#VU9671 Information disclosure in iCloud for Windows - CVE-2017-13864

Cybersecurity Help s.r.o.

Published: 2017-12-18

Vulnerability identifier: #VU9671

Vulnerability risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-13864

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
iCloud for Windows
Client/Desktop applications / Other client software

Vendor: Apple Inc.

Description
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a privacy issue in the use of client certificates. A remote attacker can obtain credentials and track the user's actions.

Mitigation
Update to version 7.2.

Vulnerable software versions

iCloud for Windows: 6.0.0 - 6.2.2

External links
https://support.apple.com/en-us/HT208328

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Apple iTunes

Multiple vulnerabilities in Apple iCloud