Vulnerabilities > CVE-2018-4200 - Use After Free vulnerability in multiple products

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
apple
canonical
CWE-416
nessus
exploit available

Summary

An issue was discovered in certain Apple products. iOS before 11.3.1 is affected. Safari before 11.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site that triggers a WebCore::jsElementScrollHeightGetter use-after-free.

Vulnerable Configurations

Part Description Count
Application
Apple
402
OS
Apple
240
OS
Microsoft
1
OS
Canonical
3

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionWebKit - 'WebCore::jsElementScrollHeightGetter' Use-After-Free. CVE-2018-4200. Dos exploit for Multiple platform. Tags: Use After Free (UAF)
fileexploits/multiple/dos/44566.html
idEDB-ID:44566
last seen2018-05-24
modified2018-05-02
platformmultiple
port
published2018-05-02
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/44566/
titleWebKit - 'WebCore::jsElementScrollHeightGetter' Use-After-Free
typedos

Nessus

  • NASL familyWindows
    NASL idITUNES_12_7_5.NASL
    descriptionThe version of Apple iTunes installed on the remote Windows host is prior to 12.7.5. It is, therefore, affected by multiple vulnerabilities as referenced in the HT208852 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id110384
    published2018-06-06
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110384
    titleApple iTunes < 12.7.5 Multiple Vulnerabilities (credentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110384);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/04");
    
      script_cve_id(
        "CVE-2018-4188",
        "CVE-2018-4190",
        "CVE-2018-4192",
        "CVE-2018-4199",
        "CVE-2018-4200",
        "CVE-2018-4201",
        "CVE-2018-4204",
        "CVE-2018-4214",
        "CVE-2018-4218",
        "CVE-2018-4222",
        "CVE-2018-4224",
        "CVE-2018-4225",
        "CVE-2018-4226",
        "CVE-2018-4232",
        "CVE-2018-4233",
        "CVE-2018-4246"
      );
      script_bugtraq_id(103961, 104378);
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2018-06-01-7");
    
      script_name(english:"Apple iTunes < 12.7.5 Multiple Vulnerabilities (credentialed check)");
      script_summary(english:"Checks the version of iTunes on Windows.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application installed on the remote host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Apple iTunes installed on the remote Windows host is
    prior to 12.7.5. It is, therefore, affected by multiple vulnerabilities
    as referenced in the HT208852 advisory.
    
    Note that Nessus has not tested for this issue but has instead relied
    only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT208852");
      # https://lists.apple.com/archives/security-announce/2018/Jun/msg00006.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?375c8685");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apple iTunes version 12.7.5 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-4246");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Safari Proxy Object Type Confusion');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/06");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:itunes");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("itunes_detect.nasl");
      script_require_keys("installed_sw/iTunes Version", "SMB/Registry/Enumerated");
    
      exit(0);
    }
    
    include("vcf.inc");
    
    # Ensure this is Windows
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    
    app_info = vcf::get_app_info(app:"iTunes Version", win_local:TRUE);
    
