ID

VAR-201710-1347


CVE

CVE-2017-7147


TITLE

Vulnerability in the Analytics component of Apple Support for iOS that allows sensitive analytics information to be obtained

Trust: 0.8

sources: JVNDB: JVNDB-2017-009303

DESCRIPTION

An issue was discovered in certain Apple products. The Apple Support app before 1.2 for iOS is affected. The issue involves the "Analytics" component. It allows remote attackers to obtain sensitive analytics information by leveraging its presence in a cleartext HTTP transmission to an Adobe Marketing Cloud server operated for Apple, as demonstrated by information about the installation date and time.

An attacker can exploit this issue to perform man-in-the-middle attacks to obtain sensitive information, and perform unauthorized actions. Successful exploits will lead to other attacks. This vulnerability could be exploited remotely to obtain sensitive analytics information.

Find answers with articles tailored to your products and questions. Call, chat or email with an expert right away, or schedule a callback when it's convenient. Get a repair at an Apple Store or a nearby Apple Authorized Service Provider. Apple Support is here to help." (https://itunes.apple.com/us/app/apple-support/id1130498044)

Issue
The Apple Support iOS application (version 1.1.1 and below) sends potentially sensitive information such as mobile carrier, install date and time, number of app launches, device model, iOS version and screen resolution, unencrypted to a third party site (Adobe Marketing Cloud).

Impact
An attacker who can monitor network traffic could capture potentially sensitive information about the iOS device without the user's knowledge.

Timeline
June 16, 2017 - Notified Apple via product-security@apple.com
June 16, 2017 - Apple sent an auto acknowledgment
June 16, 2017 - Apple responded stating that they are investigating
July 10, 2017 - Asked for a status update
July 10, 2017 - Apple responded stating that they are still investigating
August 21, 2017 - Asked for a status update
August 21, 2017 - Apple responded stating that they are still investigating
August 30, 2017 - Apple released version 1.2 which sends the analytics data over an encrypted connection
October 17, 2017 - Apple published a security advisory to document the issue

Solution
Upgrade to version 1.2 or later
https://support.apple.com/en-ca/HT208201
https://support.apple.com/en-us/HT201222

CVE-ID: CVE-2017-7147

Trust: 2.07

sources: NVD: CVE-2017-7147 // JVNDB: JVNDB-2017-009303 // BID: 101533 // VULHUB: VHN-115350 // PACKETSTORM: 144724

AFFECTED PRODUCTS

vendor: apple | model: support | scope: lte | version: 1.1.1

Trust: 1.0

vendor: apple | model: support | scope: eq | version: 1.1.1

Trust: 0.9

vendor: apple | model: support | scope: lt | version: 1.2 (ios 9.0 or later)

Trust: 0.8

vendor: apple | model: support | scope: eq | version: 1.0

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 10.0.1

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 9.3.4

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 9.3.3

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 9.3.2

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 9.3.1

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 9.2.1

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 9.0.2

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 9.0.1

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 9.3.5

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 9.3

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 9

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 11

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 10.3.3

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 10.3

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 10.2

Trust: 0.3

vendor: apple | model: ios | scope: eq | version: 10

Trust: 0.3

vendor: apple | model: support | scope: ne | version: 1.2

Trust: 0.3

sources: BID: 101533 // JVNDB: JVNDB-2017-009303 // CNNVD: CNNVD-201703-927 // NVD: CVE-2017-7147

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-7147
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-7147
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201703-927
value: MEDIUM

Trust: 0.6

VULHUB: VHN-115350
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-7147
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-115350
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-7147
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-115350 // JVNDB: JVNDB-2017-009303 // CNNVD: CNNVD-201703-927 // NVD: CVE-2017-7147

PROBLEMTYPE DATA

problemtype:CWE-319

Trust: 1.1

problemtype:CWE-200

Trust: 0.9

sources: VULHUB: VHN-115350 // JVNDB: JVNDB-2017-009303 // NVD: CVE-2017-7147

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-927

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201703-927

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009303

PATCH

title: Apple security updates | url: https://support.apple.com/en-us/HT201222

Trust: 0.8

title: HT208201 | url: https://support.apple.com/en-us/HT208201

Trust: 0.8

title: HT208201 | url: https://support.apple.com/ja-jp/HT208201

Trust: 0.8

title: Apple Support Analytics Security vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99689

Trust: 0.6

sources: JVNDB: JVNDB-2017-009303 // CNNVD: CNNVD-201703-927

EXTERNAL IDS

db: NVD | id: CVE-2017-7147

Trust: 2.9

db: BID | id: 101533

Trust: 2.0

db: JVNDB | id: JVNDB-2017-009303

Trust: 0.8

db: CNNVD | id: CNNVD-201703-927

Trust: 0.7

db: PACKETSTORM | id: 144724

Trust: 0.2

db: VULHUB | id: VHN-115350

Trust: 0.1

sources: VULHUB: VHN-115350 // BID: 101533 // JVNDB: JVNDB-2017-009303 // PACKETSTORM: 144724 // CNNVD: CNNVD-201703-927 // NVD: CVE-2017-7147

REFERENCES

url:https://www.info-sec.ca/advisories/apple-support.html

Trust: 2.0

url:http://www.securityfocus.com/bid/101533

Trust: 1.7

url:https://support.apple.com/ht208201

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2017-7147

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7147

Trust: 0.8

url:https://www.apple.com/

Trust: 0.3

url:https://support.apple.com/en-in/ht208201

Trust: 0.3

url:https://support.apple.com/en-ca/ht208201

Trust: 0.1

url:https://support.apple.com/en-us/ht201222

Trust: 0.1

url:https://itunes.apple.com/us/app/apple-support/id1130498044

Trust: 0.1

sources: VULHUB: VHN-115350 // BID: 101533 // JVNDB: JVNDB-2017-009303 // PACKETSTORM: 144724 // CNNVD: CNNVD-201703-927 // NVD: CVE-2017-7147

CREDITS

David Coomber of Info-Sec.CA

Trust: 0.3

sources: BID: 101533

SOURCES

db: VULHUB | id: VHN-115350
db: BID | id: 101533
db: JVNDB | id: JVNDB-2017-009303
db: PACKETSTORM | id: 144724
db: CNNVD | id: CNNVD-201703-927
db: NVD | id: CVE-2017-7147

LAST UPDATE DATE

2025-04-20T23:15:52.627000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-115350 | date: 2019-10-03T00:00:00
db: BID | id: 101533 | date: 2017-10-17T00:00:00
db: JVNDB | id: JVNDB-2017-009303 | date: 2017-11-08T00:00:00
db: CNNVD | id: CNNVD-201703-927 | date: 2019-10-23T00:00:00
db: NVD | id: CVE-2017-7147 | date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB | id: VHN-115350 | date: 2017-10-23T00:00:00
db: BID | id: 101533 | date: 2017-10-17T00:00:00
db: JVNDB | id: JVNDB-2017-009303 | date: 2017-11-08T00:00:00
db: PACKETSTORM | id: 144724 | date: 2017-10-24T12:11:11
db: CNNVD | id: CNNVD-201703-927 | date: 2017-03-22T00:00:00
db: NVD | id: CVE-2017-7147 | date: 2017-10-23T01:29:14.080