Vulnerabilities > CVE-2015-7035 - Code vulnerability in Apple mac OS X

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

apple

CWE-17

nessus

NVD

Published: 2015-10-23

Updated: 2016-12-24

Summary

Apple Mac EFI before 2015-002, as used in OS X before 10.11.1 and other products, mishandles arguments, which allows attackers to reach "unused" functions via unspecified vectors.

Vulnerable Configurations

Part	Description	Count
OS	Apple Apple MAC OS X - Apple MAC OS X 10.0 Apple MAC OS X 10.0.0 Apple MAC OS X 10.0.1 Apple MAC OS X 10.0.2 Apple MAC OS X 10.0.3 Apple MAC OS X 10.0.4 Apple MAC OS X 10.1 Apple MAC OS X 10.1.0 Apple MAC OS X 10.1.1 Apple MAC OS X 10.1.2 Apple MAC OS X 10.1.3 Apple MAC OS X 10.1.4 Apple MAC OS X 10.1.5 Apple MAC OS X 10.2 Apple MAC OS X 10.2.0 Apple MAC OS X 10.2.1 Apple MAC OS X 10.2.2 Apple MAC OS X 10.2.3 Apple MAC OS X 10.2.4 Apple MAC OS X 10.2.5 Apple MAC OS X 10.2.6 Apple MAC OS X 10.2.7 Apple MAC OS X 10.2.8 Apple MAC OS X 10.3 Apple MAC OS X 10.3.0 Apple MAC OS X 10.3.1 Apple MAC OS X 10.3.2 Apple MAC OS X 10.3.3 Apple MAC OS X 10.3.4 Apple MAC OS X 10.3.5 Apple MAC OS X 10.3.6 Apple MAC OS X 10.3.7 Apple MAC OS X 10.3.8 Apple MAC OS X 10.3.9 Apple MAC OS X 10.4 Apple MAC OS X 10.4.0 Apple MAC OS X 10.4.1 Apple MAC OS X 10.4.2 Apple MAC OS X 10.4.3 Apple MAC OS X 10.4.4 Apple MAC OS X 10.4.5 Apple MAC OS X 10.4.6 Apple MAC OS X 10.4.7 Apple MAC OS X 10.4.8 Apple MAC OS X 10.4.9 Apple MAC OS X 10.4.10 Apple MAC OS X 10.4.11 Apple MAC OS X 10.5 Apple MAC OS X 10.5.0 Apple MAC OS X 10.5.1 Apple MAC OS X 10.5.2 Apple MAC OS X 10.5.3 Apple MAC OS X 10.5.4 Apple MAC OS X 10.5.5 Apple MAC OS X 10.5.6 Apple MAC OS X 10.5.7 Apple MAC OS X 10.5.8 Apple MAC OS X 10.6.0 Apple MAC OS X 10.6.1 Apple MAC OS X 10.6.2 Apple MAC OS X 10.6.3 Apple MAC OS X 10.6.4 Apple MAC OS X 10.6.5 Apple MAC OS X 10.6.6 Apple MAC OS X 10.6.7 Apple MAC OS X 10.6.8 Apple MAC OS X 10.7.0 Apple MAC OS X 10.7.1 Apple MAC OS X 10.7.2 Apple MAC OS X 10.7.3 Apple MAC OS X 10.7.4 Apple MAC OS X 10.7.5 Apple MAC OS X 10.8.0 Apple MAC OS X 10.8.1 Apple MAC OS X 10.8.2 Apple MAC OS X 10.8.3 Apple MAC OS X 10.8.4 Apple MAC OS X 10.8.5 Apple MAC OS X 10.9 Apple MAC OS X 10.9.1 Apple MAC OS X 10.9.2 Apple MAC OS X 10.9.3 Apple MAC OS X 10.9.4 Apple MAC OS X 10.9.5 Apple MAC OS X 10.10.0 Apple MAC OS X 10.10.1 Apple MAC OS X 10.10.2 Apple MAC OS X 10.10.3 Apple MAC OS X 10.10.4 Apple MAC OS X 10.10.5 Apple MAC OS X 10.11.0	93

Common Weakness Enumeration (CWE)

CWE-17 - Code

Nessus

NASL family	MacOS X Local Security Checks
NASL id	MACOSX_SECUPD2015-007.NASL
description	The remote host is running a version of Mac OS X 10.9.5 or 10.10.5 that is missing Security Update 2015-004 or 2015-007. It is, therefore, affected by multiple vulnerabilities in the following components : - Accelerate Framework - apache_mod_php - ATS - Audio - CFNetwork - CoreGraphics - CoreText - EFI - FontParser - Grand Central Dispatch - ImageIO - IOAcceleratorFamily - Kernel - libarchive - MCX Application Restrictions - OpenGL Note that successful exploitation of the most serious issues can result in arbitrary code execution.
last seen	2020-06-01
modified	2020-06-02
plugin id	86829
published	2015-11-10
reporter	This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/86829
title	Mac OS X Multiple Vulnerabilities (Security Updates 2015-004 / 2015-007)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(86829); script_version("1.9"); script_cvs_date("Date: 2018/07/14 1:59:36"); script_cve_id( "CVE-2015-0235", "CVE-2015-0273", "CVE-2015-4860", "CVE-2015-5924", "CVE-2015-5925", "CVE-2015-5926", "CVE-2015-5927", "CVE-2015-5932", "CVE-2015-5933", "CVE-2015-5934", "CVE-2015-5935", "CVE-2015-5936", "CVE-2015-5937", "CVE-2015-5938", "CVE-2015-5939", "CVE-2015-5940", "CVE-2015-5942", "CVE-2015-5944", "CVE-2015-6834", "CVE-2015-6835", "CVE-2015-6836", "CVE-2015-6837", "CVE-2015-6838", "CVE-2015-6975", "CVE-2015-6976", "CVE-2015-6977", "CVE-2015-6978", "CVE-2015-6984", "CVE-2015-6985", "CVE-2015-6989", "CVE-2015-6991", "CVE-2015-6992", "CVE-2015-6993", "CVE-2015-6996", "CVE-2015-7009", "CVE-2015-7010", "CVE-2015-7016", "CVE-2015-7018", "CVE-2015-7023", "CVE-2015-7035" ); script_bugtraq_id( 69477, 72325, 72701, 74971, 76317, 76644, 76649, 76733, 76734, 76738, 77162, 77263, 77265, 77266, 77270 ); script_xref(name:"APPLE-SA", value:"APPLE-SA-2015-10-21-4"); script_name(english:"Mac OS X Multiple Vulnerabilities (Security Updates 2015-004 / 2015-007)"); script_summary(english:"Checks for the presence of Security Update 2015-004 and 2015-007."); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a Mac OS X update that fixes multiple security vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote host is running a version of Mac OS X 10.9.5 or 10.10.5 that is missing Security Update 2015-004 or 2015-007. It is, therefore, affected by multiple vulnerabilities in the following components : - Accelerate Framework - apache_mod_php - ATS - Audio - CFNetwork - CoreGraphics - CoreText - EFI - FontParser - Grand Central Dispatch - ImageIO - IOAcceleratorFamily - Kernel - libarchive - MCX Application Restrictions - OpenGL Note that successful exploitation of the most serious issues can result in arbitrary code execution."); script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT205375"); # https://lists.apple.com/archives/security-announce/2015/Oct/msg00005.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c7e01da3"); script_set_attribute(attribute:"solution", value: "Install Security Update 2015-004 / 2015-007 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/21"); script_set_attribute(attribute:"patch_publication_date", value:"2015/10/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/10"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "Host/MacOSX/packages/boms"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # Compare 2 patch numbers to determine if patch requirements are satisfied. # Return true if this patch or a later patch is applied # Return false otherwise function check_patch(year, number) { local_var p_split = split(patch, sep:"-"); local_var p_year = int( p_split[0]); local_var p_num = int( p_split[1]); if (year > p_year) return TRUE; else if (year < p_year) return FALSE; else if (number >= p_num) return TRUE; else return FALSE; } if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); # Advisory states that update 2015-004 is available for 10.10.5 and update 2015-007 is available for 10.9.5 os = get_kb_item("Host/MacOSX/Version"); if (!os) audit(AUDIT_OS_NOT, "Mac OS X"); if (!ereg(pattern:"Mac OS X 10\.(9\|10)\.5([^0-9]\|$)", string:os)) audit(AUDIT_OS_NOT, "Mac OS X 10.9.5 or Mac OS X 10.10.5"); if ("10.9.5" >< os) patch = "2015-007"; else if ("10.10.5" >< os) patch = "2015-004"; packages = get_kb_item_or_exit("Host/MacOSX/packages/boms", exit_code:1); sec_boms_report = egrep(pattern:"^com\.apple\.pkg\.update\.security\..*bom$", string:packages); sec_boms = split(sec_boms_report, sep:'\n'); foreach package (sec_boms) { # Grab patch year and number match = eregmatch(pattern:"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]", string:package); if (empty_or_null(match[1]) \|\| empty_or_null(match[2])) continue; patch_found = check_patch(year:int(match[1]), number:int(match[2])); if (patch_found) exit(0, "The host has Security Update " + patch + " or later installed and is therefore not affected."); } report = '\n Missing security update : ' + patch; report += '\n Installed security BOMs : '; if (sec_boms_report) report += str_replace(find:'\n', replace:'\n ', string:sec_boms_report); else report += 'n/a'; report += '\n'; security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);

NASL family	MacOS X Local Security Checks
NASL id	MACOSX_SECUPDEFI2015-002.NASL
description	The remote Mac OS X host is running an EFI firmware version that is affected by a function execution vulnerability due to an issue with handling EFI arguments. An unauthenticated, remote attacker can exploit this to execute arbitrary functions via unspecified vectors.
last seen	2020-06-01
modified	2020-06-02
plugin id	86722
published	2015-11-04
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/86722
title	Mac OS X EFI Function Execution Vulnerability (EFI Security Update 2015-002)
code	#TRUSTED 532f206dd914f9ebc588f1a81c2e2fdab2d6dbf478fe57fe5e347cab8f4d80083fa922c5be3a64a0fa366fa87c80fb184b657335010265f43773f0a37b7042324609c76c9b34252d5fdd8691e79202581826653ccda5d47fa3f5ab60f21b83d18dbca8c0542c35abb942ce35b33fad2ccb3dc8481269d102c5d74fec7e8de5ece229ccc08a8cb05305f4df005f7aeb60d350a79949bcac2b35167dbbef92b3e6a61dc585e93b1501430138af0a65335b0fc4f03f785b24e30b33a0affb553fe4eb463d4cfd544a6e6d2060e140f2705eac58433643e711329a0967ab16e9efbbaeaed7226a1a44dcfa6f9f0ede898338c7d7c706f1963ac63cd44f2b68ae3fa2393b1df2933b4cc27e7bbb9199f40cf7cb9b8aa79f2f20022fc7abe1eddcac6376f8e492697560b3541bb84f65ae2dbae423b822fed5012ba78223ef7098eff9ccea445537ca25b8194eba064d1b14f56ba381ee7c2a592e3a386c7ab4e36484b3e88bf1a71a65abb03d5b22fb9a74c25461a4dcd656e7f62f64a064d48749956e59ff6a500fc15b6480601e447862939fbd950f731027b12b7568f08aebbdfba8d9ade96d72c5ae8580f099c92b5bb9a4a82cf412769c43229920501e046eacab0ae392d127619299099c27813fa9e96b9ede49b48d266a95dad8ede08853d231965e0bce876699e6d32a3bac19a6ff3134134085bb21fdcf06f61f52f17eea # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(86722); script_version("1.7"); script_cvs_date("Date: 2019/11/20"); script_cve_id("CVE-2015-7035"); script_bugtraq_id(74971); script_xref(name:"APPLE-SA", value:"APPLE-SA-2015-10-21-6"); script_name(english:"Mac OS X EFI Function Execution Vulnerability (EFI Security Update 2015-002)"); script_summary(english:"Checks the EFI version."); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by a function execution vulnerability."); script_set_attribute(attribute:"description", value: "The remote Mac OS X host is running an EFI firmware version that is affected by a function execution vulnerability due to an issue with handling EFI arguments. An unauthenticated, remote attacker can exploit this to execute arbitrary functions via unspecified vectors."); script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT205317"); # https://lists.apple.com/archives/security-announce/2015/Oct/msg00007.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?df1789d1"); script_set_attribute(attribute:"solution", value: "Install Mac EFI Security Update 2015-002."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/21"); script_set_attribute(attribute:"patch_publication_date", value:"2015/10/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/04"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "Host/MacOSX/packages/boms"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("ssh_func.inc"); include("macosx_func.inc"); if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS) enable_ssh_wrappers(); else disable_ssh_wrappers(); efi_fixes = make_nested_array( "Mac-942459F5819B171B", make_array( "efi-version", "MBP81.88Z.0047.B2A.1506082203" ), "Mac-FC02E91DDD3FA6A4", make_array( "efi-version", "IM131.88Z.010A.B09.1509111558" ), "Mac-3CBD00234E554E41", make_array( "efi-version", "MBP112.88Z.0138.B16.1509081314" ), "Mac-8ED6AF5B48C039E1", make_array( "efi-version", "MM51.88Z.0077.B12.1506081728" ), "Mac-35C1E88140C3E6CF", make_array( "efi-version", "MBA61.88Z.0099.B20.1509081314", "minimum-smc-version", "2.12f135" ), "Mac-F2268DAE", make_array( "efi-version", "IM111.88Z.0034.B04.1509231906" ), "Mac-81E3E92DD6088272", make_array( "efi-version", "IM144.88Z.0179.B12.1509081439" ), "Mac-94245BF5819B151B", make_array( "efi-version", "MBP81.88Z.0047.B2A.1506082203" ), "Mac-4BC72D62AD45599E", make_array( "efi-version", "MM51.88Z.0077.B12.1506081728" ), "Mac-2E6FAB96566FE58C", make_array( "efi-version", "MBA51.88Z.00EF.B04.1509111654" ), "Mac-031AEE4D24BFF0B1", make_array( "efi-version", "MM61.88Z.0106.B0A.1509111654" ), "Mac-7BA5B2794B2CDB12", make_array( "efi-version", "MM51.88Z.0077.B12.1506081728" ), "Mac-7DF2A3B5E5D671ED", make_array( "efi-version", "IM131.88Z.010A.B09.1509111558" ), "Mac-00BE6ED71E35EB86", make_array( "efi-version", "IM131.88Z.010A.B09.1509111558" ), "Mac-F2238AC8", make_array( "efi-version", "IM112.88Z.0057.B03.1509231647" ), "Mac-742912EFDBEE19B3", make_array( "efi-version", "MBA41.88Z.0077.B12.1506081728" ), "Mac-942B59F58194171B", make_array( "efi-version", "IM121.88Z.0047.B21.1506101610" ), "Mac-189A3D4F975D5FFC", make_array( "efi-version", "MBP111.88Z.0138.B16.1509081438" ), "Mac-F22586C8", make_array( "efi-version", "MBP61.88Z.0057.B11.1509232013" ), "Mac-4B7AC7E43945597E", make_array( "efi-version", "MBP91.88Z.00D3.B0C.1509111653" ), "Mac-F22589C8", make_array( "efi-version", "MBP61.88Z.0057.B11.1509232013" ), "Mac-C3EC7CD22292981F", make_array( "efi-version", "MBP101.88Z.00EE.B0A.1509111559" ), "Mac-7DF21CB3ED6977E5", make_array( "efi-version", "MBA61.88Z.0099.B20.1509081314", "minimum-smc-version", "2.13f7" ), "Mac-942B5BF58194151B", make_array( "efi-version", "IM121.88Z.0047.B21.1506101610" ), "Mac-94245B3640C91C81", make_array( "efi-version", "MBP81.88Z.0047.B2A.1506082203" ), "Mac-6F01561E16C75D06", make_array( "efi-version", "MBP91.88Z.00D3.B0C.1509111653" ), "Mac-94245A3940C91C80", make_array( "efi-version", "MBP81.88Z.0047.B2A.1506082203" ), "Mac-27ADBB7B4CEE8E61", make_array( "efi-version", "IM142.88Z.0118.B12.1509081435" ), "Mac-031B6874CF7F642A", make_array( "efi-version", "IM141.88Z.0118.B12.1509081313" ), "Mac-F60DEB81FF30ACF6", make_array( "efi-version", "MP61.88Z.0116.B16.1509081436" ), "Mac-77EB7D7DAF985301", make_array( "efi-version", "IM143.88Z.0118.B12.1509081435" ), "Mac-F2238BAE", make_array( "efi-version", "IM112.88Z.0057.B03.1509231647" ), "Mac-F65AE981FFA204ED", make_array( "efi-version", "MM61.88Z.0106.B0A.1509111654" ), "Mac-C08A6BB70A942AC2", make_array( "efi-version", "MBA41.88Z.0077.B12.1506081728" ), "Mac-66F35F19FE2A0D05", make_array( "efi-version", "MBA51.88Z.00EF.B04.1509111654" ), "Mac-2BD1B31983FE1663", make_array( "efi-version", "MBP112.88Z.0138.B16.1509081314" ), "Mac-AFD8A9D944EA4843", make_array( "efi-version", "MBP102.88Z.0106.B0A.1509130955" ) ); # Modeled after check actual patch performs # if the SMC gets "borked" it reports as "0.000" # output: # -2 if there's an error # -1 if actual < intended # 0 if actual == intended # 1 if actual > intended function compareTwoSMCVersions(actual, intended) { local_var pat, item_actual, item_intended, actualMajorVersion, actualMinorVersion, actualBuildType, actualBuildNumber, intendedMajorVersion, intendedMinorVersion, intendedBuildType, intendedBuildNumber; # borked version checks if(actual == "0.000" && intended == "0.000") return 0; if(actual == "0.000" && intended != "0.000") return -1; if(actual != "0.000" && intended == "0.000") return 1; pat = "^(\d+)\.(\d+)([a-f]{1})(\d+)$"; item_actual = eregmatch(pattern: pat, string: actual); item_intended = eregmatch(pattern: pat, string: intended); if(isnull(item_actual) \|\| isnull(item_intended)) return -2; actualMajorVersion = int(item_actual[1]); actualMinorVersion = int(item_actual[2]); actualBuildType = item_actual[3]; actualBuildNumber = int(item_actual[4]); intendedMajorVersion = int(item_intended[1]); intendedMinorVersion = int(item_intended[2]); intendedBuildType = item_intended[3]; intendedBuildNumber = int(item_intended[4]); if(actualMajorVersion != intendedMajorVersion) return -2; if(actualMinorVersion != intendedMinorVersion) return -2; if(actualBuildType !~ "^[abf]$" \|\| intendedBuildType !