CVE-2017-2370
published 2017-02-20


Priority: P354 · high · 7.8 (CVSS 3.0)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 11.36% (95.4th percentile)
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. macOS before 10.12.3 is affected. tvOS before 10.1.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (buffer overflow) via a crafted app.

Affected

8 ranges
Vendor | Product | Version range | Fixed in
apple | ios | |
apple | iphone_os | < 10.2.1 | 10.2.1
apple | mac_os_x | < 10.12.3 | 10.12.3
apple | macos_sierra | |
apple | tvos | < 10.1.1 | 10.1.1
apple | tvos | |
apple | watchos | < 3.1.3 | 3.1.3
apple | watchos | |

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41163.zip
  • Monitor for userspace calls to the `mach_voucher_extract_attr_recipe_trap` Mach trap with a crafted `recipe_size` userspace pointer designed to trigger a kernel heap overflow; the trap is callable from any context and requires no special privileges.
  • Detect exploitation attempts where the `recipe_size` argument (a userspace pointer) is passed as the `size` parameter to `copyin` instead of the validated `sz` value, enabling a fully controlled kernel heap overflow.
  • Flag processes on macOS Sierra 10.12.1 (build 16B2555) or iOS 10.2 (iPod Touch 6G, build 14C92) invoking `mach_voucher_extract_attr_recipe_trap` with a `sz` value between 256 (MACH_VOUCHER_TRAP_STACK_LIMIT) and 5120 (MACH_VOUCHER_ATTR_MAX_RAW_RECIPE_ARRAY_SIZE), which triggers the vulnerable heap allocation path.
  • The vulnerability exists in the Kernel component across multiple Apple platforms; patched versions are iOS 10.2.1, macOS Sierra 10.12.3, tvOS 10.1.1, and watchOS 3.1.3, so detections should be scoped to devices running older versions.
  • The PoC exploit specifically targets macOS Sierra 10.12.1 (build 16B2555) and iOS 10.2 on iPod Touch 6G (build 14C92); detections tuned to these exact builds will have the highest fidelity.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C