CVE-2011-3429 - Credentials Management vulnerability in Apple Iphone OS

Publication

2011-10-14

Last modification

2017-08-29

Summary

The Settings component in Apple iOS before 5 stores a cleartext parental-restrictions passcode in an unspecified file, which might allow physically proximate attackers to obtain sensitive information by reading this file.

Description

Apple iOS is prone to an information-disclosure vulnerability.A local attacker can exploit this issue to retrieve the passcode which protects parental restrictions. Information obtained may aid in further attacks.The following Apple systems are vulnerable:iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,iOS 3.2 through 4.3.5 for iPadNOTE: This issue was previously discussed in BID 50086 (Apple iPhone/iPad/iPod touch Prior to iOS 5 Multiple Vulnerabilities) but has been given its own record to better document it.

Solution

Vendor updates are available. Please see the references for more information.

Exploit

An attacker requires local interactive access to exploit.

Classification

CWE-255 - Credentials Management

Risk level (CVSS AV:L/AC:L/Au:N/C:P/I:N/A:N)

Low

2.1

Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High

Authentication

  • None
  • Single
  • Multiple

Confident. Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

Affected Products

Vendor Product Versions
Apple Iphone OS  3.1.2 , 3.0 , 4.1 , 3.2 , 4.2.5 , 4.3.0 , 3.1.3 , 4.3.1 , 3.1 , 4.0.1 , 4.2.8 , 4.3.3 , 4.3.5 , 3.2.1 , 4.2.1 , 3.2.2 , 4.3.2 , 4.0.2 , 4.0