CVE-2003-0601
CVSS 7.5
Published: 2004-03-29 00:00:00
Last revised: 2008-09-05 16:34:45

[Original] Workgroup Manager in Apple Mac OS X Server 10.2 through 10.2.6 does not disable a password for a new account before it is saved for the first time, which allows remote attackers to gain unauthorized access via the new account before it is saved.


[CNNVD] Apple Mac OS X Server Workgroup Manager Insecure Account Creation Vulnerability (CNNVD-200403-124)

        
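        Mac OS X is an operating system used on Mac machines, based on BSD.
        Apple Mac OS X Server Workgroup Manager does not create accounts securely, allowing an attacker to use the newly created account to gain unauthorized access or elevate privileges.
        However, no detailed vulnerability information has been provided so far.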
        

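- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]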

- CPE (Affected platforms and products)

cpe:/o:apple:mac_os_x_server:10.2.1    Apple Mac OS X Server 10.2.1
cpe:/o:apple:mac_os_x_server:10.2.6    Apple Mac OS X Server 10.2.6
cpe:/o:apple:mac_os_x_server:10.2.3    Apple Mac OS X Server 10.2.3
cpe:/o:apple:mac_os_x_server:10.2.2    Apple Mac OS X Server 10.2.2
cpe:/o:apple:mac_os_x_server:10.2.5    Apple Mac OS X Server 10.2.5
cpe:/o:apple:mac_os_x_server:10.2    Apple Mac OS X Server 10.2
cpe:/o:apple:mac_os_x_server:10.2.4    Apple Mac OS X Server 10.2.4

- OVAL (Technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0601
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0601
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-124
(Official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/12728
(VENDOR_ADVISORY)  XF  macos-workgroup-gain-access(12728)
http://www.securityfocus.com/bid/8266
(VENDOR_ADVISORY)  BID  8266
http://docs.info.apple.com/article.html?artnum=25631
(VENDOR_ADVISORY)  CONFIRM  http://docs.info.apple.com/article.html?artnum=25631

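- Vulnerability information

Apple Mac OS X Server Workgroup Manager Insecure Account Creation Vulnerability
High risk  Unknown
2004-03-29 00:00:00 2005-10-20 00:00:00
Remote

        Mac OS X is an operating system used on Mac machines, based on BSD.
        Apple Mac OS X Server Workgroup Manager does not create accounts securely, allowing an attacker to use the newly created account to gain unauthorized access or elevate privileges.
        However, no detailed vulnerability information has been provided so far.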
        

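- Advisories and patches

        Vendor patch:
        Apple
        -----
        The vendor has provided a patch. It can also be applied to Mac OS X client systems, although clients that do not have Workgroup Manager installed do not need it: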
        Apple MacOS X Server 10.2.6:
        Apple Patch SecurityUpd2003-07-23.dmg
        
        http://docs.info.apple.com/article.html?artnum=120235

- Vulnerability information

7064
Apple Mac OS X Workgroup Manager Default Account Access
Remote / Network Access, Local / Remote Authentication Management
Loss of Integrity
Exploit Public

- Vulnerability description

Mac OS X contains a flaw that may allow a malicious user to access a newly created account before it is saved for the first time. The issue is caused by new accounts being available for login before they are saved initially. It is possible that the flaw may allow unauthorized access resulting in a loss of integrity.

- Timeline

2003-07-23 Unknown
2003-07-23 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Apple Mac OS X Server Workgroup Manager Undisclosed Insecure Account Creation Vulnerability
Unknown 8266
Yes No
2003-07-24 12:00:00 2009-07-11 10:56:00
This vulnerability has been disclosed by the vendor.

- Affected program versions

Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2

- Vulnerability discussion

Apple Mac OS X Server Workgroup Manager has been reported prone to an undisclosed insecure account creation vulnerability.

It has been reported that the OS X Server Workgroup Manager may create accounts in an insecure manner. This vulnerability may allow an attacker to gain unauthorized access or elevated privileges to an affected system via the newly created account.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The vendor has released a security update to address this issue. The vendor notes that, because the affected software can be installed on a Mac OS X client system, this security update also works for Mac OS X client systems that have the affected software installed. However, there is no need to install the Security Update on Mac OS X client systems that do not have Workgroup Manager installed. The update can be obtained using the Software Update pane in System Preferences or by following the link below.


Apple Mac OS X Server 10.2.6

- Related references

 

 
