CVE-2016-7626
published 2017-02-20


Priority: P260 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.42% (91.7th percentile)
An issue was discovered in certain Apple products. iOS before 10.2 is affected. tvOS before 10.1 is affected. watchOS before 3.1.1 is affected. The issue involves the "Profiles" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted certificate profile.

Affected

6 ranges
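| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| apple | ios | | |
| apple | iphone_os | < 10.2 | 10.2 |
| apple | tvos | < 10.1 | 10.1 |
| apple | tvos | | |
| apple | watchos | < 3.1.1 | 3.1.1 |
| apple | watchos | | |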

Detection & IOCs (extracted from sources)

  • Monitor for crashes of the 'profiled' process (com.apple.managedconfiguration.profiled) triggered by SIGSEGV / EXC_BAD_ACCESS, which indicates exploitation of the certificate profile memory corruption vulnerability.
  • Watch for the log message indicating profiled service exit due to segmentation fault, which is a direct symptom of exploitation.
  • Detect NSCocoaErrorDomain Code 4097 errors referencing 'com.apple.managedconfiguration.profiled' in MobileSafari logs, indicating a failed/crashed profiled helper after certificate delivery.
  • Alert on HTTP redirects from web content (e.g., via Mobile Safari) to CRT/certificate files, especially from untrusted domains, as the attack vector involves Safari silently launching the Preferences app to import a crafted certificate.
  • The overflow is controlled via the certificate length in the OCSP field; inspect certificate files with anomalously large OCSP field lengths delivered over the network.
  • The attack can be delivered via both Apple Mail (double-click on certificate attachment) and Mobile Safari (HTTP redirect to a CRT file), meaning network-based and email-based delivery vectors both apply.
  • The vulnerability affects iOS before 10.2, tvOS before 10.1, and watchOS before 3.1.1 (and watchOS before 3.1.3 per a later advisory); detections should be scoped to unpatched devices running these OS versions.

CVSS provenance

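| Source | Version | Score | Severity | Vector |
|--------|---------|-------|----------|--------|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |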