CVE-2014-4497
Description
Integer signedness error in IOBluetoothFamily in the Bluetooth implementation in Apple OS X before 10.10 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (write to kernel memory) via a crafted app.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A signedness error in IOBluetoothFamily of Apple OS X before 10.10 lets a crafted app execute arbitrary code in kernel context or cause a denial of service.
Vulnerability
A signedness error in the IOBluetoothFamily component of the Bluetooth implementation in Apple OS X versions before 10.10 allows an integer overflow condition. This vulnerability can be triggered by a crafted application that supplies a negative (signed) value where an unsigned integer is expected, leading to incorrect memory handling. The affected versions are all OS X releases prior to OS X Yosemite v10.10 (10.10.0 and earlier). [1]
Exploitation
An attacker must have the ability to run a malicious application on the target system (local access). The crafted app sends a specially crafted Bluetooth command that exploits the signedness error in IOBluetoothFamily. No user interaction beyond launching the app is required, and the attacker does not need elevated privileges to initiate the attack. The exploit triggers the flaw during I/O Kit processing, leading to an out-of-bounds write to kernel memory. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary code with kernel (ring 0) privileges, fully compromising the operating system. Alternatively, the attacker can trigger a denial of service by corrupting kernel memory, causing a system panic or instability. [1]
Mitigation
Apple addressed this issue in OS X Yosemite v10.10.2 (released January 27, 2015) and Security Update 2015-001 for earlier versions. Users should update to OS X 10.10.2 or later, or apply the security update. No workaround is available for unpatched systems. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. [1]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.10
Patches
No patches discovered yet.
References
- lists.apple.com/archives/security-announce/2015/Jan/msg00003.html (nvd, Vendor Advisory)
- support.apple.com/HT204244 (nvd, Vendor Advisory)
- www.securitytracker.com/id/1031650 (nvd)