Vulnerabilities > CVE-2017-6988 - Improper Certificate Validation vulnerability in Apple mac OS X
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
An issue was discovered in certain Apple products. macOS before 10.12.5 is affected. The issue involves the "802.1X" component. It allows remote attackers to discover the network credentials of arbitrary users by operating a crafted network that requires 802.1X authentication, because EAP-TLS certificate validation mishandles certificate changes.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Creating a Rogue Certificate Authority Certificate An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
Nessus
| NASL family | MacOS X Local Security Checks |
| NASL id | MACOS_10_12_5.NASL |
| description | The remote host is running a version of macOS that is 10.12.x prior to 10.12.5. It is, therefore, affected by multiple vulnerabilities : - Multiple memory corruption issues exist in the Kernel component that allow a local attacker to gain kernel-level privileges. (CVE-2017-2494, CVE-2017-2546) - A state management flaw exists in the iBooks component due to improper handling of URLs. An unauthenticated, remote attacker can exploit this, via a specially crafted book, to open arbitrary websites without user permission. (CVE-2017-2497) - A local privilege escalation vulnerability exists in the Kernel component due to a race condition. A local attacker can exploit this to execute arbitrary code with kernel-level privileges. (CVE-2017-2501) - An information disclosure vulnerability exists in the CoreAudio component due to improper sanitization of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-2502) - A memory corruption issue exists in the Intel graphics driver component that allows a local attacker to execute arbitrary code with kernel-level privileges. CVE-2017-2503) - Multiple information disclosure vulnerabilities exist in the Kernel component due to improper sanitization of user-supplied input. A local attacker can exploit these to read the contents of restricted memory. (CVE-2017-2507, CVE-2017-2509, CVE-2017-2516, CVE-2017-6987) - A memory corruption issue exists in the Sandbox component that allows an unauthenticated, remote attacker to escape an application sandbox. (CVE-2017-2512) - A use-after-free error exists in the SQLite component when handling SQL queries. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2017-2513) - Multiple buffer overflow conditions exist in the SQLite component due to the improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, via a specially crafted SQL query, to execute arbitrary code. (CVE-2017-2518, CVE-2017-2520) - A memory corruption issue exists in the SQLite component when handling SQL queries. An unauthenticated, remote attacker can exploit this, via a specially crafted SQL query, to execute arbitrary code. (CVE-2017-2519) - An unspecified memory corruption issue exists in the TextInput component when parsing specially crafted data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2524) - A flaw exists in the CoreAnimation component when handling specially crafted data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2527) - A race condition exists in the DiskArbitration feature that allow a local attacker to gain system-level privileges. (CVE-2017-2533) - An unspecified flaw exists in the Speech Framework that allows a local attacker to escape an application sandbox. (CVE-2017-2534) - A resource exhaustion issue exists in the Security component due to improper validation of user-supplied input. A local attacker can exploit this to exhaust resources and escape an application sandbox. (CVE-2017-2535) - Multiple memory corruption issues exist in the WindowServer component that allow a local attacker to execute arbitrary code with system-level privileges. (CVE-2017-2537, CVE-2017-2548) - An information disclosure vulnerability exists in WindowServer component in the _XGetConnectionPSN() function due to improper validation of user-supplied input. A local attacker can exploit this to read the contents of restricted memory. (CVE-2017-2540) - A stack-based buffer overflow condition exists in the WindowServer component in the _XGetWindowMovementGroup() function due to improper validation of user-supplied input. A local attacker can exploit this to execute arbitrary code with the privileges of WindowServer. (CVE-2017-2541) - Multiple memory corruption issues exist in the Multi-Touch component that allow a local attacker to execute arbitrary code with kernel-level privileges. (CVE-2017-2542, CVE-2017-2543) - A use-after-free error exists in the IOGraphic component that allows a local attacker to execute arbitrary code with kernel-level privileges. (CVE-2017-2545) - A flaw exists in the Speech Framework, specifically within the speechsynthesisd service, due to improper validation of unsigned dynamic libraries (.dylib) before being loaded. A local attacker can exploit this to bypass the application |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 100270 |
| published | 2017-05-18 |
| reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/100270 |
| title | macOS 10.12.x < 10.12.5 Multiple Vulnerabilities |