Sign-up

ID

VAR-201804-1169


CVE

CVE-2018-4170


TITLE

Apple macOS of Admin Framework Component password retrieval vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-003659

DESCRIPTION

An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Admin Framework" component. It allows local users to discover a password by listing a process and its arguments during sysadminctl execution. Apple macOS is prone to multiple security vulnerabilities. Attackers can exploit these issues to obtain sensitive information, bypass security restrictions, execute arbitrary code, obtain elevated privileges and perform unauthorized action; this may aid in launching further attacks. Apple macOS High Sierra is a set of dedicated operating systems developed by Apple (Apple) for Mac computers. The vulnerability stems from the fact that the program requires passwords to be passed through parameters

Trust: 1.98

sources: NVD: CVE-2018-4170 // JVNDB: JVNDB-2018-003659 // BID: 103582 // VULHUB: VHN-134201

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:ltversion:10.13.4

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.13.3

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.0.4

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.0

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1.0

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion: -

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.3

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.2

Trust: 0.6

vendor:applemodel:macosscope:eqversion:10.13.1

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13.3

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13.2

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.12.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.11.6

Trust: 0.3

vendor:applemodel:macosscope:neversion:10.13.4

Trust: 0.3

sources: BID: 103582 // JVNDB: JVNDB-2018-003659 // CNNVD: CNNVD-201804-142 // NVD: CVE-2018-4170

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-4170
value: HIGH

Trust: 1.0

NVD: CVE-2018-4170
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201804-142
value: HIGH

Trust: 0.6

VULHUB: VHN-134201
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-4170
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-134201
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-4170
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-134201 // JVNDB: JVNDB-2018-003659 // CNNVD: CNNVD-201804-142 // NVD: CVE-2018-4170

PROBLEMTYPE DATA

problemtype:CWE-522

Trust: 1.1

problemtype:CWE-255

Trust: 0.9

sources: VULHUB: VHN-134201 // JVNDB: JVNDB-2018-003659 // NVD: CVE-2018-4170

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201804-142

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201804-142

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-003659

PATCH
title:HT208692url:https://support.apple.com/en-us/HT208692
Trust: 0.8
title:HT208692url:https://support.apple.com/ja-jp/HT208692
Trust: 0.8
title:Apple macOS High Sierra Admin Framework Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=82994
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-003659 // 
            
            
            
            CNNVD: CNNVD-201804-142

EXTERNAL IDS
db:NVDid:CVE-2018-4170
Trust: 2.8
db:BIDid:103582
Trust: 2.0
db:SECTRACKid:1040608
Trust: 1.7
db:JVNid:JVNVU92378299
Trust: 0.8
db:JVNDBid:JVNDB-2018-003659
Trust: 0.8
db:CNNVDid:CNNVD-201804-142
Trust: 0.6
db:VULHUBid:VHN-134201
Trust: 0.1
sources:
            
            
            VULHUB: VHN-134201 // 
            
            
            
            BID: 103582 // 
            
            
            
            JVNDB: JVNDB-2018-003659 // 
            
            
            
            CNNVD: CNNVD-201804-142 // 
            
            
            
            NVD: CVE-2018-4170

REFERENCES
url:http://www.securityfocus.com/bid/103582
Trust: 1.7
url:https://support.apple.com/ht208692
Trust: 1.7
url:http://www.securitytracker.com/id/1040608
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4170
Trust: 0.8
url:http://jvn.jp/vu/jvnvu92378299/index.html
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-4170
Trust: 0.8
url:https://www.apple.com/
Trust: 0.3
url:https://support.apple.com/en-ie/ht208692
Trust: 0.3
sources:
            
            
            VULHUB: VHN-134201 // 
            
            
            
            BID: 103582 // 
            
            
            
            JVNDB: JVNDB-2018-003659 // 
            
            
            
            CNNVD: CNNVD-201804-142 // 
            
            
            
            NVD: CVE-2018-4170

CREDITS
David J Beitey (@davidjb_), Geoffrey Bugniot, Simon Hosie, an anonymous researcher, Kamatham Chaitanya of ShiftLeft Inc., Haik Aftandilian of Mozilla, Axis and pjf of IceSword Lab of Qihoo 360, Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc., Jonas Jens
Trust: 0.3
sources:
            
            
            BID: 103582

SOURCES
db:VULHUBid:VHN-134201
db:BIDid:103582
db:JVNDBid:JVNDB-2018-003659
db:CNNVDid:CNNVD-201804-142
db:NVDid:CVE-2018-4170

LAST UPDATE DATE
2024-11-23T21:06:52.429000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-134201date:2019-10-03T00:00:00
db:BIDid:103582date:2018-03-29T00:00:00
db:JVNDBid:JVNDB-2018-003659date:2018-05-31T00:00:00
db:CNNVDid:CNNVD-201804-142date:2019-10-23T00:00:00
db:NVDid:CVE-2018-4170date:2024-11-21T04:06:54.087

SOURCES RELEASE DATE
db:VULHUBid:VHN-134201date:2018-04-03T00:00:00
db:BIDid:103582date:2018-03-29T00:00:00
db:JVNDBid:JVNDB-2018-003659date:2018-05-31T00:00:00
db:CNNVDid:CNNVD-201804-142date:2018-04-03T00:00:00
db:NVDid:CVE-2018-4170date:2018-04-03T06:29:07.920