE-2017-2520: found by OSS-Fuzz SQLite Available for: macOS Sierra 10.12.4 Impact: A maliciously crafted SQL query may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2519: found by OSS-Fuzz SQLite Available for: macOS Sierra 10.12.4 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2017-6983: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative CVE-2017-6991: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative TextInput Available for: macOS Sierra 10.12.4, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5 Impact: Parsing maliciously crafted data may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2524: Ian Beer of Google Project Zero WindowServer Available for: macOS Sierra 10.12.4, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5 Impact: An application may be able to gain system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2537: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative CVE-2017-2541: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative CVE-2017-2548: Team Sniper (Keen Lab and PC Mgr) working with Trend Micro's Zero Day Initiative WindowServer Available for: macOS Sierra 10.12.4, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5 Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2017-2540: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative Installation note: macOS 10.12.5 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://www.apple.com/support/downloads/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJZGdmLAAoJEIOj74w0bLRGU2cP/2EqdcJ943FWZZLD0q12RgWs K2leunn93aYhkoT8IL2AvZ22mDSs5EIbTPEFfyHlu9GDbSTfUSq3AWsuGVrN8qSW IRkv3herbpZEIU8pNKHVsJBWgQf+pVnAHvJ/uvRQ9ZcseSOPhnmPKSAlpjSi4R4A SzSEzYoW0QaJzSOGvMmbToIgB+s1IcUVBAwrM/MIIO8kmtKo7uCsxX1y9W1PC3kO 4RyW87YomoVHCBN8PC755pMwhgF3mCx/yXoYdHn1b0BN82CqIvKj8SkHu3AJB+Rf ZcEEVbVlEVJHwvYdvd18ugiOdLXbe8hAHmU7YrLj7srhLpob9MC/KdfKxpTjGolS F7ocgZ5UrP8bQeWW9o1I1bpe6HdANl6UWTBjYKTVs4MM9g2UQiiOz4FCH2Ogk4EA rX8aQ62gzTIZp5tjqVvypT1SEf5/VJkM+P+p+ckxtgRWYxv7NLY8kFuVO7IlAC+I VZRpWLUryLSMdype0z0KAhnu+PZS9Rx6vnCrlRU6QZu3OHWjcOu0eF7wmt5lTWhX t4goc89xPIqLgD042B21PTdHlW5umrvDuqNzOzgqUmPHKllSCdZamrN2R4R1rrUu FKS+y2EC2KW41uozZFblHYRHEwAAeXqNhJYqAQAF/E7Tu0wWZzCtNn1XsEOu54pq EYP8FFm3hsrGF6D9D4Sl =MYfD -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2017-2516 // JVNDB: JVNDB-2017-003838 // BID: 98483 // VULHUB: VHN-110719 // PACKETSTORM: 142506

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	eq	version:	10.12.4	Trust: 1.4
vendor:	apple	model:	mac os x	scope:	lte	version:	10.12.4	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.10.5	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	10.11.6	Trust: 0.8
vendor:	apple	model:	macos	scope:	eq	version:	10.12.4	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.12.3	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.12.2	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.12.1	Trust: 0.3
vendor:	apple	model:	macos	scope:	eq	version:	10.12	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.11.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.10.5	Trust: 0.3
vendor:	apple	model:	macos	scope:	ne	version:	10.12.5	Trust: 0.3

sources: BID: 98483 // JVNDB: JVNDB-2017-003838 // CNNVD: CNNVD-201705-1004 // NVD: CVE-2017-2516

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-2516
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-2516
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201705-1004
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-110719
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-2516
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-110719
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-2516
baseSeverity:	MEDIUM
baseScore:	5.0
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.3
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-110719 // JVNDB: JVNDB-2017-003838 // CNNVD: CNNVD-201705-1004 // NVD: CVE-2017-2516

