CVE-2016-7626
Published 2017-02-20
Priority P260 · high · 8.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.42% (91.7th percentile)
An issue was discovered in certain Apple products. iOS before 10.2 is affected. tvOS before 10.1 is affected. watchOS before 3.1.1 is affected. The issue involves the "Profiles" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted certificate profile.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | < 10.2 | 10.2 |
| apple | tvos | < 10.1 | 10.1 |
| apple | tvos | — | — |
| apple | watchos | < 3.1.1 | 3.1.1 |
| apple | watchos | — | — |
Detection & IOCs (extracted from sources)
- Monitor for crashes of the 'profiled' process (com.apple.managedconfiguration.profiled) triggered by SIGSEGV / EXC_BAD_ACCESS, which indicates exploitation of the certificate profile memory corruption vulnerability.
- Watch for the log message indicating profiled service exit due to segmentation fault, which is a direct symptom of exploitation.
- Detect NSCocoaErrorDomain Code 4097 errors referencing 'com.apple.managedconfiguration.profiled' in MobileSafari logs, indicating a failed/crashed profiled helper after certificate delivery.
- Alert on HTTP redirects from web content (e.g., via Mobile Safari) to CRT/certificate files, especially from untrusted domains, as the attack vector involves Safari silently launching the Preferences app to import a crafted certificate.
- The overflow is controlled via the certificate length in the OCSP field; inspect certificate files with anomalously large OCSP field lengths delivered over the network.
- The attack can be delivered via both Apple Mail (double-click on certificate attachment) and Mobile Safari (HTTP redirect to a CRT file), meaning network-based and email-based delivery vectors both apply.
- The vulnerability affects iOS before 10.2, tvOS before 10.1, and watchOS before 3.1.1 (and watchOS before 3.1.3 per a later advisory); detections should be scoped to unpatched devices running these OS versions.
CVSS provenance
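| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |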
GHSA
GHSA-6233-89wc-89pv: An issue was discovered in certain Apple products
ghsa_unreviewed·2022-05-14
CVE-2016-7626 [HIGH] CWE-119 GHSA-6233-89wc-89pv: An issue was discovered in certain Apple products
Apple
CVE-2016-7626: watchOS 3.1.3
vendor_apple·2017-01-23·CVSS 8.8
CVE-2016-7626 [HIGH] CVE-2016-7626: watchOS 3.1.3
Apple Security Update: About the security content of watchOS 3.1.3
Product: watchOS
Version: 3.1.3
CVE: CVE-2016-7626
Component: Profiles
Impact: Opening a maliciously crafted certificate may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of certificate profiles. This issue was addressed through improved input validation.
Apple
CVE-2016-7626: iOS 10.2
vendor_apple·2016-12-12·CVSS 8.8
CVE-2016-7626 [HIGH] CVE-2016-7626: iOS 10.2
Apple Security Update: About the security content of iOS 10.2
Product: iOS
Version: 10.2
CVE: CVE-2016-7626
Component: Profiles
Impact: Opening a maliciously crafted certificate may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of certificate profiles. This issue was addressed through improved input validation.
Apple
CVE-2016-7626: tvOS 10.1
vendor_apple·2016-12-12·CVSS 8.8
CVE-2016-7626 [HIGH] CVE-2016-7626: tvOS 10.1
Apple Security Update: About the security content of tvOS 10.1
Product: tvOS
Version: 10.1
CVE: CVE-2016-7626
Component: Profiles
Impact: Opening a maliciously crafted certificate may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of certificate profiles. This issue was addressed through improved input validation.
References
- http://www.securityfocus.com/bid/94852
- http://www.securitytracker.com/id/1037429
- https://lists.apple.com/archives/security-announce/2016/Dec/msg00001.html
- https://support.apple.com/HT207422
- https://support.apple.com/HT207425
- https://support.apple.com/HT207487
- https://www.exploit-db.com/exploits/40906/