Sign-up

ID

VAR-201804-1154


CVE

CVE-2018-4152


TITLE

Apple macOS Memo component vulnerable to arbitrary code execution in privileged context

Trust: 0.8

sources: JVNDB: JVNDB-2018-003716

DESCRIPTION

An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Notes" component. A race condition allows attackers to execute arbitrary code in a privileged context via a crafted app. Apple macOS is prone to multiple security vulnerabilities. Attackers can exploit these issues to obtain sensitive information, bypass security restrictions, execute arbitrary code, obtain elevated privileges and perform unauthorized action; this may aid in launching further attacks. Apple macOS High Sierra is a set of dedicated operating systems developed by Apple (Apple) for Mac computers. A race condition vulnerability exists in the Notes component of Apple macOS High Sierra prior to 10.13.4

Trust: 1.98

sources: NVD: CVE-2018-4152 // JVNDB: JVNDB-2018-003716 // BID: 103582 // VULHUB: VHN-134183

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:ltversion:10.13.4

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.13.3

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.13.0

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.12.6

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.11.4

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.12.2

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.12.3

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.12.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.12.0

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.11.6

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.12.5

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.12.4

Trust: 0.6

vendor:applemodel:macosscope:eqversion:10.13.1

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13.3

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13.2

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.12.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.11.6

Trust: 0.3

vendor:applemodel:macosscope:neversion:10.13.4

Trust: 0.3

sources: BID: 103582 // JVNDB: JVNDB-2018-003716 // CNNVD: CNNVD-201804-157 // NVD: CVE-2018-4152

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-4152
value: HIGH

Trust: 1.0

NVD: CVE-2018-4152
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201804-157
value: HIGH

Trust: 0.6

VULHUB: VHN-134183
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-4152
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-134183
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-4152
baseSeverity: HIGH
baseScore: 7.0
vectorString: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-134183 // JVNDB: JVNDB-2018-003716 // CNNVD: CNNVD-201804-157 // NVD: CVE-2018-4152

PROBLEMTYPE DATA

problemtype:CWE-362

Trust: 1.9

problemtype:CWE-264

Trust: 0.9

sources: VULHUB: VHN-134183 // JVNDB: JVNDB-2018-003716 // NVD: CVE-2018-4152

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201804-157

TYPE

competition condition problem

Trust: 0.6

sources: CNNVD: CNNVD-201804-157

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-003716

PATCH
title:HT208692url:https://support.apple.com/en-us/HT208692
Trust: 0.8
title:HT208692url:https://support.apple.com/ja-jp/HT208692
Trust: 0.8
title:Apple macOS High Sierra Notes Repair measures for competitive conditionsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83009
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-003716 // 
            
            
            
            CNNVD: CNNVD-201804-157

EXTERNAL IDS
db:NVDid:CVE-2018-4152
Trust: 2.8
db:BIDid:103582
Trust: 2.0
db:SECTRACKid:1040608
Trust: 1.7
db:JVNid:JVNVU92378299
Trust: 0.8
db:JVNDBid:JVNDB-2018-003716
Trust: 0.8
db:CNNVDid:CNNVD-201804-157
Trust: 0.6
db:VULHUBid:VHN-134183
Trust: 0.1
sources:
            
            
            VULHUB: VHN-134183 // 
            
            
            
            BID: 103582 // 
            
            
            
            JVNDB: JVNDB-2018-003716 // 
            
            
            
            CNNVD: CNNVD-201804-157 // 
            
            
            
            NVD: CVE-2018-4152

REFERENCES
url:http://www.securityfocus.com/bid/103582
Trust: 1.7
url:https://support.apple.com/ht208692
Trust: 1.7
url:http://www.securitytracker.com/id/1040608
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4152
Trust: 0.8
url:http://jvn.jp/vu/jvnvu92378299/index.html
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-4152
Trust: 0.8
url:https://www.apple.com/
Trust: 0.3
url:https://support.apple.com/en-ie/ht208692
Trust: 0.3
sources:
            
            
            VULHUB: VHN-134183 // 
            
            
            
            BID: 103582 // 
            
            
            
            JVNDB: JVNDB-2018-003716 // 
            
            
            
            CNNVD: CNNVD-201804-157 // 
            
            
            
            NVD: CVE-2018-4152

CREDITS
David J Beitey (@davidjb_), Geoffrey Bugniot, Simon Hosie, an anonymous researcher, Kamatham Chaitanya of ShiftLeft Inc., Haik Aftandilian of Mozilla, Axis and pjf of IceSword Lab of Qihoo 360, Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc., Jonas Jens
Trust: 0.3
sources:
            
            
            BID: 103582

SOURCES
db:VULHUBid:VHN-134183
db:BIDid:103582
db:JVNDBid:JVNDB-2018-003716
db:CNNVDid:CNNVD-201804-157
db:NVDid:CVE-2018-4152

LAST UPDATE DATE
2024-11-23T19:30:21.104000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-134183date:2019-10-03T00:00:00
db:BIDid:103582date:2018-03-29T00:00:00
db:JVNDBid:JVNDB-2018-003716date:2018-06-01T00:00:00
db:CNNVDid:CNNVD-201804-157date:2019-10-23T00:00:00
db:NVDid:CVE-2018-4152date:2024-11-21T04:06:51.987

SOURCES RELEASE DATE
db:VULHUBid:VHN-134183date:2018-04-03T00:00:00
db:BIDid:103582date:2018-03-29T00:00:00
db:JVNDBid:JVNDB-2018-003716date:2018-06-01T00:00:00
db:CNNVDid:CNNVD-201804-157date:2018-04-03T00:00:00
db:NVDid:CVE-2018-4152date:2018-04-03T06:29:06.967