var-201704-1558
Vulnerability from variot
Wi-Fi in Apple iOS before 10.3.1 does not prevent CVE-2017-6956 stack buffer overflow exploitation via a crafted access point. NOTE: because an operating system could potentially isolate itself from CVE-2017-6956 exploitation without patching Broadcom firmware functions, there is a separate CVE ID for the operating-system behavior. Apple iOS is prone to an arbitrary code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Versions prior to iOS 10.3.1 are vulnerable. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. Wi-Fi is one of the wireless Internet access components. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
APPLE-SA-2017-04-03-1 iOS 10.3.1
iOS 10.3.1 is now available and addresses the following:
Wi-Fi Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later Impact: Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip Description: A stack buffer overflow was addressed through improved input validation. CVE-2017-6975: Gal Beniamini of Google Project Zero
Installation note:
This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
- Navigate to Settings
- Select General
- Select About. The version after applying this update will be "10.3.1".
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org
iQIcBAEBCgAGBQJY4mGWAAoJEIOj74w0bLRGDXMP/2Pxq15u8s/Poib9N4oDn7Y/ 6k+8C8LEz6VmBaFaxKYBbyIGVo9FfLnIUA4Xar8CI2JOz97AifMQBGZra1pXWByL TQ44DgRRyoF4+MckoNPLKaAOy1aSGLF/3m3LEduNaVDZpgIYubzHPU1KaOFMujFw M1e4NEd18+eDgW9c5gXlGHmqtViCGQ1kTi7iySDxHlDd1MguFF9rVDjU2Yfn4juz whYHQKOpcSgkeX0tSRVgOU8UzXfDrzdsP433AqELHq2frBdjbi0B37XclP3dPjsQ MPbQwUE1kbC1agxPfl97RRRFyOyfkI2a1rp9SSFOFqpqIQxkj5gYqx08ji0ol0UF rNC6TZ103Vsyzi9NmO2DO0pv9ocFpg1D2efFkZeUU2hIfdb2B9jnQaulw/WmBzmD KQ3eImhvjTyzfB6UmJm+cdQcWYFYbJBFVeQ20lPeuekckghGLNhU21Zo/HKPnYHD wR8kz0TZUC7uQaiBbB63Blz0T+nNDrkNdTD6VnOhUX9Lpx+cfu717itijduV9L35 iPRDRw9Z8yuN2K0h5SLbHD17NIsNakDDI4VTFBu98YsFJxwHAWqoIH9rdeHbTPwp MQyuwvkQTOAse+e/R+TnfE/xVAAaX6H5P2E5KAuJtO0+mqx89bqn+wF8D2QTtPci qhkKFRDRZJjCDTZijmfA =TCYT -----END PGP SIGNATURE-----
. Broadcom: Stack buffer overflow when handling 802.11r (FT) authentication response
CVE-2017-6975
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.
In order to allow fast roaming between access points in a wireless network, the Broadcom firmware supports the Fast BSS Transition feature (IEEE 802.11r-2008 FT), allowing a client to roam between APs in the same mobility domain.
When a client decides to roam to a different AP in an FT network (in the same mobility domain), they first send an authentication request frame. This frame is either sent to the new AP (in over-the-air FT) or to the original AP (in over-the-DS FT). The authentication request frame includes the Fast BSS Transition Information Element (FT-IE) specifying the R0 key holder ID (R0KH-ID) corresponding to the roam request.
In response, the AP send back an authentication response frame, also containing an FT-IE. This FT-IE contains the regular fields (Anonce, Snonce, etc.) but also includes the R0KH-ID and R1KH-ID. This is done by encoding the additional fields as TLVs immediately after the structure of the FT-IE (but still within the bounds of the IE), like so:
| FT-IE Tag (55) | FT-IE Length | ... FT-IE Contents ... | Additional TLVs |
0 1 2 84 2 + FT-IE Length
On the BCM4339 SoC with firmware version 6.37.34.40 the authentication response frame for FT roaming is handled by ROM function 0x7B6A4. This function first retrieves the FT-IE. Then, it allocates a heap buffer for it, using the size specified in the IE's length field. The FT-IE is then stored in the allocated buffer, which is subsequently used to extract the R0KH-ID and R1KH-ID fields.