~ "^[abf]$") return -2; if(actualBuildType < intendedBuildType) return -1; if(actualBuildType > intendedBuildType) return 1; if(actualBuildNumber < intendedBuildNumber) return -1; if(actualBuildNumber > intendedBuildNumber) return 1; return 0; } # Modeled after check patch performs # output: # -2 if there's an error # -1 if actual < intended # 0 if actual == intended # 1 if actual > intended function compareTwoEFIVersions(actual, intended) { local_var actual_array, intended_array, actual_minor_version, intended_minor_version, actual_major_version, intended_major_version; actual_array = split(actual, sep:'.', keep:FALSE); intended_array = split(intended, sep:'.', keep:FALSE); if(max_index(actual_array) != 5 \|\| max_index(intended_array) != 5) return -2; if(actual_array[0] != intended_array[0]) return -2; if(actual_array[1] != "88Z" \|\| intended_array[1] != "88Z") return -2; if(actual_array[2] !~ "^[\da-fA-F]{4}$" \|\| intended_array[2] !~ "^[\da-fA-F]{4}$") return -2; # don't know why, but this check is in the patch if(actual_array[3][0] =~ "[dD]" \|\| intended_array[3][0] =~ "[dD]") return -2; actual_minor_version = substr(actual_array[3], 1); intended_minor_version = substr(intended_array[3], 1); if(actual_minor_version !~ "^[\da-fA-F]{2}$" \|\| intended_minor_version !~ "^[\da-fA-F]{2}$") return -2; actual_minor_version = ord(hex2raw(s:actual_minor_version)); intended_minor_version = ord(hex2raw(s:intended_minor_version)); actual_major_version = getword(blob:hex2raw(s:actual_array[2]), pos:0, order:BYTE_ORDER_BIG_ENDIAN); intended_major_version = getword(blob:hex2raw(s:intended_array[2]), pos:0, order:BYTE_ORDER_BIG_ENDIAN); if(actual_major_version > intended_major_version) return 1; if(actual_major_version < intended_major_version) return -1; if(actual_minor_version > intended_minor_version) return 1; if(actual_minor_version < intended_minor_version) return -1; return 0; } if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); # Available for: OS X Mavericks v10.9.5 os = get_kb_item("Host/MacOSX/Version"); if (!os) audit(AUDIT_OS_NOT, "Mac OS X"); if (!ereg(pattern:"Mac OS X 10\.9\.5([^0-9]\|$)", string:os)) audit(AUDIT_OS_NOT, "Mac OS X 10.9.5"); board_id_cmd = 'ioreg -l \| awk -F \\" \'/board-id/ { print $4 }\''; efi_version_cmd = 'ioreg -p IODeviceTree -n rom@0 \| awk -F \\" \'/version/ { print $4 }\''; smc_version_cmd = 'ioreg -l \| awk -F \\" \'/smc-version/ { print $4 }\''; results = exec_cmds(cmds:make_list(board_id_cmd, efi_version_cmd, smc_version_cmd)); # these may not be considered an 'error' if host is a VM running on non Apple hardware if(isnull(results)) exit(0, "Unable to obtain hardware information on remote host."); if(isnull(results[board_id_cmd]) \|\| results[board_id_cmd] !~ "^Mac-[a-fA-F\d]+$") exit(0, 'No valid Mac board ID found.'); if(isnull(results[efi_version_cmd]) \|\| ".88Z." >!< results[efi_version_cmd]) exit(0, 'No valid Mac EFI version found.'); if(isnull(results[smc_version_cmd]) \|\| results[smc_version_cmd] !~ "^(\d+)\.([\da-f]+)$") exit(0, 'No valid Mac SMC version found.'); board_id = results[board_id_cmd]; efi_version = results[efi_version_cmd]; smc_version = results[smc_version_cmd]; if(isnull(efi_fixes[board_id])) exit(0, "The remote host does not have an affected board ID (" + board_id + ")."); efi_fix = efi_fixes[board_id]["efi-version"]; min_smc_ver = efi_fixes[board_id]["minimum-smc-version"]; if(!isnull(min_smc_ver)) { if(compareTwoSMCVersions(actual:smc_version, intended:min_smc_ver) < 0) exit(0, "SMC version " + smc_version + " is too old to allow update."); } res = compareTwoEFIVersions(actual:efi_version, intended:efi_fix); if(res == -2) exit(1, "Error comparing EFI version (" + efi_version + ") to fixed version (" + efi_fix + ")."); if(res >= 0) audit(AUDIT_INST_VER_NOT_VULN, "Apple EFI", efi_version); port = 0; if(report_verbosity > 0) { report = '\n Board ID : ' + board_id + '\n Installed EFI version : ' + efi_version + '\n Fixed EFI version : ' + efi_fix + '\n'; security_hole(port:port, extra:report); } else security_hole(port);

