CVE-2013-0963

Identity Services in Apple iOS before 6.1 does not properly handle validation failures of AppleID certificates, which might allow physically proximate attackers to bypass authentication by leveraging an incorrect assignment of an empty string value to an AppleID.

CVSS v2.0 2.1 LOW

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lists.apple.com/archives/security-announce/2013/Jan/msg00000.html	Vendor Advisory
http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
http://support.apple.com/kb/HT5642	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:iphone_os:6.0:::::::*
	cpe:2.3:o:apple:iphone_os:6.0.1:::::::*

History

No history.

Information

Published : 2013-01-29 05:58

Updated : 2024-02-04 18:16

NVD link : CVE-2013-0963

Mitre link : CVE-2013-0963

CVE.ORG link : CVE-2013-0963

JSON object : View

Products Affected

apple

iphone_os

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2013-0963", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2013-01-29T05:58:54.900", "references": [{"url": "http://lists.apple.com/archives/security-announce/2013/Jan/msg00000.html", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html", "source": "product-security@apple.com"}, {"url": "http://support.apple.com/kb/HT5642", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Identity Services in Apple iOS before 6.1 does not properly handle validation failures of AppleID certificates, which might allow physically proximate attackers to bypass authentication by leveraging an incorrect assignment of an empty string value to an AppleID."}, {"lang": "es", "value": "Identity Services en Apple iOS v6.1 no maneja adecuadamente los fallos de validaci\u00f3n de los certificados AppleID, que podr\u00eda permitir a atacantes f\u00edsicamente cercanos evitar la autenticaci\u00f3n aprovechando una asignaci\u00f3n incorrecta de un valor de cadena vac\u00edo en un AppleID."}], "lastModified": "2013-03-16T03:39:45.507", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0FD52712-0484-421B-A5DD-2CF0B4C027BD", "versionEndIncluding": "6.0.2"}, {"criteria": "cpe:2.3:o:apple:iphone_os:6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEE0068D-C699-4646-9658-610409925A79"}, {"criteria": "cpe:2.3:o:apple:iphone_os:6.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "87C215DD-BC98-4283-BF13-69556EF7CB78"}], "operator": "OR"}]}], "sourceIdentifier": "product-security@apple.com"}