Sign-up

ID

VAR-200809-0192


CVE

CVE-2008-3618


TITLE

Apple Mac OS X file sharing allows authenticated remote access to files and directories

Trust: 0.8

sources: CERT/CC: VU#126787

DESCRIPTION

The File Sharing pane in the Sharing preference pane in Apple Mac OS X 10.5 through 10.5.4 does not inform users that the complete contents of their own home directories are shared for their own use, which might allow attackers to leverage other vulnerabilities and access files for which sharing was unintended. The security update addresses a total of 17 new vulnerabilities that affect the Apple Type Services, Directory Services, Finder, ImageIO, Kernel, Login Windows, SearchKit, System Configuration, System Preferences, Time Machine, VideoConference, and Wiki Server components of Mac OS X. The advisory also contains security updates for 17 previously reported issues. Attackers could exploit these vulnerabilities to execute arbitrary code, gain access to sensitive information, or cause a denial of service. I. II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, denial of service, privilege escalation, or DNS cache poisoning. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-260A Feedback VU#547251" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History September 16 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSNANfnIHljM+H4irAQLlgQf+PqS9CZoUf6f9zPZNbyKDhBYETyc31z6G yrF/p3T2ZfH7qK43GbgSHbriAHi+nzlKdYk6vbt++6mE3Jr3QHmk/gyjp4BD8whS 1Qp6wamRmDUMgboseftfE/Pa/lAoFSejvUsGdgbkrNNH/95LcsPFqL+6pBQHna2c nFyEz3vMMPGxJr99Nf0Vda0O255fcjpvcVddbj005wvmyA83IT43ZFgAoINkKDvi qRo2jNmucDoQZTzX/ap1zU3ZSu5dBHlnH1qUK0BvFQSeLeGwaMoijkn2xqpCbzsV 4u3ErEkcLAQVMsTJBEzIs22WU4yRWF07eumhng3rIgGjbXuleNPfig== =SOoC -----END PGP SIGNATURE-----

Trust: 2.79

sources: NVD: CVE-2008-3618 // CERT/CC: VU#126787 // JVNDB: JVNDB-2008-001727 // BID: 31189 // VULHUB: VHN-33743 // PACKETSTORM: 70024

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:eqversion:10.5.4

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.5

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.5.2

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.5.1

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.5.3

Trust: 1.6

vendor:apple computermodel: - scope: - version: -

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:v10.5 to v10.5.4

Trust: 0.8

vendor:applemodel:safariscope:eqversion:3.1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.1.1

Trust: 0.3

vendor:applemodel:safari betascope:eqversion:3.0.3

Trust: 0.3

vendor:applemodel:safari betascope:eqversion:3.0.2

Trust: 0.3

vendor:applemodel:safari betascope:eqversion:3.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3.1

Trust: 0.3

vendor:applemodel:safari betascope:eqversion:3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.11

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.11

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5

Trust: 0.3

vendor:applemodel:ilifescope:eqversion:8.0

Trust: 0.3

vendor:applemodel:aperturescope:eqversion:2

Trust: 0.3

vendor:applemodel:mac os serverscope:neversion:x10.5.5

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.5.5

Trust: 0.3

vendor:applemodel:ilife supportscope:neversion:8.3.1

Trust: 0.3

sources: CERT/CC: VU#126787 // BID: 31189 // JVNDB: JVNDB-2008-001727 // CNNVD: CNNVD-200809-221 // NVD: CVE-2008-3618

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-3618
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#126787
value: 1.01

Trust: 0.8

NVD: CVE-2008-3618
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200809-221
value: CRITICAL

Trust: 0.6

VULHUB: VHN-33743
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2008-3618
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-33743
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#126787 // VULHUB: VHN-33743 // JVNDB: JVNDB-2008-001727 // CNNVD: CNNVD-200809-221 // NVD: CVE-2008-3618

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-33743 // JVNDB: JVNDB-2008-001727 // NVD: CVE-2008-3618

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200809-221

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-200809-221

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2008-001727

PATCH
title:Security Update 2008-006url:http://support.apple.com/kb/HT3137
Trust: 0.8
title:Security Update 2008-006url:http://support.apple.com/kb/HT3137?viewlocale=ja_JP
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2008-001727

EXTERNAL IDS
db:CERT/CCid:VU#126787
Trust: 3.6
db:BIDid:31189
Trust: 2.8
db:NVDid:CVE-2008-3618
Trust: 2.8
db:USCERTid:TA08-260A
Trust: 2.6
db:SECTRACKid:1020883
Trust: 2.5
db:VUPENid:ADV-2008-2584
Trust: 1.7
db:XFid:45175
Trust: 1.4
db:USCERTid:SA08-260A
Trust: 0.8
db:JVNDBid:JVNDB-2008-001727
Trust: 0.8
db:CERT/CCid:TA08-260A
Trust: 0.6
db:APPLEid:APPLE-SA-2008-09-15
Trust: 0.6
db:CNNVDid:CNNVD-200809-221
Trust: 0.6
db:VULHUBid:VHN-33743
Trust: 0.1
db:PACKETSTORMid:70024
Trust: 0.1
sources:
            
