Mac OS X : OS X Server < 3.2.1 Multiple Vulnerabilities

high Nessus Plugin ID 77758

Synopsis

The remote host is missing a security update for OS X Server.

Description

The remote Mac OS X 10.9 host has a version of OS X Server installed that is prior to version 3.2.1. It is, therefore, affected by the following vulnerabilities:

- Multiple vulnerabilities exist within the included PostgreSQL; the most serious of these allow remote code execution or denial of service. (CVE-2014-0060, CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064, CVE-2014-0065, CVE-2014-0066)

- A cross-site scripting vulnerability exists within the Xcode Server. Using a specially crafted website, a remote attacker can exploit this to execute arbitrary code within the server / browser trust relationship. (CVE-2014-4406)

- A SQL injection vulnerability exists in the Wiki Server due to the improper validation of SQL queries. A remote attacker can exploit this to inject or manipulate SQL queries on the back-end database. (CVE-2014-4424)

Solution

Upgrade to Mac OS X Server version 3.2.1 or later.

See Also

http://support.apple.com/kb/HT6448

Plugin Details

Severity: High

ID: 77758

File Name: macosx_server_3_2_1.nasl

Version: 1.8

Type: local

Agent: macosx

Published: 9/19/2014

Updated: 7/14/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:apple:mac_os_x_server

Required KB Items: Host/local_checks_enabled, Host/MacOSX/Version, MacOSX/Server/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 9/17/2014

Vulnerability Publication Date: 9/17/2014

Reference Information

CVE: CVE-2014-0060, CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064, CVE-2014-0065, CVE-2014-0066, CVE-2014-4406, CVE-2014-4424

BID: 65719, 65725, 65731, 65728, 69918, 69935, 65723, 65724, 65727

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

APPLE-SA: APPLE-SA-2014-09-17-5