CVE-2013-3951

Apple iOS <8.2 and macOS <10.10.4 - Local Stack Cookie Randomization Bypass via stack-guard= Call-Path Prefix

Title source: llm
STIX 2.1

Description

sys/openbsd/stack_protector.c in libc in Apple iOS 6.1.3 and Mac OS X 10.8.x does not properly parse the Apple strings employed in the user-space stack-cookie implementation, which allows local users to bypass cookie randomization by executing a program with a call-path beginning with the stack-guard= substring, as demonstrated by an iOS untethering attack or an attack against a setuid Mac OS X program.

References (9)

Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033703
Various Sources x_refsource_misc
http://www.syscan.org/index.php/sg/program/day/2
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT205212
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT205267
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Sep/msg00005.html
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT205213
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Sep/msg00001.html

Scores

EPSS 0.0046
EPSS Percentile 36.5%

Details

CWE
CWE-20
Status published
Products (9)
apple/iphone_os 6.1.3
apple/iphone_os < 8.2
apple/mac_os_x 10.8.0
apple/mac_os_x 10.8.1
apple/mac_os_x 10.8.2
apple/mac_os_x 10.8.3
apple/mac_os_x 10.8.4
apple/mac_os_x < 10.10.4
apple/watchos < 1.0.1
Published Jun 05, 2013
Tracked Since Feb 18, 2026