Details of VAR-201904-1377

ID

VAR-201904-1377

CVE

CVE-2018-4417

TITLE

plural Apple Updates to product vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2018-008908

DESCRIPTION

A validation issue was addressed with improved input sanitization. This issue affected versions prior to macOS Mojave 10.14. Apple Has released an update for each product.The expected impact depends on each vulnerability, but can be affected as follows: Detail is Apple See the information provided by. * HTTP Through the client AFP Server attack * Arbitrary code execution * information leak * Buffer overflow * Privilege escalation * Service operation interruption (DoS) * File system tampering * UI Spoofing * Limit avoidance * Cross-site scripting * Address bar impersonation. This vulnerability allows local attackers to disclose sensitive information on vulnerable installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the handling of log entries. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the kernel. Apple macOS High Sierra is a set of dedicated operating systems developed by Apple (Apple) for Mac computers. AppleGraphicsControl is one of the integrated graphics drivers. A security vulnerability exists in the AppleGraphicsControl component in Apple macOS High Sierra version 10.13.6. An attacker could exploit this vulnerability with an application to read restricted memory

Trust: 3.87

sources: NVD: CVE-2018-4417 // JVNDB: JVNDB-2018-008908 // JVNDB: JVNDB-2018-014895 // JVNDB: JVNDB-2018-007762 // ZDI: ZDI-18-1322 // VULHUB: VHN-134448 // VULMON: CVE-2018-4417

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	lt	version:	10.14	Trust: 1.8
vendor:	apple	model:	icloud	scope:	lt	version:	for windows 7.8 earlier	Trust: 0.8
vendor:	apple	model:	ios	scope:	lt	version:	12.1 earlier	Trust: 0.8
vendor:	apple	model:	itunes	scope:	lt	version:	12.9.1 earlier	Trust: 0.8
vendor:	apple	model:	macos high sierra	scope:	eq	version:	(security update 2018-001 not applied )	Trust: 0.8
vendor:	apple	model:	macos mojave	scope:	lt	version:	10.14.1 earlier	Trust: 0.8
vendor:	apple	model:	macos sierra	scope:	eq	version:	(security update 2018-005 not applied )	Trust: 0.8
vendor:	apple	model:	safari	scope:	lt	version:	12.0.1 earlier	Trust: 0.8
vendor:	apple	model:	tvos	scope:	lt	version:	12.1 earlier	Trust: 0.8
vendor:	apple	model:	watchos	scope:	lt	version:	5.1 earlier	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	10.13.6	Trust: 0.8
vendor:	apple	model:	macos mojave	scope:	lt	version:	10.14 earlier	Trust: 0.8
vendor:	apple	model:	macos	scope:	-	version:	-	Trust: 0.7

sources: ZDI: ZDI-18-1322 // JVNDB: JVNDB-2018-008908 // JVNDB: JVNDB-2018-014895 // JVNDB: JVNDB-2018-007762 // NVD: CVE-2018-4417

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-4417
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-4417
value:	MEDIUM
Trust: 0.8
ZDI:	CVE-2018-4417
value:	MEDIUM
Trust: 0.7
CNNVD:	CNNVD-201810-1519
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-134448
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2018-4417
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-4417
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
ZDI:	CVE-2018-4417
severity:	MEDIUM
baseScore:	4.7
vectorString:	AV:L/AC:M/AU:N/C:C/I:N/A:N
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.4
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.7
VULHUB:	VHN-134448
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-4417
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: ZDI: ZDI-18-1322 // VULHUB: VHN-134448 // VULMON: CVE-2018-4417 // JVNDB: JVNDB-2018-014895 // CNNVD: CNNVD-201810-1519 // NVD: CVE-2018-4417

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-134448 // JVNDB: JVNDB-2018-014895 // NVD: CVE-2018-4417