Here is the high-level logic for this function:
void function_7B6A4(...) {
//Copying in the FT-IE
char* ft_ie = bcm_parse_tlvs(auth_frame, auth_frame_len, 55);
unsigned short ft_ie_len = ft_ie[1] + 2;
char* ft_ie_buffer = malloc(ft_ie_len);
memcpy(ft_ie_buffer, ft_ie, ft_ie_len);
//Extracting the embedded IEs in the FT-IE. The size of the
//FT-IE's fields without the embedded IEs is 84.
char* ies = ft_ie_buffer + 84;
int ies_length = ft_ie_len - 84;
char* r0kh_id = bcm_parse_tlvs(ies, ies_length, 1);
char* r1kh_id = bcm_parse_tlvs(ies, ies_length, 3);
memcpy(..., ft_ie + 20, 0x20); //Copying the Anonce
...
}
First, it should be noted that the function erroneously assumes the size of the FT-IE is at least 84. An attacker could include a shorter FT-IE, causing the function to copy 0x20 bytes from (ft_ie + 20), which are stored as the AP's Anonce.
Second, after extracting the R0KH-ID and R1KH-ID fields, the function proceeds to calculate the PTK. To do so, the value of PMK-R0 must first be derived. According to IEEE 802.11r-2008 - 8.5.1.5.3, the PMK-R0 is derived as follows:
R0-Key-Data = KDF-384(XXKey, "FT-R0", SSIDlength || SSID || MDID || R0KHlength || R0KH-ID || S0KH-ID) PMK-R0 = L(R0-Key-Data, 0, 256) PMK-R0Name-Salt = L(R0-Key-Data, 256, 128)
(see also "wpa_derive_pmk_r0" under https://w1.fi/cgit/hostap/plain/src/common/wpa_common.c)
This calculation is performed by ROM function 0x13C94, which uses the R0KH-ID that was parsed earlier from the FT-IE in the authentication response frame. The function has approximately the following logic:
void function_13C94(...) { char buffer[128]; ... memcpy(buffer, "FT-R0", strlen("FT-R0")); buffer += strlen("FT-R0"); memcpy(buffer, &ssid_length, 1); buffer += 1; memcpy(buffer, ssid, ssid_length); buffer += ssid_length; memcpy(buffer, &mdid, 2); buffer += 2; memcpy(buffer, r0kh_id, r0kh_id_len); buffer += rokh_id_len; ... }
Where "r0kh_id" is the contents of the R0KH-ID field that was extracted from the FT-IE, and "r0kh_id_len" is the length of the extracted field.
Since the R0KH-ID field's length is not validated, an attacker can include an extremely long field within a crafted FT-IE (specifically, the R0KH-ID's length can be at most MAX_IE_SIZE + IE_HEADER_SIZE - FT_IE_SIZE = 255 + 2 - 84 = 173). This would cause the stack-allocated buffer to be overflown, corrupting the stack with attacker-controlled data.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Found by: laginimaineb
. CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team
WebKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.5 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-6237: G. Geshev working with Trend Micro Zero Day Initiative, Liu Long of Qihoo 360 Vulcan Team CVE-2019-8571: 01 working with Trend Micro's Zero Day Initiative CVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_) of Tencent Keen Lab, and dwfault working at ADLab of Venustech CVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero Day Initiative CVE-2019-8586: an anonymous researcher CVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative CVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security & Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab CVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero Day Initiative CVE-2019-8596: Wen Xu of SSLab at Georgia Tech CVE-2019-8597: 01 working with Trend Micro Zero Day Initiative CVE-2019-8601: Fluoroacetate working with Trend Micro's Zero Day Initiative CVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative CVE-2019-8609: Wen Xu of SSLab, Georgia Tech CVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative CVE-2019-8611: Samuel Groß of Google Project Zero CVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab CVE-2019-8622: Samuel Groß of Google Project Zero CVE-2019-8623: Samuel Groß of Google Project Zero CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab
Additional recognition
Safari We would like to acknowledge Michael Ball of Gradescope by Turnitin for their assistance.
Installation note:
Safari 12.1.1 may be obtained from the Mac App Store
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201704-1558",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "iphone os",
"scope": "lte",
"trust": 1.0,
"vendor": "apple",
"version": "10.3"
},
{
"model": "ios",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "10.3.1 earlier"
},
{
"model": "iphone os",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "10.3"
},
{
"model": "ipod touch",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "0"
},
{
"model": "iphone",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "0"
},
{
"model": "ipad",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "0"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "50"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "40"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "30"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "10.2.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "10.0.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.3.4"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.3.3"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.3.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.3.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.2.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.0.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.0.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "8.4.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.6"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.5"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.3"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.3.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.1.6"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.1.4"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.1.3"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.2.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.0.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.0.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "3.2.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "3.2.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.3.5"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.3"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "8.4"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "8.3"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "8.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "8.1.3"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "8.1.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "8.1.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "8.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "8"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7.0.4"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "7"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.0.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6.0.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "6"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "5.1.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "5.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "5.0.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "5"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.3.5"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.3.4"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.3.3"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.3.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.3.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.3"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.2.9"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.2.8"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.2.7"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.2.6"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.2.5"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.2.10"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "3.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "3.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "3.0"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "2.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "2.0"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "10.3"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "10.2"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "10.1"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "10"
},
{
"model": "ios",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "10.3.1"
}
],
"sources": [
{
"db": "BID",
"id": "97328"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002265"
},
{
"db": "CNNVD",
"id": "CNNVD-201704-237"
},
{
"db": "NVD",
"id": "CVE-2017-6975"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:apple:iphone_os",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-002265"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple",
