Vulnerability Name:

CVE-2013-3951 (CCN-84809)

Assigned:2013-06-05
Published:2013-06-05
Updated:2016-12-08
Summary:sys/openbsd/stack_protector.c in libc in Apple iOS 6.1.3 and Mac OS X 10.8.x does not properly parse the Apple strings employed in the user-space stack-cookie implementation, which allows local users to bypass cookie randomization by executing a program with a call-path beginning with the stack-guard= substring, as demonstrated by an iOS untethering attack or an attack against a setuid Mac OS X program.
CVSS v3 Severity:4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-20
Vulnerability Consequences:Bypass Security
References:Source: CCN
Type: Stefan Esser
Mountain Lion/iOS Vulnerabilities Garage Sale

Source: MISC
Type: Exploit
http://antid0te.com/syscan_2013/SyScan2013_Mountain_Lion_iOS_Vulnerabilities_Garage_Sale_Whitepaper.pdf

Source: MITRE
Type: CNA
CVE-2013-3951

Source: APPLE
Type: Vendor Advisory
APPLE-SA-2015-09-16-1

Source: APPLE
Type: Vendor Advisory
APPLE-SA-2015-09-21-1

Source: APPLE
Type: Vendor Advisory
APPLE-SA-2015-09-30-3

Source: CCN
Type: Apple Web site
Apple

Source: CCN
Type: BID-60440
Apple iOS User Space Stack Cookies CVE-2013-3951 Local Security Bypass Vulnerability

Source: SECTRACK
Type: UNKNOWN
1033703

Source: MISC
Type: UNKNOWN
http://www.syscan.org/index.php/sg/program/day/2

Source: XF
Type: UNKNOWN
appleios-macosx-cve20133951-sec-bypass(84809)

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/HT205212

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/HT205213

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/HT205267

Vulnerable Configuration:Configuration 1:
  • cpe:/o:apple:iphone_os:*:*:*:*:*:*:*:* (Version <= 8.2)
  • OR cpe:/o:apple:mac_os_x:*:*:*:*:*:*:*:* (Version <= 10.10.4)
  • OR cpe:/o:apple:watchos:*:*:*:*:*:*:*:* (Version <= 1.0.1)

    • Configuration 2:
  • cpe:/o:apple:ios:6.1.3:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.8.0:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.8.1:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.8.2:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.8.3:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.8.4:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:apple:ios:6.1.3:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.8.3:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.8.4:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.8.0:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.8.2:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.8.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    apple iphone os *
    apple mac os x *
    apple watchos *
    apple iphone os 6.1.3
    apple mac os x 10.8.0
    apple mac os x 10.8.1
    apple mac os x 10.8.2
    apple mac os x 10.8.3
    apple mac os x 10.8.4
    apple iphone os 6.1.3
    apple mac os x 10.8.3
    apple mac os x 10.8.4
    apple mac os x 10.8.0
    apple mac os x 10.8.2
    apple mac os x 10.8.1