NASL family	MacOS X Local Security Checks
NASL id	MACOSX_10_11_1.NASL
description	The remote host is running a version of Mac OS X that is 10.9.5 or later but prior to 10.11.1 It is, therefore, affected by multiple vulnerabilities in the following components : - Accelerate Framework (CVE-2015-5940) - apache_mod_php (CVE-2015-0235, CVE-2015-0273, CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, CVE-2015-6838) - ATS (CVE-2015-6985) - Audio (CVE-2015-5933, CVE-2015-5934, CVE-2015-7003) - Bom (CVE-2015-7006) - CFNetwork (CVE-2015-7023) - configd (CVE-2015-7015) - CoreGraphics (CVE-2015-5925, CVE-2015-5926) - CoreText (CVE-2015-5944, CVE-2015-6975, CVE-2015-6992, CVE-2015-7017) - Directory Utility (CVE-2015-6980) - Disk Images (CVE-2015-6995) - EFI (CVE-2015-7035) - File Bookmark (CVE-2015-6987) - FontParser (CVE-2015-5927, CVE-2015-5942, CVE-2015-6976, CVE-2015-6977, CVE-2015-6978, CVE-2015-6990, CVE-2015-6991, CVE-2015-6993, CVE-2015-7008, CVE-2015-7009, CVE-2015-7010, CVE-2015-7018) - Grand Central Dispatch (CVE-2015-6989) - Graphics Drivers (CVE-2015-7019, CVE-2015-7020, CVE-2015-7021) - ImageIO (CVE-2015-5935, CVE-2015-5936, CVE-2015-5937, CVE-2015-5938, CVE-2015-5939) - IOAcceleratorFamily (CVE-2015-6996) - IOHIDFamily (CVE-2015-6974) - Kernel (CVE-2015-5932, CVE-2015-6988, CVE-2015-6994) - libarchive (CVE-2015-6984) - MCX Application Restrictions (CVE-2015-7016) - Net-SNMP (CVE-2014-3565, CVE-2012-6151) - OpenGL (CVE-2015-5924) - OpenSSH (CVE-2015-6563) - Sandbox (CVE-2015-5945) - Script Editor (CVE-2015-7007) - Security (CVE-2015-6983, CVE-2015-7024) - SecurityAgent (CVE-2015-5943) Note that successful exploitation of the most serious issues can result in arbitrary code execution.
last seen	2020-06-01
modified	2020-06-02
plugin id	86654
published	2015-10-29
reporter	This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/86654
title	Mac OS X < 10.11.1 Multiple Vulnerabilities

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

References