Vulnerability Details : CVE-2017-13903
An issue was discovered in certain Apple products. iOS before 11.2.1 is affected. tvOS before 11.2.1 is affected. The issue involves the "HomeKit" component. It allows remote attackers to modify the application state by leveraging incorrect message handling, as demonstrated by use of an Apple Watch to obtain an encryption key and unlock a door.
Products affected by CVE-2017-13903
- cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-13903
- EPSS score: 0.60% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~67% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2017-13903
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST |
References for CVE-2017-13903
- http://www.securitytracker.com/id/1040008 : Apple iOS HomeKit Bug Lets Remote Users Access and Control HomeKit Smart Accessories (SecurityTracker; Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/102182 : Apple iOS and tvOS CVE-2017-13903 Security Bypass Vulnerability (Third Party Advisory; VDB Entry)
- https://support.apple.com/HT208357 : About the security content of iOS 11.2.1 (Apple Support; Vendor Advisory)
- https://support.apple.com/HT208359 : About the security content of tvOS 11.2.1 (Apple Support; Vendor Advisory)
- https://www.engadget.com/2017/12/21/apple-ignored-a-major-homekit-security-flaw-for-six-weeks/ : Apple ignored a major HomeKit security flaw for six weeks (Press/Media Coverage)