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201810-1519

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201810-1519

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008908

PATCH

title:	About the security content of macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, Security Update 2018-005 Sierra	url:	https://support.apple.com/en-us/HT209193	Trust: 1.6
title:	HT209139	url:	https://support.apple.com/en-us/HT209139	Trust: 1.6
title:	About the security content of iTunes 12.9.1	url:	https://support.apple.com/en-us/HT209197	Trust: 0.8
title:	About the security content of iCloud for Windows 7.8	url:	https://support.apple.com/en-us/HT209198	Trust: 0.8
title:	About the security content of Safari 12.0.1	url:	https://support.apple.com/en-us/HT209196	Trust: 0.8
title:	About the security content of tvOS 12.1	url:	https://support.apple.com/en-us/HT209194	Trust: 0.8
title:	About the security content of iOS 12.1	url:	https://support.apple.com/en-us/HT209192	Trust: 0.8
title:	About the security content of watchOS 5.1	url:	https://support.apple.com/en-us/HT209195	Trust: 0.8
title:	HT209139	url:	https://support.apple.com/ja-jp/HT209139	Trust: 0.8
title:	HT209193	url:	https://support.apple.com/ja-jp/HT209193	Trust: 0.8
title:	Apple has issued an update to correct this vulnerability.	url:	https://support.apple.com/kb/HT201222	Trust: 0.7
title:	Apple macOS High Sierra AppleGraphicsControl Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86497	Trust: 0.6

sources: ZDI: ZDI-18-1322 // JVNDB: JVNDB-2018-008908 // JVNDB: JVNDB-2018-014895 // JVNDB: JVNDB-2018-007762 // CNNVD: CNNVD-201810-1519

EXTERNAL IDS

db:	NVD	id:	CVE-2018-4417	Trust: 3.3
db:	JVN	id:	JVNVU96365720	Trust: 1.6
db:	JVN	id:	JVNVU99356481	Trust: 1.6
db:	JVNDB	id:	JVNDB-2018-008908	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-014895	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-007762	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-6149	Trust: 0.7
db:	ZDI	id:	ZDI-18-1322	Trust: 0.7
db:	CNNVD	id:	CNNVD-201810-1519	Trust: 0.7
db:	VULHUB	id:	VHN-134448	Trust: 0.1
db:	VULMON	id:	CVE-2018-4417	Trust: 0.1

sources: ZDI: ZDI-18-1322 // VULHUB: VHN-134448 // VULMON: CVE-2018-4417 // JVNDB: JVNDB-2018-008908 // JVNDB: JVNDB-2018-014895 // JVNDB: JVNDB-2018-007762 // CNNVD: CNNVD-201810-1519 // NVD: CVE-2018-4417

REFERENCES

url:	https://support.apple.com/kb/ht209139	Trust: 1.8
url:	https://support.apple.com/kb/ht209193	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-4417	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu96365720/	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4417	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu99356481/index.html	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu96365720/index.html	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu99356481/	Trust: 0.8
url:	https://support.apple.com/kb/ht201222	Trust: 0.7
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	http://seclists.org/fulldisclosure/2018/nov/16	Trust: 0.1

CREDITS

Lee of the Information Security Lab Yonsei University.

Trust: 0.7

sources: ZDI: ZDI-18-1322

SOURCES

db:	ZDI	id:	ZDI-18-1322
db:	VULHUB	id:	VHN-134448
db:	VULMON	id:	CVE-2018-4417
db:	JVNDB	id:	JVNDB-2018-008908
db:	JVNDB	id:	JVNDB-2018-014895
db:	JVNDB	id:	JVNDB-2018-007762
db:	CNNVD	id:	CNNVD-201810-1519
db:	NVD	id:	CVE-2018-4417

LAST UPDATE DATE

2024-11-23T21:01:12.962000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-18-1322	date:	2018-10-30T00:00:00
db:	VULHUB	id:	VHN-134448	date:	2019-04-05T00:00:00
db:	VULMON	id:	CVE-2018-4417	date:	2019-04-05T00:00:00
db:	JVNDB	id:	JVNDB-2018-008908	date:	2018-11-01T00:00:00
db:	JVNDB	id:	JVNDB-2018-014895	date:	2019-04-17T00:00:00
db:	JVNDB	id:	JVNDB-2018-007762	date:	2018-09-26T00:00:00
db:	CNNVD	id:	CNNVD-201810-1519	date:	2019-04-09T00:00:00
db:	NVD	id:	CVE-2018-4417	date:	2024-11-21T04:07:22.420

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-18-1322	date:	2018-10-30T00:00:00
db:	VULHUB	id:	VHN-134448	date:	2019-04-03T00:00:00
db:	VULMON	id:	CVE-2018-4417	date:	2019-04-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-008908	date:	2018-11-01T00:00:00
db:	JVNDB	id:	JVNDB-2018-014895	date:	2019-04-17T00:00:00
db:	JVNDB	id:	JVNDB-2018-007762	date:	2018-09-26T00:00:00
db:	CNNVD	id:	CNNVD-201810-1519	date:	2018-10-31T00:00:00
db:	NVD	id:	CVE-2018-4417	date:	2019-04-03T18:29:14.643