ID

VAR-201702-0885


CVE

CVE-2017-2372


TITLE

Apple GarageBand and Logic Pro X Update for vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2017-001056

DESCRIPTION

An issue was discovered in certain Apple products. GarageBand before 10.1.5 is affected. Logic Pro X before 10.3 is affected. The issue involves the "Projects" component, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted GarageBand project file.

Apple has released an update for GarageBand and Logic Pro X. Arbitrary code may be executed by opening a crafted GarageBand project file.

Attackers can exploit this issue to execute arbitrary code on the affected system. Failed exploit attempts may result in a denial-of-service condition.

CVE-2017-2372: Tyler Bohan of Cisco Talos

Installation note: GarageBand 10.1.5 may be obtained from the Mac App Store. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 2.16

sources: NVD: CVE-2017-2372 // JVNDB: JVNDB-2017-001056 // BID: 95627 // VULHUB: VHN-110575 // PACKETSTORM: 140631 // PACKETSTORM: 140630

AFFECTED PRODUCTS

vendor: apple // model: logic pro x // scope: lte // version: 10.2.4

Trust: 1.0

vendor: apple // model: garageband // scope: lte // version: 10.1.4

Trust: 1.0

vendor: apple // model: garageband // scope: lt // version: 10.1.5 earlier

Trust: 0.8

vendor: apple // model: logic pro x // scope: lt // version: 10.3 earlier

Trust: 0.8

vendor: apple // model: garageband // scope: eq // version: 10.1.4

Trust: 0.6

vendor: apple // model: logic pro x // scope: eq // version: 10.2.4

Trust: 0.6

vendor: apple // model: mac os // scope: eq // version: x10.10.5

Trust: 0.3

vendor: apple // model: mac os // scope: eq // version: x10.10

Trust: 0.3

vendor: apple // model: mac os // scope: eq // version: x10.10.4

Trust: 0.3

vendor: apple // model: mac os // scope: eq // version: x10.10.3

Trust: 0.3

vendor: apple // model: mac os // scope: eq // version: x10.10.2

Trust: 0.3

vendor: apple // model: mac os // scope: eq // version: x10.10.1

Trust: 0.3

vendor: apple // model: logic pro // scope: eq // version: x10.2

Trust: 0.3

vendor: apple // model: logic pro // scope: eq // version: x10.1

Trust: 0.3

vendor: apple // model: garageband // scope: eq // version: 10.1

Trust: 0.3

vendor: apple // model: logic pro // scope: ne // version: x10.3

Trust: 0.3

vendor: apple // model: garageband // scope: ne // version: 10.1.5

Trust: 0.3

sources: BID: 95627 // JVNDB: JVNDB-2017-001056 // CNNVD: CNNVD-201701-793 // NVD: CVE-2017-2372

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-2372
value: HIGH

Trust: 1.0

NVD: CVE-2017-2372
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201701-793
value: MEDIUM

Trust: 0.6

VULHUB: VHN-110575
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-2372
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-110575
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-2372
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-110575 // JVNDB: JVNDB-2017-001056 // CNNVD: CNNVD-201701-793 // NVD: CVE-2017-2372

PROBLEMTYPE DATA

problemtype: CWE-119

Trust: 1.9

sources: VULHUB: VHN-110575 // JVNDB: JVNDB-2017-001056 // NVD: CVE-2017-2372

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201701-793

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201701-793

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-001056

PATCH

title: HT207477 (About the security content of GarageBand 10.1.5) // url: https://support.apple.com/en-us/HT207477

Trust: 0.8

title: HT207476 (About the security content of Logic Pro X 10.3) // url: https://support.apple.com/en-us/HT207476

Trust: 0.8

title: HT207476 // url: https://support.apple.com/ja-jp/HT207476

Trust: 0.8

title: HT207477 // url: https://support.apple.com/ja-jp/HT207477

Trust: 0.8

title: Apple Logic Pro X and GarageBand Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=67351

Trust: 0.6

sources: JVNDB: JVNDB-2017-001056 // CNNVD: CNNVD-201701-793

EXTERNAL IDS

db: NVD // id: CVE-2017-2372

Trust: 3.0

db: BID // id: 95627

Trust: 2.0

db: TALOS // id: TALOS-2016-0262

Trust: 1.1

db: SECTRACK // id: 1037627

Trust: 1.1

db: JVN // id: JVNVU90290095

Trust: 0.8

db: JVNDB // id: JVNDB-2017-001056

Trust: 0.8

db: CNNVD // id: CNNVD-201701-793

Trust: 0.7

db: PACKETSTORM // id: 140631

Trust: 0.2

db: PACKETSTORM // id: 140630

Trust: 0.2

db: SEEBUG // id: SSVID-96570

Trust: 0.1

db: VULHUB // id: VHN-110575

Trust: 0.1

sources: VULHUB: VHN-110575 // BID: 95627 // JVNDB: JVNDB-2017-001056 // PACKETSTORM: 140631 // PACKETSTORM: 140630 // CNNVD: CNNVD-201701-793 // NVD: CVE-2017-2372

REFERENCES

url: http://www.securityfocus.com/bid/95627

Trust: 1.7

url: https://support.apple.com/ht207476

Trust: 1.7

url: https://support.apple.com/ht207477

Trust: 1.7

url: http://www.talosintelligence.com/reports/talos-2016-0262/

Trust: 1.1

url: http://www.securitytracker.com/id/1037627

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2372

Trust: 0.8

url: http://jvn.jp/cert/jvnvu90290095

Trust: 0.8

url: https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-2372

Trust: 0.8

url: https://www.apple.com/

Trust: 0.3

url: https://support.apple.com/kb/ht201222

Trust: 0.2

url: https://nvd.nist.gov/vuln/detail/cve-2017-2372

Trust: 0.2

url: https://www.apple.com/support/security/pgp/

Trust: 0.2

url: https://gpgtools.org

Trust: 0.2

sources: VULHUB: VHN-110575 // BID: 95627 // JVNDB: JVNDB-2017-001056 // PACKETSTORM: 140631 // PACKETSTORM: 140630 // CNNVD: CNNVD-201701-793 // NVD: CVE-2017-2372

CREDITS

Tyler Bohan of Cisco Talos

Trust: 0.9

sources: BID: 95627 // CNNVD: CNNVD-201701-793

SOURCES

db: VULHUB // id: VHN-110575
db: BID // id: 95627
db: JVNDB // id: JVNDB-2017-001056
db: PACKETSTORM // id: 140631
db: PACKETSTORM // id: 140630
db: CNNVD // id: CNNVD-201701-793
db: NVD // id: CVE-2017-2372

LAST UPDATE DATE

2024-11-23T22:52:33.324000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-110575 // date: 2017-07-26T00:00:00
db: BID // id: 95627 // date: 2017-01-23T01:11:00
db: JVNDB // id: JVNDB-2017-001056 // date: 2017-01-23T00:00:00
db: CNNVD // id: CNNVD-201701-793 // date: 2017-02-27T00:00:00
db: NVD // id: CVE-2017-2372 // date: 2024-11-21T03:23:23.550

SOURCES RELEASE DATE

db: VULHUB // id: VHN-110575 // date: 2017-02-20T00:00:00
db: BID // id: 95627 // date: 2017-01-18T00:00:00
db: JVNDB // id: JVNDB-2017-001056 // date: 2017-01-23T00:00:00
db: PACKETSTORM // id: 140631 // date: 2017-01-20T01:45:28
db: PACKETSTORM // id: 140630 // date: 2017-01-20T01:43:41
db: CNNVD // id: CNNVD-201701-793 // date: 2017-01-20T00:00:00
db: NVD // id: CVE-2017-2372 // date: 2017-02-20T08:59:05.400