The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Apple macOS Sierra

vulnerability CVE-2017-17405

Ruby: code execution via FTP Pipe File

Synthesis of the vulnerability

An attacker can use a vulnerability via FTP Pipe File of Ruby, in order to run code.
Impacted products: Mac OS X, Debian, Solaris, RHEL, Slackware, Ubuntu.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet server.
Creation date: 20/12/2017.
Identifiers: bulletinjan2019, CVE-2017-17405, DLA-1221-1, DLA-1222-1, DLA-1421-1, DSA-4259-1, HT208937, HT209193, RHSA-2018:0378-01, RHSA-2018:0583-01, RHSA-2018:0584-01, RHSA-2018:0585-01, SSA:2017-353-01, USN-3515-1, VIGILANCE-VUL-24840.

Description of the vulnerability

An attacker can use a vulnerability via FTP Pipe File of Ruby, in order to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability note 24664

Mail client: sender spoofing via Mailsploit

Synthesis of the vulnerability

An attacker can send an email with a special From header, which is truncated by some mail clients, in order to deceive the victim.
Impacted products: iOS by Apple, iPhone, Mac OS X, Notes, Office, Outlook, SeaMonkey, Thunderbird, Synology DSM.
Severity: 3/4.
Consequences: disguisement.
Provenance: document.
Creation date: 06/12/2017.
Identifiers: CERTFR-2017-ALE-019, Mailsploit, MFSA-2017-30, Synology-SA-17:82, VIGILANCE-VUL-24664.

Description of the vulnerability

Messaging clients interpret the From header to display the sender name.

However, using a Base64 or Quoted Printable encoding, and '\0' or '\n' characters, an attacker can force the displayed email address to be truncated.

An attacker can therefore send an email with a special From header, which is truncated by some mail clients, in order to deceive the victim.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2017-8816 CVE-2017-8817 CVE-2017-8818

curl: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of curl.
Impacted products: SDS, SES, SNS, OpenOffice, Mac OS X, curl, Debian, Fedora, Juniper EX-Series, Junos OS, SRX-Series, openSUSE Leap, Solaris, RHEL, Shibboleth SP, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 29/11/2017.
Identifiers: bulletinapr2018, bulletinoct2018, CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, DLA-1195-1, DSA-4051-1, FEDORA-2017-0c062324cd, FEDORA-2017-45bdf4dace, HT208465, HT208692, JSA10874, openSUSE-SU-2018:0161-1, RHSA-2018:3558-01, STORM-2019-002, USN-3498-1, USN-3498-2, VIGILANCE-VUL-24564.

Description of the vulnerability

An attacker can use several vulnerabilities of curl.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2017-13872

Apple macOS: privilege escalation via Root Empty Password

Synthesis of the vulnerability

An attacker can bypass restrictions via Root Empty Password of Apple macOS, in order to escalate his privileges.
Impacted products: Mac OS X.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 29/11/2017.
Identifiers: APPLE-SA-2017-11-29-2, CERTFR-2017-ALE-018, CERTFR-2017-AVI-435, CVE-2017-13872, HT208331, HT208394, VIGILANCE-VUL-24563, VU#113765.

Description of the vulnerability

An attacker can bypass restrictions via Root Empty Password of Apple macOS, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2017-3735

OpenSSL: out-of-bounds memory reading via X.509 IPAddressFamily

Synthesis of the vulnerability

An attacker can force a read at an invalid address via X.509 IPAddressFamily of OpenSSL, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: Mac OS X, Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Debian, Fedora, FreeBSD, hMailServer, AIX, WebSphere MQ, Juniper J-Series, Junos OS, NSM Central Manager, NSMXpress, SRX-Series, MariaDB ~ precise, McAfee Web Gateway, MySQL Community, MySQL Enterprise, Nodejs Core, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Internet Directory, Solaris, Tuxedo, WebLogic, Percona Server, pfSense, RHEL, stunnel, SUSE Linux Enterprise Desktop, SLES, Symantec Content Analysis, ProxySG by Symantec, SGOS by Symantec, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, X2GoClient.
Severity: 2/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 02/11/2017.
Identifiers: 2011879, 2013026, 2014367, bulletinapr2018, CERTFR-2017-AVI-391, cpuapr2018, cpuapr2019, cpujan2018, cpujan2019, cpujul2018, cpuoct2018, CVE-2017-3735, DSA-4017-1, DSA-4018-1, FEDORA-2017-4cf72e2c11, FEDORA-2017-512a6c5aae, FEDORA-2017-55a3247cfd, FEDORA-2017-7f30914972, FEDORA-2017-dbec196dd8, FreeBSD-SA-17:11.openssl, HT208331, HT208394, ibm10715641, ibm10738249, JSA10851, openSUSE-SU-2017:3192-1, openSUSE-SU-2018:0029-1, openSUSE-SU-2018:0315-1, RHSA-2018:3221-01, SA157, SB10211, SUSE-SU-2017:2968-1, SUSE-SU-2017:2981-1, SUSE-SU-2018:0112-1, TNS-2017-15, USN-3475-1, VIGILANCE-VUL-24317.

Description of the vulnerability

An attacker can force a read at an invalid address via X.509 IPAddressFamily of OpenSSL, in order to trigger a denial of service, or to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2017-13782 CVE-2017-13786 CVE-2017-13799

Apple macOS: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Apple macOS.
Impacted products: Mac OS X.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on server, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 39.
Creation date: 02/11/2017.
Identifiers: CERTFR-2017-AVI-385, CVE-2017-13782, CVE-2017-13786, CVE-2017-13799, CVE-2017-13800, CVE-2017-13801, CVE-2017-13804, CVE-2017-13807, CVE-2017-13808, CVE-2017-13809, CVE-2017-13810, CVE-2017-13811, CVE-2017-13812, CVE-2017-13813, CVE-2017-13814, CVE-2017-13815, CVE-2017-13816, CVE-2017-13817, CVE-2017-13818, CVE-2017-13819, CVE-2017-13820, CVE-2017-13821, CVE-2017-13822, CVE-2017-13823, CVE-2017-13824, CVE-2017-13825, CVE-2017-13826-REJECT, CVE-2017-13828, CVE-2017-13830, CVE-2017-13831, CVE-2017-13832, CVE-2017-13834, CVE-2017-13836, CVE-2017-13838, CVE-2017-13840, CVE-2017-13841, CVE-2017-13842, CVE-2017-13843, CVE-2017-13846, CVE-2017-7132, HT208221, VIGILANCE-VUL-24280.

Description of the vulnerability

An attacker can use several vulnerabilities of Apple macOS.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2017-12613

Apache APR-core: out-of-bounds memory reading via apr_exp_tim

Synthesis of the vulnerability

An attacker can force a read at an invalid address via apr_exp_tim() of Apache APR-core, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: APR-core, Mac OS X, Debian, BIG-IP Hardware, TMOS, Fedora, Junos Space, openSUSE Leap, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 24/10/2017.
Identifiers: bulletinjul2018, CVE-2017-12613, DLA-1162-1, FEDORA-2017-8d2cfc3752, HT209139, HT209193, JSA10873, K52319810, openSUSE-SU-2018:1214-1, RHSA-2017:3270-01, RHSA-2018:0465-01, RHSA-2018:0466-01, RHSA-2018:1253-01, SUSE-SU-2018:1322-1, VIGILANCE-VUL-24220.

Description of the vulnerability

An attacker can force a read at an invalid address via apr_exp_tim() of Apache APR-core, in order to trigger a denial of service, or to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2017-12618

Apache APR-util: out-of-bounds memory reading via apr_sdbm

Synthesis of the vulnerability

An attacker can force a read at an invalid address via apr_sdbm() of Apache APR-util, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: APR-util, Mac OS X, Debian, Fedora, WebSphere AS Traditional, openSUSE Leap.
Severity: 2/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: user shell.
Creation date: 24/10/2017.
Identifiers: 2009782, CVE-2017-12618, DLA-1163-1, FEDORA-2017-329e5fb4c9, HT209139, HT209193, openSUSE-SU-2017:3325-1, VIGILANCE-VUL-24219.

Description of the vulnerability

An attacker can force a read at an invalid address via apr_sdbm() of Apache APR-util, in order to trigger a denial of service, or to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2017-13077 CVE-2017-13078 CVE-2017-13079

WPA2: information disclosure via Key Reinstallation Attacks

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Key Reinstallation Attacks of WPA2, in order to obtain sensitive information.
Impacted products: SNS, iOS by Apple, iPhone, Mac OS X, ArubaOS, Cisco Aironet, Cisco AnyConnect Secure Mobility Client, ASA, Meraki MR***, Cisco IP Phone, Cisco Wireless IP Phone, Debian, Fedora, FortiGate, FortiOS, FreeBSD, Android OS, Junos OS, SSG, Linux, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 2016, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, openSUSE Leap, pfSense, 802.11 protocol, RHEL, RuggedSwitch, SIMATIC, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: data reading.
Provenance: radio connection.
Number of vulnerabilities in this bulletin: 10.
Creation date: 16/10/2017.
Identifiers: ARUBA-PSA-2017-007, CERTFR-2017-ALE-014, CERTFR-2017-AVI-357, CERTFR-2017-AVI-358, CERTFR-2017-AVI-359, CERTFR-2017-AVI-360, CERTFR-2017-AVI-361, CERTFR-2017-AVI-363, CERTFR-2017-AVI-373, CERTFR-2017-AVI-379, CERTFR-2017-AVI-383, CERTFR-2017-AVI-390, CERTFR-2017-AVI-441, CERTFR-2017-AVI-478, CERTFR-2018-AVI-014, CERTFR-2018-AVI-048, cisco-sa-20171016-wpa, CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088, DLA-1150-1, DLA-1200-1, DLA-1573-1, DSA-3999-1, FEDORA-2017-12e76e8364, FEDORA-2017-45044b6b33, FEDORA-2017-60bfb576b7, FEDORA-2017-cfb950d8f4, FEDORA-2017-fc21e3856b, FG-IR-17-196, FreeBSD-SA-17:07.wpa, HT208221, HT208222, HT208334, HT208394, JSA10827, K-511282, KRACK Attacks, openSUSE-SU-2017:2755-1, openSUSE-SU-2017:2846-1, openSUSE-SU-2017:2896-1, openSUSE-SU-2017:2905-1, openSUSE-SU-2017:3144-1, RHSA-2017:2907-01, RHSA-2017:2911-01, SSA:2017-291-02, SSA-418456, SSA-901333, STORM-2017-005, SUSE-SU-2017:2745-1, SUSE-SU-2017:2752-1, SUSE-SU-2017:2847-1, SUSE-SU-2017:2869-1, SUSE-SU-2017:2908-1, SUSE-SU-2017:2920-1, SUSE-SU-2017:3106-1, SUSE-SU-2017:3165-1, SUSE-SU-2017:3265-1, SUSE-SU-2017:3267-1, SUSE-SU-2018:0040-1, SUSE-SU-2018:0171-1, Synology-SA-17:60, Synology-SA-17:60 KRACK, USN-3455-1, USN-3505-1, VIGILANCE-VUL-24144, VU#228519.

Description of the vulnerability

An attacker can bypass access restrictions to data via Key Reinstallation Attacks of WPA2, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2017-7149 CVE-2017-7150

Apple macOS: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Apple macOS.
Impacted products: Mac OS X.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 06/10/2017.
Identifiers: CERTFR-2017-AVI-334, CVE-2017-7149, CVE-2017-7150, HT208165, VIGILANCE-VUL-24040.

Description of the vulnerability

An attacker can use several vulnerabilities of Apple macOS.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Apple macOS Sierra: