#VU41100 Command Injection in macOS and NetBSD - CVE-2014-8517

Vulnerability identifier: #VU41100

Vulnerability risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/U:Green]

CVE-ID: CVE-2014-8517

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
macOS
Operating systems & Components / Operating system
NetBSD
Operating systems & Components / Operating system

Vendor: Apple Inc.
NetBSD Foundation, Inc

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.

Mitigation
Install update from vendor's website.

Vulnerable software versions

macOS: 10.8.5, 10.9.5, 10.10.0 - 10.10.1

NetBSD: 5.1 - 10.10.1

---

External links
https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-013.txt.asc
https://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
https://lists.opensuse.org/opensuse-updates/2014-11/msg00029.html
https://seclists.org/oss-sec/2014/q4/459
https://seclists.org/oss-sec/2014/q4/464
https://secunia.com/advisories/62028
https://secunia.com/advisories/62260
https://support.apple.com/HT204244
https://security.gentoo.org/glsa/201611-05
https://www.exploit-db.com/exploits/43112/

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.