CVE-2018-4400

Vulnerability

A validation issue exists in the afpserver component on macOS and in the AppleAVD component on iOS and watchOS. This affects versions prior to iOS 12.1, macOS Mojave 10.14.1, watchOS 5.1, as well as macOS Sierra 10.12.6 and High Sierra 10.13.6 with security updates [1][2][3].

Exploitation

On macOS, a remote attacker can send specially crafted HTTP requests to an AFP server, exploiting the validation flaw [1]. On iOS, an attacker can deliver a malicious video via FaceTime; processing the video triggers the issue [2]. On watchOS, a malicious application already installed on the device can exploit the vulnerability [3].

Impact

Successful exploitation leads to different outcomes per platform: on macOS, an attacker may compromise the AFP server; on iOS, arbitrary code execution in the context of the FaceTime process; on watchOS, privilege escalation within the watchOS environment [1][2][3].

Mitigation

Apple released fixes on October 30, 2018: iOS 12.1, macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra, and watchOS 5.1. Users should update to these versions [1][2][3].