Mac OS X AFP Shared Folders Unauthenticated Access (Security Update 2010-006) (uncredentialed check)

high Nessus Plugin ID 49308

Synopsis

The remote host is missing a Mac OS X update that fixes a security issue.

Description

The remote host is running a version of Mac OS X 10.6 that does not have Security Update 2010-006 applied.

This security update fixes an issue in AFP Server by which a remote attacker with knowledge of an account name on the affected system may be able to bypass the password validation and access AFP shared folders.

Note that this issue is only exploitable when File Sharing is enabled, and it is not by default.

Solution

Install Security Update 2010-006 or later.

See Also

http://support.apple.com/kb/HT4361

http://lists.apple.com/archives/security-announce/2010/sep/msg00004.html

Plugin Details

Severity: High

ID: 49308

File Name: afp_malformed_password.nbin

Version: 1.78

Type: remote

Family: Misc.

Published: 9/21/2010

Updated: 7/17/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

Required KB Items: AFP/hostname

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/20/2010

Vulnerability Publication Date: 9/20/2010

Reference Information

CVE: CVE-2010-1820

BID: 43341