Category:   OS (UNIX)  >   Mac OS X
Vendors:   Apple Computer
Mac OS X DS Tools Discloses Passwords to Local Users
SecurityTracker Alert ID:  1021722
SecurityTracker URL:  http://securitytracker.com/id/1021722
CVE Reference:   CVE-2009-0013
Date:  Feb 13 2009
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 10.4.11, 10.5.6
Description:   A vulnerability was reported in Mac OS X DS Tools. A local user can obtain passwords.

The dscl command-line tool requires passwords to be passed as command-line arguments. Because the arguments of a running process appear in the process list, a local user can view the process list to obtain those passwords, including administrator passwords.

Impact:   A local user can obtain passwords.
Solution:   The vendor has issued a fix as part of Security Update 2009-001, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.5.6
The download file is named: "SecUpd2009-001.dmg"
Its SHA-1 digest is: 08d8e962e2687f01b3cdc4cb386ef4e44992a1e0

For Mac OS X Server 10.5.6
The download file is named: "SecUpdSrvr2009-001.dmg"
Its SHA-1 digest is: b44344f918cbf15266cde2c989c443e455ccd88f

For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2009-001Intel.dmg"
Its SHA-1 digest is: e1e1a09d9543fe1a1acc759c5ed11dde58f84e0e

For Mac OS X v10.4.11 (PPC)
The download file is named: "SecUpd2009-001PPC.dmg"
Its SHA-1 digest is: a9158bed12fa6650634bc8f972a7990cddb765d9

For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2009-001Univ.dmg"
Its SHA-1 digest is: 6b056d47bbf2566cda7908590fc2ccd0ab4b889f

For Mac OS X Server v10.4.11 (PPC)
The download file is named: "SecUpdSrvr2009-001PPC.dmg"
Its SHA-1 digest is: a9f97ba89b8acc6927779859bbec3787d1fb3b2a

The vendor's advisory is available at:

http://support.apple.com/kb/HT3438

Vendor URL:  support.apple.com/kb/HT1222
Cause:   Access control error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Thu, 12 Feb 2009 23:01:57 -0500
Subject:  Mac OS X


APPLE-SA-2009-02-12 Security Update 2009-001

DS Tools
CVE-ID:  CVE-2009-0013
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.6, Mac OS X Server v10.5.6
Impact:  Passwords supplied to dscl are exposed to other local users
Description:  The dscl command-line tool required that passwords be
passed to it in its arguments, potentially exposing the passwords to
other local users. Passwords exposed include those for users and
administrators. This update makes the password parameter optional,
and dscl will prompt for the password if needed. Credit: Apple.
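
As an added illustration (not code from SecurityTracker or Apple), the following Python script audits command lines, such as the contents of an administrator's own scripts, for dscl invocations that still place a password in the argument list, and reports them with the secret redacted. It assumes the password appears either after dscl's `-P` option or after the user path of its `-passwd` command; the sample lines are constructed.

```python
import shlex

def audit_dscl_command(cmdline):
    """Return (reasons, redacted_cmdline) for one command line."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:                      # unbalanced quotes: cannot parse, skip
        return [], cmdline
    start = next((i for i, t in enumerate(tokens)
                  if t.rsplit("/", 1)[-1] == "dscl"), None)
    if start is None:                       # not a dscl invocation
        return [], cmdline
    out, reasons = tokens[:start + 1], []
    args, i = tokens[start + 1:], 0
    while i < len(args):
        tok, nxt = args[i], args[i + 1:i + 2]
        out.append(tok)
        if tok == "-P" and nxt:             # authentication password option
            reasons.append("-P password in argv")
            out.append("REDACTED")
            i += 2
        elif tok in ("-u", "-f") and nxt:   # options whose value is not a secret
            out.append(nxt[0])
            i += 2
        elif tok == "-passwd":              # -passwd user_path [old_password] new_password
            rest = args[i + 1:]
            out.extend(rest[:1])            # keep the user path
            if len(rest) > 1:
                reasons.append("-passwd password in argv")
                out.extend(["REDACTED"] * (len(rest) - 1))
            break
        else:
            i += 1
    return reasons, shlex.join(out)

def audit(lines):
    """Return [(line_number, reasons, redacted_cmdline)] for flagged lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons, redacted = audit_dscl_command(line)
        if reasons:
            findings.append((n, reasons, redacted))
    return findings

# Constructed sample lines, as they might appear in an admin script.
SAMPLE = [
    "dscl -u diradmin -P 'S3cret!' /LDAPv3/127.0.0.1 -read /Users/alice",
    "sudo /usr/bin/dscl . -passwd /Users/bob oldpw newpw",
    "dscl -u diradmin -p /LDAPv3/127.0.0.1 -read /Users/alice",  # -p prompts instead
    "dscl . -passwd /Users/bob",  # no password in argv; relies on the prompt
    "ps axww",
]

if __name__ == "__main__":
    for n, reasons, redacted in audit(SAMPLE):
        print(f"line {n}: {', '.join(reasons)}: {redacted}")
```

Lines 3 and 4 of the sample are not flagged because they rely on the prompt that the update describes rather than on an argument.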


Copyright 2014, SecurityGlobal.net LLC