Vulnerability Description
libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not verify that certain values have the expected data type, which allows attackers to execute arbitrary code in an _networkd context via a crafted XPC message from a sandboxed app, as demonstrated by lack of verification of the XPC dictionary data type.
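The description above comes down to a missing type check in an XPC message handler: networkd called dictionary accessors on whatever object a sandboxed client sent it. The C below is an added example, not Apple's libnetcore or libxpc code and not the Project Zero proof of concept. It models XPC objects with a small tagged-object type (the `obj` struct, `dict_get`, the `interface`/`ttl` request shape and the sample messages are all hypothetical) and shows the unchecked handler next to one that verifies the message is a dictionary and that every value has the expected type before reading it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal tagged-object model standing in for XPC objects (not libxpc). */
typedef enum { T_STRING, T_INT64, T_DICTIONARY } obj_type;
typedef struct obj obj;
struct entry { const char *key; obj *value; };
struct obj {
    obj_type type;
    union {
        const char *str;                                      /* T_STRING */
        int64_t     i64;                                      /* T_INT64 */
        struct { struct entry *entries; size_t count; } dict; /* T_DICTIONARY */
    } u;
};

/* Dictionary accessor that, like calling xpc_dictionary_get_value() on an
 * object that is not a dictionary, trusts the caller and never checks the tag. */
static obj *dict_get(obj *d, const char *key) {
    for (size_t i = 0; i < d->u.dict.count; i++)
        if (strcmp(d->u.dict.entries[i].key, key) == 0)
            return d->u.dict.entries[i].value;
    return NULL;
}

/* Hypothetical request the daemon expects: { "interface": <string>, "ttl": <int64> } */
typedef struct { char interface[32]; int64_t ttl; } request;

/* VULNERABLE: treats the message as a dictionary and each field as its expected
 * type without checking. A non-dictionary top-level object is read through the
 * dictionary layout; a non-string "interface" is read as a char pointer.
 * Kept for comparison only; never call it on untrusted input. */
bool handle_vulnerable(obj *msg, request *out) {
    obj *iface = dict_get(msg, "interface");
    obj *ttl   = dict_get(msg, "ttl");
    if (!iface || !ttl) return false;
    snprintf(out->interface, sizeof out->interface, "%s", iface->u.str);
    out->ttl = ttl->u.i64;
    return true;
}

/* Fetch a key only if the value carries the expected type tag. */
static obj *dict_get_typed(obj *d, const char *key, obj_type want) {
    obj *v = dict_get(d, key);
    return (v && v->type == want) ? v : NULL;
}

/* HARDENED: check the message type before any dictionary accessor runs, then
 * the type of every value before reading it as that type. */
bool handle_checked(obj *msg, request *out) {
    if (!msg || msg->type != T_DICTIONARY) return false; /* the check that was missing */
    obj *iface = dict_get_typed(msg, "interface", T_STRING);
    obj *ttl   = dict_get_typed(msg, "ttl", T_INT64);
    if (!iface || !ttl) return false;
    snprintf(out->interface, sizeof out->interface, "%s", iface->u.str);
    out->ttl = ttl->u.i64;
    return true;
}

/* Constructed sample messages (not captured traffic). */
static obj s_en0       = { .type = T_STRING, .u.str = "en0" };
static obj s_ttl       = { .type = T_INT64,  .u.i64 = 300 };
static obj s_bad_iface = { .type = T_INT64,  .u.i64 = 7 };
static struct entry good_entries[] = { { "interface", &s_en0 },       { "ttl", &s_ttl } };
static struct entry bad_entries[]  = { { "interface", &s_bad_iface }, { "ttl", &s_ttl } };
static obj msg_good      = { .type = T_DICTIONARY, .u.dict = { good_entries, 2 } };
static obj msg_bad_value = { .type = T_DICTIONARY, .u.dict = { bad_entries, 2 } };
static obj msg_not_dict  = { .type = T_STRING, .u.str = "not a dictionary" };

/* 1 if the hardened handler accepts the well-formed message and decodes it. */
int checked_accepts_good(void) {
    request r = {0};
    return handle_checked(&msg_good, &r) && strcmp(r.interface, "en0") == 0 && r.ttl == 300;
}
/* 1 if a top-level string is refused before any dictionary accessor is reached. */
int checked_rejects_non_dict(void) { request r; return !handle_checked(&msg_not_dict, &r); }
/* 1 if a dictionary whose "interface" value is an int64 is refused. */
int checked_rejects_wrong_value_type(void) { request r; return !handle_checked(&msg_bad_value, &r); }
/* The vulnerable handler behaves identically on well-formed input, which is why
 * the missing check goes unnoticed in normal operation. */
int vulnerable_accepts_good(void) { request r = {0}; return handle_vulnerable(&msg_good, &r) && r.ttl == 300; }

int main(void) {
    printf("checked: good=%d non_dict_rejected=%d wrong_type_rejected=%d\n",
           checked_accepts_good(), checked_rejects_non_dict(), checked_rejects_wrong_value_type());
    return 0;
}
```

In a real XPC service the equivalent of the two checks is `xpc_get_type(msg) == XPC_TYPE_DICTIONARY` on the incoming event (an error object such as `XPC_ERROR_CONNECTION_INVALID` also arrives through the same handler) and `xpc_get_type(value) == XPC_TYPE_STRING` or the matching type constant on each value before it is used; the point of the example is that both checks belong in the handler, not in the accessors.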
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|
| Apple | iOS | <= 8.1.2 | 8.1.3 |
| Apple | OS X | <= 10.10.1 | 10.10.2 |
| Apple | Apple TV | <= 7.0.1 (the description above says all versions before 7.0.3) | 7.0.3 |
Related Weaknesses (CWE)
No CWE identifier is listed on this page. The flaw is a type confusion: an XPC object received from a sandboxed app is used as a dictionary, and its values as particular types, without their types being checked first.
References
- http://lists.apple.com/archives/security-announce/2015/Jan/msg00000.html
- http://lists.apple.com/archives/security-announce/2015/Jan/msg00001.html (Vendor Advisory)
- http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html (Vendor Advisory)
- http://packetstormsecurity.com/files/134393/Mac-OS-X-Networkd-XPC-Type-Confusion
- http://support.apple.com/HT204244 (Vendor Advisory)
- http://support.apple.com/HT204245 (Vendor Advisory)
- http://support.apple.com/HT204246 (Vendor Advisory)
- http://www.exploit-db.com/exploits/35847 (Exploit)
- http://www.osvdb.org/114862
- https://code.google.com/p/google-security-research/issues/detail?id=92 (Exploit)
FAQ
What is CVE-2014-4492?
CVE-2014-4492 is a type-confusion vulnerability in libnetcore on Apple iOS before 8.1.3, OS X before 10.10.2 and Apple TV before 7.0.3, with a CVSS base score of 7.5 (HIGH). A sandboxed app can send networkd a crafted XPC message whose values are not checked for the expected data type (in particular, an object is used as an XPC dictionary without verifying that it is one), which allows arbitrary code execution in the _networkd context.
How severe is CVE-2014-4492?
CVE-2014-4492 is rated HIGH with a CVSS base score of 7.5/10. The impact is that a sandboxed app gains code execution outside its sandbox, in the _networkd context; this page lists only the base score, not the individual CVSS metrics.
Is there a patch for CVE-2014-4492?
Yes. Apple fixed it in iOS 8.1.3, OS X 10.10.2 and Apple TV 7.0.3; the Apple advisories HT204244, HT204245 and HT204246 in the references above cover the three products.