ESB-2018.0967 - [Mac] High Sierra: Multiple vulnerabilities 2018-04-03


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0967
        macOS High Sierra 10.13.4, Security Update 2018-002 Sierra,
                  and Security Update 2018-002 El Capitan
                               3 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           High Sierra
Publisher:         Apple
Operating System:  Mac OS
Impact/Access:     Root Compromise                 -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Console/Physical            
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-4176 CVE-2018-4175 CVE-2018-4174
                   CVE-2018-4170 CVE-2018-4167 CVE-2018-4166
                   CVE-2018-4160 CVE-2018-4158 CVE-2018-4157
                   CVE-2018-4156 CVE-2018-4155 CVE-2018-4154
                   CVE-2018-4152 CVE-2018-4151 CVE-2018-4150
                   CVE-2018-4144 CVE-2018-4143 CVE-2018-4142
                   CVE-2018-4139 CVE-2018-4138 CVE-2018-4136
                   CVE-2018-4135 CVE-2018-4132 CVE-2018-4131
                   CVE-2018-4115 CVE-2018-4112 CVE-2018-4111
                   CVE-2018-4108 CVE-2018-4107 CVE-2018-4106
                   CVE-2018-4105 CVE-2018-4104 CVE-2017-13890
                   CVE-2017-8816  

Reference:         ESB-2018.0965
                   ESB-2018.0964
                   ESB-2018.0963
                   ESB-2017.3058
                   ESB-2017.3040
                   ESB-2017.3037.2

Original Bulletin: 
   https://support.apple.com/en-au/HT208692

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2018-3-29-5 macOS High Sierra 10.13.4, Security Update
2018-002 Sierra, and Security Update 2018-002 El Capitan

Admin Framework
Available for: macOS High Sierra 10.13.3
Impact: Passwords supplied to sysadminctl may be exposed to other
local users
Description: The sysadminctl command-line tool required that
passwords be passed to it in its arguments, potentially exposing the
passwords to other local users. This update makes the password
parameter optional, and sysadminctl will prompt for the password if
needed.
CVE-2018-4170: an anonymous researcher
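
Added example (not part of Apple's or AusCERT's text): a small audit of a process listing that flags sysadminctl invocations still carrying a literal password in their arguments, which is the exposure this entry describes. The option names and the `-` "prompt instead" convention are assumptions taken from sysadminctl's usage text rather than from this bulletin, and the `ps` lines are constructed sample data.

```python
# Options whose following argument is a password (assumed from sysadminctl's
# usage text; verify against the installed version).
PASSWORD_OPTS = {"-password", "-adminPassword", "-newPassword", "-oldPassword"}

# Constructed sample in the shape of `ps -axo pid,user,args` output.
SAMPLE_PS = [
    "  PID USER   ARGS",
    "  412 root   /usr/sbin/sysadminctl -addUser alice -password Example-Pw-1 -admin",
    "  977 admin  sysadminctl -resetPasswordFor bob -newPassword - -adminUser admin -adminPassword -",
    " 1033 admin  /usr/sbin/sysadminctl -addUser carol -fullName Carol",
    " 1201 dave   /usr/bin/vim notes.txt",
]


def exposed_password_opts(cmdline):
    """Return the password options that are followed by a literal value.

    Only option names are returned, never the value, so the audit output
    does not become a second copy of the secret.
    """
    argv = cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "sysadminctl":
        return []
    hits = []
    # Stop before the last token: an option with nothing after it has no value.
    for i, arg in enumerate(argv[:-1]):
        # "-" asks the tool to prompt, so no secret is present in argv.
        # Any other following token is flagged (conservative on purpose).
        if arg in PASSWORD_OPTS and argv[i + 1] != "-":
            hits.append(arg)
    return hits


def audit(ps_lines):
    """Return (pid, user, [options]) for each process exposing a password."""
    findings = []
    for line in ps_lines:
        parts = line.split(None, 2)  # PID, USER, full argument string
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header or malformed line
        opts = exposed_password_opts(parts[2])
        if opts:
            findings.append((int(parts[0]), parts[1], opts))
    return findings


if __name__ == "__main__":
    for pid, user, opts in audit(SAMPLE_PS):
        print(f"pid {pid} ({user}): password passed via {', '.join(opts)}")
```

The same check can be run over provisioning scripts and shell history, where a password passed this way persists after the process has exited.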

APFS
Available for: macOS High Sierra 10.13.3
Impact: An APFS volume password may be unexpectedly truncated
Description: An injection issue was addressed through improved input
validation.
CVE-2018-4105: David J Beitey (@davidjb_), Geoffrey Bugniot

ATS
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.3
Impact: Processing a maliciously crafted file might disclose user
information
Description: A validation issue existed in the handling of symlinks.
This issue was addressed through improved validation of symlinks.
CVE-2018-4112: Haik Aftandilian of Mozilla

CFNetwork Session
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4166: Samuel Groß (@5aelo)

CoreFoundation
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4155: Samuel Groß (@5aelo)
CVE-2018-4158: Samuel Groß (@5aelo)

CoreText
Available for: macOS High Sierra 10.13.3
Impact: Processing a maliciously crafted string may lead to a denial
of service
Description: A denial of service issue was addressed through improved
memory handling.
CVE-2018-4142: Robin Leroy of Google Switzerland GmbH

CoreTypes
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: Processing a maliciously crafted webpage may result in the
mounting of a disk image
Description: A logic issue was addressed with improved restrictions.
CVE-2017-13890: Apple, Theodor Ragnar Gislason of Syndis

curl
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: Multiple issues in curl
Description: An integer overflow existed in curl. This issue was
addressed through improved bounds checking.
CVE-2017-8816: an anonymous researcher

Disk Images
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.3
Impact: Mounting a malicious disk image may result in the launching
of an application
Description: A logic issue was addressed with improved validation.
CVE-2018-4176: Theodor Ragnar Gislason of Syndis

Disk Management
Available for: macOS High Sierra 10.13.3
Impact: An APFS volume password may be unexpectedly truncated
Description: An injection issue was addressed through improved input
validation.
CVE-2018-4108: Kamatham Chaitanya of ShiftLeft Inc., an anonymous
researcher

File System Events
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4167: Samuel Groß (@5aelo)

iCloud Drive
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4151: Samuel Groß (@5aelo)

Intel Graphics Driver
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4132: Axis and pjf of IceSword Lab of Qihoo 360

IOFireWireFamily
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4135: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc.

Kernel
Available for: macOS High Sierra 10.13.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2018-4150: an anonymous researcher

Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.3
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2018-4104: The UK's National Cyber Security Centre (NCSC)

Kernel
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4143: derrek (@derrekr6)

Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An out-of-bounds read was addressed through improved
bounds checking.
CVE-2018-4136: Jonas Jensen of lgtm.com and Semmle

Kernel
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to execute arbitrary code with
system privileges
Description: An out-of-bounds read was addressed through improved
bounds checking.
CVE-2018-4160: Jonas Jensen of lgtm.com and Semmle

kext tools
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.3
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A logic issue existed resulting in memory corruption.
This was addressed with improved state management.
CVE-2018-4139: Ian Beer of Google Project Zero

LaunchServices
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.3
Impact: A maliciously crafted application may be able to bypass code
signing enforcement
Description: A logic issue was addressed with improved validation.
CVE-2018-4175: Theodor Ragnar Gislason of Syndis

Mail
Available for: macOS High Sierra 10.13.3
Impact: An attacker in a privileged network position may be able to
exfiltrate the contents of S/MIME-encrypted e-mail
Description: An issue existed in the handling of S/MIME HTML e-mail.
This issue was addressed by not loading remote resources on S/MIME
encrypted messages by default if the message has an invalid or
missing S/MIME signature.
CVE-2018-4111: an anonymous researcher

Mail
Available for: macOS High Sierra 10.13.3
Impact: An attacker in a privileged network position may be able to
intercept the contents of S/MIME-encrypted e-mail
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2018-4174: an anonymous researcher, an anonymous researcher

Notes
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4152: Samuel Groß (@5aelo)

NSURLSession
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4166: Samuel Groß (@5aelo)

NVIDIA Graphics Drivers
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2018-4138: Axis and pjf of IceSword Lab of Qihoo 360

PDFKit
Available for: macOS High Sierra 10.13.3
Impact: Clicking a URL in a PDF may visit a malicious website
Description: An issue existed in the parsing of URLs in PDFs. This
issue was addressed through improved input validation.
CVE-2018-4107: an anonymous researcher

PluginKit
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4156: Samuel Groß (@5aelo)

Quick Look
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4157: Samuel Groß (@5aelo)

Security
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved size
validation.
CVE-2018-4144: Abraham Masri (@cheesecakeufo)

Storage
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4154: Samuel Groß (@5aelo)

System Preferences
Available for: macOS High Sierra 10.13.3
Impact: A configuration profile may incorrectly remain in effect
after removal
Description: An issue existed in CFPreferences. This issue was
addressed through improved preferences cleanup.
CVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of
Wandera

Terminal
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.3
Impact: Pasting malicious content may lead to arbitrary command
execution spoofing
Description: A command injection issue existed in the handling of
Bracketed Paste Mode. This issue was addressed through improved
validation of special characters.
CVE-2018-4106: Simon Hosie

WindowServer
Available for: macOS High Sierra 10.13.3
Impact: An unprivileged application may be able to log keystrokes
entered into other applications even when secure input mode is
enabled
Description: By scanning key states, an unprivileged application
could log keystrokes entered into other applications even when secure
input mode was enabled. This issue was addressed by improved state
management.
CVE-2018-4131: Andreas Hegenberg of folivora.AI GmbH

Installation note:

macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and
Security Update 2018-002 El Capitan may be obtained from the
Mac App Store or Apple's Software Downloads web site:
https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
