cbcvebase.
CVE-2018-4407
published 2019-04-03

CVE-2018-4407: A memory corruption issue was addressed with improved validation. This issue affected versions prior to iOS 12, macOS Mojave 10.14, tvOS 12, watchOS 5.

Priority: P260
Severity: high (8.8, CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 22.01% (97.4th percentile)

Affected

9 ranges
Vendor | Product | Version range | Fixed in
apple | ios | - | -
apple | iphone_os | < 12.0 | 12.0
apple | mac_os_x | < 10.14 | 10.14
apple | macos_mojave | - | -
apple | macos_mojave_10.14.1_security_update_2018-002_high_sierra_security_update_2018-0 | - | -
apple | tvos | < 12 | 12
apple | tvos | - | -
apple | watchos | < 5.0 | 5.0
apple | watchos_5 | - | -

Detection & IOCs

  • The vulnerability is triggered by a specially crafted IP packet sent over the local network; monitor for malformed/oversized IP packets targeting Apple devices (XNU kernel networking stack) that cause kernel panics or unexpected reboots.
  • The vulnerability resides in ICMP packet-handling code within the XNU kernel networking stack; network-level detection should focus on anomalous ICMP packets that could trigger a heap buffer overflow.
  • No open ports are required on the target device for exploitation; perimeter port-based filtering is insufficient — detection must occur at the IP/ICMP packet level on the local network segment.
  • Public WiFi networks are a key attack vector; alert on kernel crash/reboot events on Apple devices connected to shared or untrusted network segments.
  • Anti-virus/endpoint security software cannot block exploitation because the vulnerability is in a fundamental layer of the networking code, below where AV operates.
  • The PoC at time of disclosure was withheld from public release to allow time for patching; however, the existence of a PoC video was confirmed and RCE potential was acknowledged by Apple.
  • macOS Mojave (10.14) was patched prior to public release and is not vulnerable; detection/patching efforts should focus on all pre-Mojave macOS and iOS versions prior to iOS 12.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P