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-284	Trust: 0.9

sources: VULHUB: VHN-110719 // JVNDB: JVNDB-2017-003838 // NVD: CVE-2017-2516

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201705-1004

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201705-1004

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003838

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-110719

PATCH

title:	Apple security updates	url:	https://support.apple.com/en-us/HT201222	Trust: 0.8
title:	HT207797	url:	https://support.apple.com/en-us/HT207797	Trust: 0.8
title:	HT207797	url:	https://support.apple.com/ja-jp/HT207797	Trust: 0.8
title:	Apple macOS Sierra Kernel Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70480	Trust: 0.6

sources: JVNDB: JVNDB-2017-003838 // CNNVD: CNNVD-201705-1004

EXTERNAL IDS

db:	NVD	id:	CVE-2017-2516	Trust: 2.9
db:	SECTRACK	id:	1038484	Trust: 1.7
db:	EXPLOIT-DB	id:	42047	Trust: 1.7
db:	JVN	id:	JVNVU98089541	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-003838	Trust: 0.8
db:	CNNVD	id:	CNNVD-201705-1004	Trust: 0.7
db:	BID	id:	98483	Trust: 0.3
db:	PACKETSTORM	id:	142629	Trust: 0.1
db:	SEEBUG	id:	SSVID-93161	Trust: 0.1
db:	VULHUB	id:	VHN-110719	Trust: 0.1
db:	PACKETSTORM	id:	142506	Trust: 0.1

sources: VULHUB: VHN-110719 // BID: 98483 // JVNDB: JVNDB-2017-003838 // PACKETSTORM: 142506 // CNNVD: CNNVD-201705-1004 // NVD: CVE-2017-2516

REFERENCES

url:	https://support.apple.com/ht207797	Trust: 1.7
url:	https://www.exploit-db.com/exploits/42047/	Trust: 1.7
url:	http://www.securitytracker.com/id/1038484	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2516	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2516	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu98089541/index.html	Trust: 0.8
url:	https://www.apple.com/	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2509	Trust: 0.1
url:	https://support.apple.com/kb/ht201222	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2542	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2548	Trust: 0.1
url:	https://gpgtools.org	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6978	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2502	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2545	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2520	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2519	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2543	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2535	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2507	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2533	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2494	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2546	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2518	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2537	Trust: 0.1
url:	https://www.apple.com/support/security/pgp/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2513	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2540	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6977	Trust: 0.1
url:	https://www.apple.com/support/downloads/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2527	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2534	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2512	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2524	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2501	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2541	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2503	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2497	Trust: 0.1

sources: VULHUB: VHN-110719 // BID: 98483 // JVNDB: JVNDB-2017-003838 // PACKETSTORM: 142506 // CNNVD: CNNVD-201705-1004 // NVD: CVE-2017-2516

CREDITS

Tim Cappalli of Aruba, Ian Beer of Google Project Zero, Samuel Gro? and Niklas Baumstark, Chaitin Security Research Lab, evi1m0 of YSRC, sss and Axis of 360Nirvan team, 360 Security, Jann Horn, Federico Bento of Faculty of Sciences, Richard Zhu, and Team

Trust: 0.3

sources: BID: 98483

SOURCES

db:	VULHUB	id:	VHN-110719
db:	BID	id:	98483
db:	JVNDB	id:	JVNDB-2017-003838
db:	PACKETSTORM	id:	142506
db:	CNNVD	id:	CNNVD-201705-1004
db:	NVD	id:	CVE-2017-2516

LAST UPDATE DATE

2025-04-20T21:24:52.002000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-110719	date:	2019-10-03T00:00:00
db:	BID	id:	98483	date:	2017-05-15T00:00:00
db:	JVNDB	id:	JVNDB-2017-003838	date:	2017-06-08T00:00:00
db:	CNNVD	id:	CNNVD-201705-1004	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-2516	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-110719	date:	2017-05-22T00:00:00
db:	BID	id:	98483	date:	2017-05-15T00:00:00
db:	JVNDB	id:	JVNDB-2017-003838	date:	2017-06-08T00:00:00
db:	PACKETSTORM	id:	142506	date:	2017-05-15T13:02:22
db:	CNNVD	id:	CNNVD-201705-1004	date:	2017-05-24T00:00:00
db:	NVD	id:	CVE-2017-2516	date:	2017-05-22T05:29:01.177