copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2004.0559 -- APPLE-SA-0024-09-07 -- Security Update 2003-09-07

Date: 08 September 2004
References: ESB-2004.0498  ESB-2004.0569  ESB-2005.0828  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2004.0559 -- APPLE-SA-0024-09-07
                        Security Update 2003-09-07
                             8 September 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Apache 2
                        CoreFoundation
                        IPSec
                        Kerberos
                        lukemftpd
                        OpenLDAP
                        OpenSSH
                        PPPDialer
                        QuickTime Streaming Server
                        rsync
                        Safari
                        SquirrelMail
                        tcpdump
Publisher:              Apple
Operating System:       Mac OS X
                        Mac OS X Server
Impact:                 Increased Privileges
                        Execute Arbitrary Code/Commands
                        Denial of Service
                        Overwrite Arbitrary Files
                        Reduced Security
Access:                 Remote/Unauthenticated
CVE Names:              CAN-2004-0175 CAN-2004-0183 CAN-2004-0184
                        CAN-2004-0361 CAN-2004-0426 CAN-2004-0493
                        CAN-2004-0488 CAN-2004-0521 CAN-2004-0523
                        CAN-2004-0607 CAN-2004-0720 CAN-2004-0794
                        CAN-2004-0821 CAN-2004-0822 CAN-2004-0823
                        CAN-2004-0824 CAN-2004-0825

Ref:                    ESB-2004.0498

- --------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2004-09-07 Security Update 2004-09-07

Security Update 2004-09-07 is now available and delivers security
enhancements for the following system versions:
*  Mac OS X v10.3.5 "Panther"
*  Mac OS X v10.3.4 "Panther"
*  Mac OS X v10.2.8 "Jaguar"
*  Mac OS X Server v10.3.5 "Panther"
*  Mac OS X Server v10.3.4 "Panther"
*  Mac OS X Server v10.2.8 "Jaguar"

Given the relatively recent release of the Mac OS X v10.3.5 Software
Update, this security update is available for both Mac OS X v10.3.4
and Mac OS X v10.3.5.  Customers who are still evaluating Mac OS X
v10.3.5 for large-scale deployment can apply the security update for
Mac OS X v10.3.4 to increase the security of their systems during the
evaluation period.  After updating to Mac OS X v10.3.5, Security
Update 2004-09-07 should be installed onto Mac OS X v10.3.5 even if it
was previously installed on a Mac OS X v10.3.4 system.

This security update is also available for the previous major release,
"Jaguar".  All security enhancements present in the Panther version of
this security update are also available for Jaguar if the issue could
occur on Jaguar systems.

The following components are updated:

Component: Apache 2
CVE-IDs: CAN-2004-0493, CAN-2004-0488
Available for:  Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac
OS X Server v10.3.5
Impact: Exposure to a potential Denial of Service.
Description: The Apache Organization has released Apache version
2.0.50.  This release fixes a number of denial of service
vulnerabilities. We have updated Apache to version 2.0.50 which only
ships with Mac OS X Server, and is off by default.

Component: CoreFoundation
CVE-ID: CAN-2004-0821
Available for:  Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5,
Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact:  Privileged programs using CoreFoundation can be made to load
a user supplied library.
Description:	Bundles using the CoreFoundation CFPlugIn facilities
can include directions to automatically load plugin executables.  With
a specially crafted bundle this could also occur for privileged
programs, permitting a local privilege escalation. CoreFoundation now
prevents automatic executable loading for bundles that already have a
loaded executable.  Credit to Kikuchi Masashi <kik@ms.u-tokyo.ac.jp>
for reporting this issue.

Component: CoreFoundation
CVE-ID: CAN-2004-0822
Available for:  Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5,
Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: An environment variable can be manipulated to cause a buffer
overflow which can result in a privilege escalation
Description: By manipulating an environment variable a program could
potentially be made to execute arbitrary code by a local attacker.
This can only be exploited with access to a local account.  Stricter
validity checks are now performed for this environment variable.
Credit to <aaron@vtty.com> for reporting this issue.

Component: IPSec
CVE-ID:  CAN-2004-0607
Available for:  Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5,
Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact:  When using certificates, unauthenticated hosts may be able to
negotiate an IPSec connection.
Description:	When configured to use X.509 certificates to
authenticate remote hosts, a certificate verification failure does not
abort the key exchange. Mac OS X does not use certificates for IPSec
by default so this issue only affects configurations that have been
manually configured. IPSec now verifies and aborts a key exchange if a
certificate verification failure occurs.

Component: Kerberos
CVE-ID: CAN-2004-0523
Available for:  Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5,
Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: Multiple buffer overflows in krb5_aname_to_localname for MIT
Kerberos 5 (krb5) 1.3.3 and earlier could permit remote attackers to
execute arbitrary code.
Description: The buffer overflow can only be exploited if
"auth_to_local_names" or "auth_to_local"  support is also configured
in the edu.mit.Kerberos file.   Apple does not enable this by default.
  The security fix was back ported and applied to the Mac OS X versions
of Kerberos. The Mac OS X and Mac OS X Server version of Kerberos is
not susceptible to the recent "double-free" issue reported in the CERT
vulnerability note VU#350792 (CAN-2004-0772). Credit to the MIT
Kerberos Development Team for informing us of this issue.

Component: lukemftpd
CVE-ID: CAN-2004-0794
Available for:  Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5,
Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: A race condition that can permit an authenticated remote
attacker to cause a denial of service or execute arbitrary code
Description: If the FTP service has been enabled, and a remote
attacker can correctly authenticate, then a race condition would
permit them to stop the FTP service or execute arbitary code. The fix
is to replace the lukemftpd FTP service with tnftpd. lukemftp is
installed but not activated in Mac OS X Server, which instead uses
xftp.  Credit to Luke Mewburn of the NetBSD Foundation for informing
us of this issue.

Component: OpenLDAP
CVE-ID: CAN-2004-0823
Available for:  Mac OS X v10.3.4, Mac OS X v10.3.5, Mac OS X Server
v10.3.4, Mac OS X Server v10.3.5
Impact: A crypt password can be used as if it were a plain text password
Description: Backwards compatibility with older LDAP implementations
permits the storing of a crypt password in the userPassword attribute.
Some authentication validation schemes can use this value as if it
were a plain text password.  The fix removes the ambiguity and always
uses this type of field as a crypt password.  This issue does not
occur in Mac OS X 10.2.8.  Credit to Steve Revilak of Kayak Software
Corporation for reporting this issue.

Component: OpenSSH
CVE-ID: CAN-2004-0175
Available for:  Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5,
Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: A malicious ssh/scp server can overwrite local files
Description: A directory traversal vulnerability in the scp program
permits a malicious remote server to overwrite local files. The
security fix was backported and applied to the Mac OS X versions of
OpenSSH.

Component: PPPDialer
CVE-ID: CAN-2004-0824
Available for:  Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5,
Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: A malicious user can overwrite system files resulting in a
local privilege escalation
Description: PPP components performed insecure accesses of a file
stored in a world-writeable location.  The fix moves the log files to
a non-world-writeable location.

Component: QuickTime Streaming Server
Available for:  Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac
OS X Server v10.3.5
CVE-ID: CAN-2004-0825
Impact: A denial of service requiring a restart of the QuickTime
Streaming Server
Description: A particular sequence of client operations can cause a
deadlock on the QuickTime Streaming Server. The fix updates the code
to eliminate this deadlock condition.

Component: rsync
CVE-ID: CAN-2004-0426
Available for:  Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5,
Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: When rsync is run in daemon mode a remote attacker can write
outside of the module path unless the chroot option has been set.
Description: rsync before version 2.6.1 does not properly sanitize
paths when running a read/write daemon with the chroot option turned
off.  The fix updates rsync to version 2.6.2.

