var-201710-1363
Vulnerability from variot

An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. The issue involves the "Wi-Fi" component. It might allow remote attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via crafted Wi-Fi traffic that leverages a race condition.

Apple iOS and tvOS are prone to an arbitrary code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Versions prior to Apple tvOS 11 and iOS 11 are vulnerable.

in the United States. tvOS is a smart TV operating system.

Apple: Multiple Race Conditions in PCIe Message Ring protocol leading to OOB Write and OOB Read

CVE-2017-7115

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe" driver is used in order to handle the PCIe interface and low-level communication protocols with the Wi-Fi SoC (also referred to as "dongle"). Similarly, the "AppleBCMWLANCore" driver handles the high-level protocols and the Wi-Fi configuration.

The host and dongle communicate with one another using a set of "message rings". Two message rings (distinct from the "flow rings") are used to transfer data from the host to the dongle (H2D):

- H2D_MSGRING_CONTROL_SUBMIT (Ring #0)
- H2D_MSGRING_RXPOST_SUBMIT (Ring #1)

When the host wishes to notify the dongle of an event (such as submitting an IO-Control request or posting an address into which an RX frame may be written), it does so by writing a small structure to the appropriate message ring buffer at the current write index. Similarly, when reading events from any of the completion rings (D2H), the host uses the read index for the current ring in order to access the posted message buffer by the dongle within the ring. Each ring has a corresponding fixed "item size" which is set during the ring's initialisation -- individual items' addresses within the ring can therefore be calculated like so: "ring_base + ring_index * item_size".

As the Wi-Fi dongle is connected to the host over PCIe, it is able to issue IO requests to the Root Complex. To prevent a malicious dongle from overwriting arbitrary physical memory and subverting the host OS, some isolation is needed between the device-visible IO-Space and the host's physical address space. This is facilitated on iOS by using an IOMMU called the "Device Address Resolution Table" (DART).

On iOS, the read and write indices for each of the rings (H2D and D2H) are synchronised between the peers by mapping them into IO-Space -- this way, each side of the communication can freely access the R/W indices for each ring and know where the next buffers are going to be posted (either by itself or by its peer). These IO-Space addresses are submitted by the AppleBCMWLANBusInterfacePCIe driver into the PCIe shared structure at the end of the Wi-Fi chip's RAM by writing directly into the chip's TCM. Indeed, we can dump the structure's contents and see the IO-Space addresses for each of these buffers:

Dumping ring_info
-----------------------------------------
h2d_w_idx_ptr:          0x0020249C
h2d_r_idx_ptr:          0x00202548
d2h_w_idx_ptr:          0x002025F4
d2h_r_idx_ptr:          0x00202604

-> h2d_w_idx_hostaddr: 0x80538000
-> h2d_r_idx_hostaddr: 0x80530000
-> d2h_w_idx_hostaddr: 0x80548000
-> d2h_r_idx_hostaddr: 0x80540000

By installing a hook on the DMA function in the Wi-Fi chip, we can verify that indeed these buffers are not only readable in IO-Space, they are also writable (including the H2D indices!). Here's a snippet (from the chip's console) in which we installed such a hook in order to DMA into the "h2d_w_idx_ptr" buffer:

Before: 00 00 00 00 00 00 00 00
After : 48 BF 6B 4B 50 34 4A BF
        ^---------------^
            Wi-Fi MAC

When a PCIe MSI interrupt occurs, the AppleBCMWLANBusInterfacePCIe driver first handles the interrupt and checks which operations should be performed (by reading the MailBox register). If an interrupt signalling an event's completion arrives, the pending messages in each D2H ring are processed by calling AppleBCMWLANPCIeCompletionRing::signalWorkAvailable(). This, in turn, calls a virtual function in the ring instance (at offset 0x138). The handled function reads the events at the current "read index" and subsequently handles them by invoking the registered callback function for the given ring (e.g., "drainControlCompleteRing" for the D2H_MSGRING_CONTROL_COMPLETE ring). Here is a short snippet of the approximate high-level logic of the virtual function that iterates over each pending buffer:

int64_t AppleBCMWLANPCIeCompletionRing_iterateAndCallCompletionCallbacks(void* this) {

  ...

  do {
    uint8_t*  ring_base  =  *(uint8_t**) ((uint64_t)this + 216);
    int32_t   item_size  =  *(int32_t*)  ((uint64_t)this + 92);

(1) uint32_t read_index = **(uint32_t**)((uint64_t)this + 144);  //read through the IO-Space mapped pointer

    uint8_t* next_buffer = ring_base + item_size * read_index;

(2) uint64_t num_events = calculateNumberOfReadEventsToDrain(this);

    //Call the registered callback
    callback_t cb = *(callback_t*)((uint64_t)this + 24);
    uint32_t events_handled = cb(this, next_buffer, ..., num_events);

    read_index += events_handled;
    uint32_t max_ring_index = *(uint32_t*)((uint64_t)this + 88);
    if (read_index >= max_ring_index)
      read_index = 0;

    ...

  }
  while (hasMoreEvents(this));
  ...

}

uint64_t calculateNumberOfReadEventsToDrain(void* this) {

  //AppleBCMWLANPCIeCompletionRing::getReadIndex() (virtual, fetched from the vtable)
  uint64_t (*getReadIndex)(void*) = *(uint64_t (**)(void*))(*(uint64_t*)this + 0x120);
  uint64_t read_index = getReadIndex(this);
  ...
  return read_index - last_index;

}

uint64_t AppleBCMWLANPCIeCompletionRing__getReadIndex(void* this) {
  //Second, independent read of the same shared index
  uint32_t read_index = **(uint32_t**)((uint64_t)this + 144);
  if (read_index >= 0x10000)
    panic(...);
  return read_index;
}

Similarly, when data need to be written into the submission rings, the corresponding AppleBCMWLANPCIeSubmissionRing instance's work loop function is invoked (virtual function @ offset 0x138). Here is the approximate high-level logic for this function:

uint64_t AppleBCMWLANPCIeSubmissionRing_iterateAndCallSubmissionCallbacks(void* this) {
  ...

(3) uint32_t write_index = **(uint32_t**)((uint64_t)this + 184);  //read through the IO-Space mapped pointer

(4) while (hasMoreEvents(this)) {

    uint8_t*  ring_base  =  *(uint8_t**) ((uint64_t)this + 248);
    int32_t   item_size  =  *(int32_t*)  ((uint64_t)this + 92);

    uint8_t* next_buffer = ring_base + item_size * write_index;

(5) uint64_t num_events = calculateNumberOfWriteEvents(this);

    //Call the registered callback
    callback_t cb = *(callback_t*)((uint64_t)this + 112);
    uint32_t num_written = cb(this, next_buffer, ..., num_events);

    if (!num_written)
      break;

    write_index += num_written;
    uint32_t max_ring_index = *(uint32_t*)((uint64_t)this + 88);
    if (write_index >= max_ring_index)
      write_index = 0;

    **(uint32_t**)((uint64_t)this + 184) = write_index;
  }
  ...

}

uint64_t calculateNumberOfWriteEvents(void* this) {

  //AppleBCMWLANPCIeSubmissionRing::getIndices() (virtual, fetched from the vtable)
  void (*getIndices)(void*, uint64_t*, uint64_t*) =
    *(void (**)(void*, uint64_t*, uint64_t*))(*(uint64_t*)this + 0x128);

  uint64_t read_index, write_index;
  getIndices(this, &read_index, &write_index);
  ...

}

void AppleBCMWLANPCIeSubmissionRing__getIndices(void* this, uint64_t* rindex, uint64_t* windex) {
  //Second, independent reads of the same shared indices
  uint32_t read_index  = **(uint32_t**)((uint64_t)this + 176);
  uint32_t write_index = **(uint32_t**)((uint64_t)this + 184);
  if (read_index >= 0x10000 || write_index >= 0x10000)
    panic(...);
  *rindex = read_index;
  *windex = write_index;
}

Note that in both the snippets above, the pointers to the "read_index" and "write_index" are both pointers to the same memory addresses which were mapped into IO-Space earlier and submitted to the dongle. As such, the dongle can freely DMA into these addresses and modify their contents. Following the logic of the two snippets above, we can see that a malicious dongle can therefore trigger several race conditions by modifying the indices' values:

  1. The dongle can trigger OOB writes to offsets not larger than 0xFFFF * item_size, by executing the following attack:
     a. Host calls AppleBCMWLANPCIeSubmissionRing_iterateAndCallSubmissionCallbacks on ring #n
     b. Dongle DMA-s into ring #n's write index, setting a value <= 0x10000
     c. Host reaches (3) and reads the malicious write index
     d. Dongle DMA-s into ring #n's write index, restoring the original write index
     e. Host reaches (4), calls hasMoreEvents() and succeeds since the index is now valid
     f. Host reaches (5), calculates the correct number of events to process, and calls the callback
     g. The callback writes arbitrary data into the attacker-controlled offset, triggering an OOB write

  2. Similarly, by DMA-ing into a ring's read index for any of the completion rings, the dongle may cause the host to read a completion event OOB.

  3. The dongle can also cause OOB writes to an offset larger than 0xFFFF * item_size, by executing the same attack as described in (1). However, if the dongle fails to restore the write index before the bounds checks in AppleBCMWLANPCIeSubmissionRing::getIndices, this will result in a panic and reboot the device.

  4. Similarly, by DMA-ing into a ring's read index for any of the completion rings, the dongle may cause the host to read a completion event OOB at an offset larger than 0xFFFF * item_size

One possibility to exploit this vulnerability would be to trigger an OOB write from a ring into the DART's translation tables, thus effectively adding mappings to the chip's IO-Space. If the attacker can add the DART's translation table itself to the DART mapping, they can then freely add memory mappings, allowing for arbitrary R/W into the kernel's physical address space.

Indeed, by locating the DART's translation table and reverse engineering it, we can find the location of the DART's descriptors in relation to the ring base addresses. In one execution, dumping the addresses for the DART descriptors and the ring base addresses resulted in the following output:

Ring #0 - Base: 0xFFFFFFE00380D000
Ring #1 - Base: 0xFFFFFFE0B0DE8000
Ring #2 - Base: 0xFFFFFFE0B0DEC000
Ring #3 - Base: 0xFFFFFFE0B0CC4000
Ring #4 - Base: 0xFFFFFFE0B0CD0000
DART: First Level Descriptor:  0xFFFFFFE02BB4000
      Second Level Descriptor: 0xFFFFFFE0B0CD4000
...

As we can see above, the DART's second level descriptor is comfortably placed within range of ring #0 (H2D_MSGRING_CONTROL_SUBMIT) -- allowing an attacker to add entries to the DART's mapping. Moreover, even if the Wi-Fi chip or driver encounters an error and the chip is reset, the added mappings in the DART are not cleared (!).

Suggested Mitigations:

  1. The indices can never be larger than 16 bits. As such, there's no reason to introduce possible mistakes when handling values larger than that. This can be mitigated by changing the index types to 16-bit wide types instead of 32-bit ones.

  2. There's no reason to map the H2D indices as writable:
     2.1. If DART supports read-only mappings, I suggest the indices be mapped as such.
     2.2. Otherwise, the index should only be read from the shared region once on each iteration, instead of re-reading it in several "helper" functions.

  3. The indices in both the submission and completion rings should be verified against the ring's maximal index (this+88) and not against the maximal possible value (0xFFFF).

  4. Clear all DART mappings when the chip is reset.
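The following C model is an added example, not code from the report or from Apple's driver. It reduces the two snippets above to the pattern that matters: a ring whose index lives in peer-writable memory, a consumer that validates that index in one helper and re-reads it in another (the shape behind attacks 1 and 2), and a consumer that applies mitigations 2.2 and 3 (one fetch, bounded by the ring's own size rather than by 0xFFFF). The ring layout, all names and the "peer hook" are invented for the example; the hook only stands in for a DMA write landing at a chosen point in the host's control flow, so the interleaving is deterministic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model of one message ring (invented layout, not the driver's). The
 * read index lives behind a pointer into memory the peer can write. */
#define RING_ITEMS 8u
#define ITEM_SIZE  16u

typedef struct {
    uint8_t items[RING_ITEMS * ITEM_SIZE];  /* ring_base */
    uint32_t max_ring_index;                /* this ring's real size ("this+88" on the page) */
    volatile uint32_t *shared_read_index;   /* IO-space mapped, peer-writable (DMA) */
} ring_t;

/* Stand-in for a DMA write from the peer landing at a chosen point in the
 * host's control flow; used only to make the interleaving deterministic. */
typedef void (*peer_hook_t)(volatile uint32_t *shared);

/* Vulnerable shape from the report: one helper validates the index against
 * 0x10000, a second fetch elsewhere uses whatever is in shared memory now.
 * Returns the byte offset the callback would be handed, or -1 if rejected. */
long offset_double_fetch(ring_t *r, peer_hook_t between_check_and_use)
{
    if (*r->shared_read_index >= 0x10000)        /* getReadIndex(): fetch #1, checked */
        return -1;
    between_check_and_use(r->shared_read_index);  /* modeled DMA write lands here */
    uint32_t idx = *r->shared_read_index;         /* fetch #2, never checked */
    return (long)idx * ITEM_SIZE;                 /* can lie far outside items[] */
}

/* Hardened shape (mitigations 2.2 and 3): fetch the shared index exactly
 * once and bound it by the ring's own size, not by the 16-bit maximum. */
long offset_single_fetch(ring_t *r, peer_hook_t between_check_and_use)
{
    uint32_t snapshot = *r->shared_read_index;    /* the only read of shared memory */
    if (snapshot >= r->max_ring_index)
        return -1;
    between_check_and_use(r->shared_read_index);  /* a later DMA write changes nothing */
    return (long)snapshot * ITEM_SIZE;            /* always < sizeof(items) */
}

/* Constructed peer behaviours for the demonstration. */
static void peer_idle(volatile uint32_t *shared) { (void)shared; }
static void peer_writes_0xffff(volatile uint32_t *shared) { *shared = 0xFFFF; } /* still passes the 0x10000 check */

static ring_t make_ring(volatile uint32_t *shared, uint32_t initial_index)
{
    ring_t r = {0};
    r.max_ring_index = RING_ITEMS;
    r.shared_read_index = shared;
    *shared = initial_index;
    return r;
}

/* True if the double-fetch path hands out an offset beyond the ring buffer. */
bool demo_double_fetch_escapes(void)
{
    uint32_t shared;
    ring_t r = make_ring(&shared, 3);
    long off = offset_double_fetch(&r, peer_writes_0xffff);
    return off >= (long)sizeof(r.items);
}

/* True if the single-fetch path stays inside the ring under the same peer. */
bool demo_single_fetch_contained(void)
{
    uint32_t shared;
    ring_t r = make_ring(&shared, 3);
    long off = offset_single_fetch(&r, peer_writes_0xffff);
    return off >= 0 && off < (long)sizeof(r.items);
}

/* True if an index below 0x10000 but beyond this ring's size slips past the
 * 0x10000 check yet is rejected by the size-bounded check (mitigation 3). */
bool demo_size_bound_rejects(void)
{
    uint32_t shared;
    ring_t r = make_ring(&shared, RING_ITEMS + 1);
    return offset_double_fetch(&r, peer_idle) == (long)((RING_ITEMS + 1) * ITEM_SIZE)
        && offset_single_fetch(&r, peer_idle) == -1;
}

int main(void)
{
    printf("double fetch escapes ring:  %d\n", demo_double_fetch_escapes());
    printf("single fetch stays in ring: %d\n", demo_single_fetch_contained());
    printf("size bound rejects index 9: %d\n", demo_size_bound_rejects());
    return 0;
}
```

The third demo is the one worth noting for reviewers of similar drivers: an index of 9 passes the report's 0x10000 check with no race at all, so the bound must be the ring's configured size (the page's this+88) and the value must be read into a local once and used from there, never re-read from the shared mapping by a helper.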

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: laginimaineb

CVE-2017-7103: Gal Beniamini of Google Project Zero
CVE-2017-7105: Gal Beniamini of Google Project Zero
CVE-2017-7108: Gal Beniamini of Google Project Zero
CVE-2017-7110: Gal Beniamini of Google Project Zero
CVE-2017-7112: Gal Beniamini of Google Project Zero

Wi-Fi
Available for: Apple TV (4th generation)
Impact: Malicious code executing on the Wi-Fi chip may be able to execute arbitrary code with kernel privileges on the application processor
Description: Multiple race conditions were addressed through improved validation.
CVE-2017-7115: Gal Beniamini of Google Project Zero

Wi-Fi
Available for: Apple TV (4th generation)
Impact: Malicious code executing on the Wi-Fi chip may be able to read restricted kernel memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-7116: Gal Beniamini of Google Project Zero

Installation note:

Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software."

To check the current version of software, select "Settings -> General -> About."

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJZwtdFAAoJEIOj74w0bLRGD90P/3SlwWGkh+yI71C2P4n52kwK
EAJj475W7WveTPOeQkfc+MP0P8D7UPUpoNTGHnDvl9TKdW/ZksHF6OMolt0lvfbc
EQKsM4KJhIcynZOSBHVjcoUZ53+u1eoW0UAqZgvde7hv2ex6JybRHJdb0ysk3cGg
LlX5gQeG2oVx+j510fO5ZeBFm1NSXFjE9z1ldytQBLOScfdWHN9x+jM+elqr1tzt
T0p9Y1d2ukbWHaRWm+D3Jn6NrxXcGKzC+HI8CcX3x7UHIXn0Ofl0prBrPZ5GhbG8
hGw8mIcOCpjk7+zmToqQRNVFpHv8RCe61Jf+Jvd1d0a7ROD2sa2nSiEKyTppnomH
9As1OrZnrE+c1tfrttN4iwUhEqGa4kVXiceK728oFx8phUKpgJGe1uJG3MaAOGTp
Bg3DzTRIQufm4VOEY3G7wko1edr6wltGN4DZQJReIXPc0MTptyNh88WlK/O9NZok
KXvMYgl6GvU9WA+QNDXVSobOUpmELbnsmaADrAF+5rUwFDlOSIn33nUVhVixpMWG
LhJHHm5S3nbtkq/rZoWiDmo8q/fPgpDXi+yD8yd2PNx46xZzxw1//ff4UMrKMi9m
ucZhu9yd2xLAyeSFZTf2r2Wa6jenP80GOf3ZwDIpmy+9CsOzVlfQ2c/YI/Mb0T3J
1xEedCIxogsKRuNXEosG
=A3qE
-----END PGP SIGNATURE-----



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201710-1363",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "tvos",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "apple",
        "version": "10.2.2"
      },
      {
        "model": "iphone os",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "apple",
        "version": "10.3.3"
      },
      {
        "model": "ios",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "apple",
        "version": "11   (ipad air or later )"
      },
      {
        "model": "ios",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "apple",
        "version": "11   (iphone 5s or later )"
      },
      {
        "model": "ios",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "apple",
        "version": "11   (ipod touch first  6 generation )"
      },
      {
        "model": "tvos",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "apple",
        "version": "11   (apple tv first  4 generation )"
      },
      {
        "model": "tv",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "10.2.2"
      },
      {
        "model": "iphone os",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "10.3.3"
      },
      {
        "model": "tvos",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.1.1"
      },
      {
        "model": "tvos",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.0.1"
      },
      {
        "model": "tvos",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.2.2"
      },
      {
        "model": "tvos",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.2.1"
      },
      {
        "model": "tvos",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.1.1"
      },
      {
        "model": "tvos",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.2"
      },
      {
        "model": "tvos",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.1"
      },
      {
        "model": "tvos",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.0"
      },
      {
        "model": "tvos",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.2.2"
      },
      {
        "model": "tvos",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.2.1"
      },
      {
        "model": "tvos",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.2"
      },
      {
        "model": "tvos",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.1"
      },
      {
        "model": "tvos",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10"
      },
      {
        "model": "tv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "0"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "50"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "40"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "30"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.2.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.0.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.3.4"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.3.3"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.3.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.3.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.2.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.0.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.0.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "8.4.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.0.6"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.0.5"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.0.3"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.0.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.0.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "6.3.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "6.1.6"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "6.1.4"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "6.1.3"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.2.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.0.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.0.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "3.2.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "3.2.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.3.5"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.3"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "9"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "8.4"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "8.3"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "8.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "8.1.3"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "8.1.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "8.1.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "8.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "8"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.1.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.1.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.0.4"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "6.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "6.0.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "6.0.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "6"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "5.1.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "5.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "5.0.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "5"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.3.5"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.3.4"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.3.3"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.3.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.3.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.3"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.2.9"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.2.8"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.2.7"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.2.6"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.2.5"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.2.10"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "4"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "3.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "3.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "3.0"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "2.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "2.0"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.3.3"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.3.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.3.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.3"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.2"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10.1"
      },
      {
        "model": "ios",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "10"
      },
      {
        "model": "tvos",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "apple",
        "version": "11"
      },
      {
        "model": "ios",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "apple",
        "version": "11"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "100924"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009323"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-1057"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-7115"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:apple:iphone_os",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:apple:apple_tv",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009323"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Gal Beniamini of Google Project Zero",
    "sources": [
      {
        "db": "BID",
        "id": "100924"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-1057"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2017-7115",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2017-7115",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.9,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "id": "VHN-115318",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.2,
            "id": "CVE-2017-7115",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2017-7115",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2017-7115",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201709-1057",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-115318",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2017-7115",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-115318"
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-7115"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009323"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-1057"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-7115"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered in certain Apple products. iOS before 11 is affected. tvOS before 11 is affected. The issue involves the \"Wi-Fi\" component. It might allow remote attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via crafted Wi-Fi traffic that leverages a race condition. Apple iOS and tvOS are prone to an arbitrary code-execution vulnerability. \nAn attacker can leverage this issue to execute arbitrary code within the  context of the affected application. Failed exploit attempts will  likely result in denial-of-service conditions. \nVersions prior to Apple tvOS 11 and iOS 11 are vulnerable. in the United States. tvOS is a smart TV operating system. Apple: Multiple Race Conditions in PCIe Message Ring protocol leading to OOB Write and OOB Read \n\nCVE-2017-7115\n\n\nBroadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the \"AppleBCMWLANBusInterfacePCIe\" driver is used in order to handle the PCIe interface and low-level communication protocols with the Wi-Fi SoC (also referred to as \"dongle\"). Similarly, the \"AppleBCMWLANCore\" driver handles the high-level protocols and the Wi-Fi configuration. \n\nThe host and dongle communicate with one another using a set of \"message rings\". Two message rings (distinct from the \"flow rings\") are used to transfer data from the host to the dongle (H2D):\n\n  -H2D_MSGRING_CONTROL_SUBMIT (Ring #0)\n  -H2D_MSGRING_RXPOST_SUBMIT  (Ring #1)\n\nWhen the host wishes to notify the dongle of an event (such as submitting an IO-Control request or posting an address into which an RX frame may be written), it does so by writing a small structure to the appropriate message ring buffer at the current write index. 
Similarly, when reading events from any of the completion rings (D2H), the host uses the read index for the current ring in order to access the posted message buffer by the dongle within the ring. Each ring has a corresponding fixed \"item size\" which is set during the ring\u0027s initialisation --  individual items\u0027 addresses within the ring can therefore be calculated like so: \"ring_base + ring_index * item_size\". \n\nAs the Wi-Fi dongle is connected to the host over PCIe, it is able to issue IO requests to the Root Complex. To prevent a malicious dongle from overwriting arbitrary physical memory and subverting the host OS, some isolation is needed between the device-visible IO-Space and the host\u0027s physical address space. This is facilitated on iOS by using an IOMMU called the \"Device Address Resolution Table\" (DART). \n\nOn iOS, the read and write indices for each of the rings (H2D and D2H) are synchronised between the peers by mapping them into IO-Space -- this way, each side of the communication can freely access the R/W indices for each ring and know where the next buffers are going to be posted (either by itself or by its peer). These IO-Space addresses are submitted by the AppleBCMWLANBusInterfacePCIe driver into the PCIe shared structure at the end of the Wi-Fi chip\u0027s RAM by writing directly into the chip\u0027s TCM. 
Indeed, we can dump the structure\u0027s contents and see the IO-Space addresses for each of these buffers:\n\n    Dumping ring_info\n    -----------------------------------------\n    h2d_w_idx_ptr:          0x0020249C\n    h2d_r_idx_ptr:          0x00202548\n    d2h_w_idx_ptr:          0x002025F4\n    d2h_r_idx_ptr:          0x00202604\n-\u003e  h2d_w_idx_hostaddr:     0x80538000\n-\u003e  h2d_r_idx_hostaddr:     0x80530000\n-\u003e  d2h_w_idx_hostaddr:     0x80548000\n-\u003e  d2h_r_idx_hostaddr:     0x80540000\n\nBy installing a hook on the DMA function in the Wi-Fi chip, we can verify that indeed these buffers are not only readable in IO-Space, they are also *writable* (including the H2D indices!). Here\u0027s a snippet (from the chip\u0027s console) in which we installed such a hook in order to DMA into the \"h2d_w_idx_ptr\" buffer:\n\n  Before: 00 00 00 00 00 00 00 00 \n  After : 48 BF 6B 4B 50 34 4A BF \n          ^---------------^\n              Wi-Fi MAC\n\nWhen a PCIe MSI interrupt occurs, the AppleBCMWLANBusInterfacePCIe driver first handles the interrupt and checks which operations should be performed (by reading the MailBox register). If an interrupt signalling an event\u0027s completion arrives, the pending messages in each D2H ring are processed by calling  AppleBCMWLANPCIeCompletionRing::signalWorkAvailable(). This, in turn, calls a virtual function in the ring instance (at offset 0x138). The handled function reads the events at the current \"read index\" and subsequently handles them by invoking the registered callback function for the given ring (e.g., \"drainControlCompleteRing\" for the D2H_MSGRING_CONTROL_COMPLETE ring). Here is a short snippet of the approximate high-level logic of the virtual function that iterates over each pending buffer:\n\n   int64_t AppleBCMWLANPCIeCompletionRing_iterateAndCallCompletionCallbacks(void* this) {\n\n     ... 
\n\n     do {\n       uint8_t*  ring_base  =  *(uint8_t**) ((uint64_t)this + 216);\n       int32_t   item_size  =  *(int32_t*)  ((uint64_t)this + 92);\n(1)    uint32_t  read_index = **(uint32_t**)((uint64_t)this + 144);\n\n       uint8_t* next_buffer = ring_base + item_size * read_index;\n(2)    uint64_t num_events  = calculateNumberOfReadEventsToDrain(this);\n\n       //Call the registered callback\n       callback_t cb = *(callback_t*)(this + 24);\n       uint32_t events_handled = cb(this, next_buffer, ..., num_events);\n\n       read_index += events_handled;\n       uint32_t max_ring_index = *(uint32_t*)(this + 88);\n       if (read_index \u003e= max_ring_index)\n         read_index = 0;\n   \n       ... \n   \n     }\n     while (hasMoreEvents(this));\n     ... \n   }\n\n   uint64_t calculateNumberOfReadEventsToDrain(void* this) {\n  \n     //AppleBCMWLANPCIeCompletionRing::getReadIndex()\n     uint64_t (*getReadIndex)(void*) = (uint64_t (*) (void*))(*(uint64_t*)this + 0x120); \n     uint64_t read_index = getReadIndex(this);\n     ... \n     return read_index - last_index;\n   }\n\n   uint64_t AppleBCMWLANPCIeCompletionRing__getReadIndex(void* this) {\n     uint32_t read_index = **(uint32_t**)((uint64_t)this + 144);\n     if (read_index \u003e= 0x10000) \n       panic(...);\n     return read_index;\n   }\n\nSimilarly, when data need to be written into the submission rings, the corresponding AppleBCMWLANPCIeSubmissionRing instance\u0027s work loop function is invoked (virtual function @ offset 0x138). Here is the approximate high-level logic for this function:\n\n   uint64_t AppleBCMWLANPCIeSubmissionRing_iterateAndCallSubmissionCallbacks(void* this) {\n     ... 
\n\n(3)  uint32_t write_index = **(uint32_t**)((uint64_t)this + 184);\n(4)  while (hasMoreEvents(this)) {\n\n       uint8_t*  ring_base  =  *(uint8_t**) ((uint64_t)this + 248);\n       int32_t   item_size  =  *(int32_t*)  ((uint64_t)this + 92);\n  \n       uint8_t* next_buffer = ring_base + item_size * write_index;\n(5)    uint64_t num_events  = calculateNumberOfWriteEvents(this);\n  \n       //Call the registered callback\n       callback_t cb = *(callback_t*)(this + 112);\n       uint32_t num_written = cb(this, next_buffer, ..., num_events);\n  \n       if (!num_written)\n         break;\n  \n       write_index += num_written;\n       uint32_t max_ring_index = *(uint32_t*)(this + 88);\n       if ( write_index \u003e=  max_ring_index)\n         write_index = 0;\n\n       **(uint32_t**)((uint64_t)this + 184) = write_index;\n     }\n     ... \n   }\n\n   uint64_t calculateNumberOfWriteEvents(void* this) {\n\n     //AppleBCMWLANPCIeSubmissionRing::getIndices()\n     void (*getIndices)(void*, uint64_t*, uint64_t*) = \n       (void (*) (void*, uint64_t*, uint64_t*))(*(uint64_t*)this + 0x128); \n\n     uint64_t read_index, write_index;\n     getIndices(this, \u0026read_index, \u0026write_index);\n     ... \n   }\n\n   void AppleBCMWLANPCIeSubmissionRing__getIndices(void* this, uint64_t* rindex, uint64_t* windex) {\n     uint32_t read_index = **(uint32_t**)((uint64_t)this + 176);\n     uint32_t write_index = **(uint32_t**)((uint64_t)this + 184);\n     if (read_index \u003e= 0x10000 || write_index \u003e= 0x10000)\n       panic(...);\n     *rindex = read_index;\n     *windex = write_index;\n   }\n\nNote that in both the snippets above, the pointers to the \"read_index\" and \"write_index\" are both pointers to the same memory addresses which were mapped into IO-Space earlier and submitted to the dongle. As such, the dongle can freely DMA into these addresses and modify their contents. 
Following the logic of the two snippets above, we can see that a malicious dongle can therefore trigger several race conditions by modifying the indices\u0027 values:\n\n  1. The dongle can trigger OOB writes to offsets not larger than 0xFFFF * item_size, by executing the following attack:\n      a. Host calls AppleBCMWLANPCIeSubmissionRing_iterateAndCallSubmissionCallbacks on ring #n\n      b. Dongle DMA-s into ring #n\u0027s write index, setting a value \u003c= 0x10000\n      c. Host reaches (3) and reads the malicious write index\n      d. Dongle DMA-s into ring #n\u0027s write index, restoring the original write index\n      e. Host reaches (4), calls hasMoreEvents() and succeeds since the index is now valid\n      f. Host reaches (5), calculates the correct number of events to process, and calls the callback\n      g. The callback writes arbitrary data into the attacker-controlled offset, triggering an OOB write\n\n  2. Similarly, by DMA-ing into a ring\u0027s read index for any of the completion rings, the dongle may cause the host to read a completion event OOB. \n \n  3. The dongle can also cause OOB writes to an offset larger than 0xFFFF * item_size, by executing the same attack as described in (1). However, if the dongle fails to restore the write index before the bounds checks in AppleBCMWLANPCIeSubmissionRing::getIndices, this will result in a panic and reboot the device. \n \n  4. Similarly, by DMA-ing into a ring\u0027s read index for any of the completion rings, the dongle may cause the host to read a completion event OOB at an offset larger than 0xFFFF * item_size\n\nOne possibility to exploit this vulnerability would be to trigger an OOB write from a ring into the DART\u0027s translation tables, thus effectively adding mappings to the chip\u0027s IO-Space. 
If the attacker can add the DART\u0027s translation table itself to the DART mapping, they can then freely add memory mappings, allowing for arbitrary R/W into the kernel\u0027s physical address space. \n\nIndeed, by locating the DART\u0027s translation table and reverse engineering it, we can find the location of the DART\u0027s descriptors in relation to the ring base addresses. In one execution, dumping the addresses for the DART descriptors and the ring base addresses resulted in the following output:\n\n  Ring #0 - Base: 0xFFFFFFE00380D000\n  Ring #1 - Base: 0xFFFFFFE0B0DE8000\n  Ring #2 - Base: 0xFFFFFFE0B0DEC000\n  Ring #3 - Base: 0xFFFFFFE0B0CC4000\n  Ring #4 - Base: 0xFFFFFFE0B0CD0000\n  DART: \n    First Level Descriptor: 0xFFFFFFE02BB4000\n      Second Level Descriptor: 0xFFFFFFE0B0CD4000\n      ... \n\nAs we can see above, the DART\u0027s second level descriptor is comfortably placed within range of ring #0 (H2D_MSGRING_CONTROL_SUBMIT) -- allowing an attacker to add entries to the DART\u0027s mapping. Moreover, even if the Wi-Fi chip or driver encounters an error and the chip is reset, the added mappings in the DART are not cleared (!). \n\nSuggested Mitigations:\n\n  1. The indices can never be larger than 16 bits. As such, there\u0027s no reason to introduce possible mistakes when handling values larger than that. This can be mitigated by changing the index types to 16-bit wide types instead of 32-bit. \n\n  2. There\u0027s no reason to map the H2D indices as writable:\n     2.1. If DART supports read-only mappings, I suggest the indices be mapped as such. \n     2.2. Otherwise, the index should only be read from the shared region *once* on each iteration, instead of re-reading it in several \"helper\" functions. \n\n  3. The indices in both the submission and completion rings should be verified against the ring\u0027s maximal index (this+88) and not against the maximal possible value (0xFFFF). \n\n  4. Clear all DART mappings when the chip is reset. 
\n\nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse\nor a patch has been made broadly available, the bug report will become\nvisible to the public. \n\n\n\nFound by: laginimaineb\n\n. \nCVE-2017-7103: Gal Beniamini of Google Project Zero\nCVE-2017-7105: Gal Beniamini of Google Project Zero\nCVE-2017-7108: Gal Beniamini of Google Project Zero\nCVE-2017-7110: Gal Beniamini of Google Project Zero\nCVE-2017-7112: Gal Beniamini of Google Project Zero\n\nWi-Fi\nAvailable for:  Apple TV (4th generation)\nImpact: Malicious code executing on the Wi-Fi chip may be able to\nexecute arbitrary code with kernel privileges on the application\nprocessor\nDescription: Multiple race conditions were addressed through improved\nvalidation. \nCVE-2017-7115: Gal Beniamini of Google Project Zero\n\nWi-Fi\nAvailable for:  Apple TV (4th generation)\nImpact: Malicious code executing on the Wi-Fi chip may be able to\nread restricted kernel memory\nDescription: A validation issue was addressed with improved input\nsanitization. \nCVE-2017-7116: Gal Beniamini of Google Project Zero\n\nInstallation note:\n\nApple TV will periodically check for software updates. 
Alternatively,\nyou may manually check for software updates by selecting\n\"Settings -\u003e System -\u003e Software Update -\u003e Update Software.\"\n\nTo check the current version of software, select\n\"Settings -\u003e General -\u003e About.\"\n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-7115"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009323"
      },
      {
        "db": "BID",
        "id": "100924"
      },
      {
        "db": "VULHUB",
        "id": "VHN-115318"
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-7115"
      },
      {
        "db": "PACKETSTORM",
        "id": "144297"
      },
      {
        "db": "PACKETSTORM",
        "id": "144277"
      }
    ],
    "trust": 2.25
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-115318",
        "trust": 0.1,
        "type": "unknown"
      },
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=42996",
        "trust": 0.1,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-115318"
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-7115"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-7115",
        "trust": 3.1
      },
      {
        "db": "BID",
        "id": "100924",
        "trust": 2.1
      },
      {
        "db": "SECTRACK",
        "id": "1039385",
        "trust": 1.8
      },
      {
        "db": "EXPLOIT-DB",
        "id": "42996",
        "trust": 1.8
      },
      {
        "db": "JVN",
        "id": "JVNVU99806334",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009323",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-1057",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "144297",
        "trust": 0.2
      },
      {
        "db": "SEEBUG",
        "id": "SSVID-96627",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-115318",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-7115",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "144277",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-115318"
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-7115"
      },
      {
        "db": "BID",
        "id": "100924"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009323"
      },
      {
        "db": "PACKETSTORM",
        "id": "144297"
      },
      {
        "db": "PACKETSTORM",
        "id": "144277"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-1057"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-7115"
      }
    ]
  },
  "id": "VAR-201710-1363",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-115318"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-23T19:36:02.609000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Apple security updates",
        "trust": 0.8,
        "url": "https://support.apple.com/en-us/HT201222"
      },
      {
        "title": "HT208113",
        "trust": 0.8,
        "url": "https://support.apple.com/en-us/HT208113"
      },
      {
        "title": "HT208112",
        "trust": 0.8,
        "url": "https://support.apple.com/en-us/HT208112"
      },
      {
        "title": "HT208113",
        "trust": 0.8,
        "url": "https://support.apple.com/ja-jp/HT208113"
      },
      {
        "title": "HT208112",
        "trust": 0.8,
        "url": "https://support.apple.com/ja-jp/HT208112"
      },
      {
        "title": "Apple iOS  and tvOS Wi-Fi Repair measures for competitive conditions",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75065"
      },
      {
        "title": "Apple: iOS 11",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories\u0026qid=041cce4eee20b18dc79e9460a53e8400"
      },
      {
        "title": "Apple: tvOS 11",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories\u0026qid=74de8bbddd443742d386dabda32dc2ae"
      },
      {
        "title": "Exp101tsArchiv30thers",
        "trust": 0.1,
        "url": "https://github.com/nu11secur1ty/Exp101tsArchiv30thers"
      },
      {
        "title": "awesome-cve-poc_qazbnm456",
        "trust": 0.1,
        "url": "https://github.com/xbl3/awesome-cve-poc_qazbnm456"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2017-7115"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009323"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-1057"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-362",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-115318"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009323"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-7115"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.9,
        "url": "http://www.securityfocus.com/bid/100924"
      },
      {
        "trust": 1.9,
        "url": "https://www.exploit-db.com/exploits/42996/"
      },
      {
        "trust": 1.8,
        "url": "https://support.apple.com/ht208112"
      },
      {
        "trust": 1.8,
        "url": "https://support.apple.com/ht208113"
      },
      {
        "trust": 1.8,
        "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1317"
      },
      {
        "trust": 1.8,
        "url": "http://www.securitytracker.com/id/1039385"
      },
      {
        "trust": 1.0,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-7115"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7115"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/vu/jvnvu99806334/index.html"
      },
      {
        "trust": 0.3,
        "url": "https://www.apple.com/"
      },
      {
        "trust": 0.3,
        "url": "http://www.apple.com/ios/"
      },
      {
        "trust": 0.3,
        "url": "http://www.apple.com/accessibility/tvos/"
      },
      {
        "trust": 0.3,
        "url": "https://support.apple.com/en-us/ht208112"
      },
      {
        "trust": 0.3,
        "url": "https://support.apple.com/en-us/ht208113"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/362.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://support.apple.com/kb/ht208112"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-7116"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-7112"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-7105"
      },
      {
        "trust": 0.1,
        "url": "https://support.apple.com/kb/ht201222"
      },
      {
        "trust": 0.1,
        "url": "https://www.apple.com/support/security/pgp/"
      },
      {
        "trust": 0.1,
        "url": "https://gpgtools.org"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-7108"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-7110"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-7103"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-115318"
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-7115"
      },
      {
        "db": "BID",
        "id": "100924"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009323"
      },
      {
        "db": "PACKETSTORM",
        "id": "144297"
      },
      {
        "db": "PACKETSTORM",
        "id": "144277"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-1057"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-7115"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-115318"
      },
      {
        "db": "VULMON",
        "id": "CVE-2017-7115"
      },
      {
        "db": "BID",
        "id": "100924"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009323"
      },
      {
        "db": "PACKETSTORM",
        "id": "144297"
      },
      {
        "db": "PACKETSTORM",
        "id": "144277"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-1057"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-7115"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-10-23T00:00:00",
        "db": "VULHUB",
        "id": "VHN-115318"
      },
      {
        "date": "2017-10-23T00:00:00",
        "db": "VULMON",
        "id": "CVE-2017-7115"
      },
      {
        "date": "2017-09-19T00:00:00",
        "db": "BID",
        "id": "100924"
      },
      {
        "date": "2017-11-09T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-009323"
      },
      {
        "date": "2017-09-22T06:02:22",
        "db": "PACKETSTORM",
        "id": "144297"
      },
      {
        "date": "2017-09-21T10:11:11",
        "db": "PACKETSTORM",
        "id": "144277"
      },
      {
        "date": "2017-09-26T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201709-1057"
      },
      {
        "date": "2017-10-23T01:29:12.957000",
        "db": "NVD",
        "id": "CVE-2017-7115"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-03-08T00:00:00",
        "db": "VULHUB",
        "id": "VHN-115318"
      },
      {
        "date": "2019-03-08T00:00:00",
        "db": "VULMON",
        "id": "CVE-2017-7115"
      },
      {
        "date": "2017-09-19T00:00:00",
        "db": "BID",
        "id": "100924"
      },
      {
        "date": "2017-11-09T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-009323"
      },
      {
        "date": "2019-03-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201709-1057"
      },
      {
        "date": "2024-11-21T03:31:12.260000",
        "db": "NVD",
        "id": "CVE-2017-7115"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-1057"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apple iOS and  tvOS of  Wi-Fi Component vulnerable to arbitrary code execution in privileged context",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009323"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "competitive condition",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201709-1057"
      }
    ],
    "trust": 0.6
  }
}
