The day Yosemite was released, we were told that Mavericks was the biggest threat possible on the network. I pushed back, hard. They sent a list of CVEs they claim are not fixed in Mavericks and won’t be since Yosemite is “free”
Right now, I really don’t know which is more or less likely… overzealous network security, lazy ACAS/Nessus plugin authors, or Apple abandoning an OS because they don’t see any reason why everyone shouldn’t upgrade the instant a new release is available, no testing necessary!
CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt
Impact: An attacker can obtain WiFi credentials
Apple mentions patching CVE-2014-4364 in its Release notes. Neither Miter nor NIST have mentioned this in OSX yet. However they have not updated this CVE since last month and Yosemite was just released on 10/16/2014.
National Cyber Awareness System
CVE-2014-4364
Original release date: 09/18/2014
Last revised: 09/18/2014
Source: US-CERT/NIST
Overview
The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does not require strong authentication methods, which allows remote attackers to calculate credentials by offering LEAP authentication from a crafted Wi-Fi AP and then performing a cryptographic attack against the MS-CHAPv1 hash.
Impact
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information
CVE-2014-4426 : Craig Young of Tripwire VERT
Impact: A remote attacker could determine all the network addresses of the system
Vulnerability Summary for CVE-2014-4426
Original release date: 10/17/2014
Last revised: 10/17/2014
Source: US-CERT/NIST
This vulnerability is currently undergoing analysis and not all information is available.
AFP File Server in Apple OS X before 10.10 allows remote attackers to discover the network addresses of all interfaces via an unspecified command to one interface.
apache
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache, the most serious of which may lead to a denial of service. These issues were addressed by updating Apache to version 2.4.9.
CVE-2013-6438
Source: US-CERT/NIST
Overview
The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.
Impact
CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows disruption of service
CVE-2014-0098
Overview
The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.
Impact
CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows disruption of service
CVE-2014-4427 : Paul S. Ziegler of Reflare UG
This vulnerability is currently undergoing analysis and not all information is available.
Impact: An application confined by sandbox restrictions may misuse the accessibility API
Description: A sandboxed application could misuse the accessibility API without the user's knowledge. This has been addressed by requiring administrator approval to use the accessibility API on an per-application basis.
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy
Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands
Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.
This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.
In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.
CVE-2014-4428 : Mike Ryan of iSEC Partners
Impact: A malicious Bluetooth input device may bypass pairing
Description: Unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy devices. If a Mac had paired with such a device, an attacker could spoof the legitimate device to establish a connection. The issue was addressed by denying unencrypted HID connections.
CVE-2014-4425
Impact: The 'require password after sleep or screen saver begins' preference may not be respected until after a reboot
Description: A session management issue existed in the handling of system preference settings. This issue was addressed through improved session tracking.
CVE-2014-4430 : Benjamin King at See Ben Click Computer Services LLC, Karsten Iwen, Dustin Li (
http://dustin.li/), Ken J. Takekoshi, and other anonymous researchers
Impact: An encrypted volume may stay unlocked when ejected
Description: When an encrypted volume was logically ejected while mounted, the volume was unmounted but the keys were retained, so it could have been mounted again without the password. This issue was addressed by erasing the keys on eject.
CVE-2014-3537
Impact: A local user can execute arbitrary code with system privileges
Description: When the CUPS web interface served files, it would follow symlinks. A local user could create symlinks to arbitrary files and retrieve them through the web interface. This issue was addressed by disallowing symlinks to be served via the CUPS web interface.
Description: A state management issue existed in the handling of the screen lock. This issue was addressed through improved state tracking.
CVE-2014-4431 : Emil Sjölander of Umeå University
Impact: In some circumstances, windows may be visible even when the screen is locked
Description: A state management issue existed in the handling of the screen lock. This issue was addressed through improved state tracking.
CVE-2014-4432
Impact: The fdesetup command may provide misleading status for the state of encryption on disk
Description: After updating settings, but before rebooting, the fdesetup command provided misleading status. This issue was addressed through improved status reporting.
CVE-2014-4435 : knoy
Impact: iCloud Lost mode PIN may be bruteforced
Description: A state persistence issue in rate limiting allowed brute force attacks on iCloud Lost mode PIN. This issue was addressed through improved state persistence across reboots.
CVE-2014-4373 : cunzhang from Adlab of Venustech
Impact: An application may cause a denial of service
Description: A NULL pointer dereference was present in the IntelAccelerator driver. The issue was addressed through improved error handling.
CVE-2014-4405 : Ian Beer of Google Project Zero
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties.
CVE-2014-4404 : Ian Beer of Google Project Zero
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking.
CVE-2014-4436 : cunzhang from Adlab of Venustech
Impact: An application may cause a denial of service
Description: A out-of-bounds memory read was present in the IOHIDFamily driver. The issue was addressed through improved input validation.
CVE-2014-4380 : cunzhang from Adlab of Venustech
Impact: A user may be able to execute arbitrary code with system privileges
Description: An out-of-bounds write issue exited in the IOHIDFamily driver. The issue was addressed through improved input validation.
