Apple OS X Profile Manager Device Management Private Interface Managed Device Enumeration

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

Apple Profile Manager provides the list of managed devices to
unauthenticated clients.

Description :

Profile Manager on Apple OS X Server before 10.7.5 does not properly
perform authentication for the Device Management private interface,
which allows attackers to enumerate managed devices via unspecified
vectors.

See also :

http://support.apple.com/kb/HT5501
http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html

Solution :

Upgrade to Apple OS X Server 10.7.5 / 10.8.2 or later.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Mobile Devices

Nessus Plugin ID: 65676

Bugtraq ID: 56247

CVE ID: CVE-2012-3721