Vulnerability Name: | CVE-2017-13903 (CCN-136273)
Assigned: | 2017-12-13
Published: | 2017-12-13
Updated: | 2019-10-03
Summary: | An issue was discovered in certain Apple products. iOS before 11.2.1 is affected. tvOS before 11.2.1 is affected. The issue involves the "HomeKit" component. It allows remote attackers to modify the application state by leveraging incorrect message handling, as demonstrated by use of an Apple Watch to obtain an encryption key and unlock a door.
CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Vulnerability Type: | CWE-noinfo
Vulnerability Consequences: | Bypass Security
References: |
Source: MITRE Type: CNA CVE-2017-13903
Source: BID Type: Third Party Advisory, VDB Entry 102182
Source: CCN Type: BID-102182 Apple iOS and tvOS CVE-2017-13903 Security Bypass Vulnerability
Source: SECTRACK Type: Third Party Advisory, VDB Entry 1040008
Source: XF Type: UNKNOWN appleios-cve201713903-sec-bypass(136273)
Source: CCN Type: Apple security document HT208357 About the security content of iOS 11.2.1
Source: CCN Type: Apple security document HT208359 About the security content of tvOS 11.2.1
Source: CONFIRM Type: Vendor Advisory https://support.apple.com/HT208357
Source: CONFIRM Type: Vendor Advisory https://support.apple.com/HT208359
Source: MISC Type: Press/Media Coverage https://www.engadget.com/2017/12/21/apple-ignored-a-major-homekit-security-flaw-for-six-weeks/
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: