Sign-up

ID

VAR-201003-0135


CVE

CVE-2010-0055


TITLE

Apple Mac OS X of xar Vulnerable to package signature verification processing

Trust: 0.8

sources: JVNDB: JVNDB-2010-001282

DESCRIPTION

xar in Apple Mac OS X 10.5.8 does not properly validate package signatures, which allows attackers to have an unspecified impact via a modified package. xar (eXtensible ARchiver) is prone to a security-bypass vulnerability because it fails to properly verify signatures in a modified xar archive. Attackers can exploit this issue to make modified archives appear to have a valid signature. This may lead to other attacks. Versions prior to xar 1.5.3 are vulnerable. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines. A remote attacker forges a modified package as a validly signed package, causing unknown impact

Trust: 1.98

sources: NVD: CVE-2010-0055 // JVNDB: JVNDB-2010-001282 // BID: 39292 // VULHUB: VHN-42660

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:eqversion:10.5.8

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.5.8

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:v10.5.8

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.5.8

Trust: 0.8

vendor:xarmodel:xarscope:eqversion:1.5.2

Trust: 0.3

vendor:debianmodel:linux sparcscope:eqversion:5.0

Trust: 0.3

vendor:debianmodel:linux s/390scope:eqversion:5.0

Trust: 0.3

vendor:debianmodel:linux powerpcscope:eqversion:5.0

Trust: 0.3

vendor:debianmodel:linux mipselscope:eqversion:5.0

Trust: 0.3

vendor:debianmodel:linux mipsscope:eqversion:5.0

Trust: 0.3

vendor:debianmodel:linux m68kscope:eqversion:5.0

Trust: 0.3

vendor:debianmodel:linux ia-64scope:eqversion:5.0

Trust: 0.3

vendor:debianmodel:linux ia-32scope:eqversion:5.0

Trust: 0.3

vendor:debianmodel:linux hppascope:eqversion:5.0

Trust: 0.3

vendor:debianmodel:linux armelscope:eqversion:5.0

Trust: 0.3

vendor:debianmodel:linux armscope:eqversion:5.0

Trust: 0.3

vendor:debianmodel:linux amd64scope:eqversion:5.0

Trust: 0.3

vendor:debianmodel:linux alphascope:eqversion:5.0

Trust: 0.3

vendor:debianmodel:linuxscope:eqversion:5.0

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5

Trust: 0.3

vendor:xarmodel:xarscope:neversion:1.5.3

Trust: 0.3

sources: BID: 39292 // JVNDB: JVNDB-2010-001282 // CNNVD: CNNVD-201003-450 // NVD: CVE-2010-0055

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-0055
value: HIGH

Trust: 1.0

NVD: CVE-2010-0055
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201003-450
value: CRITICAL

Trust: 0.6

VULHUB: VHN-42660
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2010-0055
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-42660
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-42660 // JVNDB: JVNDB-2010-001282 // CNNVD: CNNVD-201003-450 // NVD: CVE-2010-0055

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-DesignError

Trust: 0.8

sources: JVNDB: JVNDB-2010-001282 // NVD: CVE-2010-0055

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201003-450

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201003-450

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2010-001282

PATCH
title:HT4077url:http://support.apple.com/kb/HT4077
Trust: 0.8
title:HT4077url:http://support.apple.com/kb/HT4077?viewlocale=ja_JP
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2010-001282

EXTERNAL IDS
db:NVDid:CVE-2010-0055
Trust: 2.8
db:JVNDBid:JVNDB-2010-001282
Trust: 0.8
db:CNNVDid:CNNVD-201003-450
Trust: 0.7
db:BIDid:39292
Trust: 0.4
db:VULHUBid:VHN-42660
Trust: 0.1
sources:
            
            
            VULHUB: VHN-42660 // 
            
            
            
            BID: 39292 // 
            
            
            
            JVNDB: JVNDB-2010-001282 // 
            
            
            
            CNNVD: CNNVD-201003-450 // 
            
            
            
            NVD: CVE-2010-0055

REFERENCES
url:http://lists.apple.com/archives/security-announce/2010//mar/msg00001.html
Trust: 1.7
url:http://support.apple.com/kb/ht4077
Trust: 1.7
url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/wxq3nrrtc4a3f3gw2rqnatjhydirscbs/
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-0055
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-0055
Trust: 0.8
url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/wxq3nrrtc4a3f3gw2rqnatjhydirscbs/
Trust: 0.7
url:https://vigilance.fr/vulnerability/xar-privilege-escalation-via-package-signature-validation-31356
Trust: 0.6
url:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572556
Trust: 0.3
url:http://software.cisco.com/download/navigator.html?mdfid=283613663
Trust: 0.3
url:http://code.google.com/p/xar/issues/detail?id=73#c0
Trust: 0.3
url:http://code.google.com/p/xar/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-42660 // 
            
            
            
            BID: 39292 // 
            
            
            
            JVNDB: JVNDB-2010-001282 // 
            
            
            
            CNNVD: CNNVD-201003-450 // 
            
            
            
            NVD: CVE-2010-0055

CREDITS
Michael KisorDamian Put pucik@cc-team.org
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201003-450

SOURCES
db:VULHUBid:VHN-42660
db:BIDid:39292
db:JVNDBid:JVNDB-2010-001282
db:CNNVDid:CNNVD-201003-450
db:NVDid:CVE-2010-0055

LAST UPDATE DATE
2025-04-11T23:09:03.432000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-42660date:2020-01-17T00:00:00
db:BIDid:39292date:2015-04-13T22:24:00
db:JVNDBid:JVNDB-2010-001282date:2010-04-16T00:00:00
db:CNNVDid:CNNVD-201003-450date:2020-01-19T00:00:00
db:NVDid:CVE-2010-0055date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:VULHUBid:VHN-42660date:2010-03-30T00:00:00
db:BIDid:39292date:2010-03-29T00:00:00
db:JVNDBid:JVNDB-2010-001282date:2010-04-16T00:00:00
db:CNNVDid:CNNVD-201003-450date:2010-03-30T00:00:00
db:NVDid:CVE-2010-0055date:2010-03-30T18:30:00.327