Sign-up

ID

VAR-201804-1173


CVE

CVE-2018-4175


TITLE

Apple macOS of LaunchServices Vulnerabilities that bypass code signing protection mechanisms in components

Trust: 0.8

sources: JVNDB: JVNDB-2018-003662

DESCRIPTION

An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "LaunchServices" component. It allows attackers to bypass the code-signing protection mechanism via a crafted app. Apple macOS is prone to multiple security vulnerabilities. Attackers can exploit these issues to obtain sensitive information, bypass security restrictions, execute arbitrary code, obtain elevated privileges and perform unauthorized action; this may aid in launching further attacks. Apple macOS High Sierra is a set of dedicated operating systems developed by Apple (Apple) for Mac computers. LaunchServices is one of the components that uses a running application to open other applications or documents

Trust: 1.98

sources: NVD: CVE-2018-4175 // JVNDB: JVNDB-2018-003662 // BID: 103582 // VULHUB: VHN-134206

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:ltversion:10.13.4

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.11.6

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.12.6

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.13.3

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.0.4

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.0

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1.0

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion: -

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.3

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.2

Trust: 0.6

vendor:applemodel:macosscope:eqversion:10.13.1

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13.3

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13.2

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.12.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.11.6

Trust: 0.3

vendor:applemodel:macosscope:neversion:10.13.4

Trust: 0.3

sources: BID: 103582 // JVNDB: JVNDB-2018-003662 // CNNVD: CNNVD-201804-139 // NVD: CVE-2018-4175

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-4175
value: HIGH

Trust: 1.0

NVD: CVE-2018-4175
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201804-139
value: MEDIUM

Trust: 0.6

VULHUB: VHN-134206
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-4175
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-134206
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-4175
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-134206 // JVNDB: JVNDB-2018-003662 // CNNVD: CNNVD-201804-139 // NVD: CVE-2018-4175

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-134206 // JVNDB: JVNDB-2018-003662 // NVD: CVE-2018-4175

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201804-139

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201804-139

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-003662

PATCH
title:HT208692url:https://support.apple.com/en-us/HT208692
Trust: 0.8
title:HT208692url:https://support.apple.com/ja-jp/HT208692
Trust: 0.8
title:Apple macOS High Sierra LaunchServices Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=82991
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-003662 // 
            
            
            
            CNNVD: CNNVD-201804-139

EXTERNAL IDS
db:NVDid:CVE-2018-4175
Trust: 2.8
db:BIDid:103582
Trust: 1.4
db:SECTRACKid:1040608
Trust: 1.1
db:JVNid:JVNVU92378299
Trust: 0.8
db:JVNDBid:JVNDB-2018-003662
Trust: 0.8
db:CNNVDid:CNNVD-201804-139
Trust: 0.6
db:VULHUBid:VHN-134206
Trust: 0.1
sources:
            
            
            VULHUB: VHN-134206 // 
            
            
            
            BID: 103582 // 
            
            
            
            JVNDB: JVNDB-2018-003662 // 
            
            
            
            CNNVD: CNNVD-201804-139 // 
            
            
            
            NVD: CVE-2018-4175

REFERENCES
url:https://support.apple.com/ht208692
Trust: 1.7
url:http://www.securityfocus.com/bid/103582
Trust: 1.1
url:http://www.securitytracker.com/id/1040608
Trust: 1.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4175
Trust: 0.8
url:http://jvn.jp/vu/jvnvu92378299/index.html
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-4175
Trust: 0.8
url:https://www.apple.com/
Trust: 0.3
url:https://support.apple.com/en-ie/ht208692
Trust: 0.3
sources:
            
            
            VULHUB: VHN-134206 // 
            
            
            
            BID: 103582 // 
            
            
            
            JVNDB: JVNDB-2018-003662 // 
            
            
            
            CNNVD: CNNVD-201804-139 // 
            
            
            
            NVD: CVE-2018-4175

CREDITS
David J Beitey (@davidjb_), Geoffrey Bugniot, Simon Hosie, an anonymous researcher, Kamatham Chaitanya of ShiftLeft Inc., Haik Aftandilian of Mozilla, Axis and pjf of IceSword Lab of Qihoo 360, Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc., Jonas Jens
Trust: 0.3
sources:
            
            
            BID: 103582

SOURCES
db:VULHUBid:VHN-134206
db:BIDid:103582
db:JVNDBid:JVNDB-2018-003662
db:CNNVDid:CNNVD-201804-139
db:NVDid:CVE-2018-4175

LAST UPDATE DATE
2024-11-23T19:27:46.460000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-134206date:2018-05-04T00:00:00
db:BIDid:103582date:2018-03-29T00:00:00
db:JVNDBid:JVNDB-2018-003662date:2018-05-31T00:00:00
db:CNNVDid:CNNVD-201804-139date:2018-04-09T00:00:00
db:NVDid:CVE-2018-4175date:2024-11-21T04:06:54.637

SOURCES RELEASE DATE
db:VULHUBid:VHN-134206date:2018-04-03T00:00:00
db:BIDid:103582date:2018-03-29T00:00:00
db:JVNDBid:JVNDB-2018-003662date:2018-05-31T00:00:00
db:CNNVDid:CNNVD-201804-139date:2018-04-03T00:00:00
db:NVDid:CVE-2018-4175date:2018-04-03T06:29:08.093