Monday, 13 November 2017

Posted at 04:38 by Unknown
A vulnerability classified as problematic has been found in Apple tvOS up to 11.0. It affects an unknown function of the Kernel component. Manipulation with an unknown input leads to an information disclosure vulnerability. The CWE classification for the problem is CWE-200. Confidentiality is impacted.

The weakness was presented on 11/13/2017 as HT208219, a confirmed security advisory (Website). The advisory is shared for download at support.apple.com. This vulnerability has been handled as CVE-2017-13852 since 08/30/2017. The attack requires local access, and a single authentication is necessary for exploitation. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment.

Upgrading to version 11.1 eliminates this vulnerability.

CVSSv3

VulDB Base Score: 3.3
VulDB Temp Score: 3.2
VulDB Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C
VulDB Reliability: High

CVSSv2

Vector   | Complexity | Authentication | Confidentiality | Integrity | Availability
Local    | High       | Multiple       | None            | None      | None
Adjacent | Medium     | Single         | Partial         | Partial   | Partial
Network  | Low        | None           | Complete        | Complete  | Complete

VulDB Base Score: 1.5 (CVSS2#AV:L/AC:M/Au:S/C:P/I:N/A:N)
VulDB Temp Score: 1.3 (CVSS2#E:ND/RL:OF/RC:C)
VulDB Reliability: High

CPE

  • cpe:/a:apple:tvos:11.0

Exploiting

Class: Information disclosure (CWE-200)
Local: Yes
Remote: No

Availability: No

Price Prediction: steady
Current Price Estimation

0-Day | $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k
Today | $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k

Countermeasures

Recommended: Upgrade
Status: Official fix
0-Day Time: 0 days since found

Upgrade: tvOS 11.1

Timeline

08/30/2017  CVE assigned
11/13/2017  +75 days  Advisory disclosed
11/13/2017  +0 days  VulDB entry created
11/13/2017  +0 days  VulDB last update

Sources

Advisory: HT208219
Status: Confirmed

CVE: CVE-2017-13852 (mitre.org) (nvd.nist.org) (cvedetails.com)
