Mac OS X Apple File Protocol (AFP) Server Password Validation Flaw Lets Remote Users Access AFP Shares
SecurityTracker Alert ID: 1024462
SecurityTracker URL: http://securitytracker.com/id/1024462
CVE Reference: CVE-2010-1820
Date: Sep 20 2010
Impact:
Disclosure of user information, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 10.6 - 10.6.4
Description:
A vulnerability was reported in Apple File Protocol (AFP). A remote user can bypass authentication.
A remote user with knowledge of a valid account name on the target system can bypass password validation and access the target AFP shared folders.
Systems prior to Mac OS X v10.6 are not affected.
Impact:
A remote user can access AFP shares.
Solution:
The vendor has issued a fix (Security Update 2010-006), available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at: http://www.apple.com/support/downloads/
For Mac OS X v10.6.4 and Mac OS X Server v10.6.4
The download file is named: SecUpd2010-006Snow.dmg
Its SHA-1 digest is: 84e2c0b95e932be42360273f99581ecf2c25fe34
The vendor's advisory is available at:
http://support.apple.com/kb/HT4361
Vendor URL: support.apple.com/kb/HT4361
Cause:
Authentication error
Underlying OS:
Message History:
None.
Source Message Contents
Date: Mon, 20 Sep 2010 12:09:33 -0700
Subject: APPLE-SA-2010-09-20-1 Security Update 2010-006
APPLE-SA-2010-09-20-1 Security Update 2010-006
Security Update 2010-006 is now available and addresses the following:
AFP
CVE-ID: CVE-2010-1820
Available for: Mac OS X v10.6.4, Mac OS X Server v10.6.4
Impact: A remote attacker may access AFP shared folders without a valid password
Description: An error handling issue exists in AFP Server. A remote attacker with knowledge of an account name on a target system may bypass the password validation and access AFP shared folders. By default, File Sharing is not enabled. This issue does not affect systems prior to Mac OS X v10.6.
Security Update 2010-006 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/
For Mac OS X v10.6.4 and Mac OS X Server v10.6.4
The download file is named: SecUpd2010-006Snow.dmg
Its SHA-1 digest is: 84e2c0b95e932be42360273f99581ecf2c25fe34
Security Update 2010-006 is not presented to Mac OS X v10.5 systems.
Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
Security-announce mailing list (Security-announce@lists.apple.com)