ID

VAR-200809-0191


CVE

CVE-2008-3617


TITLE

Apple Mac OS X file sharing allows authenticated remote access to files and directories

Trust: 0.8

sources: CERT/CC: VU#126787

DESCRIPTION

Remote Management and Screen Sharing in Apple Mac OS X 10.5 through 10.5.4, when used to set a password for a VNC viewer, displays additional input characters beyond the maximum password length, which might make it easier for attackers to guess passwords that the user believed were longer. Apple Mac OS X Leopard does not accurately reflect which files and directories are available via sharing. The security update addresses a total of 17 new vulnerabilities that affect the Apple Type Services, Directory Services, Finder, ImageIO, Kernel, Login Windows, SearchKit, System Configuration, System Preferences, Time Machine, VideoConference, and Wiki Server components of Mac OS X. The advisory also contains security updates for 17 previously reported issues. The password field can display more than 8 characters, that is, extra characters are used in the password. Attackers could exploit these vulnerabilities to execute arbitrary code, gain access to sensitive information, or cause a denial of service.

Impact: The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, denial of service, privilege escalation, or DNS cache poisoning.

These and other updates are available via Software Update or via Apple Downloads.

Produced 2008 by US-CERT, a government organization.
Revision History: September 16 2008: Initial release

Trust: 2.79

sources: NVD: CVE-2008-3617 // CERT/CC: VU#126787 // JVNDB: JVNDB-2008-001726 // BID: 31189 // VULHUB: VHN-33742 // PACKETSTORM: 70024

AFFECTED PRODUCTS

vendor: apple | model: mac os x | scope: eq | version: 10.5.4

Trust: 1.6

vendor: apple | model: mac os x | scope: eq | version: 10.5

Trust: 1.6

vendor: apple | model: mac os x | scope: eq | version: 10.5.2

Trust: 1.6

vendor: apple | model: mac os x | scope: eq | version: 10.5.1

Trust: 1.6

vendor: apple | model: mac os x server | scope: eq | version: 10.5.2

Trust: 1.6

vendor: apple | model: mac os x server | scope: eq | version: 10.5.1

Trust: 1.6

vendor: apple | model: mac os x server | scope: eq | version: 10.5.4

Trust: 1.6

vendor: apple | model: mac os x server | scope: eq | version: 10.5

Trust: 1.6

vendor: apple | model: mac os x | scope: eq | version: 10.5.3

Trust: 1.6

vendor: apple | model: mac os x server | scope: eq | version: 10.5.3

Trust: 1.6

vendor: apple computer | model: - | scope: - | version: -

Trust: 0.8

vendor: apple | model: mac os x | scope: eq | version: v10.5 to v10.5.4

Trust: 0.8

vendor: apple | model: mac os x server | scope: eq | version: v10.5 to v10.5.4

Trust: 0.8

vendor: apple | model: safari | scope: eq | version: 3.1.2

Trust: 0.3

vendor: apple | model: safari | scope: eq | version: 3.1.1

Trust: 0.3

vendor: apple | model: safari beta | scope: eq | version: 3.0.3

Trust: 0.3

vendor: apple | model: safari beta | scope: eq | version: 3.0.2

Trust: 0.3

vendor: apple | model: safari beta | scope: eq | version: 3.0.1

Trust: 0.3

vendor: apple | model: safari | scope: eq | version: 3.2

Trust: 0.3

vendor: apple | model: safari | scope: eq | version: 3.1

Trust: 0.3

vendor: apple | model: safari beta | scope: eq | version: 3

Trust: 0.3

vendor: apple | model: safari | scope: eq | version: 3

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.5.4

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.5.3

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.5.2

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.5.1

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.4.11

Trust: 0.3

vendor: apple | model: mac os server | scope: eq | version: x10.5

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.5.4

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.5.3

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.5.2

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.5.1

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.4.11

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.5

Trust: 0.3

vendor: apple | model: ilife | scope: eq | version: 8.0

Trust: 0.3

vendor: apple | model: aperture | scope: eq | version: 2

Trust: 0.3

vendor: apple | model: mac os server | scope: ne | version: x10.5.5

Trust: 0.3

vendor: apple | model: mac os | scope: ne | version: x10.5.5

Trust: 0.3

vendor: apple | model: ilife support | scope: ne | version: 8.3.1

Trust: 0.3

sources: CERT/CC: VU#126787 // BID: 31189 // JVNDB: JVNDB-2008-001726 // CNNVD: CNNVD-200809-220 // NVD: CVE-2008-3617

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-3617
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#126787
value: 1.01

Trust: 0.8

NVD: CVE-2008-3617
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200809-220
value: MEDIUM

Trust: 0.6

VULHUB: VHN-33742
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2008-3617
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-33742
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#126787 // VULHUB: VHN-33742 // JVNDB: JVNDB-2008-001726 // CNNVD: CNNVD-200809-220 // NVD: CVE-2008-3617

PROBLEMTYPE DATA

problemtype:CWE-255

Trust: 1.9

sources: VULHUB: VHN-33742 // JVNDB: JVNDB-2008-001726 // NVD: CVE-2008-3617

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200809-220

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-200809-220

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-001726

PATCH

title: Security Update 2008-006 | url: http://support.apple.com/kb/HT3137

Trust: 0.8

title: Security Update 2008-006 | url: http://support.apple.com/kb/HT3137?viewlocale=ja_JP

