Sign-up

ID

VAR-201804-1174


CVE

CVE-2018-4176


TITLE

Apple macOS Vulnerabilities that could trigger application launch in disk image component

Trust: 0.8

sources: JVNDB: JVNDB-2018-003663

DESCRIPTION

An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Disk Images" component. It allows attackers to trigger an app launch upon mounting a crafted disk image. Apple macOS is prone to multiple security vulnerabilities. Attackers can exploit these issues to obtain sensitive information, bypass security restrictions, execute arbitrary code, obtain elevated privileges and perform unauthorized action; this may aid in launching further attacks. Apple macOS High Sierra is a set of dedicated operating systems developed by Apple (Apple) for Mac computers

Trust: 1.98

sources: NVD: CVE-2018-4176 // JVNDB: JVNDB-2018-003663 // BID: 103582 // VULHUB: VHN-134207

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:ltversion:10.13.4

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.11.6

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.12.6

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.13.3

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.0.4

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.0

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1.0

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion: -

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.3

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.2

Trust: 0.6

vendor:applemodel:macosscope:eqversion:10.13.1

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13.3

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13.2

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.13

Trust: 0.3

vendor:applemodel:macosscope:eqversion:10.12.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.11.6

Trust: 0.3

vendor:applemodel:macosscope:neversion:10.13.4

Trust: 0.3

sources: BID: 103582 // JVNDB: JVNDB-2018-003663 // CNNVD: CNNVD-201804-138 // NVD: CVE-2018-4176

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-4176
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-4176
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201804-138
value: MEDIUM

Trust: 0.6

VULHUB: VHN-134207
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-4176
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-134207
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-4176
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-134207 // JVNDB: JVNDB-2018-003663 // CNNVD: CNNVD-201804-138 // NVD: CVE-2018-4176

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-134207 // JVNDB: JVNDB-2018-003663 // NVD: CVE-2018-4176

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201804-138

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201804-138

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-003663

PATCH
title:HT208692url:https://support.apple.com/en-us/HT208692
Trust: 0.8
title:HT208692url:https://support.apple.com/ja-jp/HT208692
Trust: 0.8
title:Apple macOS High Sierra Disk Images Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=82990
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-003663 // 
            
            
            
            CNNVD: CNNVD-201804-138

EXTERNAL IDS
db:NVDid:CVE-2018-4176
Trust: 2.8
db:BIDid:103582
Trust: 1.4
db:SECTRACKid:1040608
Trust: 1.1
db:JVNid:JVNVU92378299
Trust: 0.8
db:JVNDBid:JVNDB-2018-003663
Trust: 0.8
db:CNNVDid:CNNVD-201804-138
Trust: 0.7
db:VULHUBid:VHN-134207
Trust: 0.1
sources:
            
            
            VULHUB: VHN-134207 // 
            
            
            
            BID: 103582 // 
            
            
            
            JVNDB: JVNDB-2018-003663 // 
            
            
            
            CNNVD: CNNVD-201804-138 // 
            
            
            
            NVD: CVE-2018-4176

REFERENCES
url:https://support.apple.com/ht208692
Trust: 1.7
url:http://www.securityfocus.com/bid/103582
Trust: 1.1
url:http://www.securitytracker.com/id/1040608
Trust: 1.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4176
Trust: 0.8
url:http://jvn.jp/vu/jvnvu92378299/index.html
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-4176
Trust: 0.8
url:https://www.apple.com/
Trust: 0.3
url:https://support.apple.com/en-ie/ht208692
Trust: 0.3
sources:
            
            
            VULHUB: VHN-134207 // 
            
            
            
            BID: 103582 // 
            
            
            
            JVNDB: JVNDB-2018-003663 // 
            
            
            
            CNNVD: CNNVD-201804-138 // 
            
            
            
            NVD: CVE-2018-4176

CREDITS
David J Beitey (@davidjb_), Geoffrey Bugniot, Simon Hosie, an anonymous researcher, Kamatham Chaitanya of ShiftLeft Inc., Haik Aftandilian of Mozilla, Axis and pjf of IceSword Lab of Qihoo 360, Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc., Jonas Jens
Trust: 0.3
sources:
            
            
            BID: 103582

SOURCES
db:VULHUBid:VHN-134207
db:BIDid:103582
db:JVNDBid:JVNDB-2018-003663
db:CNNVDid:CNNVD-201804-138
db:NVDid:CVE-2018-4176

LAST UPDATE DATE
2024-11-23T20:48:02.680000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-134207date:2018-05-04T00:00:00
db:BIDid:103582date:2018-03-29T00:00:00
db:JVNDBid:JVNDB-2018-003663date:2018-05-31T00:00:00
db:CNNVDid:CNNVD-201804-138date:2018-04-09T00:00:00
db:NVDid:CVE-2018-4176date:2024-11-21T04:06:54.747

SOURCES RELEASE DATE
db:VULHUBid:VHN-134207date:2018-04-03T00:00:00
db:BIDid:103582date:2018-03-29T00:00:00
db:JVNDBid:JVNDB-2018-003663date:2018-05-31T00:00:00
db:CNNVDid:CNNVD-201804-138date:2018-04-03T00:00:00
db:NVDid:CVE-2018-4176date:2018-04-03T06:29:08.140