Multiple vulnerabilities in Apple MacOS



Updated: 2018-10-25
Risk: High
Patch available: YES
Number of vulnerabilities: 7
CVE-ID: CVE-2018-4338, CVE-2018-4324, CVE-2018-4321, CVE-2018-4333, CVE-2018-4353, CVE-2018-4336, CVE-2018-4344
CWE-ID: CWE-125, CWE-264, CWE-200, CWE-20, CWE-119
Exploitation vector: Local
Public exploit: Public exploit code for vulnerability #1 is available. Vulnerability #7 is being exploited in the wild.
Vulnerable software: macOS (Operating systems & Components / Operating system)
Vendor: Apple Inc.

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Out-of-bounds read

EUVDB-ID: #VU15513

Risk: Low

CVSSv4.0: 5.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2018-4338

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The weakness exists on systems with Wi-Fi enabled: the setOFFLOAD_NDP function does not check its input value, so a stack value obtained by an out-of-bounds read is stored in the ol_nd_hostip variable. A local attacker can use the dlsym function on /System/Library/PrivateFrameworks/Apple80211.framework/Apple80211 to obtain the Apple80211Open, Apple80211BindToInterface, and Apple80211Close functions, trigger the out-of-bounds read and obtain a kernel address for privilege escalation in the Apple OS X local environment.


Mitigation

Update to version 10.14.

Vulnerable software versions

macOS: 10.13 17A365 - 10.13.6 17G66

External links

https://www.thezdi.com/blog/2018/10/24/cve-2018-4338-triggering-an-information-disclosure-on-macos-t...


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

2) Information disclosure

EUVDB-ID: #VU15514

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-4324

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The weakness exists due to insufficient permissions and access controls when handling the Apple ID. A local attacker can run a specially crafted application and determine the Apple ID of the owner of the computer.

Mitigation

Update to version 10.14.

Vulnerable software versions

macOS: 10.13 17A365 - 10.13.6 17G66

External links

https://support.apple.com/en-us/HT209139


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Information disclosure

EUVDB-ID: #VU15515

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-4321

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper validation of the process entitlement. A local attacker can run a specially crafted application and access local users' Apple IDs.

Mitigation

Update to version 10.14.

Vulnerable software versions

macOS: 10.13 17A365 - 10.13.6 17G66

External links

https://support.apple.com/en-us/HT209139


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Information disclosure

EUVDB-ID: #VU15516

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-4333

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper validation of user-supplied input. A local attacker can run a specially crafted application and read restricted memory.

Mitigation

Update to version 10.14.

Vulnerable software versions

macOS: 10.13 17A365 - 10.13.6 17G66

External links

https://support.apple.com/en-us/HT209139


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Security restrictions bypass

EUVDB-ID: #VU15517

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-4353

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker to bypass security restrictions on the target system.

The weakness exists due to improper sandbox restrictions. A local attacker can run a specially crafted application and circumvent sandbox restrictions.

Mitigation

Update to version 10.14.

Vulnerable software versions

macOS: 10.13 17A365 - 10.13.6 17G66

External links

https://support.apple.com/en-us/HT209139


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Memory corruption

EUVDB-ID: #VU15518

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-4336

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper sandbox restrictions when handling malicious input. A local attacker can run a specially crafted application and execute arbitrary code with kernel privileges.

Mitigation

Update to version 10.14.

Vulnerable software versions

macOS: 10.13 17A365 - 10.13.6 17G66

External links

https://support.apple.com/en-us/HT209139


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Memory corruption

EUVDB-ID: #VU15519

Risk: Low

CVSSv4.0: 8.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear]

CVE-ID: CVE-2018-4344

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper sandbox restrictions when handling malicious input. A local attacker can run a specially crafted application and execute arbitrary code with kernel privileges.

Mitigation

Update to version 10.14.

Vulnerable software versions

macOS: 10.13 17A365 - 10.13.6 17G66

External links

https://support.apple.com/en-us/HT209139


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.
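
Fleet triage against the range listed for all seven entries (macOS 10.13 17A365 - 10.13.6 17G66), as an added example that is not part of the original bulletin. It assumes build strings were collected per host (for instance with `sw_vers -buildVersion`); the host names and the inventory are constructed.

```python
import re

# Range the bulletin lists for every entry: macOS 10.13 17A365 - 10.13.6 17G66.
RANGE_LOW, RANGE_HIGH = "17A365", "17G66"
# macOS build string: Darwin major, release letter, build number, optional beta suffix.
_BUILD_RE = re.compile(r"^(\d+)([A-Z])(\d+)[a-z]?$")


def parse_build(build):
    """Split a build string such as '17G66' into a sortable (17, 'G', 66) tuple."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised macOS build string: {build!r}")
    return (int(m.group(1)), m.group(2), int(m.group(3)))


def in_listed_range(build):
    """True when the build falls inside the range the bulletin lists."""
    return parse_build(RANGE_LOW) <= parse_build(build) <= parse_build(RANGE_HIGH)


def triage(inventory):
    """Map host -> 'listed-vulnerable', 'not-listed' or 'unparsed'."""
    result = {}
    for host, build in inventory.items():
        try:
            result[host] = "listed-vulnerable" if in_listed_range(build) else "not-listed"
        except ValueError:
            result[host] = "unparsed"  # needs a manual look, never assume safe
    return result


# Constructed inventory; 'not-listed' only means outside this bulletin's range.
SAMPLE = {
    "mac-01": "17A365",
    "mac-02": "17G65",
    "mac-03": "17G66",
    "mac-04": "18A391",
    "mac-05": "16G29",
    "mac-06": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```

Hosts reported as `listed-vulnerable` are the ones the bulletin's mitigation (update to version 10.14) applies to; `not-listed` builds older than the range are not covered by this bulletin and need their own check.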


