Sign-up

ID

VAR-200808-0320


CVE

CVE-2008-3438


TITLE

Apple Mac OS X  Vulnerability to execute arbitrary code in

Trust: 0.8

sources: JVNDB: JVNDB-2008-003325

DESCRIPTION

Apple Mac OS X does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning. Mac OS X is the operating system of Apple Computer

Trust: 1.71

sources: NVD: CVE-2008-3438 // JVNDB: JVNDB-2008-003325 // VULHUB: VHN-33563

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:gteversion:10.0.0

Trust: 1.0

vendor:applemodel:mac os xscope:lteversion:10.5.4

Trust: 1.0

vendor:アップルmodel:apple mac os xscope:eqversion: -

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.0.4

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1.3

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1.1

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1.2

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.3

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.1.4

Trust: 0.6

vendor:applemodel:mac os xscope:eqversion:10.0.2

Trust: 0.6

sources: JVNDB: JVNDB-2008-003325 // CNNVD: CNNVD-200808-018 // NVD: CVE-2008-3438

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-3438
value: HIGH

Trust: 1.0

NVD: CVE-2008-3438
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200808-018
value: HIGH

Trust: 0.6

VULHUB: VHN-33563
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2008-3438
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-33563
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2008-3438
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2008-3438
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-33563 // JVNDB: JVNDB-2008-003325 // CNNVD: CNNVD-200808-018 // NVD: CVE-2008-3438

PROBLEMTYPE DATA

problemtype:CWE-494

Trust: 1.0

problemtype:Incomplete integrity verification of downloaded code (CWE-494) [NVD evaluation ]

Trust: 0.8

problemtype:CWE-94

Trust: 0.1

sources: VULHUB: VHN-33563 // JVNDB: JVNDB-2008-003325 // NVD: CVE-2008-3438

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200808-018

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-200808-018

PATCH

title:Top Pageurl:http://www.apple.com/macosx/

Trust: 0.8

sources: JVNDB: JVNDB-2008-003325

EXTERNAL IDS

db:NVDid:CVE-2008-3438

Trust: 3.3

db:JVNDBid:JVNDB-2008-003325

Trust: 0.8

db:FULLDISCid:20080728 TOOL RELEASE: [EVILGRADE] - USING DNS CACHE POISONING TO EXPLOIT POOR UPDATE IMPLEMENTATIONS

Trust: 0.6

db:CNNVDid:CNNVD-200808-018

Trust: 0.6

db:BIDid:83450

Trust: 0.1

db:VULHUBid:VHN-33563

Trust: 0.1

sources: VULHUB: VHN-33563 // JVNDB: JVNDB-2008-003325 // CNNVD: CNNVD-200808-018 // NVD: CVE-2008-3438

REFERENCES

url:http://archives.neohapsis.com/archives/bugtraq/2008-07/0250.html

Trust: 1.7

url:http://www.infobyte.com.ar/down/francisco%20amato%20-%20evilgrade%20-%20eng.pdf

Trust: 1.7

url:http://www.infobyte.com.ar/down/isr-evilgrade-1.0.0.tar.gz

Trust: 1.1

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-3438

Trust: 0.8

sources: VULHUB: VHN-33563 // JVNDB: JVNDB-2008-003325 // CNNVD: CNNVD-200808-018 // NVD: CVE-2008-3438

SOURCES

db:VULHUBid:VHN-33563
db:JVNDBid:JVNDB-2008-003325
db:CNNVDid:CNNVD-200808-018
db:NVDid:CVE-2008-3438

LAST UPDATE DATE

2025-04-10T23:05:19.453000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-33563date:2008-09-05T00:00:00
db:JVNDBid:JVNDB-2008-003325date:2024-03-04T01:50:00
db:CNNVDid:CNNVD-200808-018date:2008-09-05T00:00:00
db:NVDid:CVE-2008-3438date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:VULHUBid:VHN-33563date:2008-08-01T00:00:00
db:JVNDBid:JVNDB-2008-003325date:2012-06-26T00:00:00
db:CNNVDid:CNNVD-200808-018date:2008-08-01T00:00:00
db:NVDid:CVE-2008-3438date:2008-08-01T14:41:00