ID

VAR-201702-0331


CVE

CVE-2016-4671


TITLE

Arbitrary code execution vulnerability in the ImageIO component of Apple OS X

Trust: 0.8

sources: JVNDB: JVNDB-2016-007365

DESCRIPTION

An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue involves the "ImageIO" component. It allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write and application crash) via a crafted PDF file. Apple macOS is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, gain elevated privileges and perform unauthorized actions. This may aid in other attacks. ImageIO is one of the static methods used to perform common image I/O operations. An out-of-bounds write vulnerability exists in the ImageIO component of Apple macOS Sierra prior to 10.12.1.

APPLE-SA-2016-10-24-2 macOS Sierra 10.12.1

macOS Sierra 10.12.1 is now available and addresses the following:

AppleGraphicsControl
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved lock state checking.
CVE-2016-4662: Apple

AppleSMC
Available for: macOS Sierra 10.12
Impact: A local user may be able to elevate privileges
Description: A null pointer dereference was addressed through improved locking.
CVE-2016-4678: daybreaker@Minionz working with Trend Micro's Zero Day Initiative

ATS
Available for: macOS Sierra 10.12
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4667: Simmon Huang of alipay, Thelongestusernameofall@gmail.com Moony Li of Trend Micro, @Flyic

ATS
Available for: macOS Sierra 10.12
Impact: A local user may be able to execute arbitrary code with additional privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4674: Shrek_wzw of Qihoo 360 Nirvan Team

CFNetwork Proxies
Available for: macOS Sierra 10.12
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: A phishing issue existed in the handling of proxy credentials. This issue was addressed by removing unsolicited proxy password authentication prompts.
CVE-2016-7579: Jerry Decime

CoreGraphics
Available for: macOS Sierra 10.12
Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4673: Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent

FaceTime
Available for: macOS Sierra 10.12
Impact: An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated
Description: User interface inconsistencies existed in the handling of relayed calls. These issues were addressed through improved FaceTime display logic.
CVE-2016-4635: Martin Vigo (@martin_vigo) of salesforce.com

FontParser
Available for: macOS Sierra 10.12
Impact: Parsing a maliciously crafted font may disclose sensitive user information
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2016-4660: Ke Liu of Tencent's Xuanwu Lab

ImageIO
Available for: OS X El Capitan v10.11.6
Impact: Parsing a maliciously crafted PDF may lead to arbitrary code execution
Description: An out-of-bounds write was addressed through improved bounds checking.
CVE-2016-4671: Ke Liu of Tencent's Xuanwu Lab, Juwei Lin (@fuzzerDOTcn)

ImageIO
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Processing a maliciously crafted image may result in the disclosure of process memory
Description: An out-of-bounds read issue existed in the SGI image parsing. This issue was addressed through improved bounds checking.
CVE-2016-4682: Ke Liu of Tencent's Xuanwu Lab

libarchive
Available for: macOS Sierra 10.12
Impact: A malicious archive may be able to overwrite arbitrary files
Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization.
CVE-2016-4679: Omer Medan of enSilo Ltd

libxpc
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12
Impact: An application may be able to execute arbitrary code with root privileges
Description: A logic issue was addressed through additional restrictions.
CVE-2016-4675: Ian Beer of Google Project Zero

ntfs
Available for: macOS Sierra 10.12
Impact: An application may be able to cause a denial of service
Description: An issue existed in the parsing of disk images. This issue was addressed through improved validation.
CVE-2016-4661: Recurity Labs on behalf of BSI (German Federal Office for Information Security)

NVIDIA Graphics Drivers
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: An application may be able to cause a denial of service
Description: A memory corruption issue was addressed through improved input validation.
CVE-2016-4663: Apple

System Boot
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12
Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.
CVE-2016-4669: Ian Beer of Google Project Zero

macOS Sierra 10.12.1 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 2.07

sources: NVD: CVE-2016-4671 // JVNDB: JVNDB-2016-007365 // BID: 93852 // VULHUB: VHN-93490 // PACKETSTORM: 139320

AFFECTED PRODUCTS

vendor: apple, model: mac os x, scope: lte, version: 10.12.0

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.11.6

Trust: 0.8

vendor: apple, model: mac os x, scope: eq, version: 10.12.0

Trust: 0.6

vendor: apple, model: macos, scope: eq, version: 10.12

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11.6

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11.3

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11.2

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11.1

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.10.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11.4

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.11

Trust: 0.3

vendor: apple, model: macos, scope: ne, version: 10.12.1

Trust: 0.3

sources: BID: 93852 // JVNDB: JVNDB-2016-007365 // CNNVD: CNNVD-201610-707 // NVD: CVE-2016-4671

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-4671
value: HIGH

Trust: 1.0

NVD: CVE-2016-4671
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201610-707
value: CRITICAL

