A vulnerability was found in Apple iOS up to 9.3.3 (Smartphone Operating System) and classified as problematic. This issue affects an unknown code block of the component Printing UIKit. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Printing UIKit in Apple iOS before 10 mishandles environment variables, which allows local users to discover cleartext AirPrint preview content by reading a temporary file.

The weakness was disclosed 09/13/2016 by Raul Siles with DinoSec as HT207143 as confirmed advisory (Website). It is possible to read the advisory at support.apple.com. The identification of this vulnerability is CVE-2016-4749 since 05/11/2016. The exploitation is known to be easy. Attacking locally is a requirement. The requirement for exploitation is a simple authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK. The advisory points out:

An issue existed in AirPrint preview. This was addressed through improved environment sanitization.

Upgrading to version 10 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The entries 91604, 91602, 91603 and 91605 are pretty similar.

Productinfo

Type

• Smartphone Operating System

Vendor

• Apple

Name

• iOS

Version

• 9.3.0
• 9.3.1
• 9.3.2
• 9.3.3

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion