ID

VAR-201710-1363


CVE

CVE-2017-7115


TITLE

Apple iOS and tvOS Wi-Fi component vulnerable to arbitrary code execution in a privileged context

Trust: 0.8

sources: JVNDB: JVNDB-2017-009323

DESCRIPTION

An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. The issue involves the "Wi-Fi" component. It might allow remote attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via crafted Wi-Fi traffic that leverages a race condition. Apple iOS and tvOS are prone to an arbitrary code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Versions prior to Apple tvOS 11 and iOS 11 are vulnerable. tvOS is a smart TV operating system.

Apple: Multiple Race Conditions in PCIe Message Ring protocol leading to OOB Write and OOB Read (CVE-2017-7115)

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe" driver is used in order to handle the PCIe interface and low-level communication protocols with the Wi-Fi SoC (also referred to as "dongle"). Similarly, the "AppleBCMWLANCore" driver handles the high-level protocols and the Wi-Fi configuration.

The host and dongle communicate with one another using a set of "message rings". Two message rings (distinct from the "flow rings") are used to transfer data from the host to the dongle (H2D):
- H2D_MSGRING_CONTROL_SUBMIT (Ring #0)
- H2D_MSGRING_RXPOST_SUBMIT (Ring #1)

When the host wishes to notify the dongle of an event (such as submitting an IO-Control request or posting an address into which an RX frame may be written), it does so by writing a small structure to the appropriate message ring buffer at the current write index. Similarly, when reading events from any of the completion rings (D2H), the host uses the read index for the current ring in order to access the message buffer posted by the dongle within the ring. Each ring has a corresponding fixed "item size" which is set during the ring's initialisation, so an individual item's address within the ring can be calculated as "ring_base + ring_index * item_size".

As the Wi-Fi dongle is connected to the host over PCIe, it is able to issue IO requests to the Root Complex. To prevent a malicious dongle from overwriting arbitrary physical memory and subverting the host OS, some isolation is needed between the device-visible IO-Space and the host's physical address space. This is facilitated on iOS by using an IOMMU called the "Device Address Resolution Table" (DART).

On iOS, the read and write indices for each of the rings (H2D and D2H) are synchronised between the peers by mapping them into IO-Space. This way, each side of the communication can freely access the R/W indices for each ring and know where the next buffers are going to be posted (either by itself or by its peer). These IO-Space addresses are submitted by the AppleBCMWLANBusInterfacePCIe driver into the PCIe shared structure at the end of the Wi-Fi chip's RAM by writing directly into the chip's TCM. Indeed, we can dump the structure's contents and see the IO-Space addresses for each of these buffers:

    Dumping ring_info
    -----------------------------------------
    h2d_w_idx_ptr: 0x0020249C
    h2d_r_idx_ptr: 0x00202548
    d2h_w_idx_ptr: 0x002025F4
    d2h_r_idx_ptr: 0x00202604
    -> h2d_w_idx_hostaddr: 0x80538000
    -> h2d_r_idx_hostaddr: 0x80530000
    -> d2h_w_idx_hostaddr: 0x80548000
    -> d2h_r_idx_hostaddr: 0x80540000

By installing a hook on the DMA function in the Wi-Fi chip, we can verify that these buffers are not only readable in IO-Space, they are also *writable* (including the H2D indices!). Here's a snippet (from the chip's console) in which we installed such a hook in order to DMA into the "h2d_w_idx_ptr" buffer:

    Before: 00 00 00 00 00 00 00 00
    After : 48 BF 6B 4B 50 34 4A BF
            ^---------------^ Wi-Fi MAC

When a PCIe MSI interrupt occurs, the AppleBCMWLANBusInterfacePCIe driver first handles the interrupt and checks which operations should be performed (by reading the MailBox register). If an interrupt signalling an event's completion arrives, the pending messages in each D2H ring are processed by calling AppleBCMWLANPCIeCompletionRing::signalWorkAvailable(). This, in turn, calls a virtual function in the ring instance (at offset 0x138). The called function reads the events at the current "read index" and subsequently handles them by invoking the registered callback function for the given ring (e.g., "drainControlCompleteRing" for the D2H_MSGRING_CONTROL_COMPLETE ring). Here is a short snippet of the approximate high-level logic of the virtual function that iterates over each pending buffer (the numbered markers are referenced by the race description below):

    int64_t AppleBCMWLANPCIeCompletionRing_iterateAndCallCompletionCallbacks(void* this) {
        ...
        do {
            uint8_t* ring_base = *(uint8_t**)((uint64_t)this + 216);
            int32_t item_size = *(int32_t*)((uint64_t)this + 92);
            /* (1) first read of the shared (IO-Space mapped) read index */
            uint32_t read_index = **(uint32_t**)((uint64_t)this + 144);
            uint8_t* next_buffer = ring_base + item_size * read_index;
            /* (2) second, independent read of the same shared index */
            uint64_t num_events = calculateNumberOfReadEventsToDrain(this);

            // Call the registered callback
            callback_t cb = *(callback_t*)((uint64_t)this + 24);
            uint32_t events_handled = cb(this, next_buffer, ..., num_events);

            read_index += events_handled;
            uint32_t max_ring_index = *(uint32_t*)((uint64_t)this + 88);
            if (read_index >= max_ring_index)
                read_index = 0;
            ...
        } while (hasMoreEvents(this));
        ...
    }

    uint64_t calculateNumberOfReadEventsToDrain(void* this) {
        // AppleBCMWLANPCIeCompletionRing::getReadIndex(), vtable slot at 0x120
        uint64_t (*getReadIndex)(void*) = *(uint64_t (**)(void*))(*(uint64_t*)this + 0x120);
        uint64_t read_index = getReadIndex(this);
        ...
        return read_index - last_index;
    }

    uint64_t AppleBCMWLANPCIeCompletionRing__getReadIndex(void* this) {
        uint32_t read_index = **(uint32_t**)((uint64_t)this + 144);
        // Bounds check against the maximal representable value, not the ring size
        if (read_index >= 0x10000)
            panic(...);
        return read_index;
    }

Similarly, when data need to be written into the submission rings, the corresponding AppleBCMWLANPCIeSubmissionRing instance's work loop function is invoked (virtual function @ offset 0x138). Here is the approximate high-level logic for this function:

    uint64_t AppleBCMWLANPCIeSubmissionRing_iterateAndCallSubmissionCallbacks(void* this) {
        ...
        /* (3) read of the shared write index, before any bounds check */
        uint32_t write_index = **(uint32_t**)((uint64_t)this + 184);
        /* (4) hasMoreEvents() re-reads and checks the shared indices */
        while (hasMoreEvents(this)) {
            uint8_t* ring_base = *(uint8_t**)((uint64_t)this + 248);
            int32_t item_size = *(int32_t*)((uint64_t)this + 92);
            uint8_t* next_buffer = ring_base + item_size * write_index;
            /* (5) another re-read of the shared indices */
            uint64_t num_events = calculateNumberOfWriteEvents(this);

            // Call the registered callback
            callback_t cb = *(callback_t*)((uint64_t)this + 112);
            uint32_t num_written = cb(this, next_buffer, ..., num_events);
            if (!num_written)
                break;

            write_index += num_written;
            uint32_t max_ring_index = *(uint32_t*)((uint64_t)this + 88);
            if (write_index >= max_ring_index)
                write_index = 0;
            **(uint32_t**)((uint64_t)this + 184) = write_index;
        }
        ...
    }

    uint64_t calculateNumberOfWriteEvents(void* this) {
        // AppleBCMWLANPCIeSubmissionRing::getIndices(), vtable slot at 0x128
        void (*getIndices)(void*, uint64_t*, uint64_t*) =
            *(void (**)(void*, uint64_t*, uint64_t*))(*(uint64_t*)this + 0x128);
        uint64_t read_index, write_index;
        getIndices(this, &read_index, &write_index);
        ...
    }

    void AppleBCMWLANPCIeSubmissionRing__getIndices(void* this, uint64_t* rindex, uint64_t* windex) {
        uint32_t read_index = **(uint32_t**)((uint64_t)this + 176);
        uint32_t write_index = **(uint32_t**)((uint64_t)this + 184);
        // Again checked against 0xFFFF rather than the ring's own maximal index
        if (read_index >= 0x10000 || write_index >= 0x10000)
            panic(...);
        *rindex = read_index;
        *windex = write_index;
    }

Note that in both the snippets above, the pointers to "read_index" and "write_index" point to the same memory addresses which were mapped into IO-Space earlier and submitted to the dongle. As such, the dongle can freely DMA into these addresses and modify their contents. Following the logic of the two snippets above, we can see that a malicious dongle can therefore trigger several race conditions by modifying the indices' values:

1. The dongle can trigger OOB writes to offsets not larger than 0xFFFF * item_size, by executing the following attack:
   a. Host calls AppleBCMWLANPCIeSubmissionRing_iterateAndCallSubmissionCallbacks on ring #n
   b. Dongle DMA-s into ring #n's write index, setting a value <= 0x10000
   c. Host reaches (3) and reads the malicious write index
   d. Dongle DMA-s into ring #n's write index, restoring the original write index
   e. Host reaches (4), calls hasMoreEvents() and succeeds since the index is now valid
   f. Host reaches (5), calculates the correct number of events to process, and calls the callback
   g. The callback writes arbitrary data into the attacker-controlled offset, triggering an OOB write
2. Similarly, by DMA-ing into a ring's read index for any of the completion rings, the dongle may cause the host to read a completion event OOB.
3. The dongle can also cause OOB writes to an offset larger than 0xFFFF * item_size, by executing the same attack as described in (1). However, if the dongle fails to restore the write index before the bounds checks in AppleBCMWLANPCIeSubmissionRing::getIndices, this will result in a panic and reboot the device.
4. Similarly, by DMA-ing into a ring's read index for any of the completion rings, the dongle may cause the host to read a completion event OOB at an offset larger than 0xFFFF * item_size.

One possibility to exploit this vulnerability would be to trigger an OOB write from a ring into the DART's translation tables, thus effectively adding mappings to the chip's IO-Space. If the attacker can add the DART's translation table itself to the DART mapping, they can then freely add memory mappings, allowing for arbitrary R/W into the kernel's physical address space. Indeed, by locating the DART's translation table and reverse engineering it, we can find the location of the DART's descriptors in relation to the ring base addresses. In one execution, dumping the addresses for the DART descriptors and the ring base addresses resulted in the following output:

    Ring #0 - Base: 0xFFFFFFE00380D000
    Ring #1 - Base: 0xFFFFFFE0B0DE8000
    Ring #2 - Base: 0xFFFFFFE0B0DEC000
    Ring #3 - Base: 0xFFFFFFE0B0CC4000
    Ring #4 - Base: 0xFFFFFFE0B0CD0000
    DART:
    First Level Descriptor: 0xFFFFFFE02BB4000
    Second Level Descriptor: 0xFFFFFFE0B0CD4000
    ...

As we can see above, the DART's second level descriptor is comfortably placed within range of ring #0 (H2D_MSGRING_CONTROL_SUBMIT), allowing an attacker to add entries to the DART's mapping. Moreover, even if the Wi-Fi chip or driver encounters an error and the chip is reset, the added mappings in the DART are not cleared (!).

Suggested Mitigations:
1. The indices can never be larger than 16 bits. As such, there's no reason to introduce possible mistakes when handling values larger than that. This can be mitigated by changing the index types to 16-bit wide types instead of 32-bit ones.
2. There's no reason to map the H2D indices as writable:
   2.1. If DART supports read-only mappings, I suggest the indices be mapped as such.
   2.2. Otherwise, the index should only be read from the shared region *once* on each iteration, instead of re-reading it in several "helper" functions.
3. The indices in both the submission and completion rings should be verified against the ring's maximal index (this+88) and not against the maximal possible value (0xFFFF).
4. Clear all DART mappings when the chip is reset.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: laginimaineb.

CVE-2017-7103: Gal Beniamini of Google Project Zero
CVE-2017-7105: Gal Beniamini of Google Project Zero
CVE-2017-7108: Gal Beniamini of Google Project Zero
CVE-2017-7110: Gal Beniamini of Google Project Zero
CVE-2017-7112: Gal Beniamini of Google Project Zero

Wi-Fi
Available for: Apple TV (4th generation)
Impact: Malicious code executing on the Wi-Fi chip may be able to execute arbitrary code with kernel privileges on the application processor
Description: Multiple race conditions were addressed through improved validation.
CVE-2017-7115: Gal Beniamini of Google Project Zero

Wi-Fi
Available for: Apple TV (4th generation)
Impact: Malicious code executing on the Wi-Fi chip may be able to read restricted kernel memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-7116: Gal Beniamini of Google Project Zero

Installation note: Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software." To check the current version of software, select "Settings -> General -> About."
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
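As an added illustration of suggested mitigations 2.2 and 3 (example code, not from the report, Apple or Broadcom), the following C model places the pre-fix 0xFFFF index check beside a hardened drain loop that reads the shared index once and validates it against the ring's own maximal index. The ring_t layout, the 64-slot/16-byte ring, the shared index word and the peer-supplied values are all constructed for the example; the peer's timing is not modelled, only the validation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one ring (not the driver's real layout): the ring
 * buffer lives in host memory, while the write index is shared with the
 * dongle through an IO-Space mapping, so the peer can change it at any time. */
typedef struct {
    uint8_t *base;              /* ring_base */
    uint32_t item_size;         /* item_size */
    uint32_t max_index;         /* max_ring_index: number of slots in the ring */
    volatile uint32_t *w_idx;   /* shared write index (peer-writable) */
} ring_t;

typedef void (*item_cb_t)(const uint8_t *item, uint32_t item_size);

/* Pre-fix style check as described in the report: anything below 0x10000
 * passes, even when the ring only has a few dozen slots. */
int legacy_index_ok(const ring_t *r, uint32_t idx) {
    (void)r;
    return idx < 0x10000;
}

/* Mitigation 3: validate against the ring's own maximal index, so that
 * base + idx * item_size can never point outside the ring. */
int hardened_index_ok(const ring_t *r, uint32_t idx) {
    return idx < r->max_index;
}

/* Byte offset of slot idx from the ring base (meaningful only after validation). */
size_t item_offset(const ring_t *r, uint32_t idx) {
    return (size_t)idx * r->item_size;
}

/* Mitigations 2.2 + 3: read the shared index exactly once, validate the
 * snapshot, and work from the local copy only. Returns the number of items
 * handed to cb, or -1 if the snapshot was out of range (the caller can then
 * reset the ring instead of panicking the device). */
int drain_hardened(const ring_t *r, uint32_t local_r_idx, item_cb_t cb) {
    uint32_t w = *r->w_idx;                  /* the only read of shared memory */
    if (!hardened_index_ok(r, w) || !hardened_index_ok(r, local_r_idx))
        return -1;
    int n = 0;
    while (local_r_idx != w) {               /* never re-reads *r->w_idx */
        cb(r->base + item_offset(r, local_r_idx), r->item_size);
        if (++local_r_idx >= r->max_index)
            local_r_idx = 0;
        n++;
    }
    return n;
}

/* --- constructed demo data: 64 slots of 16 bytes and one shared index word --- */
#define DEMO_SLOTS 64u
#define DEMO_ITEM  16u
static uint8_t demo_mem[DEMO_SLOTS * DEMO_ITEM];
static uint32_t demo_shared_w_idx;           /* stands in for the IO-Space word */
static int demo_cb_calls;

static void demo_cb(const uint8_t *item, uint32_t sz) { (void)item; (void)sz; demo_cb_calls++; }

static ring_t demo_ring(uint32_t peer_value) {
    ring_t r = { demo_mem, DEMO_ITEM, DEMO_SLOTS, &demo_shared_w_idx };
    demo_shared_w_idx = peer_value;          /* value as "written" by the peer */
    demo_cb_calls = 0;
    return r;
}

/* A peer-supplied index of 0x8000 passes the 0xFFFF check ... */
int demo_legacy_accepts_oob(void)  { ring_t r = demo_ring(0x8000); return legacy_index_ok(&r, *r.w_idx); }
/* ... and would address a slot 0x80000 bytes past a 1024-byte ring. */
size_t demo_oob_offset(void)       { ring_t r = demo_ring(0x8000); return item_offset(&r, *r.w_idx); }
size_t demo_ring_bytes(void)       { return sizeof demo_mem; }
/* The hardened drain rejects the same value before touching any memory. */
int demo_hardened_rejects_oob(void){ ring_t r = demo_ring(0x8000); return drain_hardened(&r, 0, demo_cb); }
/* A legitimate index (3 pending items) is processed normally. */
int demo_hardened_drains_valid(void){ ring_t r = demo_ring(3); return drain_hardened(&r, 0, demo_cb); }

int main(void) {
    printf("legacy check accepts 0x8000: %d (offset %zu > ring of %zu bytes)\n",
           demo_legacy_accepts_oob(), demo_oob_offset(), demo_ring_bytes());
    printf("hardened drain on 0x8000: %d, on 3: %d\n",
           demo_hardened_rejects_oob(), demo_hardened_drains_valid());
    return 0;
}
```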

Trust: 2.25

sources: NVD: CVE-2017-7115 // JVNDB: JVNDB-2017-009323 // BID: 100924 // VULHUB: VHN-115318 // VULMON: CVE-2017-7115 // PACKETSTORM: 144297 // PACKETSTORM: 144277

AFFECTED PRODUCTS

vendor: apple, model: tvos, scope: lte, version: 10.2.2

Trust: 1.0

vendor: apple, model: iphone os, scope: lte, version: 10.3.3

Trust: 1.0

vendor: apple, model: ios, scope: lt, version: 11 (ipad air or later)

Trust: 0.8

vendor: apple, model: ios, scope: lt, version: 11 (iphone 5s or later)

Trust: 0.8

vendor: apple, model: ios, scope: lt, version: 11 (ipod touch 6th generation)

Trust: 0.8

vendor: apple, model: tvos, scope: lt, version: 11 (apple tv 4th generation)

Trust: 0.8

vendor: apple, model: tv, scope: eq, version: 10.2.2

Trust: 0.6

vendor: apple, model: iphone os, scope: eq, version: 10.3.3

Trust: 0.6

vendor: apple, model: tvos, scope: eq, version: 10.1.1

Trust: 0.3

vendor: apple, model: tvos, scope: eq, version: 10.0.1

Trust: 0.3

vendor: apple, model: tvos, scope: eq, version: 9.2.2

Trust: 0.3

vendor: apple, model: tvos, scope: eq, version: 9.2.1

Trust: 0.3

vendor: apple, model: tvos, scope: eq, version: 9.1.1

Trust: 0.3

vendor: apple, model: tvos, scope: eq, version: 9.2

Trust: 0.3

vendor: apple, model: tvos, scope: eq, version: 9.1

Trust: 0.3

vendor: apple, model: tvos, scope: eq, version: 9.0

Trust: 0.3

vendor: apple, model: tvos, scope: eq, version: 10.2.2

Trust: 0.3

vendor: apple, model: tvos, scope: eq, version: 10.2.1

Trust: 0.3

vendor: apple, model: tvos, scope: eq, version: 10.2

Trust: 0.3

vendor: apple, model: tvos, scope: eq, version: 10.1

Trust: 0.3

vendor: apple, model: tvos, scope: eq, version: 10

Trust: 0.3

vendor: apple, model: tv, scope: eq, version: 0

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 50

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 40

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 30

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 10.2.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 10.0.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 9.3.4

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 9.3.3

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 9.3.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 9.3.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 9.2.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 9.0.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 9.0.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 8.4.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 7.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 7.0.6

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 7.0.5

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 7.0.3

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 7.0.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 7.0.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 6.3.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 6.1.6

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 6.1.4

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 6.1.3

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.2.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.0.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.0.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 3.2.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 3.2.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 9.3.5

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 9.3

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 9.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 9.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 9

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 8.4

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 8.3

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 8.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 8.1.3

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 8.1.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 8.1.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 8.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 8

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 7.1.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 7.1.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 7.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 7.0.4

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 7

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 6.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 6.0.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 6.0.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 6

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 5.1.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 5.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 5.0.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 5

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.3.5

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.3.4

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.3.3

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.3.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.3.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.3

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.2.9

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.2.8

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.2.7

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.2.6

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.2.5

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.2.10

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 4

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 3.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 3.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 3.0

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 2.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 2.0

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 10.3.3

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 10.3.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 10.3.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 10.3

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 10.2

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 10.1

Trust: 0.3

vendor: apple, model: ios, scope: eq, version: 10

Trust: 0.3

vendor: apple, model: tvos, scope: ne, version: 11

Trust: 0.3

vendor: apple, model: ios, scope: ne, version: 11

Trust: 0.3

sources: BID: 100924 // JVNDB: JVNDB-2017-009323 // CNNVD: CNNVD-201709-1057 // NVD: CVE-2017-7115

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-7115
value: HIGH

Trust: 1.0

NVD: CVE-2017-7115
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201709-1057
value: HIGH

Trust: 0.6

VULHUB: VHN-115318
value: HIGH

Trust: 0.1

VULMON: CVE-2017-7115
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-7115
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-115318
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-7115
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-115318 // VULMON: CVE-2017-7115 // JVNDB: JVNDB-2017-009323 // CNNVD: CNNVD-201709-1057 // NVD: CVE-2017-7115

PROBLEMTYPE DATA

problemtype:CWE-362

Trust: 1.9

sources: VULHUB: VHN-115318 // JVNDB: JVNDB-2017-009323 // NVD: CVE-2017-7115

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-1057

TYPE

race condition

Trust: 0.6

sources: CNNVD: CNNVD-201709-1057

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009323

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-115318 // VULMON: CVE-2017-7115

PATCH

title: Apple security updates, url: https://support.apple.com/en-us/HT201222

Trust: 0.8

title: HT208113, url: https://support.apple.com/en-us/HT208113

Trust: 0.8

title: HT208112, url: https://support.apple.com/en-us/HT208112

Trust: 0.8

title: HT208113, url: https://support.apple.com/ja-jp/HT208113

Trust: 0.8

title: HT208112, url: https://support.apple.com/ja-jp/HT208112

Trust: 0.8

title: Apple iOS and tvOS Wi-Fi race condition repair measures, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75065

Trust: 0.6

title: Apple: iOS 11, url: https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=041cce4eee20b18dc79e9460a53e8400

Trust: 0.1

title: Apple: tvOS 11, url: https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=74de8bbddd443742d386dabda32dc2ae

Trust: 0.1

title: Exp101tsArchiv30thers, url: https://github.com/nu11secur1ty/Exp101tsArchiv30thers

Trust: 0.1

title: awesome-cve-poc_qazbnm456, url: https://github.com/xbl3/awesome-cve-poc_qazbnm456

Trust: 0.1

sources: VULMON: CVE-2017-7115 // JVNDB: JVNDB-2017-009323 // CNNVD: CNNVD-201709-1057

EXTERNAL IDS

db: NVD, id: CVE-2017-7115

Trust: 3.1

db: BID, id: 100924

Trust: 2.1

db: SECTRACK, id: 1039385

Trust: 1.8

db: EXPLOIT-DB, id: 42996

Trust: 1.8

db: JVN, id: JVNVU99806334

Trust: 0.8

db: JVNDB, id: JVNDB-2017-009323

Trust: 0.8

db: CNNVD, id: CNNVD-201709-1057

Trust: 0.7

db: PACKETSTORM, id: 144297

Trust: 0.2

db: SEEBUG, id: SSVID-96627

Trust: 0.1

db: VULHUB, id: VHN-115318

Trust: 0.1

db: VULMON, id: CVE-2017-7115

Trust: 0.1

db: PACKETSTORM, id: 144277

Trust: 0.1

sources: VULHUB: VHN-115318 // VULMON: CVE-2017-7115 // BID: 100924 // JVNDB: JVNDB-2017-009323 // PACKETSTORM: 144297 // PACKETSTORM: 144277 // CNNVD: CNNVD-201709-1057 // NVD: CVE-2017-7115

REFERENCES

url:http://www.securityfocus.com/bid/100924

Trust: 1.9

url:https://www.exploit-db.com/exploits/42996/

Trust: 1.9

url:https://support.apple.com/ht208112

Trust: 1.8

url:https://support.apple.com/ht208113

Trust: 1.8

url:https://bugs.chromium.org/p/project-zero/issues/detail?id=1317

Trust: 1.8

url:http://www.securitytracker.com/id/1039385

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-7115

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7115

Trust: 0.8

url:http://jvn.jp/vu/jvnvu99806334/index.html

Trust: 0.8

url:https://www.apple.com/

Trust: 0.3

url:http://www.apple.com/ios/

Trust: 0.3

url:http://www.apple.com/accessibility/tvos/

Trust: 0.3

url:https://support.apple.com/en-us/ht208112

Trust: 0.3

url:https://support.apple.com/en-us/ht208113

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/362.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://support.apple.com/kb/ht208112

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-7116

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-7112

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-7105

Trust: 0.1

url:https://support.apple.com/kb/ht201222

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:https://gpgtools.org

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-7108

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-7110

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-7103

Trust: 0.1

sources: VULHUB: VHN-115318 // VULMON: CVE-2017-7115 // BID: 100924 // JVNDB: JVNDB-2017-009323 // PACKETSTORM: 144297 // PACKETSTORM: 144277 // CNNVD: CNNVD-201709-1057 // NVD: CVE-2017-7115

CREDITS

Gal Beniamini of Google Project Zero

Trust: 0.9

sources: BID: 100924 // CNNVD: CNNVD-201709-1057

SOURCES

db: VULHUB, id: VHN-115318
db: VULMON, id: CVE-2017-7115
db: BID, id: 100924
db: JVNDB, id: JVNDB-2017-009323
db: PACKETSTORM, id: 144297
db: PACKETSTORM, id: 144277
db: CNNVD, id: CNNVD-201709-1057
db: NVD, id: CVE-2017-7115

LAST UPDATE DATE

2024-11-23T19:36:02.609000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-115318, date: 2019-03-08T00:00:00
db: VULMON, id: CVE-2017-7115, date: 2019-03-08T00:00:00
db: BID, id: 100924, date: 2017-09-19T00:00:00
db: JVNDB, id: JVNDB-2017-009323, date: 2017-11-09T00:00:00
db: CNNVD, id: CNNVD-201709-1057, date: 2019-03-13T00:00:00
db: NVD, id: CVE-2017-7115, date: 2024-11-21T03:31:12.260

SOURCES RELEASE DATE

db: VULHUB, id: VHN-115318, date: 2017-10-23T00:00:00
db: VULMON, id: CVE-2017-7115, date: 2017-10-23T00:00:00
db: BID, id: 100924, date: 2017-09-19T00:00:00
db: JVNDB, id: JVNDB-2017-009323, date: 2017-11-09T00:00:00
db: PACKETSTORM, id: 144297, date: 2017-09-22T06:02:22
db: PACKETSTORM, id: 144277, date: 2017-09-21T10:11:11
db: CNNVD, id: CNNVD-201709-1057, date: 2017-09-26T00:00:00
db: NVD, id: CVE-2017-7115, date: 2017-10-23T01:29:12.957