Trust: 0.8

sources: JVNDB: JVNDB-2008-001726

EXTERNAL IDS

db: NVD | id: CVE-2008-3617

Trust: 2.8

db: BID | id: 31189

Trust: 2.8

db: USCERT | id: TA08-260A

Trust: 2.6

db: SECTRACK | id: 1020882

Trust: 2.5

db: VUPEN | id: ADV-2008-2584

Trust: 1.7

db: XF | id: 45174

Trust: 1.4

db: CERT/CC | id: VU#126787

Trust: 1.1

db: USCERT | id: SA08-260A

Trust: 0.8

db: JVNDB | id: JVNDB-2008-001726

Trust: 0.8

db: CERT/CC | id: TA08-260A

Trust: 0.6

db: APPLE | id: APPLE-SA-2008-09-15

Trust: 0.6

db: CNNVD | id: CNNVD-200809-220

Trust: 0.6

db: VULHUB | id: VHN-33742

Trust: 0.1

db: PACKETSTORM | id: 70024

Trust: 0.1

sources: CERT/CC: VU#126787 // VULHUB: VHN-33742 // BID: 31189 // JVNDB: JVNDB-2008-001726 // PACKETSTORM: 70024 // CNNVD: CNNVD-200809-220 // NVD: CVE-2008-3617

REFERENCES

url:http://www.securityfocus.com/bid/31189

Trust: 2.5

url:http://www.us-cert.gov/cas/techalerts/ta08-260a.html

Trust: 2.5

url:http://securitytracker.com/id?1020882

Trust: 2.5

url:http://lists.apple.com/archives/security-announce//2008/sep/msg00005.html

Trust: 1.7

url:http://www.frsirt.com/english/advisories/2008/2584

Trust: 1.4

url:http://xforce.iss.net/xforce/xfdb/45174

Trust: 1.4

url:http://www.vupen.com/english/advisories/2008/2584

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/45174

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3617

Trust: 0.8

url:http://jvn.jp/cert/jvnta08-260a/index.html

Trust: 0.8

url:http://jvn.jp/tr/trta08-260a

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-3617

Trust: 0.8

url:http://www.us-cert.gov/cas/alerts/sa08-260a.html

Trust: 0.8

url:http://support.apple.com/kb/ht3137

Trust: 0.3

url:http://www.apple.com/macosx/

Trust: 0.3

url:http://www.kb.cert.org/vuls/id/126787

Trust: 0.3

url:http://www.kb.cert.org/vuls/byid?searchview&query=apple_security_update_2008_006

Trust: 0.1

url:http://support.apple.com/kb/ht1338?viewlocale=en_us

Trust: 0.1

url:http://www.us-cert.gov/cas/techalerts/ta08-260a.html

Trust: 0.1

url:http://www.us-cert.gov/legal.html

Trust: 0.1

url:http://support.apple.com/kb/ht3137

Trust: 0.1

url:http://www.us-cert.gov/cas/signup.html

Trust: 0.1

url:http://www.us-cert.gov/reading_room/securing_browser/

Trust: 0.1

sources: CERT/CC: VU#126787 // VULHUB: VHN-33742 // BID: 31189 // JVNDB: JVNDB-2008-001726 // PACKETSTORM: 70024 // CNNVD: CNNVD-200809-220 // NVD: CVE-2008-3617

CREDITS

Pete Finnigan (pete@peterfinnigan.demon.co.uk); Esteban Martinez Fayo; Joxean Koret (joxeankoret@yahoo.es); Alexander Kornbrust (ak@red-database-security.com); Amichai Shulman (shulman@imperva.com)

Trust: 0.6

sources: CNNVD: CNNVD-200809-220

SOURCES

db: CERT/CC | id: VU#126787
db: VULHUB | id: VHN-33742
db: BID | id: 31189
db: JVNDB | id: JVNDB-2008-001726
db: PACKETSTORM | id: 70024
db: CNNVD | id: CNNVD-200809-220
db: NVD | id: CVE-2008-3617

LAST UPDATE DATE

2025-04-10T20:55:41.320000+00:00


SOURCES UPDATE DATE

db: CERT/CC | id: VU#126787 | date: 2008-10-14T00:00:00
db: VULHUB | id: VHN-33742 | date: 2017-08-08T00:00:00
db: BID | id: 31189 | date: 2008-11-13T22:34:00
db: JVNDB | id: JVNDB-2008-001726 | date: 2008-10-10T00:00:00
db: CNNVD | id: CNNVD-200809-220 | date: 2008-11-15T00:00:00
db: NVD | id: CVE-2008-3617 | date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: CERT/CC | id: VU#126787 | date: 2008-09-16T00:00:00
db: VULHUB | id: VHN-33742 | date: 2008-09-16T00:00:00
db: BID | id: 31189 | date: 2008-09-15T00:00:00
db: JVNDB | id: JVNDB-2008-001726 | date: 2008-10-10T00:00:00
db: PACKETSTORM | id: 70024 | date: 2008-09-16T21:50:37
db: CNNVD | id: CNNVD-200809-220 | date: 2008-09-16T00:00:00
db: NVD | id: CVE-2008-3617 | date: 2008-09-16T23:00:01.210