VARIoT IoT vulnerabilities database

VAR-201806-0941 CVE-2018-11714 TP-Link TL-WR840N and TL-WR841N session fixation vulnerability
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n and TL-WR841N v13 00000013 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n devices. This issue is caused by improper session handling on the /cgi/ folder or a /cgi file. If an attacker sends a header of "Referer: http://192.168.0.1/mainFrame.htm" then no authentication is required for any action. TP-Link TL-WR840N and TL-WR841N contain a session fixation vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). The TP-Link TL-WR840N and TL-WR841N are wireless routers from TP-LINK (China). A security vulnerability exists in the TP-Link TL-WR840N and TL-WR841N because the program fails to handle sessions correctly. An attacker could exploit this vulnerability to perform arbitrary operations.
VAR-201806-0922 CVE-2018-11692 Multiple Canon products contain authentication vulnerabilities
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on Canon LBP6650, LBP3370, LBP3460, and LBP7750C devices. It is possible to bypass the Administrator Mode authentication for /tlogin.cgi via vectors involving frame.cgi?page=DevStatus. NOTE: the vendor reportedly responded that this issue occurs when a customer keeps the default settings without using the countermeasures and best practices shown in the documentation. ** Unsettled ** This case has not been confirmed as a vulnerability. Multiple Canon products contain authentication vulnerabilities. The vendor has disputed this vulnerability; for details, see the Current Description in NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-11692. Information may be obtained or altered, and service operation may be disrupted (DoS). Canon LBP6650 and the other affected models are printers produced by Canon (Japan).
VAR-201810-0487 CVE-2018-17900 Multiple vulnerabilities in STARDOM controllers
CVSS V2: 7.5
CVSS V3: 5.3
Severity: HIGH
Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, all versions R4.10 and prior: the web application improperly protects credentials, which could allow an attacker to obtain credentials for remote access to controllers. STARDOM controllers provided by Yokogawa Electric Corporation contain multiple vulnerabilities. STARDOM is a PLC-based instrumentation system for small and medium-sized plants provided by Yokogawa Electric Corporation. The STARDOM controllers contain the following vulnerabilities:
* Hard-coded account ID and password (CWE-798) - CVE-2018-10592
* Information leak (CWE-200) - CVE-2018-17900
* Denial of service (DoS) against the remote management functions (CWE-119) - CVE-2018-17902
* Hard-coded authentication information for the maintenance functions (CWE-798) - CVE-2018-17896
* Denial of service (DoS) against the controller's HTTP service (CWE-119) - CVE-2018-17898
The expected impact depends on each vulnerability, but may include the following:
* A remote attacker may log in to the controller and execute arbitrary commands - CVE-2018-10592
* A remote third party may obtain the authentication information used to access the controller's remote management function - CVE-2018-17900
* A remote third party may cause a denial of service (DoS) against the controller's remote management function - CVE-2018-17902
* A remote attacker may log in to the controller's maintenance function, obtain information and tamper with it - CVE-2018-17896
* A remote third party may cause a denial of service (DoS) against the HTTP service - CVE-2018-17898
Yokogawa STARDOM Controllers FCJ and the other affected models are controllers used in network-based control systems from Yokogawa Electric Corporation (Japan). A security vulnerability exists in several Yokogawa products because the web application does not adequately protect credentials.
The following products and versions are affected: Yokogawa STARDOM Controllers FCJ R4.10 and earlier; FCN-100 R4.10 and earlier; FCN-RTU R4.10 and earlier; FCN-500 R4.10 and earlier.
VAR-201810-0485 CVE-2018-17898 Multiple vulnerabilities in STARDOM controllers
CVSS V2: 7.5
CVSS V3: 5.3
Severity: HIGH
Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, all versions R4.10 and prior: the controller application fails to prevent memory exhaustion by unauthorized requests. This could allow an attacker to cause the controller to become unstable. STARDOM controllers provided by Yokogawa Electric Corporation contain multiple vulnerabilities. STARDOM is a PLC-based instrumentation system for small and medium-sized plants provided by Yokogawa Electric Corporation. The STARDOM controllers contain the following vulnerabilities:
* Hard-coded account ID and password (CWE-798) - CVE-2018-10592
* Information leak (CWE-200) - CVE-2018-17900
* Denial of service (DoS) against the remote management functions (CWE-119) - CVE-2018-17902
* Hard-coded authentication information for the maintenance functions (CWE-798) - CVE-2018-17896
* Denial of service (DoS) against the controller's HTTP service (CWE-119) - CVE-2018-17898
The expected impact depends on each vulnerability, but may include the following:
* A remote attacker may log in to the controller and execute arbitrary commands - CVE-2018-10592
* A remote third party may obtain the authentication information used to access the controller's remote management function - CVE-2018-17900
* A remote third party may cause a denial of service (DoS) against the controller's remote management function - CVE-2018-17902
* A remote attacker may log in to the controller's maintenance function, obtain information and tamper with it - CVE-2018-17896
* A remote third party may cause a denial of service (DoS) against the HTTP service - CVE-2018-17898
Yokogawa STARDOM Controllers FCJ and the other affected models are controllers used in network-based control systems from Yokogawa Electric Corporation (Japan). A security vulnerability exists in several Yokogawa products. An attacker could exploit it to destabilize the controller through memory exhaustion.
The following products and versions are affected: Yokogawa STARDOM Controllers FCJ R4.10 and earlier; FCN-100 R4.10 and earlier; FCN-RTU R4.10 and earlier; FCN-500 R4.10 and earlier.
VAR-201810-0483 CVE-2018-17896 Multiple vulnerabilities in STARDOM controllers
CVSS V2: 7.5
CVSS V3: 5.3
Severity: HIGH
Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, all versions R4.10 and prior: the affected controllers utilize hard-coded credentials, which may allow an attacker to gain unauthorized access to the maintenance functions and obtain or modify information. This attack can be executed only during maintenance work. STARDOM controllers provided by Yokogawa Electric Corporation contain multiple vulnerabilities. STARDOM is a PLC-based instrumentation system for small and medium-sized plants provided by Yokogawa Electric Corporation. The STARDOM controllers contain the following vulnerabilities:
* Hard-coded account ID and password (CWE-798) - CVE-2018-10592
* Information leak (CWE-200) - CVE-2018-17900
* Denial of service (DoS) against the remote management functions (CWE-119) - CVE-2018-17902
* Hard-coded authentication information for the maintenance functions (CWE-798) - CVE-2018-17896
* Denial of service (DoS) against the controller's HTTP service (CWE-119) - CVE-2018-17898
The expected impact depends on each vulnerability, but may include the following:
* A remote attacker may log in to the controller and execute arbitrary commands - CVE-2018-10592
* A remote third party may obtain the authentication information used to access the controller's remote management function - CVE-2018-17900
* A remote third party may cause a denial of service (DoS) against the controller's remote management function - CVE-2018-17902
* A remote attacker may log in to the controller's maintenance function, obtain information and tamper with it - CVE-2018-17896
* A remote third party may cause a denial of service (DoS) against the HTTP service - CVE-2018-17898
Yokogawa STARDOM Controllers FCJ and the other affected models are controllers used in network-based control systems from Yokogawa Electric Corporation (Japan). A security vulnerability exists in several Yokogawa products due to the use of hard-coded credentials in the controller.
The following products and versions are affected: Yokogawa STARDOM Controllers FCJ R4.10 and earlier; FCN-100 R4.10 and earlier; FCN-RTU R4.10 and earlier; FCN-500 R4.10 and earlier.
VAR-201810-0489 CVE-2018-17902 Multiple vulnerabilities in STARDOM controllers
CVSS V2: 7.5
CVSS V3: 5.3
Severity: HIGH
Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, all versions R4.10 and prior: the application utilizes multiple methods of session management, which could result in a denial of service to the remote management functions. STARDOM controllers provided by Yokogawa Electric Corporation contain multiple vulnerabilities. STARDOM is a PLC-based instrumentation system for small and medium-sized plants provided by Yokogawa Electric Corporation. The STARDOM controllers contain the following vulnerabilities:
* Hard-coded account ID and password (CWE-798) - CVE-2018-10592
* Information leak (CWE-200) - CVE-2018-17900
* Denial of service (DoS) against the remote management functions (CWE-119) - CVE-2018-17902
* Hard-coded authentication information for the maintenance functions (CWE-798) - CVE-2018-17896
* Denial of service (DoS) against the controller's HTTP service (CWE-119) - CVE-2018-17898
The expected impact depends on each vulnerability, but may include the following:
* A remote attacker may log in to the controller and execute arbitrary commands - CVE-2018-10592
* A remote third party may obtain the authentication information used to access the controller's remote management function - CVE-2018-17900
* A remote third party may cause a denial of service (DoS) against the controller's remote management function - CVE-2018-17902
* A remote attacker may log in to the controller's maintenance function, obtain information and tamper with it - CVE-2018-17896
* A remote third party may cause a denial of service (DoS) against the HTTP service - CVE-2018-17898
Yokogawa STARDOM Controllers FCJ and the other affected models are controllers used in network-based control systems from Yokogawa Electric Corporation (Japan). A session fixation vulnerability exists in several Yokogawa products. An attacker could exploit this vulnerability to cause a denial of service.
The following products and versions are affected: Yokogawa STARDOM Controllers FCJ R4.10 and earlier; FCN-100 R4.10 and earlier; FCN-RTU R4.10 and earlier; FCN-500 R4.10 and earlier.
VAR-201806-1890 No CVE Code execution vulnerability in TP-Link enterprise routers (CNVD-2018-08408)
CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
TP-Link ER5110G, ER5120G and WAR1300L are enterprise VPN routers and enterprise wireless VPN routers. A code execution vulnerability exists in these TP-Link enterprise routers. An attacker can use the vulnerability to obtain the router's administrator username and password, or to hijack a session (obtain the session stok).
VAR-201806-1888 No CVE Code execution vulnerability in TP-Link enterprise routers
CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
TP-Link ER5110G, ER5120G and WAR1300L are enterprise VPN routers and enterprise wireless VPN routers. A code execution vulnerability exists in these TP-Link enterprise routers. An attacker can use the vulnerability to obtain the router's administrator username and password, or to hijack a session (obtain the session stok).
VAR-201806-1887 No CVE Skyworth Smart TV smart hardware vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Skyworth Group Co., Ltd. is a listed technology company that produces consumer electronics, networking and communications products. Skyworth Smart TV has a smart hardware vulnerability. The vulnerability stems from Skyworth Smart TV placing no restrictions on third-party applications. An attacker can use the vulnerability to play arbitrary videos, call sensitive system interfaces and upload collected system data.
VAR-201806-0185 CVE-2017-16029 hostr path traversal vulnerability
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
hostr is a simple web server that serves up the contents of the current directory. There is a directory traversal vulnerability in hostr 2.3.5 and earlier that allows an attacker to read files outside the current directory by sending `../` in the URL path for GET requests. hostr contains a path traversal vulnerability. Information may be obtained.
VAR-201806-0192 CVE-2017-16039 hftp path traversal vulnerability
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
`hftp` is a static HTTP or FTP server. `hftp` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. hftp contains a path traversal vulnerability. Information may be obtained.
VAR-201806-0191 CVE-2017-16038 f2e-server path traversal vulnerability
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
`f2e-server` 1.12.11 and earlier is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. This is compounded by `f2e-server` requiring elevated privileges to run. f2e-server contains a path traversal vulnerability. Information may be obtained. f2e-server is an HTTP server based on the Node.js platform.
VAR-201806-0189 CVE-2017-16036 badjs-sourcemap-server path traversal vulnerability
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
`badjs-sourcemap-server` receives files sent by `badjs-sourcemap`. `badjs-sourcemap-server` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. badjs-sourcemap-server contains a path traversal vulnerability. Information may be obtained. badjs-sourcemap-server is a file backup server used mainly with badjs-sourcemap.
VAR-201806-0938 CVE-2018-11711 Canon MF210 and MF220 authentication vulnerability
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A remote attacker can bypass the System Manager Mode on the Canon MF210 and MF220 web interface without knowing the PIN for /login.html via vectors involving /portal_top.html to get full access to the device. NOTE: the vendor reportedly responded that this issue occurs when a customer keeps the default settings without using the countermeasures and best practices shown in the documentation. ** Unsettled ** This case has not been confirmed as a vulnerability. Canon MF210 and MF220 contain an authentication vulnerability. The vendor has disputed this vulnerability; for details, see the Current Description in NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-11711. Information may be obtained or altered, and service operation may be disrupted (DoS). The Canon MF210 and MF220 are printers from Canon (Japan). A security vulnerability exists in the web interface of the Canon MF210 and MF220.
VAR-201806-0161 CVE-2017-16007 node-jose vulnerable to information disclosure
CVSS V2: 4.3
CVSS V3: 5.9
Severity: MEDIUM
node-jose is a JavaScript implementation of JSON Object Signing and Encryption (JOSE) for current web browsers and Node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used. node-jose contains an information disclosure vulnerability and key management errors. Information may be obtained. A security vulnerability exists in node-jose versions prior to 0.9.3; an attacker could exploit it to obtain sensitive information.
VAR-201806-0950 CVE-2018-11629 Stanza vulnerability related to the use of hard-coded credentials
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Default and unremovable support credentials (user:lutron password:integration) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolves around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine. Products that use the HomeWorks QS Lutron integration protocol use hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). Lutron Electronics RadioRA 2 and related products are lighting control systems from Lutron Electronics (United States). A trust management vulnerability exists in Lutron RadioRA 2, Stanza and HomeWorks QS, caused by default credentials that cannot be removed (user: lutron, password: integration). An attacker could use this vulnerability to control IoT devices as a superuser.
VAR-201806-0914 CVE-2018-11681 Vulnerability related to the use of hard-coded credentials in products that use the RadioRA 2 Lutron integration protocol
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolves around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine. Products that use the RadioRA 2 Lutron integration protocol use hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). Lutron Electronics RadioRA 2 and related products are lighting control systems from Lutron Electronics (United States). A trust management vulnerability exists in Lutron RadioRA 2, Stanza and HomeWorks QS because users cannot disable the default hard-coded credentials in products that use this protocol. An attacker could exploit this vulnerability to take control of the device through a TELNET session.
VAR-201806-0915 CVE-2018-11682 Stanza vulnerability related to the use of hard-coded credentials
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolves around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine. Stanza contains a vulnerability related to the use of hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). Lutron Electronics RadioRA 2 and related products are lighting control systems from Lutron Electronics (United States). A trust management vulnerability exists in Lutron RadioRA 2, Stanza and HomeWorks QS because users cannot disable the default hard-coded credentials in products that use this protocol. An attacker could exploit this vulnerability to take control of the device through a TELNET session.
VAR-201806-1483 CVE-2018-4193 Apple macOS Windows Server component vulnerable to arbitrary code execution in a privileged context
CVSS V2: 9.3
CVSS V3: 7.8
Severity: HIGH
An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Windows Server" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. This vulnerability allows local attackers to escalate privileges on vulnerable installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the WindowServer process. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges under the context of the WindowServer. Apple macOS is prone to a memory-corruption vulnerability. Failed exploit attempts will result in a denial-of-service condition. Apple macOS High Sierra is an operating system developed by Apple for Mac computers. A security vulnerability exists in the Windows Server component of Apple macOS High Sierra versions prior to 10.13.5. The associated Apple advisory follows:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2018-7-23-2 Additional information for APPLE-SA-2018-06-01-1 macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan

macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, and Security Update 2018-003 El Capitan address the following:

Accessibility Framework
Available for: macOS High Sierra 10.13.4
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: An information disclosure issue existed in Accessibility Framework. This issue was addressed with improved memory management.
CVE-2018-4196: G. Geshev working with Trend Micro's Zero Day Initiative, an anonymous researcher

AMD
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to read kernel memory
Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.
CVE-2018-4253: shrek_wzw of Qihoo 360 Nirvan Team

apache_mod_php
Available for: macOS High Sierra 10.13.4
Impact: Issues in php were addressed in this update
Description: This issue was addressed by updating to php version 7.1.16.
CVE-2018-7584: Wei Lei and Liu Yang of Nanyang Technological University

ATS
Available for: macOS High Sierra 10.13.4
Impact: A malicious application may be able to elevate privileges
Description: A type confusion issue was addressed with improved memory handling.
CVE-2018-4219: Mohamed Ghannam (@_simo36)

Bluetooth
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: A malicious application may be able to determine kernel memory layout.
Description: An information disclosure issue existed in device properties. This issue was addressed with improved object management.
CVE-2018-4171: shrek_wzw of Qihoo 360 Nirvan Team

Bluetooth
Available for: MacBook Pro (Retina, 15-inch, Mid 2015), MacBook Pro (Retina, 15-inch, 2015), MacBook Pro (Retina, 13-inch, Early 2015), MacBook Pro (15-inch, 2017), MacBook Pro (15-inch, 2016), MacBook Pro (13-inch, Late 2016, Two Thunderbolt 3 Ports), MacBook Pro (13-inch, Late 2016, Four Thunderbolt 3 Ports), MacBook Pro (13-inch, 2017, Four Thunderbolt 3 Ports), MacBook (Retina, 12-inch, Early 2016), MacBook (Retina, 12-inch, Early 2015), MacBook (Retina, 12-inch, 2017), iMac Pro, iMac (Retina 5K, 27-inch, Late 2015), iMac (Retina 5K, 27-inch, 2017), iMac (Retina 4K, 21.5-inch, Late 2015), iMac (Retina 4K, 21.5-inch, 2017), iMac (21.5-inch, Late 2015), and iMac (21.5-inch, 2017)
Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic
Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.
CVE-2018-5383: Lior Neumann and Eli Biham
Entry added July 23, 2018

Firmware
Available for: macOS High Sierra 10.13.4
Impact: A malicious application with root privileges may be able to modify the EFI flash memory region
Description: A device configuration issue was addressed with an updated configuration.
CVE-2018-4251: Maxim Goryachy and Mark Ermolov

FontParser
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2018-4211: Proteas of Qihoo 360 Nirvan Team

Grand Central Dispatch
Available for: macOS High Sierra 10.13.4
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: An issue existed in parsing entitlement plists. This issue was addressed with improved input validation.
CVE-2018-4229: Jakob Rieck (@0xdead10cc) of the Security in Distributed Systems Group, University of Hamburg

Graphics Drivers
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2018-4242: Zhuo Liang of Qihoo 360 Nirvan Team

iBooks
Available for: macOS High Sierra 10.13.4
Impact: An attacker in a privileged network position may be able to spoof password prompts in iBooks
Description: An input validation issue was addressed with improved input validation.
CVE-2018-4202: Jerry Decime

Intel Graphics Driver
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2018-4141: an anonymous researcher, Zhao Qixun (@S0rryMybad) of Qihoo 360 Vulcan Team

IOFireWireAVC
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed with improved locking.
CVE-2018-4234: Proteas of Qihoo 360 Nirvan Team

Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4
Impact: An attacker in a privileged position may be able to perform a denial of service attack
Description: A denial of service issue was addressed with improved validation.
CVE-2018-4249: Kevin Backhouse of Semmle Ltd.

Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: In some circumstances, some operating systems may not expect or properly handle an Intel architecture debug exception after certain instructions. The issue appears to be from an undocumented side effect of the instructions. An attacker might utilize this exception handling to gain access to Ring 0 and access sensitive memory or control operating system processes.
CVE-2018-8897: Andy Lutomirski, Nick Peterson (linkedin.com/in/everdox) of Everdox Tech LLC

Kernel
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2018-4241: Ian Beer of Google Project Zero
CVE-2018-4243: Ian Beer of Google Project Zero

libxpc
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved validation.
CVE-2018-4237: Samuel Groß (@5aelo) working with Trend Micro's Zero Day Initiative

Mail
Available for: macOS High Sierra 10.13.4
Impact: An attacker may be able to exfiltrate the contents of S/MIME-encrypted e-mail
Description: An issue existed in the handling of encrypted Mail. This issue was addressed with improved isolation of MIME in Mail.
CVE-2018-4227: Damian Poddebniak of Münster University of Applied Sciences, Christian Dresen of Münster University of Applied Sciences, Jens Müller of Ruhr University Bochum, Fabian Ising of Münster University of Applied Sciences, Sebastian Schinzel of Münster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, Jörg Schwenk of Ruhr University Bochum

Messages
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to conduct impersonation attacks
Description: An injection issue was addressed with improved input validation.
CVE-2018-4235: Anurodh Pokharel of Salesforce.com

Messages
Available for: macOS High Sierra 10.13.4
Impact: Processing a maliciously crafted message may lead to a denial of service
Description: This issue was addressed with improved message validation.
CVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd

NVIDIA Graphics Drivers
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed with improved locking.
CVE-2018-4230: Ian Beer of Google Project Zero

Security
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to read a persistent account identifier
Description: An authorization issue was addressed with improved state management.
CVE-2018-4223: Abraham Masri (@cheesecakeufo)

Security
Available for: macOS High Sierra 10.13.4
Impact: Users may be tracked by malicious websites using client certificates
Description: An issue existed in the handling of S-MIME certificates. This issue was addressed with improved validation of S-MIME certificates.
CVE-2018-4221: Damian Poddebniak of Münster University of Applied Sciences, Christian Dresen of Münster University of Applied Sciences, Jens Müller of Ruhr University Bochum, Fabian Ising of Münster University of Applied Sciences, Sebastian Schinzel of Münster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, Jörg Schwenk of Ruhr University Bochum

Security
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to read a persistent device identifier
Description: An authorization issue was addressed with improved state management.
CVE-2018-4224: Abraham Masri (@cheesecakeufo)

Security
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to modify the state of the Keychain
Description: An authorization issue was addressed with improved state management.
CVE-2018-4225: Abraham Masri (@cheesecakeufo)

Security
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to view sensitive user information
Description: An authorization issue was addressed with improved state management.
CVE-2018-4226: Abraham Masri (@cheesecakeufo)

Speech
Available for: macOS High Sierra 10.13.4
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: A sandbox issue existed in the handling of microphone access. This issue was addressed with improved handling of microphone access.
CVE-2018-4184: Jakob Rieck (@0xdead10cc) of the Security in Distributed Systems Group, University of Hamburg

UIKit
Available for: macOS High Sierra 10.13.4
Impact: Processing a maliciously crafted text file may lead to a denial of service
Description: A validation issue existed in the handling of text. This issue was addressed with improved validation of text.
CVE-2018-4193: Markus Gaasedelen, Nick Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro's Zero Day Initiative, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative

Installation note:
macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, and Security Update 2018-003 El Capitan may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEfcwwPWJ3e0Ig26mf8ecVjteJiCYFAltUsfgACgkQ8ecVjteJ
iCafWxAAhgLQIu5BifHdgdN31zuPc8tIhsIAuDiAOXJX9JopRhlbs9KrQCNdz/x2
qDiCmneKttwVIhu9Os3WHLNrSxiWCphz7zhD2WIhN3H7/eF9CE2Po8BJHeZGm22K
grdfcc27eGN8AusFxRZ1HfhtCToDVNVDkbwO2nnZ0odEO1cZS8Ray2vcgcX0tRD/
X44amocIlVmC67GgwCH4+MSCdjyXcr6HSYiUcRSOuUFTWD3Q6FF3w5CfS6DMb3UO
eUUJxExueT82InZHpL6qeuQprncqsJdtZqvK++YlAfMiFm6ePJHS4sQpvoxHIWv5
yDycGl0hc+pzO8icM1ayTFh8Ei+Txv69QKdUC8rTdiqvFh4/Le4dbh4rcmP3EXb5
JMaeIuuB7Pvvm2YXoRjz0HhIG6874lci7YX0fS/+IbkSuadd4F6TOiMnFNnO9IuC
jvu9/f/+HA3e7meFA4Ori4TKW6UALPgpl9X6ohCzFDRVD7kHHmmWn4sCgcnovr8Q
BJZCapHtS7cS6vGHk0auj2wLgeEUbyRGhI3F1WPIm/+e6y+cAiWqBmUBjVTOp5S+
KZEtw/BaRjFbgx97hwB+QA0AY8yzevAQMdyzqanUNhGCfWp3WfChUNESmRdrNUWy
HDu7kphbN9EUETBHBEdA7ZE4qsP+70a6JTJ+SZ+7vB+YkrOabLU=
=kM8d
-----END PGP SIGNATURE-----
VAR-201806-1477 CVE-2018-4171 Apple macOS: vulnerability in the Bluetooth component allowing retrieval of sensitive kernel memory layout information CVSS V2: 7.1
CVSS V3: 5.5
Severity: MEDIUM
An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Bluetooth" component. It allows attackers to obtain sensitive kernel memory-layout information via a crafted app that leverages device properties. Apple macOS High Sierra is a dedicated operating system developed by Apple for Mac computers. A security vulnerability exists in the device properties of the Bluetooth component in Apple macOS High Sierra versions prior to 10.13.5.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2018-7-23-2 Additional information for APPLE-SA-2018-06-01-1 macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan

macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, and Security Update 2018-003 El Capitan address the following:

Accessibility Framework
Available for: macOS High Sierra 10.13.4
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: An information disclosure issue existed in Accessibility Framework. This issue was addressed with improved memory management.
CVE-2018-4196: G. Geshev working with Trend Micro's Zero Day Initiative, an anonymous researcher

AMD
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to read kernel memory
Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.
CVE-2018-4253: shrek_wzw of Qihoo 360 Nirvan Team

apache_mod_php
Available for: macOS High Sierra 10.13.4
Impact: Issues in php were addressed in this update
Description: This issue was addressed by updating to php version 7.1.16.
CVE-2018-7584: Wei Lei and Liu Yang of Nanyang Technological University