"sources": [
{
"db": "PACKETSTORM",
"id": "142004"
},
{
"db": "PACKETSTORM",
"id": "152848"
},
{
"db": "CNNVD",
"id": "CNNVD-201704-237"
}
],
"trust": 0.8
},
"cve": "CVE-2017-6975",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CVE-2017-6975",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.9,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "VHN-115178",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2017-6975",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2017-6975",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2017-6975",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-201704-237",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-115178",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2017-6975",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-115178"
},
{
"db": "VULMON",
"id": "CVE-2017-6975"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002265"
},
{
"db": "CNNVD",
"id": "CNNVD-201704-237"
},
{
"db": "NVD",
"id": "CVE-2017-6975"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Wi-Fi in Apple iOS before 10.3.1 does not prevent CVE-2017-6956 stack buffer overflow exploitation via a crafted access point. NOTE: because an operating system could potentially isolate itself from CVE-2017-6956 exploitation without patching Broadcom firmware functions, there is a separate CVE ID for the operating-system behavior. Apple iOS is prone to an arbitrary code-execution vulnerability. \nAn attacker can leverage this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. \nVersions prior to iOS 10.3.1 are vulnerable. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. Wi-Fi is one of the wireless Internet access components. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\nAPPLE-SA-2017-04-03-1 iOS 10.3.1\n\niOS 10.3.1 is now available and addresses the following:\n\nWi-Fi\nAvailable for: iPhone 5 and later, iPad 4th generation and later,\niPod touch 6th generation and later\nImpact: Impact: An attacker within range may be able to execute\narbitrary code on the Wi-Fi chip\nDescription: A stack buffer overflow was addressed through improved\ninput validation. \nCVE-2017-6975: Gal Beniamini of Google Project Zero\n\nInstallation note:\n\nThis update is available through iTunes and Software Update on your\niOS device, and will not appear in your computer\u0027s Software Update\napplication, or in the Apple Downloads site. Make sure you have an\nInternet connection and have installed the latest version of iTunes\nfrom www.apple.com/itunes/\n\niTunes and Software Update on the device will automatically check\nApple\u0027s update server on its weekly schedule. When an update is\ndetected, it is downloaded and the option to be installed is\npresented to the user when the iOS device is docked. We recommend\napplying the update immediately if possible. Selecting Don\u0027t Install\nwill present the option the next time you connect your iOS device. \n\nThe automatic update process may take up to a week depending on the\nday that iTunes or the device checks for updates. You may manually\nobtain the update via the Check for Updates button within iTunes, or\nthe Software Update on your device. \n\nTo check that the iPhone, iPod touch, or iPad has been updated:\n\n* Navigate to Settings\n* Select General\n* Select About. The version after applying this update\nwill be \"10.3.1\". \n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n-----BEGIN PGP SIGNATURE-----\nComment: GPGTools - http://gpgtools.org\n\niQIcBAEBCgAGBQJY4mGWAAoJEIOj74w0bLRGDXMP/2Pxq15u8s/Poib9N4oDn7Y/\n6k+8C8LEz6VmBaFaxKYBbyIGVo9FfLnIUA4Xar8CI2JOz97AifMQBGZra1pXWByL\nTQ44DgRRyoF4+MckoNPLKaAOy1aSGLF/3m3LEduNaVDZpgIYubzHPU1KaOFMujFw\nM1e4NEd18+eDgW9c5gXlGHmqtViCGQ1kTi7iySDxHlDd1MguFF9rVDjU2Yfn4juz\nwhYHQKOpcSgkeX0tSRVgOU8UzXfDrzdsP433AqELHq2frBdjbi0B37XclP3dPjsQ\nMPbQwUE1kbC1agxPfl97RRRFyOyfkI2a1rp9SSFOFqpqIQxkj5gYqx08ji0ol0UF\nrNC6TZ103Vsyzi9NmO2DO0pv9ocFpg1D2efFkZeUU2hIfdb2B9jnQaulw/WmBzmD\nKQ3eImhvjTyzfB6UmJm+cdQcWYFYbJBFVeQ20lPeuekckghGLNhU21Zo/HKPnYHD\nwR8kz0TZUC7uQaiBbB63Blz0T+nNDrkNdTD6VnOhUX9Lpx+cfu717itijduV9L35\niPRDRw9Z8yuN2K0h5SLbHD17NIsNakDDI4VTFBu98YsFJxwHAWqoIH9rdeHbTPwp\nMQyuwvkQTOAse+e/R+TnfE/xVAAaX6H5P2E5KAuJtO0+mqx89bqn+wF8D2QTtPci\nqhkKFRDRZJjCDTZijmfA\n=TCYT\n-----END PGP SIGNATURE-----\n\n\n\n. Broadcom: Stack buffer overflow when handling 802.11r (FT) authentication response \n\nCVE-2017-6975\n\n\nBroadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. \n\nIn order to allow fast roaming between access points in a wireless network, the Broadcom firmware supports the Fast BSS Transition feature (IEEE 802.11r-2008 FT), allowing a client to roam between APs in the same mobility domain. \n\nWhen a client decides to roam to a different AP in an FT network (in the same mobility domain), they first send an authentication request frame. This frame is either sent to the new AP (in over-the-air FT) or to the original AP (in over-the-DS FT). The authentication request frame includes the Fast BSS Transition Information Element (FT-IE) specifying the \u003ca href=\"https://crrev.com/0\" title=\"\" class=\"\" rel=\"nofollow\"\u003eR0\u003c/a\u003e key holder ID (R0KH-ID) corresponding to the roam request. \n\nIn response, the AP send back an authentication response frame, also containing an FT-IE. This FT-IE contains the regular fields (Anonce, Snonce, etc.) but also includes the R0KH-ID and R1KH-ID. This is done by encoding the additional fields as TLVs immediately after the structure of the FT-IE (but still within the bounds of the IE), like so:\n\n ----------------------------------------------------------------------------\n | FT-IE Tag (55) | FT-IE Length | ... FT-IE Contents ... | Additional TLVs |\n ----------------------------------------------------------------------------\n 0 1 2 84 2 + FT-IE Length\n\nOn the BCM4339 SoC with firmware version 6.37.34.40 the authentication response frame for FT roaming is handled by ROM function 0x7B6A4. This function first retrieves the FT-IE. Then, it allocates a heap buffer for it, using the size specified in the IE\u0027s length field. The FT-IE is then stored in the allocated buffer, which is subsequently used to extract the R0KH-ID and R1KH-ID fields. \n\nHere is the high-level logic for this function:\n\nvoid function_7B6A4(...) {\n \n //Copying in the FT-IE\n char* ft_ie = bcm_parse_tlvs(auth_frame, auth_frame_len, 55);\n unsigned short ft_ie_len = ft_ie[1] + 2;\n char* ft_ie_buffer = malloc(ft_ie_len);\n memcpy(ft_ie_buffer, ft_ie, ft_ie_len);\n\n //Extracting the embedded IEs in the FT-IE. The size of the\n //FT-IE\u0027s fields without the embedded IEs is 84. \n char* ies = ft_ie_buffer + 84;\n int ies_length = ft_ie_len - 84;\n char* r0kh_id = bcm_parse_tlvs(ies, ies_length, 1);\n char* r1kh_id = bcm_parse_tlvs(ies, ies_length, 3);\n memcpy(..., ft_ie + 20, 0x20); //Copying the Anonce\n ... \n}\n\nFirst, it should be noted that the function erroneously assumes the size of the FT-IE is at least 84. An attacker could include a shorter FT-IE, causing the function to copy 0x20 bytes from (ft_ie + 20), which are stored as the AP\u0027s Anonce. \n\nSecond, after extracting the R0KH-ID and R1KH-ID fields, the function proceeds to calculate the PTK. To do so, the value of PMK-\u003ca href=\"https://crrev.com/0\" title=\"\" class=\"\" rel=\"nofollow\"\u003eR0\u003c/a\u003e must first be derived. According to IEEE 802.11r-2008 - 8.5.1.5.3, the PMK-\u003ca href=\"https://crrev.com/0\" title=\"\" class=\"\" rel=\"nofollow\"\u003eR0\u003c/a\u003e is derived as follows:\n\n\u003ca href=\"https://crrev.com/0\" title=\"\" class=\"\" rel=\"nofollow\"\u003eR0\u003c/a\u003e-Key-Data = KDF-384(XXKey, \"FT-\u003ca href=\"https://crrev.com/0\" title=\"\" class=\"\" rel=\"nofollow\"\u003eR0\u003c/a\u003e\",\n SSIDlength || SSID || MDID || R0KHlength || R0KH-ID || S0KH-ID)\nPMK-\u003ca href=\"https://crrev.com/0\" title=\"\" class=\"\" rel=\"nofollow\"\u003eR0\u003c/a\u003e = L(\u003ca href=\"https://crrev.com/0\" title=\"\" class=\"\" rel=\"nofollow\"\u003eR0\u003c/a\u003e-Key-Data, 0, 256)\nPMK-R0Name-Salt = L(\u003ca href=\"https://crrev.com/0\" title=\"\" class=\"\" rel=\"nofollow\"\u003eR0\u003c/a\u003e-Key-Data, 256, 128)\n\n(see also \"wpa_derive_pmk_r0\" under \u003ca href=\"https://w1.fi/cgit/hostap/plain/src/common/wpa_common.c\" title=\"\" class=\"\" rel=\"nofollow\"\u003ehttps://w1.fi/cgit/hostap/plain/src/common/wpa_common.c\u003c/a\u003e)\n\nThis calculation is performed by ROM function 0x13C94, which uses the R0KH-ID that was parsed earlier from the FT-IE in the authentication response frame. The function has approximately the following logic:\n\nvoid function_13C94(...) {\n char buffer[128];\n ... \n memcpy(buffer, \"FT-\u003ca href=\"https://crrev.com/0\" title=\"\" class=\"\" rel=\"nofollow\"\u003eR0\u003c/a\u003e\", strlen(\"FT-\u003ca href=\"https://crrev.com/0\" title=\"\" class=\"\" rel=\"nofollow\"\u003eR0\u003c/a\u003e\")); buffer += strlen(\"FT-\u003ca href=\"https://crrev.com/0\" title=\"\" class=\"\" rel=\"nofollow\"\u003eR0\u003c/a\u003e\");\n memcpy(buffer, \u0026ssid_length, 1); buffer += 1;\n memcpy(buffer, ssid, ssid_length); buffer += ssid_length;\n memcpy(buffer, \u0026mdid, 2); buffer += 2;\n memcpy(buffer, r0kh_id, r0kh_id_len); buffer += rokh_id_len;\n ... \n}\n\nWhere \"r0kh_id\" is the contents of the R0KH-ID field that was extracted from the FT-IE, and \"r0kh_id_len\" is the length of the extracted field. \n\nSince the R0KH-ID field\u0027s length is not validated, an attacker can include an extremely long field within a crafted FT-IE (specifically, the R0KH-ID\u0027s length can be at most MAX_IE_SIZE + IE_HEADER_SIZE - FT_IE_SIZE = 255 + 2 - 84 = 173). This would cause the stack-allocated buffer to be overflown, corrupting the stack with attacker-controlled data. \n\nThis bug is subject to a 90 day disclosure deadline. If 90 days elapse\nwithout a broadly available patch, then the bug report will automatically\nbecome visible to the public. \n\n\n\nFound by: laginimaineb\n\n. \nCVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team\n\nWebKit\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and\nincluded in macOS Mojave 10.14.5\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: Multiple memory corruption issues were addressed with\nimproved memory handling. \nCVE-2019-6237: G. Geshev working with Trend Micro Zero Day\nInitiative, Liu Long of Qihoo 360 Vulcan Team\nCVE-2019-8571: 01 working with Trend Micro\u0027s Zero Day Initiative\nCVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_)\nof Tencent Keen Lab, and dwfault working at ADLab of Venustech\nCVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero\nDay Initiative\nCVE-2019-8586: an anonymous researcher\nCVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative\nCVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security \u0026\nPrivacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab\nCVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero\nDay Initiative\nCVE-2019-8596: Wen Xu of SSLab at Georgia Tech\nCVE-2019-8597: 01 working with Trend Micro Zero Day Initiative\nCVE-2019-8601: Fluoroacetate working with Trend Micro\u0027s Zero Day\nInitiative\nCVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative\nCVE-2019-8609: Wen Xu of SSLab, Georgia Tech\nCVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative\nCVE-2019-8611: Samuel Gro\u00df of Google Project Zero\nCVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro\u0027s\nZero Day Initiative\nCVE-2019-8619: Wen Xu of SSLab at Georgia Tech and\nHanqing Zhao of Chaitin Security Research Lab\nCVE-2019-8622: Samuel Gro\u00df of Google Project Zero\nCVE-2019-8623: Samuel Gro\u00df of Google Project Zero\nCVE-2019-8628: Wen Xu of SSLab at Georgia Tech and\nHanqing Zhao of Chaitin Security Research Lab\n\nAdditional recognition\n\nSafari\nWe would like to acknowledge Michael Ball of Gradescope by Turnitin\nfor their assistance. \n\nInstallation note:\n\nSafari 12.1.1 may be obtained from the Mac App Store",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-6975"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002265"
},
{
"db": "BID",
"id": "97328"
},
{
"db": "VULHUB",
"id": "VHN-115178"
},
{
"db": "VULMON",
"id": "CVE-2017-6975"
},
{
"db": "PACKETSTORM",
"id": "142004"
},
{
"db": "PACKETSTORM",
"id": "141953"
},
{
"db": "PACKETSTORM",
"id": "152848"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-6975",
"trust": 3.2
},
{
"db": "BID",
"id": "97328",
"trust": 2.1
},
{
"db": "SECTRACK",
"id": "1038172",
"trust": 1.8
},
{
"db": "JVN",
"id": "JVNVU91033489",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002265",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201704-237",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "152848",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.1699",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "141953",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "142004",
"trust": 0.2
},
{
"db": "SEEBUG",
"id": "SSVID-92879",
"trust": 0.1
},
{
"db": "SEEBUG",
"id": "SSVID-92896",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-115178",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2017-6975",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-115178"
},
{
"db": "VULMON",
"id": "CVE-2017-6975"
},
{
"db": "BID",
"id": "97328"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002265"
},
{
"db": "PACKETSTORM",
"id": "142004"
},
{
"db": "PACKETSTORM",
"id": "141953"
},
{
"db": "PACKETSTORM",
"id": "152848"
},
{
"db": "CNNVD",
"id": "CNNVD-201704-237"
},
{
"db": "NVD",
"id": "CVE-2017-6975"
}
]
},
"id": "VAR-201704-1558",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-115178"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T21:29:48.948000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "HT207688",
"trust": 0.8,
"url": "https://support.apple.com/en-us/HT207688"
},
{
"title": "HT207688",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/HT207688"
},
{
"title": "Apple iOS Wi-Fi Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=73796"
},
{
"title": "Threatpost",
"trust": 0.1,
"url": "https://threatpost.com/apple-patches-intel-side-channel-ios-macos/144743/"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2017-6975"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002265"
},
{
"db": "CNNVD",
"id": "CNNVD-201704-237"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