            
            CERT/CC: VU#126787 // 
            
            
            
            VULHUB: VHN-33743 // 
            
            
            
            BID: 31189 // 
            
            
            
            JVNDB: JVNDB-2008-001727 // 
            
            
            
            PACKETSTORM: 70024 // 
            
            
            
            CNNVD: CNNVD-200809-221 // 
            
            
            
            NVD: CVE-2008-3618

REFERENCES
url:http://www.kb.cert.org/vuls/id/126787
Trust: 2.8
url:http://www.securityfocus.com/bid/31189
Trust: 2.5
url:http://www.us-cert.gov/cas/techalerts/ta08-260a.html
Trust: 2.5
url:http://securitytracker.com/id?1020883
Trust: 2.5
url:http://lists.apple.com/archives/security-announce//2008/sep/msg00005.html
Trust: 1.7
url:http://www.frsirt.com/english/advisories/2008/2584
Trust: 1.4
url:http://xforce.iss.net/xforce/xfdb/45175
Trust: 1.4
url:http://www.vupen.com/english/advisories/2008/2584
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/45175
Trust: 1.1
url:about vulnerability notes
Trust: 0.8
url:contact us about this vulnerability
Trust: 0.8
url:provide a vendor statement
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3618
Trust: 0.8
url:http://jvn.jp/cert/jvnta08-260a/index.html
Trust: 0.8
url:http://jvn.jp/tr/trta08-260a
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-3618
Trust: 0.8
url:http://www.us-cert.gov/cas/alerts/sa08-260a.html
Trust: 0.8
url:http://support.apple.com/kb/ht3137
Trust: 0.3
url:http://www.apple.com/macosx/
Trust: 0.3
url:http://www.kb.cert.org/vuls/byid?searchview&query=apple_security_update_2008_006>
Trust: 0.1
url:http://support.apple.com/kb/ht1338?viewlocale=en_us>
Trust: 0.1
url:http://www.us-cert.gov/cas/techalerts/ta08-260a.html>
Trust: 0.1
url:http://www.us-cert.gov/legal.html>
Trust: 0.1
url:http://support.apple.com/kb/ht3137>
Trust: 0.1
url:http://www.us-cert.gov/cas/signup.html>.
Trust: 0.1
url:http://www.us-cert.gov/reading_room/securing_browser/>
Trust: 0.1
sources:
            
            
            CERT/CC: VU#126787 // 
            
            
            
            VULHUB: VHN-33743 // 
            
            
            
            BID: 31189 // 
            
            
            
            JVNDB: JVNDB-2008-001727 // 
            
            
            
            PACKETSTORM: 70024 // 
            
            
            
            CNNVD: CNNVD-200809-221 // 
            
            
            
            NVD: CVE-2008-3618

CREDITS
Pete Finnigan※ pete@peterfinnigan.demon.co.uk※Esteban Martinez FayoJoxean Koret※ joxeankoret@yahoo.es※Alexander Kornbrust※ ak@red-database-security.com※Amichai Shulman※ shulman@imperva.com
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200809-221

SOURCES
db:CERT/CCid:VU#126787
db:VULHUBid:VHN-33743
db:BIDid:31189
db:JVNDBid:JVNDB-2008-001727
db:PACKETSTORMid:70024
db:CNNVDid:CNNVD-200809-221
db:NVDid:CVE-2008-3618

LAST UPDATE DATE
2025-04-10T21:15:54.847000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#126787date:2008-10-14T00:00:00
db:VULHUBid:VHN-33743date:2017-08-08T00:00:00
db:BIDid:31189date:2008-11-13T22:34:00
db:JVNDBid:JVNDB-2008-001727date:2008-10-10T00:00:00
db:CNNVDid:CNNVD-200809-221date:2008-11-15T00:00:00
db:NVDid:CVE-2008-3618date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE
db:CERT/CCid:VU#126787date:2008-09-16T00:00:00
db:VULHUBid:VHN-33743date:2008-09-16T00:00:00
db:BIDid:31189date:2008-09-15T00:00:00
db:JVNDBid:JVNDB-2008-001727date:2008-10-10T00:00:00
db:PACKETSTORMid:70024date:2008-09-16T21:50:37
db:CNNVDid:CNNVD-200809-221date:2008-09-16T00:00:00
db:NVDid:CVE-2008-3618date:2008-09-16T23:00:01.243