CVE-2014-4407 : @PanguTeam
Impact: A malicious application may be able to read uninitialized data from kernel memory
Description: An uninitialized memory access issue existed in the handling of IOKit functions. This issue was addressed through improved memory initialization.
CVE-2014-4388 : @PanguTeam
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata.
CVE-2014-4418 : Ian Beer of Google Project Zero
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue
was addressed through improved validation of metadata.
CVE-2014-4371 : Fermin J. Serna of the Google Security Team
CVE-2014-4419 : Fermin J. Serna of the Google Security Team
CVE-2014-4420 : Fermin J. Serna of the Google Security Team
CVE-2014-4421 : Fermin J. Serna of the Google Security Team
Impact: A local user may be able to determine kernel memory layout
Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization.
CVE-2014-4433 : Maksymilian Arciemowicz
Impact: A maliciously crafted file system may cause unexpected system shutdown or arbitrary code execution
Description: A heap-based buffer overflow issue existed in the handling of HFS resource forks. A maliciously crafted filesystem may cause an unexpected system shutdown or arbitrary code execution with kernel privileges. The issue was addressed through improved bounds checking.
CVE-2014-4434 : Maksymilian Arciemowicz
Impact: A malicious file system may cause unexpected system shutdown
Description: A NULL dereference issue existed in the handling of HFS filenames. A maliciously crafted filesystem may cause an unexpected system shutdown. This issue was addressed by avoiding the NULL dereference.
CVE-2014-4375 : an anonymous researcher
Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
Description: A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports.
CVE-2011-2391 : Marc Heuse
Impact: A person with a privileged network position may cause a denial of service
Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking
CVE-2014-4408
Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
Description: An out-of-bounds read issue existed in rt_setgate. This may lead to memory disclosure or memory corruption. This issue was addressed through improved bounds checking.
CVE-2014-4442 : Darius Davis of VMware
Impact: A local user can cause an unexpected system termination
Description: A reachable panic existed in the handling of messages sent to system control sockets. This issue was addressed through additional validation of messages.
CVE-2014-4422 : Tarjei Mandt of Azimuth Security
Impact: Some kernel hardening measures may be bypassed
Description: The random number generator used for kernel hardening measures early in the boot process was not cryptographically secure. Some of its output was inferable from user space, allowing bypass of the hardening measures. This issue was addressed by using a cryptographically secure algorithm.
CVE-2014-4437 : Meder Kydyraliev of the Google Security Team
Impact: A local application may bypass sandbox restrictions
Description: The LaunchServices interface for setting content type handlers allowed sandboxed applications to specify handlers for existing content types. A compromised application could use this to bypass sandbox restrictions. The issue was addressed by restricting sandboxed applications from specifying content type handlers.
CVE-2014-4438 : Harry Sintonen of nSense, Alessandro Lobina of Helvetia Insurances, Patryk Szlagowski of Funky Monkey Labs
Impact: Sometimes the screen might not lock
Description: A race condition existed in LoginWindow, which would sometimes prevent the screen from locking. The issue was addressed by changing the order of operations.
CVE-2014-4439 : Patrick J Power of Melbourne, Australia
Impact: Mail may send email to unintended recipients
Description: A user interface inconsistency in Mail application resulted in email being sent to addresses that were removed from the list of recipients. The issue was addressed through improved user interface consistency checks.
CVE-2014-4440 : Kevin Koster of Cloudpath Networks
Impact: When mobile configuration profiles were uninstalled, their settings were not removed
Description: Web proxy settings installed by a mobile configuration profile were not removed when the profile was uninstalled. This issue was addressed through improved handling of profile uninstallation.
CVE-2014-4441 : Eduardo Bonsi of BEARTCOMMUNICATIONS
Impact: File Sharing may enter a state in which it cannot be disabled
Description: A state management issue existed in the File Sharing framework. This issue was addressed through improved state management.
CVE-2014-4351 : Karl Smith of NCC Group
Impact: Playing a maliciously crafted m4a file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of audio samples. This issue was addressed through improved bounds checking.
CVE-2013-5150
Impact: History of pages recently visited in an open tab may remain after clearing of history
Description: Clearing Safari's history did not clear the back/forward history for open tabs. This issue was addressed by clearing the back/forward history.
CVE-2014-4417 : Marek Isalski of Faelix Limited
Impact: Opting in to push notifications from a maliciously crafted website may cause future Safari Push Notifications to be missed
Description: An uncaught exception issue existed in SafariNotificationAgent's handling of Safari Push Notifications. This issue was addressed through improved handling of Safari Push Notifications.
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of Google Security Team
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.
CVE-2014-4443 : Coverity
Impact: A remote attacker may be able to cause a denial of service
Description: A null dereference existed in the handling of ASN.1 data. This issue was addressed through additional validation of ASN.1 data.
CVE-2014-4444 : Gary Simon of Sandia National Laboratories, Ragnar Sundblad of KTH Royal Institute of Technology, Eugene Homyakov of Kaspersky Lab
Impact: A local user might have access to another user's Kerberos tickets
Description: A state management issue existed in SecurityAgent. While Fast User Switching, sometimes a Kerberos ticket for the switched-to user would be placed in the cache for the previous user. This issue was addressed through improved state management.
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden