A vulnerability, which was classified as critical, has been found in Apple macOS up to 10.14.3 (Operating System). Affected by this issue is an unknown code of the component Security. The manipulation with an unknown input leads to a out-of-bounds vulnerability. Using CWE to declare the problem leads to CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. Impacted is confidentiality, integrity, and availability. CVE summarizes:

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Mojave 10.14.4. A malicious application may be able to read restricted memory.

The bug was discovered 03/25/2019. The weakness was shared 03/25/2019 with NCSC as HT209600 as confirmed advisory (Website). The advisory is available at support.apple.com. This vulnerability is handled as CVE-2019-8520 since 02/18/2019. The exploitation is known to be easy. Local access is required to approach this attack. No form of authentication is required for exploitation. The technical details are unknown and an exploit is not available. The advisory points out:

An out-of-bounds read was addressed with improved bounds checking.

The commercial vulnerability scanner Qualys is able to test this issue with plugin 371712 (Apple macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra Not Installed (APPLE-SA-2019-3-25-2)).

Upgrading to version 10.14.4 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The entries VDB-132341, VDB-132342, VDB-132343 and VDB-132344 are related to this item.

Productinfo

Type

• Operating System

Vendor

• Apple

Name

• macOS

Version

• 10.14.0
• 10.14.1
• 10.14.2
• 10.14.3

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion