Details of VAR-201310-0475

ID

VAR-201310-0475

CVE

CVE-2013-5163

TITLE

Apple Mac OS X Directory Service Vulnerability that Prevents Password-Based Authentication

Trust: 0.8

sources: JVNDB: JVNDB-2013-004502

DESCRIPTION

Directory Services in Apple Mac OS X before 10.8.5 Supplemental Update allows local users to bypass password-based authentication and modify arbitrary Directory Services records via unspecified vectors. Apple Mac OS X is prone to a local security-bypass vulnerability. Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. Apple Mac OS X 10.8 through versions 10.8.5 are vulnerable. The issue was addressed through improved credential validation. CVE-ID CVE-2013-5163 : the rookies of 42 OS X v10.8.5 Supplemental Update may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Fox OS X Mountain Lion v10.8.5 The download file is named: OSXUpd10.8.5Supp.dmg Its SHA-1 digest is: 18636c06f0db5b326752628fb7a2dfa3ce077ae1 For OS X Mountain Lion v10.8.4 The download file is named: OSXUpd10.8.5.dmg Its SHA-1 digest is: b115881f8541b2b80f89ff0e37563f2245be445b For OS X Mountain Lion v10.8 and v10.8.3 The download file is named: OSXUpdCombo10.8.5.dmg Its SHA-1 digest is: 5f574ec77678a965f4684d176ec13014d9ffac75 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJSTc6mAAoJEPefwLHPlZEwnZIQAJePLWS/A44WfcbaARuIbWWH oBlV13t3iD6gEqsvICNb/XZU5EG/4zSfDKt9gBgpsHR/jcQ8+FNFL2wiu1q/POAv Ecnx8p0oZVFrdL7dVe19TOitc/AleAkgr7E0/efp7tvxcK2B035N+Dc5SHdUVX/9 S9z3pF178Pl0akiMWI2c+iYcAHt1a1SIqTHOLnJlNr1RpIHkZork5uTrpjLl3qs4 7m/fjBg2JLqb6q6IlmyBviFI4StMUd+tPHZ23qPwnUL8L/x2H36566yA03hghsEc 1ZPatK3O+FHoVVgE8q/9GTH/42dG8K5wtF/xqpbyLqTVO79swjmIxW6vhZPXbmqW LBDeZVEx6pvp7qWRlmqyvX2Bl3IuCRp4K8qHN4HsU8F8zko2wviHOyPU4TsB7gEI xsETCtvVLLhImVoJF2Y9vLeAkWazqPIOlFFepeKcNSrN3L02hT3qQXXtZa4fTLON xDYTnHVt8xjTmaApLLYc3jXaeRX03IekGW2cduEwkAvKuOZvh5lQI5OT22qWDgsN 3EaliNghCV7ActzQL8kTzkCOpSB9H34bkwGv5/rbEGQnOn6ROLB6JYuHX11lyJ/Z /Bxn2Jfao3+FR2e8Xp07Z9RHFocwOduGtJziAj3WKjCvw8JzBROqchupsXkVUp6+ v8MP/bVYJ8LepQJm81IK =VYQW -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2013-5163 // JVNDB: JVNDB-2013-004502 // BID: 62812 // VULHUB: VHN-65165 // PACKETSTORM: 123506

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	eq	version:	10.8.4	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.8.1	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.8.0	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.8.2	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.8.3	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	lte	version:	10.8.5	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.8 to 10.8.5	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	10.8.5	Trust: 0.6

sources: JVNDB: JVNDB-2013-004502 // CNNVD: CNNVD-201310-005 // NVD: CVE-2013-5163

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-5163
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-5163
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201310-005
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-65165
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2013-5163
severity:	MEDIUM
baseScore:	6.6
vectorString:	AV:L/AC:L/AU:N/C:N/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-65165
severity:	MEDIUM
baseScore:	6.6
vectorString:	AV:L/AC:L/AU:N/C:N/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-65165 // JVNDB: JVNDB-2013-004502 // CNNVD: CNNVD-201310-005 // NVD: CVE-2013-5163

PROBLEMTYPE DATA

problemtype:

CWE-287

Trust: 1.9

sources: VULHUB: VHN-65165 // JVNDB: JVNDB-2013-004502 // NVD: CVE-2013-5163

THREAT TYPE

local

Trust: 0.9

sources: BID: 62812 // CNNVD: CNNVD-201310-005

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201310-005

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004502

PATCH

title:	APPLE-SA-2013-10-03-1	url:	http://lists.apple.com/archives/security-announce/2013/Oct/msg00000.html	Trust: 0.8
title:	HT5964	url:	http://support.apple.com/kb/HT5964	Trust: 0.8
title:	HT5964	url:	http://support.apple.com/kb/HT5964?viewlocale=ja_JP	Trust: 0.8

sources: JVNDB: JVNDB-2013-004502

EXTERNAL IDS

db:	NVD	id:	CVE-2013-5163	Trust: 2.9
db:	JVNDB	id:	JVNDB-2013-004502	Trust: 0.8
db:	CNNVD	id:	CNNVD-201310-005	Trust: 0.7
db:	APPLE	id:	APPLE-SA-2013-10-03-1	Trust: 0.6
db:	BID	id:	62812	Trust: 0.4
db:	PACKETSTORM	id:	123506	Trust: 0.2
db:	VULHUB	id:	VHN-65165	Trust: 0.1

sources: VULHUB: VHN-65165 // BID: 62812 // JVNDB: JVNDB-2013-004502 // PACKETSTORM: 123506 // CNNVD: CNNVD-201310-005 // NVD: CVE-2013-5163

REFERENCES

url:	http://lists.apple.com/archives/security-announce/2013/oct/msg00000.html	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5163	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5163	Trust: 0.8
url:	http://www.apple.com	Trust: 0.3
url:	http://www.apple.com/macosx/	Trust: 0.3
url:	http://www.apple.com/support/downloads/	Trust: 0.1
url:	https://www.apple.com/support/security/pgp/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-5163	Trust: 0.1
url:	http://support.apple.com/kb/ht1222	Trust: 0.1
url:	http://gpgtools.org	Trust: 0.1

sources: VULHUB: VHN-65165 // BID: 62812 // JVNDB: JVNDB-2013-004502 // PACKETSTORM: 123506 // CNNVD: CNNVD-201310-005 // NVD: CVE-2013-5163

CREDITS

the rookies of 42

Trust: 0.3

sources: BID: 62812

SOURCES

db:	VULHUB	id:	VHN-65165
db:	BID	id:	62812
db:	JVNDB	id:	JVNDB-2013-004502
db:	PACKETSTORM	id:	123506
db:	CNNVD	id:	CNNVD-201310-005
db:	NVD	id:	CVE-2013-5163

LAST UPDATE DATE

2025-04-11T23:04:04.018000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-65165	date:	2013-10-07T00:00:00
db:	BID	id:	62812	date:	2013-10-24T00:50:00
db:	JVNDB	id:	JVNDB-2013-004502	date:	2013-10-08T00:00:00
db:	CNNVD	id:	CNNVD-201310-005	date:	2013-10-08T00:00:00
db:	NVD	id:	CVE-2013-5163	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-65165	date:	2013-10-04T00:00:00
db:	BID	id:	62812	date:	2013-10-03T00:00:00
db:	JVNDB	id:	JVNDB-2013-004502	date:	2013-10-08T00:00:00
db:	PACKETSTORM	id:	123506	date:	2013-10-03T20:11:11
db:	CNNVD	id:	CNNVD-201310-005	date:	2013-10-08T00:00:00
db:	NVD	id:	CVE-2013-5163	date:	2013-10-04T10:44:07.430