Mac OS X : OS X Server < 2.1.1 Multiple Vulnerabilities

This script is Copyright (C) 2012-2016 Tenable Network Security, Inc.


Synopsis :

The remote host is missing an update for OS X Server that fixes several
security issues.

Description :

The remote Mac OS X 10.8 host has a version of OS X Server installed
that is prior to 2.1.1. It is, therefore, affected by the following
vulnerabilities :

- When the xml2 contrib module is enabled in PostgreSQL,
an unprivileged database user can read or write
arbitrary files, subject to the privileges under which
the PostgreSQL server runs, when processing
specially crafted XSLT documents. (CVE-2012-3488)

- An unprivileged database user can read arbitrary files,
subject to the privileges under which the PostgreSQL
server runs, because 'xml_parse()' attempts to fetch
external files or URLs as needed to resolve DTD and
entity references in an XML value. (CVE-2012-3489)

- A malicious XMPP server can spoof domains via a Verify
Response or an Authorization Response because the Jabber
server processes unsolicited XMPP Server Dialback
responses. (CVE-2012-3525)

See also :

http://support.apple.com/kb/HT5533
http://lists.apple.com/archives/security-announce/2012/Oct/msg00000.html

Solution :

Upgrade to Mac OS X Server version 2.1.1 or later.
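The check this plugin performs can be reproduced from inventory data alone. The following is an added example, not Tenable's plugin code; it assumes you already have each host's Mac OS X version and installed OS X Server version as dotted strings, and flags hosts that are 10.8 with a server build prior to 2.1.1. Version strings are compared numerically per component so that 2.1.10 is correctly treated as newer than 2.1.1.

```python
from typing import Dict, List, Tuple

FIXED_SERVER_VERSION = "2.1.1"   # first version containing the fix (from the advisory)
AFFECTED_OS_MAJOR_MINOR = (10, 8)  # only Mac OS X 10.8 hosts are in scope


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.1.1' into (2, 1, 1); rejects non-numeric components."""
    parts: List[int] = []
    for component in version.strip().split("."):
        if not component.isdigit():
            raise ValueError(f"non-numeric version component in {version!r}")
        parts.append(int(component))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric component-wise comparison; missing trailing components count as 0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def is_affected(os_version: str, server_version: str) -> bool:
    """True when the host is Mac OS X 10.8 and OS X Server is older than 2.1.1."""
    if parse_version(os_version)[:2] != AFFECTED_OS_MAJOR_MINOR:
        return False
    return version_lt(server_version, FIXED_SERVER_VERSION)


def affected_hosts(inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """inventory maps hostname -> (os_version, server_version); returns affected hostnames."""
    return sorted(h for h, (os_v, srv_v) in inventory.items() if is_affected(os_v, srv_v))


# Constructed sample inventory for illustration only (not real scan output).
SAMPLE_INVENTORY = {
    "mac-a": ("10.8.2", "2.1"),     # 10.8 with 2.1   -> affected
    "mac-b": ("10.8.2", "2.1.1"),   # 10.8 with 2.1.1 -> fixed
    "mac-c": ("10.8.1", "2.1.10"),  # 10.8 with 2.1.10 -> newer than 2.1.1, not affected
    "mac-d": ("10.7.5", "2.0"),     # not 10.8 -> out of scope for this plugin
}

if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))
```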

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: MacOS X Local Security Checks

Nessus Plugin ID: 62801

Bugtraq ID: 55072, 55074, 55167

CVE ID: CVE-2012-3488, CVE-2012-3489, CVE-2012-3525
