AgileBits 1Password 6.3.3 Multiple Vulnerabilities (macOS)

medium Nessus Plugin ID 100956

Synopsis

A password management application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of AgileBits 1Password installed on the remote macOS or Mac OS X host is 6.3.3. It is, therefore, affected by multiple vulnerabilities:

- A security weakness exists in the internal web browser in which the default protocol that is used is set to HTTP. If a user visits a website without specifying the full URL, the more secure HTTPS protocol will not be used even if it is available. A man-in-the-middle attacker can exploit this to disclose sensitive information. (SIK-2016-039)

- A security weakness exists in the database of the password manager due to lack of encryption for titles and URLs. An attacker who is able to obtain a copy of the encrypted database can exploit this to disclose the websites for which the user has stored credentials without having to break the cryptography. (SIK-2016-040)

- A security weakness exists in the password manager due to sending the target domain to the vendor's web server in order to obtain from a server-side cache an icon that represents the respective target website. This issue allows the vendor to track all the sites for which the user has created database entries. (SIK-2016-042)

Solution

Upgrade to a version of AgileBits 1Password that is later than 6.3.3.

See Also

https://team-sik.org/sik-2016-039/

https://team-sik.org/sik-2016-040/

https://team-sik.org/sik-2016-042/

http://www.nessus.org/u?eedc9d32

Plugin Details

Severity: Medium

ID: 100956

File Name: macosx_agilebits_1password_multiple_vulns_01.nasl

Version: 1.2

Type: local

Agent: macosx

Published: 6/21/2017

Updated: 9/4/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: An in-depth analysis by Tenable researchers revealed the access complexity to be high.

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: manual

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

CPE: cpe:/a:agilebits:1password

Required KB Items: Host/local_checks_enabled, Host/MacOSX/Version, installed_sw/1Password

Patch Publication Date: 9/27/2016

Vulnerability Publication Date: 9/27/2016