Component: Safari
CVE-ID: CAN-2004-0361
Available for:  Mac OS X v10.2.8, Mac OS X Server v10.2.8
Impact: A JavaScript array of negative size can cause Safari to access
out of bounds memory resulting in an application crash.
Description:	 Storing objects into a JavaScript array allocated
with negative size can overwrite memory. Safari now stops processing
JavaScript programs if an array allocation fails.
This security enhancement was previously made available in Safari
1.0.3, and is being applied inside the Mac OS X 10.2.8 operating
system as an extra layer of protection for customers who have not
installed that version of Safari.  This is a specific fix for Mac OS X
v10.2.8 and the issue does not exist in Mac OS X v10.3 or later
systems.

Component: Safari
CVE-ID: CAN-2004-0720
Available for:  Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5,
Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: An untrusted web site can inject content into a frame intended
to be used by another domain.
Description: A web site that uses multiple frames can have some of its
frames replaced with content from a malicious site if the malicious
site is visited first.  The fix imposes a set of parent/child rules
preventing the attack.

Component: SquirrelMail
CVE-ID: CAN-2004-0521
Available for:  Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5,
Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: SquirrelMail before 1.4.3 RC1 allows remote attackers to
execute unauthorized SQL statements
Description:  SquirrelMail  before 1.4.3 RC1 is vulnerable to SQL
injection which permits unauthorized SQL statements to be run. The fix
updates SquirrelMail to version 1.4.3a

Component: tcpdump
CVE-IDs: CAN-2004-0183, CAN-2004-0184
Available for:  Mac OS X v10.2.8, Mac OS X v10.3.4, Mac OS X v10.3.5,
Mac OS X Server v10.2.8, Mac OS X Server v10.3.4, Mac OS X Server v10.3.5
Impact: Maliciously crafted packets can cause a crash of a running tcpdump
Description: The detailed printing functions for ISAKMP packets do not
perform correct bounds checking and cause an out-of-bounds read which
results in a crash. The fix updates tcpdump to version 3.8.3.

================================================

Security Update 2004-09-07 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.3.5 "Panther"
=====================================
The download file is named: "SecUpd2004-09-07PanMClient.dmg"
Its SHA-1 digest is:  aa8bc2d78c37778cca3619f42dafdee5775bc7a6

For Mac OS X v10.3.4 "Panther"
=====================================
The download file is named: "SecUpd2004-09-07PanClient.dmg"
Its SHA-1 digest is:  a37cd43439f4e82d05d07924101e370d96dc41a9

For Mac OS X v10.2.8 "Jaguar"
=====================================
The download file is named: "SecUpd2004-09-07JagClient.dmg"
Its SHA-1 digest is:  6f0ee457b5a729ef68fb50fc55417db400b52365

For Mac OS X Server v10.3.5 "Panther"
=====================================
The download file is named: "SecUpdSrvr2004-09-07PanM.dmg"
Its SHA-1 digest is:  8766c93d5675f8d1d9ebec67e80b7a94d16a1858

For Mac OS X Server v10.3.4 "Panther"
=====================================
The download file is named: "SecUpdSrvr2004-09-07PanL.dmg"
Its SHA-1 digest is:  7f4674515ff0172a2df9a451240410ac24459753

For Mac OS X Server v10.2.8 "Jaguar"
=====================================
The download file is named: "SecUpdSrvr2004-09-07Jag.dmg"
Its SHA-1 digest is:  099290119b6f47d935e8d064c36a90b0ad7acaf8

Information will also be posted to the Apple Product Security
web site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/security_pgp.html

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQT5bIyh9+71yA2DNAQIAegP+KQR0RysbHLDS84qsaygmbyJs2YgBit6B
/ifVphgRwAlMXimLBWIZoBcc99Bfpi6yVkqnyFoCajqMLK+b6Q5Vml4PdBNiKLof
v/N1gBAjKFX2M2bYnOUqosD9Usm/ENzr+Rp4rCytpKyjDNSw0AN7iaWNBA2NEkoz
JJBOrO5zfaw=
=a32m
-----END PGP SIGNATURE-----