    constraints = [{"fixed_version" : "12.7.5"}];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201808-04.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201808-04 (WebkitGTK+: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the referenced CVE identifiers for details. Impact : A remote attacker could execute arbitrary commands or cause a denial of service condition via a maliciously crafted web content. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id112078
    published2018-08-23
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112078
    titleGLSA-201808-04 : WebkitGTK+: Multiple vulnerabilities
  • NASL familyPeer-To-Peer File Sharing
    NASL idITUNES_12_7_5_BANNER.NASL
    descriptionThe version of Apple iTunes installed on the remote Windows host is prior to 12.7.5. It is, therefore, affected by multiple vulnerabilities in WebKit as referenced in the HT208852 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id110383
    published2018-06-06
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110383
    titleApple iTunes < 12.7.5 Multiple Vulnerabilities (uncredentialed check)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-93BA62D099.NASL
    descriptionThis update addresses the following vulnerabilities : - [CVE-2018-4200](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4200) Additional fixes : - Do TLS error checking on GTlsConnection::accept-certificate to finish the load earlier in case of errors. - Properly close the connection to the nested wayland compositor in the Web Process. - Avoid painting backing stores for zero-opacity layers. - Fix downloads started by context menu failing in some websites due to missing user agent HTTP header. - Fix video unpause when GStreamerGL is disabled. - Fix several GObject introspection annotations. - Update user agent quirks to fix Outlook.com and Chase.com. - Fix several crashes and rendering issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-05-16
    plugin id109824
    published2018-05-16
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109824
    titleFedora 27 : webkitgtk4 (2018-93ba62d099)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SAFARI11_1_0_PATCH_2018_04_24.NASL
    descriptionThe version of Apple Safari installed on the remote macOS or Mac OS X host is 11.1, but is missing the security fix APPLE-SA-2018-04-24-3. It is, therefore, affected by multiple vulnerabilities as described in the HT208741 security advisory.
    last seen2020-06-01
    modified2020-06-02
    plugin id109392
    published2018-04-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109392
    titlemacOS : Apple Safari 11.1 APPLE-SA-2018-04-24-3 Multiple Vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-97C58E29E4.NASL
    descriptionThis update addresses the following vulnerabilities : - [CVE-2018-4200](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4200) Additional fixes : - Do TLS error checking on GTlsConnection::accept-certificate to finish the load earlier in case of errors. - Properly close the connection to the nested wayland compositor in the Web Process. - Avoid painting backing stores for zero-opacity layers. - Fix downloads started by context menu failing in some websites due to missing user agent HTTP header. - Fix video unpause when GStreamerGL is disabled. - Fix several GObject introspection annotations. - Update user agent quirks to fix Outlook.com and Chase.com. - Fix several crashes and rendering issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120639
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120639
    titleFedora 28 : webkit2gtk3 (2018-97c58e29e4)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-3387-1.NASL
    descriptionThis update for webkit2gtk3 to version 2.20.3 fixes the issues : The following security vulnerabilities were addressed : CVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs (boo#1101999) CVE-2017-13884: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). CVE-2017-13885: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). CVE-2017-7153: An unspecified issue allowed remote attackers to spoof user-interface information (about whether the entire content is derived from a valid TLS session) via a crafted website that sends a 401 Unauthorized redirect (bsc#1077535). CVE-2017-7160: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). CVE-2017-7161: An unspecified issue allowed remote attackers to execute arbitrary code via special characters that trigger command injection (bsc#1075775, bsc#1077535). CVE-2017-7165: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). CVE-2018-4088: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). CVE-2018-4096: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). CVE-2018-4200: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers a WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280). CVE-2018-4204: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1092279). CVE-2018-4101: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182). CVE-2018-4113: An issue in the JavaScriptCore function in the
    last seen2020-06-01
    modified2020-06-02
    plugin id118389
    published2018-10-25
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118389
    titleSUSE SLED12 / SLES12 Security Update : webkit2gtk3 (SUSE-SU-2018:3387-1)
  • NASL familyMisc.
    NASL idAPPLETV_11_4.NASL
    descriptionAccording to its banner, the version of Apple TV on the remote device is prior to 11.4. It is, therefore, affected by multiple vulnerabilities as described in the HT208850 security advisory. Note that only 4th and 5th generation models are affected by these vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id110325
    published2018-06-05
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110325
    titleApple TV < 11.4 Multiple Vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-6A9FEA1B3A.NASL
    descriptionThis update addresses the following vulnerabilities : - [CVE-2018-4200](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4200) Additional fixes : - Do TLS error checking on GTlsConnection::accept-certificate to finish the load earlier in case of errors. - Properly close the connection to the nested wayland compositor in the Web Process. - Avoid painting backing stores for zero-opacity layers. - Fix downloads started by context menu failing in some websites due to missing user agent HTTP header. - Fix video unpause when GStreamerGL is disabled. - Fix several GObject introspection annotations. - Update user agent quirks to fix Outlook.com and Chase.com. - Fix several crashes and rendering issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-05-23
    plugin id109970
    published2018-05-23
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109970
    titleFedora 26 : webkitgtk4 (2018-6a9fea1b3a)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1288.NASL
    descriptionThis update for webkit2gtk3 to version 2.20.3 fixes the issues : The following security vulnerabilities were addressed : - CVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs (boo#1101999) - CVE-2017-13884: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). - CVE-2017-13885: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). - CVE-2017-7153: An unspecified issue allowed remote attackers to spoof user-interface information (about whether the entire content is derived from a valid TLS session) via a crafted website that sends a 401 Unauthorized redirect (bsc#1077535). - CVE-2017-7160: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). - CVE-2017-7161: An unspecified issue allowed remote attackers to execute arbitrary code via special characters that trigger command injection (bsc#1075775, bsc#1077535). - CVE-2017-7165: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). - CVE-2018-4088: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). - CVE-2018-4096: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). - CVE-2018-4200: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers a WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280). - CVE-2018-4204: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1092279). - CVE-2018-4101: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182). - CVE-2018-4113: An issue in the JavaScriptCore function in the
    last seen2020-06-05
    modified2018-10-26
    plugin id118453
    published2018-10-26
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118453
    titleopenSUSE Security Update : webkit2gtk3 (openSUSE-2018-1288)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3640-1.NASL
    descriptionIvan Fratric discovered that WebKitGTK+ incorrectly handled certain web content. If a user were tricked into viewing a malicious website, a remote attacker could possibly exploit this to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id109649
    published2018-05-09
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109649
    titleUbuntu 16.04 LTS / 17.10 / 18.04 LTS : webkit2gtk vulnerability (USN-3640-1)

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/147421/GS20180502035150.txt
idPACKETSTORM:147421
last seen2018-05-07
published2018-05-01
reporterIvan Fratric
sourcehttps://packetstormsecurity.com/files/147421/WebKit-WebCore-jsElementScrollHeightGette-Use-After-Free.html
titleWebKit WebCore::jsElementScrollHeightGette Use-After-Free