Sign-up

ID

VAR-201006-0230


CVE

CVE-2010-1377


TITLE

Apple Mac OS X of Open Directory Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2010-001657

DESCRIPTION

Open Directory in Apple Mac OS X 10.6 before 10.6.4 creates an unencrypted connection upon certain SSL failures, which allows man-in-the-middle attackers to spoof arbitrary network account servers, and possibly execute arbitrary code, via unspecified vectors. The update addresses new vulnerabilities that affect the CUPS, DesktopServices, Folder Manager, Help Viewer, iChat, ImageIO, Network Authorization, Open Directory, Printer Setup, Printing, Ruby, SMB File Server, and Wiki Server components of Mac OS X. The advisory also contains security updates for 13 previously reported issues. This BID is being retired. Apple Mac OS X Open Directory is prone to a security-bypass vulnerability. Attackers able to execute a man-in-the-middle attack can exploit this issue to impersonate the network account server. This may lead to arbitrary code execution with SYSTEM-level privileges. Other attacks may also be possible. This issue affects Mac OS X 10.6 through 10.6.3 and Mac OS X Server 10.6 through 10.6.3. NOTE: This issue was previously covered in BID 40871 (Apple Mac OS X Prior to 10.6.4 Multiple Security Vulnerabilities), but has been given its own record to better document it

Trust: 2.25

sources: NVD: CVE-2010-1377 // JVNDB: JVNDB-2010-001657 // BID: 40871 // BID: 40905 // VULHUB: VHN-43982

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:eqversion:10.6.3

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.6.2

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.6.2

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.6.1

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.6.3

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.6.1

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.6.0

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.6.0

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:v10.6 to v10.6.3

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.6 to v10.6.3

Trust: 0.8

vendor:applemodel:mac os serverscope:eqversion:x10.6.3

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.6.2

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.6.1

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.6

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.6.3

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.6.2

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.6.1

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.6

Trust: 0.6

vendor:applemodel:mac os serverscope:neversion:x10.6.4

Trust: 0.6

vendor:applemodel:mac osscope:neversion:x10.6.4

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.5.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5

Trust: 0.3

sources: BID: 40871 // BID: 40905 // JVNDB: JVNDB-2010-001657 // CNNVD: CNNVD-201006-289 // NVD: CVE-2010-1377

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-1377
value: HIGH

Trust: 1.0

NVD: CVE-2010-1377
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201006-289
value: CRITICAL

Trust: 0.6

VULHUB: VHN-43982
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2010-1377
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-43982
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-43982 // JVNDB: JVNDB-2010-001657 // CNNVD: CNNVD-201006-289 // NVD: CVE-2010-1377

PROBLEMTYPE DATA

problemtype:CWE-310

Trust: 1.9

sources: VULHUB: VHN-43982 // JVNDB: JVNDB-2010-001657 // NVD: CVE-2010-1377

THREAT TYPE

network

Trust: 0.6

sources: BID: 40871 // BID: 40905

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201006-289

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2010-001657

PATCH
title:HT4188url:http://support.apple.com/kb/HT4188
Trust: 0.8
title:HT4188url:http://support.apple.com/kb/HT4188?viewlocale=ja_JP
Trust: 0.8
title:Mac OS X v10.6.4 Update (Combo)url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=3705
Trust: 0.6
title:Mac OS X Server v10.6.4 Update Mac mini (Mid 2010)url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=3709
Trust: 0.6
title:Mac OS X v10.6.4 Updateurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=3704
Trust: 0.6
title:Mac OS X Server v10.6.4 Update (Combo)url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=3708
Trust: 0.6
title:Security Update 2010-004 (Leopard-Client)url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=3703
Trust: 0.6
title:Mac OS X Server v10.6.4 Updateurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=3707
Trust: 0.6
title:Security Update 2010-004 (Leopard-Server)url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=3702
Trust: 0.6
title:Mac OS X v10.6.4 Update Mac mini (Mid 2010)url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=3706
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2010-001657 // 
            
            
            
            CNNVD: CNNVD-201006-289

EXTERNAL IDS
db:NVDid:CVE-2010-1377
Trust: 2.8
db:VUPENid:ADV-2010-1481
Trust: 2.5
db:SECUNIAid:40220
Trust: 2.5
db:SECTRACKid:1024103
Trust: 2.5
db:BIDid:40871
Trust: 2.0
db:JVNDBid:JVNDB-2010-001657
Trust: 0.8
db:CNNVDid:CNNVD-201006-289
Trust: 0.7
db:APPLEid:APPLE-SA-2010-06-15-1
Trust: 0.6
db:BIDid:40905
Trust: 0.4
db:VULHUBid:VHN-43982
Trust: 0.1
sources:
            
            
            VULHUB: VHN-43982 // 
            
            
            
            BID: 40871 // 
            
            
            
            BID: 40905 // 
            
            
            
            JVNDB: JVNDB-2010-001657 // 
            
            
            
            CNNVD: CNNVD-201006-289 // 
            
            
            
            NVD: CVE-2010-1377

REFERENCES
url:http://securitytracker.com/id?1024103
Trust: 2.5
url:http://secunia.com/advisories/40220
Trust: 2.5
url:http://www.vupen.com/english/advisories/2010/1481
Trust: 2.5
url:http://lists.apple.com/archives/security-announce/2010//jun/msg00001.html
Trust: 1.7
url:http://www.securityfocus.com/bid/40871
Trust: 1.7
url:http://support.apple.com/kb/ht4188
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1377
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-1377
Trust: 0.8
url:http://www.apple.com/macosx/
Trust: 0.6
sources:
            
            
            VULHUB: VHN-43982 // 
            
            
            
            BID: 40871 // 
            
            
            
            BID: 40905 // 
            
            
            
            JVNDB: JVNDB-2010-001657 // 
            
            
            
            CNNVD: CNNVD-201006-289 // 
            
            
            
            NVD: CVE-2010-1377

CREDITS
Apple; Adrian 'pagvac' Pastor of GNUCITIZEN, and Tim Starling; Tim Waugh; Luca Carettoni; Michi Ruepp of pianobakery.com; Clint Ruoho of Laconic Security; Kevin Finisterre of digitalmunition.com; MIT Kerberos Team; Joel Johnson, Debian, Brian Almeida; Emm
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201006-289

SOURCES
db:VULHUBid:VHN-43982
db:BIDid:40871
db:BIDid:40905
db:JVNDBid:JVNDB-2010-001657
db:CNNVDid:CNNVD-201006-289
db:NVDid:CVE-2010-1377

LAST UPDATE DATE
2025-04-11T22:31:49.887000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-43982date:2010-06-18T00:00:00
db:BIDid:40871date:2010-06-16T21:59:00
db:BIDid:40905date:2010-06-15T00:00:00
db:JVNDBid:JVNDB-2010-001657date:2010-07-09T00:00:00
db:CNNVDid:CNNVD-201006-289date:2010-06-21T00:00:00
db:NVDid:CVE-2010-1377date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:VULHUBid:VHN-43982date:2010-06-17T00:00:00
db:BIDid:40871date:2010-06-15T00:00:00
db:BIDid:40905date:2010-06-15T00:00:00
db:JVNDBid:JVNDB-2010-001657date:2010-07-09T00:00:00
db:CNNVDid:CNNVD-201006-289date:2010-06-21T00:00:00
db:NVDid:CVE-2010-1377date:2010-06-17T16:30:01.637