Sign-up

ID

VAR-200711-0320


CVE

CVE-2007-4703


TITLE

Apple Mac OS X In root Process application firewall limit bypass issue

Trust: 0.8

sources: JVNDB: JVNDB-2007-000984

DESCRIPTION

The Application Firewall in Apple Mac OS X 10.5 does not prevent a root process from accepting incoming connections, even when "Block incoming connections" has been set for its associated executable, which might allow remote attackers or local root processes to bypass intended access restrictions. Apple Mac OS X is prone to a weakness that results in unauthorized network access to certain applications. This issue affects the Application Firewall when the 'Set access for specific services and applications' setting is enabled for certain applications. This weakness exposes the computer to unauthorized remote access and can lead to a false sense of security. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. NOTE: The update changes the name of the option and updates the documentation. 3) Changes to Application Firewall settings do not affect processes started by launchd until they are restarted. This may lead to exposure of certain services. The weaknesses and the security issue have been reported in Mac OS X 10.5 (Leopard). SOLUTION: Update to Mac OS X 10.5.1. Mac OS X 10.5.1 Update: http://www.apple.com/support/downloads/macosx1051update.html Mac OS X Server 10.5.1 Update http://www.apple.com/support/downloads/macosxserver1051update.html PROVIDED AND/OR DISCOVERED BY: J\xfcrgen Schmidt ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307004 heise Security: http://www.heise-security.co.uk/articles/98120 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2007-4703 // JVNDB: JVNDB-2007-000984 // BID: 26460 // VULHUB: VHN-28065 // PACKETSTORM: 61016

AFFECTED PRODUCTS

vendor:applemodel:mac os x serverscope:eqversion:10.5

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.5

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:v10.5

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.5

Trust: 0.8

vendor:applemodel:mac os serverscope:eqversion:x10.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5

Trust: 0.3

vendor:applemodel:mac os serverscope:neversion:x10.5.1

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.5.1

Trust: 0.3

sources: BID: 26460 // JVNDB: JVNDB-2007-000984 // CNNVD: CNNVD-200711-260 // NVD: CVE-2007-4703

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-4703
value: HIGH

Trust: 1.0

NVD: CVE-2007-4703
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200711-260
value: CRITICAL

Trust: 0.6

VULHUB: VHN-28065
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2007-4703
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-28065
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-28065 // JVNDB: JVNDB-2007-000984 // CNNVD: CNNVD-200711-260 // NVD: CVE-2007-4703

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-DesignError

Trust: 0.8

sources: JVNDB: JVNDB-2007-000984 // NVD: CVE-2007-4703

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200711-260

TYPE

Design Error

Trust: 0.9

sources: BID: 26460 // CNNVD: CNNVD-200711-260

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2007-000984

PATCH
title:Mac OS X v10.5.1 Updateurl:http://docs.info.apple.com/article.html?artnum=307004-en
Trust: 0.8
title:Mac OS X v10.5.1 Updateurl:http://docs.info.apple.com/article.html?artnum=307004-jp
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2007-000984

EXTERNAL IDS
db:BIDid:26460
Trust: 2.8
db:NVDid:CVE-2007-4703
Trust: 2.8
db:SECUNIAid:27695
Trust: 2.6
db:SECTRACKid:1018958
Trust: 2.5
db:VUPENid:ADV-2007-3897
Trust: 1.7
db:XFid:38479
Trust: 1.4
db:JVNDBid:JVNDB-2007-000984
Trust: 0.8
db:APPLEid:APPLE-SA-2007-11-15
Trust: 0.6
db:CNNVDid:CNNVD-200711-260
Trust: 0.6
db:VULHUBid:VHN-28065
Trust: 0.1
db:PACKETSTORMid:61016
Trust: 0.1
sources:
            
            
            VULHUB: VHN-28065 // 
            
            
            
            BID: 26460 // 
            
            
            
            JVNDB: JVNDB-2007-000984 // 
            
            
            
            PACKETSTORM: 61016 // 
            
            
            
            CNNVD: CNNVD-200711-260 // 
            
            
            
            NVD: CVE-2007-4703

REFERENCES
url:http://www.securityfocus.com/bid/26460
Trust: 2.5
url:http://securitytracker.com/id?1018958
Trust: 2.5
url:http://docs.info.apple.com/article.html?artnum=307004
Trust: 2.1
url:http://lists.apple.com/archives/security-announce/2007/nov/msg00004.html
Trust: 1.7
url:http://secunia.com/advisories/27695
Trust: 1.7
url:http://www.frsirt.com/english/advisories/2007/3897
Trust: 1.4
url:http://xforce.iss.net/xforce/xfdb/38479
Trust: 1.4
url:http://www.vupen.com/english/advisories/2007/3897
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/38479
Trust: 1.1
url:http://secunia.com/advisories/27695/
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-4703
Trust: 0.8
url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2007-4703
Trust: 0.8
url:http://software.cisco.com/download/navigator.html?mdfid=283613663
Trust: 0.3
url:http://secunia.com/secunia_security_advisories/
Trust: 0.1
url:http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
Trust: 0.1
url:http://www.apple.com/support/downloads/macosxserver1051update.html
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://www.apple.com/support/downloads/macosx1051update.html
Trust: 0.1
url:http://secunia.com/product/96/
Trust: 0.1
url:http://secunia.com/about_secunia_advisories/
Trust: 0.1
url:http://www.heise-security.co.uk/articles/98120
Trust: 0.1
sources:
            
            
            VULHUB: VHN-28065 // 
            
            
            
            BID: 26460 // 
            
            
            
            JVNDB: JVNDB-2007-000984 // 
            
            
            
            PACKETSTORM: 61016 // 
            
            
            
            CNNVD: CNNVD-200711-260 // 
            
            
            
            NVD: CVE-2007-4703

CREDITS
Apple
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200711-260

SOURCES
db:VULHUBid:VHN-28065
db:BIDid:26460
db:JVNDBid:JVNDB-2007-000984
db:PACKETSTORMid:61016
db:CNNVDid:CNNVD-200711-260
db:NVDid:CVE-2007-4703

LAST UPDATE DATE
2025-04-10T23:03:33.963000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-28065date:2017-07-29T00:00:00
db:BIDid:26460date:2007-11-15T23:04:00
db:JVNDBid:JVNDB-2007-000984date:2007-12-07T00:00:00
db:CNNVDid:CNNVD-200711-260date:2007-11-16T00:00:00
db:NVDid:CVE-2007-4703date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE
db:VULHUBid:VHN-28065date:2007-11-15T00:00:00
db:BIDid:26460date:2007-11-15T00:00:00
db:JVNDBid:JVNDB-2007-000984date:2007-12-07T00:00:00
db:PACKETSTORMid:61016date:2007-11-20T16:17:55
db:CNNVDid:CNNVD-200711-260date:2007-11-15T00:00:00
db:NVDid:CVE-2007-4703date:2007-11-15T20:46:00