},
{
"problemtype": "CWE-121",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-115178"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002265"
},
{
"db": "NVD",
"id": "CVE-2017-6975"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "http://www.securityfocus.com/bid/97328"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/may/30"
},
{
"trust": 1.8,
"url": "https://support.apple.com/ht207688"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht210121"
},
{
"trust": 1.8,
"url": "http://seclists.org/fulldisclosure/2019/may/24"
},
{
"trust": 1.8,
"url": "https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html"
},
{
"trust": 1.8,
"url": "https://twitter.com/4dgifts/status/849268365457850370"
},
{
"trust": 1.8,
"url": "http://www.securitytracker.com/id/1038172"
},
{
"trust": 1.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-6975"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6975"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu91033489/"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-au/ht210121"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht210121"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/152848/apple-security-advisory-2019-5-13-6.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/80846"
},
{
"trust": 0.3,
"url": "https://www.apple.com/"
},
{
"trust": 0.3,
"url": "http://www.apple.com/ios/"
},
{
"trust": 0.3,
"url": "https://lists.apple.com/archives/security-announce/2017/apr/msg00000.html "
},
{
"trust": 0.2,
"url": "https://support.apple.com/kb/ht201222"
},
{
"trust": 0.2,
"url": "https://www.apple.com/support/security/pgp/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"trust": 0.1,
"url": "https://tools.cisco.com/security/center/viewalert.x?alertid=53323"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://threatpost.com/apple-patches-intel-side-channel-ios-macos/144743/"
},
{
"trust": 0.1,
"url": "https://www.apple.com/itunes/"
},
{
"trust": 0.1,
"url": "http://gpgtools.org"
},
{
"trust": 0.1,
"url": "https://crrev.com/0\""
},
{
"trust": 0.1,
"url": "https://w1.fi/cgit/hostap/plain/src/common/wpa_common.c\""
},
{
"trust": 0.1,
"url": "https://w1.fi/cgit/hostap/plain/src/common/wpa_common.c\u003c/a\u003e)"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9417"
},
{
"trust": 0.1,
"url": "http://seclists.org/fulldisclosure/"
},
{
"trust": 0.1,
"url": "https://nmap.org/mailman/listinfo/fulldisclosure"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-14315"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-115178"
},
{
"db": "VULMON",
"id": "CVE-2017-6975"
},
{
"db": "BID",
"id": "97328"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002265"
},
{
"db": "PACKETSTORM",
"id": "142004"
},
{
"db": "PACKETSTORM",
"id": "141953"
},
{
"db": "PACKETSTORM",
"id": "152848"
},
{
"db": "CNNVD",
"id": "CNNVD-201704-237"
},
{
"db": "NVD",
"id": "CVE-2017-6975"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-115178"
},
{
"db": "VULMON",
"id": "CVE-2017-6975"
},
{
"db": "BID",
"id": "97328"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-002265"
},
{
"db": "PACKETSTORM",
"id": "142004"
},
{
"db": "PACKETSTORM",
"id": "141953"
},
{
"db": "PACKETSTORM",
"id": "152848"
},
{
"db": "CNNVD",
"id": "CNNVD-201704-237"
},
{
"db": "NVD",
"id": "CVE-2017-6975"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-04-05T00:00:00",
"db": "VULHUB",
"id": "VHN-115178"
},
{
"date": "2017-04-05T00:00:00",
"db": "VULMON",
"id": "CVE-2017-6975"
},
{
"date": "2017-04-03T00:00:00",
"db": "BID",
"id": "97328"
},
{
"date": "2017-04-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-002265"
},
{
"date": "2017-04-03T14:22:22",
"db": "PACKETSTORM",
"id": "142004"
},
{
"date": "2017-04-09T23:31:41",
"db": "PACKETSTORM",
"id": "141953"
},
{
"date": "2019-05-14T00:29:32",
"db": "PACKETSTORM",
"id": "152848"
},
{
"date": "2017-04-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201704-237"
},
{
"date": "2017-04-05T14:59:00.417000",
"db": "NVD",
"id": "CVE-2017-6975"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-05-14T00:00:00",
"db": "VULHUB",
"id": "VHN-115178"
},
{
"date": "2019-05-14T00:00:00",
"db": "VULMON",
"id": "CVE-2017-6975"
},
{
"date": "2017-04-04T09:19:00",
"db": "BID",
"id": "97328"
},
{
"date": "2017-04-12T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-002265"
},
{
"date": "2021-10-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201704-237"
},
{
"date": "2024-11-21T03:30:54.137000",
"db": "NVD",
"id": "CVE-2017-6975"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201704-237"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple iOS Vulnerable to buffer overflow",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-002265"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201704-237"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.