ID

VAR-201603-0234

CVE

CVE-2016-1774

TITLE

Apple OS X Server of Server App of Time Machine Vulnerability in server where important information is obtained

DESCRIPTION

The Time Machine server in Server App in Apple OS X Server before 5.1 does not notify the user about ignored permissions during a backup, which makes it easier for remote attackers to obtain sensitive information in opportunistic circumstances by reading backup data that lacks intended restrictions. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlIf a third party reads unlimited backup data, important information may be obtained. Apple Mac OS X Server is prone to the following security vulnerabilities: 1. Multiple security-bypass vulnerabilities 2. Multiple information-disclosure vulnerabilities An attacker can leverage these issues to obtain sensitive information, bypass security restrictions and perform unauthorized actions. The software enables file sharing, meeting scheduling, website hosting, network remote access, and more. Server App is a set of server management tools. Time Machine is one of the system backup software components. The vulnerability stems from the fact that the program does not notify the user of the ignored permissions when backing up. This issue was addressed through improved warnings. CVE-ID CVE-2016-1774 : CJKApps Web Server Available for: OS X Yosemite v10.10.5 and later Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm Description: RC4 was removed as a supported cipher. CVE-ID CVE-2016-1777 : Pepi Zawodsky Web Server Available for: OS X Yosemite v10.10.5 and later Impact: A remote user may be able to view sensitive configuration information Description: A file access issue existed in Apache with .DS_Store and .htaccess files. This issue was addressed through improved access restrictions. CVE-ID CVE-2016-1776 : Shawn Pullum of University of California, Irvine Wiki Server Available for: OS X Yosemite v10.10.5 and later Impact: An attacker in a privileged network position may be able to leak sensitive user information Description: An access issue existed in some Wiki pages. This issue was addressed through improved access restrictions. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJW8JQQAAoJEBcWfLTuOo7txasP/RcVgQ2t03szn0LLt0PSFjD9 PZg339iTYRk7sCHyNYwEnBeqdyDuO3005d4yaZ2R2OAI8Q806DJSpcTMG8Nu3sm3 xXceiVb/k+sRzh0nJaSHSVkw2GRzElsm5i6b3yFndeVnXF9eDphrjTeV2MFvoTRl t2Ml6IiTu944yJlh/NOmdjQZ+Uc2I+REDbUimeCMJVuuVmtd9UNS5VesC5u1BHyb bDmrd+pazmEjGwWwvxTE4raN7o/st7ZV2uxcjl8/73b/lVy9wBR/J4sxltyWNnm8 PJKbn/J5t8+tqKHupVvOuj4L6GnsOe154oL7bbOmrAhkVBeqBSdUBe9eQNIH0ji3 YwUdyDb3Wy1SyVNvN69tTd+ICTyh7XQQWMUTqV3xgp6tNJ19FXPdv9K/E55n62kw alfIzLhRafLV7NzUbAgsY8iuC6b3YTd9EJM0mDuh8hlTWYRC7N8HEtyxe4hAhfuO wMy1sRXWAiTBIZRJKL8KgAiIf7GdyKOvhgfcoL3dEGe5lw2Z9DCHyRihMOWFo2/Q LsJTxV9grMWN4WJLAm0h9z6AVbIELpRp4HBiq95ndaWm7bZbj6tFCRXvQaMerPut kuXD3izfEVZvtCSs7i4HKPgZLRgFRd687yVYeTSx2nyhOIeKd+tTfmUjMEw06PaT 9p0+e+mVlJlCmWiFIwsu =nxck -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

information disclosure

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

CJKApps, Pepi Zawodsky, Shawn Pullum of University of California, Irvine and an anonymous researcher

SOURCES

LAST UPDATE DATE

2025-04-13T20:35:00.524000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE