VYPR
Unrated severity · NVD Advisory · Published Jul 3, 2015 · Updated May 6, 2026

CVE-2015-3684

Description

The HTTPAuthentication implementation in CFNetwork in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted credentials in a URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Crafted credentials in a URL cause memory corruption in CFNetwork's HTTPAuthentication on iOS and OS X, potentially leading to arbitrary code execution or denial of service.

Vulnerability

The HTTPAuthentication implementation in CFNetwork contains a memory corruption vulnerability that is triggered when crafted credentials are provided in a URL. This affects Apple iOS before 8.4 and OS X before 10.10.4, as stated in the official CVE description [1][2]. The bug lies in the handling of user credential strings during HTTP authentication, and it does not require any special configuration beyond making a network request with a maliciously crafted URL.

Exploitation

An attacker can exploit this vulnerability by supplying a URL containing specially crafted credentials to a vulnerable device. The attack does not require authentication; it is remotely exploitable over the network. The vulnerable CFNetwork component is used by any application that processes HTTP URLs, including Safari and third-party apps. The attacker only needs to deliver the malicious URL, for example via a link, a web page, or a crafted network response, to trigger the memory corruption during parsing.

Impact

Successful exploitation can lead to arbitrary code execution or a denial of service (application crash) on the target device. The memory corruption occurs with the privileges of the application processing the URL, which may amount to full user-level access. On iOS this could affect system services and lead to a complete compromise of the device; on OS X, it could affect the user session. The impact is rated critical due to the remote attack vector and lack of required authentication.

Mitigation

Apple addressed this vulnerability in iOS 8.4 and OS X Yosemite v10.10.4, released July 2015 [1][2]. All users should update their devices to these versions or later. No workarounds are available; the only mitigation is to apply the security updates. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
