Mac OS X : OS X Server < 5.0.3 Multiple Vulnerabilities

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote host is missing a security update for OS X Server.

Description :

The remote Mac OS X host has a version of OS X Server installed that
is prior to 5.0.3. It is, therefore, affected by the following
vulnerabilities :

- A flaw exists in the mod_headers module that allows HTTP
trailers to replace HTTP headers late during request
processing. A remote attacker can exploit this to inject
arbitrary headers. This can also cause some modules to
function incorrectly or appear to function incorrectly.
(CVE-2013-5704)

- A privilege escalation vulnerability exists due to the
'make check' command not properly invoking initdb to
specify authentication requirements for a database
cluster to be used for tests. A local attacker can
exploit this issue to gain temporary server access and
elevated privileges. (CVE-2014-0067)

- A NULL pointer dereference flaw exists in module
mod_cache. A remote attacker, using an empty HTTP
Content-Type header, can exploit this vulnerability to
crash a caching forward proxy configuration, resulting
in a denial of service if using a threaded MPM.
(CVE-2014-3581)

- An out-of-bounds memory read flaw exists in module
mod_proxy_fcgi. An attacker, using a remote FastCGI
server to send long response headers, can exploit this
vulnerability to cause a denial of service by causing
a buffer over-read. (CVE-2014-3583)

- A flaw exists in module mod_lua when handling a
LuaAuthzProvider used in multiple Require directives
with different arguments. An attacker can exploit this
vulnerability to bypass intended access restrictions.
(CVE-2014-8109)

- An information disclosure vulnerability exists due to
improper handling of restricted column values in
constraint-violation error messages. An authenticated,
remote attacker can exploit this to gain access to
sensitive information. (CVE-2014-8161)

- A flaw exists within the Domain Name Service due to an
error in the code used to follow delegations. A remote
attacker, with a maliciously constructed zone or query,
can cause the service to issue unlimited queries,
resulting in resource exhaustion. (CVE-2014-8500)

- A flaw exists in the lua_websocket_read() function in
the 'mod_lua' module due to incorrect handling of
WebSocket PING frames. A remote attacker can exploit
this, by sending a crafted WebSocket PING frame after a
Lua script has called the wsupgrade() function, to crash
a child process, resulting in a denial of service
condition. (CVE-2015-0228)

- Multiple vulnerabilities exist due to several buffer
overflow errors related to the 'to_char' functions. An
authenticated, remote attacker can exploit these issues
to cause a denial of service or arbitrary code
execution. (CVE-2015-0241)

- Multiple vulnerabilities exist due to several
stack-based buffer overflow errors in various *printf()
functions. The overflows are due to improper validation
of user-supplied input when formatting a floating point
number where the requested precision is greater than
approximately 500. An authenticated, remote attacker
can exploit these issues to cause a denial of service or
arbitrary code execution. (CVE-2015-0242)

- Multiple vulnerabilities exist due to an overflow
condition in multiple functions in the 'pgcrypto'
extension. The overflows are due to improper validation
of user-supplied input when tracking memory sizes. An
authenticated, remote attacker can exploit these issues
to cause a denial of service or arbitrary code
execution. (CVE-2015-0243)

- A SQL injection vulnerability exists due to improper
sanitization of user-supplied input when handling
crafted binary data within a command parameter. An
authenticated, remote attacker can exploit this issue
to inject or manipulate SQL queries, allowing the
manipulation or disclosure of arbitrary data.
(CVE-2015-0244)

- A NULL pointer dereference flaw exists in the
read_request_line() function due to a failure to
initialize the protocol structure member. A remote
attacker can exploit this flaw, on installations that
enable the INCLUDES filter and have an ErrorDocument 400
directive specifying a local URI, by sending a request
that lacks a method, to cause a denial of service
condition. (CVE-2015-0253)

- A denial of service vulnerability exists due to an error
relating to DNSSEC validation and the managed-keys
feature. A remote attacker can trigger an incorrect
trust-anchor management scenario in which no key is
ready for use, resulting in an assertion failure and
daemon crash. (CVE-2015-1349)

- A flaw exists in PostgreSQL client disconnect timeout
expiration that is triggered when a timeout interrupt
is fired partway through the session shutdown sequence.
(CVE-2015-3165)

- A flaw exists in the printf() functions due to a failure
to check for errors. A remote attacker can use this to
gain access to sensitive information. (CVE-2015-3166)

- The pgcrypto component in PostgreSQL has multiple error
messages for decryption with an incorrect key. A remote
attacker can use this to recover keys from other
systems. (CVE-2015-3167)

- A flaw exists in the chunked transfer coding
implementation due to a failure to properly parse chunk
headers. A remote attacker can exploit this to conduct
HTTP request smuggling attacks. (CVE-2015-3183)

- A flaw exists in the ap_some_auth_required() function
due to a failure to consider that a Require directive
may be associated with an authorization setting rather
than an authentication setting. A remote attacker can
exploit this, if a module that relies on the 2.2 API
behavior exists, to bypass intended access restrictions.
(CVE-2015-3185)

- Multiple unspecified XML flaws exist in the Wiki Server
based on Twisted. (CVE-2015-5911)

See also :

https://support.apple.com/en-us/HT205219
http://www.nessus.org/u?b8a8a151

Solution :

Upgrade to Mac OS X Server version 5.0.3 or later.

Note that OS X Server 5.0.3 is available only for OS X 10.10.5 or
later.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 6.7
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false