Trust: 0.6

VULHUB: VHN-93490
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-4671
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-93490
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-4671
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-93490 // JVNDB: JVNDB-2016-007365 // CNNVD: CNNVD-201610-707 // NVD: CVE-2016-4671

PROBLEMTYPE DATA

problemtype: CWE-787

Trust: 1.9

sources: VULHUB: VHN-93490 // JVNDB: JVNDB-2016-007365 // NVD: CVE-2016-4671

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-707

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201610-707

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007365

PATCH

title: Apple security updates, url: https://support.apple.com/en-us/HT201222

Trust: 0.8

title: APPLE-SA-2016-10-24-2 macOS Sierra 10.12.1, url: https://lists.apple.com/archives/security-announce/2016/Oct/msg00001.html

Trust: 0.8

title: HT207275, url: https://support.apple.com/en-us/HT207275

Trust: 0.8

title: HT207275, url: https://support.apple.com/ja-jp/HT207275

Trust: 0.8

title: Apple macOS Sierra ImageIO Remedial measures for border write vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=65070

Trust: 0.6

sources: JVNDB: JVNDB-2016-007365 // CNNVD: CNNVD-201610-707

EXTERNAL IDS

db: NVD, id: CVE-2016-4671

Trust: 2.9

db: BID, id: 93852

Trust: 2.0

db: SECTRACK, id: 1037086

Trust: 1.1

db: JVN, id: JVNVU90743185

Trust: 0.8

db: JVNDB, id: JVNDB-2016-007365

Trust: 0.8

db: CNNVD, id: CNNVD-201610-707

Trust: 0.7

db: ZDI, id: ZDI-16-589

Trust: 0.3

db: VULHUB, id: VHN-93490

Trust: 0.1

db: PACKETSTORM, id: 139320

Trust: 0.1

sources: VULHUB: VHN-93490 // BID: 93852 // JVNDB: JVNDB-2016-007365 // PACKETSTORM: 139320 // CNNVD: CNNVD-201610-707 // NVD: CVE-2016-4671

REFERENCES

url:http://www.securityfocus.com/bid/93852

Trust: 1.7

url:https://support.apple.com/ht207275

Trust: 1.7

url:http://www.securitytracker.com/id/1037086

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4671

Trust: 0.8

url:http://jvn.jp/vu/jvnvu90743185/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-4671

Trust: 0.8

url:http://www.apple.com/macosx/

Trust: 0.3

url:https://support.apple.com/en-ie/ht207275

Trust: 0.3

url:http://www.zerodayinitiative.com/advisories/zdi-16-589/

Trust: 0.3

url:https://support.apple.com/kb/ht201222

Trust: 0.1

url:https://gpgtools.org

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4675

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4682

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4661

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4678

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4667

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4662

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4669

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4660

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4635

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4674

Trust: 0.1

url:https://www.apple.com/support/downloads/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4671

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4679

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-7579

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4663

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4673

Trust: 0.1

sources: VULHUB: VHN-93490 // BID: 93852 // JVNDB: JVNDB-2016-007365 // PACKETSTORM: 139320 // CNNVD: CNNVD-201610-707 // NVD: CVE-2016-4671

CREDITS

Recurity Labs on behalf of BSI (German Federal Office for Information Security), Simmon Huang of alipay, Thelongestusernameofall@gmail.com, Moony Li of TrendMicro, @Flyic, Ke Liu of Tencent's Xuanwu Lab, Juwei Lin (@fuzzerDOTcn), Shrek_wzw of Qihoo 360 Ni

Trust: 0.6

sources: CNNVD: CNNVD-201610-707

SOURCES

db: VULHUB, id: VHN-93490
db: BID, id: 93852
db: JVNDB, id: JVNDB-2016-007365
db: PACKETSTORM, id: 139320
db: CNNVD, id: CNNVD-201610-707
db: NVD, id: CVE-2016-4671

LAST UPDATE DATE

2024-11-23T20:27:33.666000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-93490, date: 2017-07-29T00:00:00
db: BID, id: 93852, date: 2016-11-24T01:08:00
db: JVNDB, id: JVNDB-2016-007365, date: 2017-02-28T00:00:00
db: CNNVD, id: CNNVD-201610-707, date: 2017-03-13T00:00:00
db: NVD, id: CVE-2016-4671, date: 2024-11-21T02:52:44.517

SOURCES RELEASE DATE

db: VULHUB, id: VHN-93490, date: 2017-02-20T00:00:00
db: BID, id: 93852, date: 2016-10-24T00:00:00
db: JVNDB, id: JVNDB-2016-007365, date: 2017-02-28T00:00:00
db: PACKETSTORM, id: 139320, date: 2016-10-24T21:46:59
db: CNNVD, id: CNNVD-201610-707, date: 2016-10-25T00:00:00
db: NVD, id: CVE-2016-4671, date: 2017-02-20T08:59:00.573