ATS
Available for: macOS High Sierra 10.13.4
Impact: A malicious application may be able to elevate privileges
Description: A type confusion issue was addressed with improved memory handling.
CVE-2018-4219: Mohamed Ghannam (@_simo36)

Bluetooth
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: A malicious application may be able to determine kernel memory layout.
Description: An information disclosure issue existed in device properties. This issue was addressed with improved object management.
CVE-2018-4171: shrek_wzw of Qihoo 360 Nirvan Team

Bluetooth
Available for: MacBook Pro (Retina, 15-inch, Mid 2015), MacBook Pro (Retina, 15-inch, 2015), MacBook Pro (Retina, 13-inch, Early 2015), MacBook Pro (15-inch, 2017), MacBook Pro (15-inch, 2016), MacBook Pro (13-inch, Late 2016, Two Thunderbolt 3 Ports), MacBook Pro (13-inch, Late 2016, Four Thunderbolt 3 Ports), MacBook Pro (13-inch, 2017, Four Thunderbolt 3 Ports), MacBook (Retina, 12-inch, Early 2016), MacBook (Retina, 12-inch, Early 2015), MacBook (Retina, 12-inch, 2017), iMac Pro, iMac (Retina 5K, 27-inch, Late 2015), iMac (Retina 5K, 27-inch, 2017), iMac (Retina 4K, 21.5-inch, Late 2015), iMac (Retina 4K, 21.5-inch, 2017), iMac (21.5-inch, Late 2015), and iMac (21.5-inch, 2017)
Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic
Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.
CVE-2018-5383: Lior Neumann and Eli Biham
Entry added July 23, 2018

Firmware
Available for: macOS High Sierra 10.13.4
Impact: A malicious application with root privileges may be able to modify the EFI flash memory region
Description: A device configuration issue was addressed with an updated configuration.
CVE-2018-4251: Maxim Goryachy and Mark Ermolov

FontParser
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2018-4211: Proteas of Qihoo 360 Nirvan Team

Grand Central Dispatch
Available for: macOS High Sierra 10.13.4
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: An issue existed in parsing entitlement plists. This issue was addressed with improved input validation.
CVE-2018-4229: Jakob Rieck (@0xdead10cc) of the Security in Distributed Systems Group, University of Hamburg

Graphics Drivers
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2018-4159: Axis and pjf of IceSword Lab of Qihoo 360

Hypervisor
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2018-4242: Zhuo Liang of Qihoo 360 Nirvan Team

iBooks
Available for: macOS High Sierra 10.13.4
Impact: An attacker in a privileged network position may be able to spoof password prompts in iBooks
Description: An input validation issue was addressed with improved input validation.
CVE-2018-4202: Jerry Decime

Intel Graphics Driver
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2018-4141: an anonymous researcher, Zhao Qixun (@S0rryMybad) of Qihoo 360 Vulcan Team

IOFireWireAVC
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed with improved locking.
CVE-2018-4228: Benjamin Gnahm (@mitp0sh) of Mentor Graphics

IOGraphics
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4236: Zhao Qixun (@S0rryMybad) of Qihoo 360 Vulcan Team

IOHIDFamily
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4234: Proteas of Qihoo 360 Nirvan Team

Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4
Impact: An attacker in a privileged position may be able to perform a denial of service attack
Description: A denial of service issue was addressed with improved validation.
CVE-2018-4249: Kevin Backhouse of Semmle Ltd.

Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: In some circumstances, some operating systems may not expect or properly handle an Intel architecture debug exception after certain instructions. The issue appears to be from an undocumented side effect of the instructions. An attacker might utilize this exception handling to gain access to Ring 0 and access sensitive memory or control operating system processes.
CVE-2018-8897: Andy Lutomirski, Nick Peterson (linkedin.com/in/everdox) of Everdox Tech LLC

Kernel
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2018-4241: Ian Beer of Google Project Zero
CVE-2018-4243: Ian Beer of Google Project Zero

libxpc
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved validation.
CVE-2018-4237: Samuel Groß (@5aelo) working with Trend Micro's Zero Day Initiative

Mail
Available for: macOS High Sierra 10.13.4
Impact: An attacker may be able to exfiltrate the contents of S/MIME-encrypted e-mail
Description: An issue existed in the handling of encrypted Mail. This issue was addressed with improved isolation of MIME in Mail.
CVE-2018-4227: Damian Poddebniak of Münster University of Applied Sciences, Christian Dresen of Münster University of Applied Sciences, Jens Müller of Ruhr University Bochum, Fabian Ising of Münster University of Applied Sciences, Sebastian Schinzel of Münster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, Jörg Schwenk of Ruhr University Bochum

Messages
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to conduct impersonation attacks
Description: An injection issue was addressed with improved input validation.
CVE-2018-4235: Anurodh Pokharel of Salesforce.com

Messages
Available for: macOS High Sierra 10.13.4
Impact: Processing a maliciously crafted message may lead to a denial of service
Description: This issue was addressed with improved message validation.
CVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd

NVIDIA Graphics Drivers
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed with improved locking.
CVE-2018-4230: Ian Beer of Google Project Zero

Security
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to read a persistent account identifier
Description: An authorization issue was addressed with improved state management.
CVE-2018-4223: Abraham Masri (@cheesecakeufo)

Security
Available for: macOS High Sierra 10.13.4
Impact: Users may be tracked by malicious websites using client certificates
Description: An issue existed in the handling of S-MIME certificates. This issue was addressed with improved validation of S-MIME certificates.
CVE-2018-4221: Damian Poddebniak of Münster University of Applied Sciences, Christian Dresen of Münster University of Applied Sciences, Jens Müller of Ruhr University Bochum, Fabian Ising of Münster University of Applied Sciences, Sebastian Schinzel of Münster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, Jörg Schwenk of Ruhr University Bochum

Security
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to read a persistent device identifier
Description: An authorization issue was addressed with improved state management.
CVE-2018-4224: Abraham Masri (@cheesecakeufo)

Security
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to modify the state of the Keychain
Description: An authorization issue was addressed with improved state management.
CVE-2018-4225: Abraham Masri (@cheesecakeufo)

Security
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to view sensitive user information
Description: An authorization issue was addressed with improved state management.
CVE-2018-4226: Abraham Masri (@cheesecakeufo)

Speech
Available for: macOS High Sierra 10.13.4
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: A sandbox issue existed in the handling of microphone access. This issue was addressed with improved handling of microphone access.
CVE-2018-4184: Jakob Rieck (@0xdead10cc) of the Security in Distributed Systems Group, University of Hamburg

UIKit
Available for: macOS High Sierra 10.13.4
Impact: Processing a maliciously crafted text file may lead to a denial of service
Description: A validation issue existed in the handling of text. This issue was addressed with improved validation of text.
CVE-2018-4198: Hunter Byrnes

Windows Server
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4193: Markus Gaasedelen, Nick Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro's Zero Day Initiative, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative

Installation note:

macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, and Security Update 2018-003 El Capitan may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEfcwwPWJ3e0Ig26mf8ecVjteJiCYFAltUsfgACgkQ8ecVjteJ
iCafWxAAhgLQIu5BifHdgdN31zuPc8tIhsIAuDiAOXJX9JopRhlbs9KrQCNdz/x2
qDiCmneKttwVIhu9Os3WHLNrSxiWCphz7zhD2WIhN3H7/eF9CE2Po8BJHeZGm22K
grdfcc27eGN8AusFxRZ1HfhtCToDVNVDkbwO2nnZ0odEO1cZS8Ray2vcgcX0tRD/
X44amocIlVmC67GgwCH4+MSCdjyXcr6HSYiUcRSOuUFTWD3Q6FF3w5CfS6DMb3UO
eUUJxExueT82InZHpL6qeuQprncqsJdtZqvK++YlAfMiFm6ePJHS4sQpvoxHIWv5
yDycGl0hc+pzO8icM1ayTFh8Ei+Txv69QKdUC8rTdiqvFh4/Le4dbh4rcmP3EXb5
JMaeIuuB7Pvvm2YXoRjz0HhIG6874lci7YX0fS/+IbkSuadd4F6TOiMnFNnO9IuC
jvu9/f/+HA3e7meFA4Ori4TKW6UALPgpl9X6ohCzFDRVD7kHHmmWn4sCgcnovr8Q
BJZCapHtS7cS6vGHk0auj2wLgeEUbyRGhI3F1WPIm/+e6y+cAiWqBmUBjVTOp5S+
KZEtw/BaRjFbgx97hwB+QA0AY8yzevAQMdyzqanUNhGCfWp3WfChUNESmRdrNUWy
HDu7kphbN9EUETBHBEdA7ZE4qsP+70a6JTJ+SZ+7vB+YkrOabLU=
=kM8d
-----END PGP SIGNATURE-----