CVE-2018-4441 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple products

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 12.1.1, tvOS 12.1.1, watchOS 5.1.2, Safari 12.0.2, iTunes 12.9.2 for Windows, iCloud for Windows 7.9.

Vulnerable Configurations

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

  • idEDB-ID:46072
    last seen2019-01-02
    modified2019-01-02
    published2019-01-02
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/46072
    titleWebKit JSC - 'JSArray::shiftCountWithArrayStorage' Out-of-Bounds Read/Write
  • idEDB-ID:46522
    last seen2019-03-11
    modified2019-03-08
    published2019-03-08
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/46522
    titleSony Playstation 4 (PS4) < 6.20 - WebKit Code Execution (PoC)

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-108.NASL
    descriptionThis update for webkit2gtk3 to version 2.22.5 fixes the following issues : Security issues fixed : - CVE-2018-4438: Fixed a logic issue which lead to memory corruption (bsc#1119554) - CVE-2018-4437, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4464: Fixed multiple memory corruption issues with improved memory handling (bsc#1119553, bsc#1119555, bsc#1119556, bsc#1119557, bsc#1119558) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-01-01
    modified2020-01-02
    plugin id121538
    published2019-02-01
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121538
    titleopenSUSE Security Update : webkit2gtk3 (openSUSE-2019-108)
  • NASL familyMisc.
    NASL idAPPLETV_12_1_1.NASL
    descriptionAccording to its banner, the version of Apple TV on the remote device is prior to 12.1.1. It is, therefore, affected by multiple vulnerabilities as described in the HT209342 security advisory: - Multiple elevation of privilege vulnerabilities exist due to improper memory handling. An application can exploit this to gain elevated privileges. (CVE-2018-4303, CVE-2018-4435) - Multiple unspecified command execution vulnerabilities exist that allow an attacker to execute arbitrary commands, sometimes with kernel privileges. (CVE-2018-4427, CVE-2018-4437, CVE-2018-4438, CVE-2018-4447, CVE-2018-4461, CVE-2018-4464, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443) - An unspecified denial of service (DoS) vulnerability exists in the Kernel that allows an an attacker in a privileged position to perform a denial of service attack. (CVE-2018-4460) Additionally, the version of Apple TV is also affected by several additional vulnerabilities including cross-site scripting (XSS) and an information disclosure vulnerability. Note that only 4th generation devices are affected by these vulnerabilities.
    last seen2020-01-01
    modified2020-01-02
    plugin id119839
    published2018-12-21
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119839
    titleApple TV < 12.1.1 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0092-1.NASL
    descriptionThis update for webkit2gtk3 to version 2.22.5 fixes the following issues : Security issues fixed : CVE-2018-4372, CVE-2018-4345, CVE-2018-4386, CVE-2018-4375, CVE-2018-4376, CVE-2018-4378, CVE-2018-4382, CVE-2018-4392, CVE-2018-4416, CVE-2018-4191, CVE-2018-4197, CVE-2018-4299, CVE-2018-4306, CVE-2018-4309, CVE-2018-4312, CVE-2018-4314, CVE-2018-4315, CVE-2018-4316, CVE-2018-4317, CVE-2018-4318, CVE-2018-4319, CVE-2018-4323, CVE-2018-4328, CVE-2018-4358, CVE-2018-4359, CVE-2018-4361, CVE-2018-4373, CVE-2018-4162, CVE-2018-4163, CVE-2018-4165, CVE-2018-11713, CVE-2018-4207, CVE-2018-4208, CVE-2018-4209, CVE-2018-4210, CVE-2018-4212, CVE-2018-4213, CVE-2018-4437, CVE-2018-4438, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4464 (bsc#1119558, bsc#1116998, bsc#1110279) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-01-01
    modified2020-01-02
    plugin id121206
    published2019-01-16
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121206
    titleSUSE SLED15 / SLES15 Security Update : webkit2gtk3 (SUSE-SU-2019:0092-1)
  • NASL familyWindows
    NASL idITUNES_12_9_2.NASL
