Mac OS X < 10.10 Multiple Vulnerabilities (POODLE) (Shellshock)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote host is missing a Mac OS X update that fixes multiple
vulnerabilities.

Description :

The remote host is running a version of Mac OS X that is prior to
version 10.10. This update contains several security-related fixes for
the following components :

- 802.1X
- AFP File Server
- apache
- App Sandbox
- Bash
- Bluetooth
- Certificate Trust Policy
- CFPreferences
- CoreStorage
- CUPS
- Dock
- fdesetup
- iCloud Find My Mac
- IOAcceleratorFamily
- IOHIDFamily
- IOKit
- Kernel
- LaunchServices
- LoginWindow
- Mail
- MCX Desktop Config Profiles
- NetFS Client Framework
- QuickTime
- Safari
- Secure Transport
- Security
- Security - Code Signing

Note that successful exploitation of the most serious issues can
result in arbitrary code execution.

See also :

https://support.apple.com/kb/HT6535
http://www.securityfocus.com/archive/1/533720/30/0/threaded
http://seclists.org/oss-sec/2014/q3/650
https://www.invisiblethreat.ca/post/shellshock/
http://www.nessus.org/u?e40f2f5a
https://www.imperialviolet.org/2014/10/14/poodle.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
http://www.nessus.org/u?c1fbcc64

Solution :

Upgrade to Mac OS X version 10.10 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true