Buffer overflow in products

#VU33472 Buffer overflow in products

Cybersecurity Help s.r.o.

Published: 2017-02-20 | Updated: 2020-08-04

Vulnerability identifier: #VU33472

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2355

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. iCloud before 6.1.1 is affected. iTunes before 12.5.5 is affected. tvOS before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access and application crash) via a crafted web site.

Mitigation
Install update from vendor's website.

External links
http://www.securityfocus.com/bid/95736
http://www.securitytracker.com/id/1037668
http://security.gentoo.org/glsa/201706-15
http://support.apple.com/HT207481
http://support.apple.com/HT207482
http://support.apple.com/HT207484
http://support.apple.com/HT207485
http://support.apple.com/HT207486

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Buffer overflow in webkit2gtk (Alpine package)

Arch Linux update for webkit2gtk