    descriptionThe version of Apple iTunes installed on the remote Windows host is prior to 12.9.2. It is, therefore, affected by multiple vulnerabilities as referenced in the HT209345 advisory. - Visiting a malicious website may lead to address bar spoofing (CVE-2018-4440) - Visiting a malicious website may lead to user interface spoofing (CVE-2018-4439) - Processing maliciously crafted web content may lead to arbitrary code execution. (CVE-2018-4437, CVE-2018-4464) - Processing maliciously crafted web content may lead to arbitrary code execution. (CVE-2018-4441, CVE-2018-4442, CVE-2018-4443) - Processing maliciously crafted web content may lead to arbitrary code execution. (CVE-2018-4438) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-01-01
    modified2020-01-02
    plugin id119767
    published2018-12-19
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119767
    titleApple iTunes < 12.9.2 Multiple Vulnerabilities (credentialed check)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SAFARI12_0_2.NASL
    descriptionThe version of Apple Safari installed on the remote macOS or Mac OS X host is prior to 12.0.2. It is, therefore, affected by the following vulnerabilities : - Input-validation errors exist that allow memory corruption leading to arbitrary code execution. (CVE-2018-4437, CVE-2018-4438, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4464) Note that other flaws exist that allow information disclosure and address bar spoofing.
    last seen2020-01-01
    modified2020-01-02
    plugin id119498
    published2018-12-07
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119498
    titlemacOS : Apple Safari < 12.0.2 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0497-1.NASL
    descriptionThis update for webkit2gtk3 to version 2.22.6 fixes the following issues (boo#1124937 boo#1119558) : Security vulnerabilities fixed : CVE-2018-4437: Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. (boo#1119553) CVE-2018-4438: Processing maliciously crafted web content may lead to arbitrary code execution. A logic issue existed resulting in memory corruption. This was addressed with improved state management. (boo#1119554) CVE-2018-4441: Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling. (boo#1119555) CVE-2018-4442: Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling. (boo#1119556) CVE-2018-4443: Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling. (boo#1119557) CVE-2018-4464: Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. (boo#1119558) CVE-2019-6212: Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-6215: Processing maliciously crafted web content may lead to arbitrary code execution. A type confusion issue was addressed with improved memory handling. CVE-2019-6216: Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-6217: Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-6226: Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-6227: Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling. CVE-2019-6229: Processing maliciously crafted web content may lead to universal cross-site scripting. A logic issue was addressed with improved validation. CVE-2019-6233: Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling. CVE-2019-6234: Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling. Other bug fixes and changes: Make kinetic scrolling slow down smoothly when reaching the ends of pages, instead of abruptly, to better match the GTK+ behaviour. Fix Web inspector magnifier under Wayland. Fix garbled rendering of some websites (e.g. YouTube) while scrolling under X11. Fix several crashes, race conditions, and rendering issues. For a detailed list of changes, please refer to: https://webkitgtk.org/security/WSA-2019-0001.html https://webkitgtk.org/2019/02/09/webkitgtk2.22.6-released.html https://webkitgtk.org/security/WSA-2018-0009.html https://webkitgtk.org/2018/12/13/webkitgtk2.22.5-released.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-01-01
    modified2020-01-02
    plugin id122474
    published2019-02-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122474
    titleSUSE SLED15 / SLES15 Security Update : webkit2gtk3 (SUSE-SU-2019:0497-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0146-1.NASL
    descriptionThis update for webkit2gtk3 to version 2.22.5 fixes the following issues : Security issues fixed : CVE-2018-4438: Fixed a logic issue which lead to memory corruption (bsc#1119554) CVE-2018-4437, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4464: Fixed multiple memory corruption issues with improved memory handling (bsc#1119553, bsc#1119555, bsc#1119556, bsc#1119557, bsc#1119558) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-01-01
    modified2020-01-02
    plugin id121343
    published2019-01-24
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121343
    titleSUSE SLED12 / SLES12 Security Update : webkit2gtk3 (SUSE-SU-2019:0146-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-81.NASL
    descriptionThis update for webkit2gtk3 to version 2.22.5 fixes the following issues : Security issues fixed : - CVE-2018-4372, CVE-2018-4345, CVE-2018-4386, CVE-2018-4375, CVE-2018-4376, CVE-2018-4378, CVE-2018-4382, CVE-2018-4392, CVE-2018-4416, CVE-2018-4191, CVE-2018-4197, CVE-2018-4299, CVE-2018-4306, CVE-2018-4309, CVE-2018-4312, CVE-2018-4314, CVE-2018-4315, CVE-2018-4316, CVE-2018-4317, CVE-2018-4318, CVE-2018-4319, CVE-2018-4323, CVE-2018-4328, CVE-2018-4358, CVE-2018-4359, CVE-2018-4361, CVE-2018-4373, CVE-2018-4162, CVE-2018-4163, CVE-2018-4165, CVE-2018-11713, CVE-2018-4207, CVE-2018-4208, CVE-2018-4209, CVE-2018-4210, CVE-2018-4212, CVE-2018-4213, CVE-2018-4437, CVE-2018-4438, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4464 (bsc#1119558, bsc#1116998, bsc#1110279) This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-01-01
    modified2020-01-02
    plugin id121339
    published2019-01-24
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121339
    titleopenSUSE Security Update : webkit2gtk3 (openSUSE-2019-81)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-308.NASL
    descriptionThis update for webkit2gtk3 to version 2.22.6 fixes the following issues (boo#1124937 boo#1119558) : Security vulnerabilities fixed : - CVE-2018-4437: Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. (boo#1119553) - CVE-2018-4438: Processing maliciously crafted web content may lead to arbitrary code execution. A logic issue existed resulting in memory corruption. This was addressed with improved state management. (boo#1119554) - CVE-2018-4441: Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling. (boo#1119555) - CVE-2018-4442: Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling. (boo#1119556) - CVE-2018-4443: Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling. (boo#1119557) - CVE-2018-4464: Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. (boo#1119558) - CVE-2019-6212: Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. - CVE-2019-6215: Processing maliciously crafted web content may lead to arbitrary code execution. A type confusion issue was addressed with improved memory handling. - CVE-2019-6216: Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. - CVE-2019-6217: Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. - CVE-2019-6226: Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. - CVE-2019-6227: Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling. - CVE-2019-6229: Processing maliciously crafted web content may lead to universal cross site scripting. A logic issue was addressed with improved validation. - CVE-2019-6233: Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling. - CVE-2019-6234: Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling. Other bug fixes and changes : - Make kinetic scrolling slow down smoothly when reaching the ends of pages, instead of abruptly, to better match the GTK+ behaviour. - Fix Web inspector magnifier under Wayland. - Fix garbled rendering of some websites (e.g. YouTube) while scrolling under X11. - Fix several crashes, race conditions, and rendering issues. For a detailed list of changes, please refer to : - https://webkitgtk.org/security/WSA-2019-0001.html - https://webkitgtk.org/2019/02/09/webkitgtk2.22.6-released.html - https://webkitgtk.org/security/WSA-2018-0009.html - https://webkitgtk.org/2018/12/13/webkitgtk2.22.5-released.html This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-01-01
    modified2020-01-02
    plugin id122744
    published2019-03-11
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122744
    titleopenSUSE Security Update : webkit2gtk3 (openSUSE-2019-308)

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/150935/GS20181228215646.txt
idPACKETSTORM:150935
last seen2018-12-29
published2018-12-27
reporterGoogle Security Research
sourcehttps://packetstormsecurity.com/files/150935/WebKit-JSC-JSArray-shiftCountWithArrayStorage-Out-Of-Band-Read-Write.html
titleWebKit JSC JSArray::shiftCountWithArrayStorage Out-Of-Band Read / Write