Mac OS X : OS X Server < 5.0.3 Multiple Vulnerabilities

Critical Nessus Plugin ID 86066

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 5.9

Synopsis

The remote host is missing a security update for OS X Server.

Description

The remote Mac OS X host has a version of OS X Server installed that is prior to 5.0.3. It is, therefore, affected by the following vulnerabilities :

- A flaw exists in the mod_headers module that allows HTTP trailers to replace HTTP headers late during request processing. A remote attacker can exploit this to inject arbitrary headers. This can also cause some modules to function incorrectly or appear to function incorrectly.
(CVE-2013-5704)

- A privilege escalation vulnerability exists due to the 'make check' command not properly invoking initdb to specify authentication requirements for a database cluster to be used for tests. A local attacker can exploit this issue to gain temporary server access and elevated privileges. (CVE-2014-0067)

- A NULL pointer dereference flaw exists in module mod_cache. A remote attacker, using an empty HTTP Content-Type header, can exploit this vulnerability to crash a caching forward proxy configuration, resulting in a denial of service if using a threaded MPM.
(CVE-2014-3581)

- A out-of-bounds memory read flaw exists in module mod_proxy_fcgi. An attacker, using a remote FastCGI server to send long response headers, can exploit this vulnerability to cause a denial of service by causing a buffer over-read. (CVE-2014-3583)

- A flaw exists in module mod_lua when handling a LuaAuthzProvider used in multiple Require directives with different arguments. An attacker can exploit this vulnerability to bypass intended access restrictions.
(CVE-2014-8109)

- An information disclosure vulnerability exists due to improper handling of restricted column values in constraint-violation error messages. An authenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2014-8161)

- A flaw exists within the Domain Name Service due to an error in the code used to follow delegations. A remote attacker, with a maliciously-constructed zone or query, can cause the service to issue unlimited queries, resulting in resource exhaustion. (CVE-2014-8500)

- A flaw exists in the lua_websocket_read() function in the 'mod_lua' module due to incorrect handling of WebSocket PING frames. A remote attacker can exploit this, by sending a crafted WebSocket PING frame after a Lua script has called the wsupgrade() function, to crash a child process, resulting in a denial of service condition. (CVE-2015-0228)

- Multiple vulnerabilities exist due to several buffer overflow errors related to the 'to_char' functions. An authenticated, remote attacker can exploit these issues to cause a denial of service or arbitrary code execution. (CVE-2015-0241)

- Multiple vulnerabilities exist due to several stack-based buffer overflow errors in various *printf() functions. The overflows are due to improper validation of user-supplied input when formatting a floating point number where the requested precision is greater than approximately 500. An authenticated, remote attacker can exploit these issues to cause a denial of service or arbitrary code execution. (CVE-2015-0242)

- Multiple vulnerabilities exist due to an overflow condition in multiple functions in the 'pgcrypto' extension. The overflows are due to improper validation of user-supplied input when tracking memory sizes. An authenticated, remote attacker can exploit these issues to cause a denial of service or arbitrary code execution. (CVE-2015-0243)

- A SQL injection vulnerability exists due to improper sanitization of user-supplied input when handling crafted binary data within a command parameter. An authenticated, remote attacker can exploit this issue to inject or manipulate SQL queries, allowing the manipulation or disclosure of arbitrary data.
(CVE-2015-0244)

- A NULL pointer dereference flaw exists in the read_request_line() function due to a failure to initialize the protocol structure member. A remote attacker can exploit this flaw, on installations that enable the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI, by sending a request that lacks a method, to cause a denial of service condition. (CVE-2015-0253)

- A denial of service vulnerability exists due to an error relating to DNSSEC validation and the managed-keys feature. A remote attacker can trigger an incorrect trust-anchor management scenario in which no key is ready for use, resulting in an assertion failure and daemon crash. (CVE-2015-1349)

- A flaw exists in PostgreSQL client disconnect timeout expiration that is triggered when a timeout interrupt is fired partway through the session shutdown sequence. (CVE-2015-3165)

- A flaw exists in the printf() functions due to a failure to check for errors. A remote attacker can use this to gain access to sensitive information. (CVE-2015-3166)

- The pgcrypto component in PostgreSQL has multiple error messages for decryption with an incorrect key. A remote attacker can use this to recover keys from other systems. (CVE-2015-3167)

- A flaw exists in the chunked transfer coding implementation due to a failure to properly parse chunk headers. A remote attacker can exploit this to conduct HTTP request smuggling attacks. (CVE-2015-3183)

- A flaw exists in the ap_some_auth_required() function due to a failure to consider that a Require directive may be associated with an authorization setting rather than an authentication setting. A remote attacker can exploit this, if a module that relies on the 2.2 API behavior exists, to bypass intended access restrictions.
(CVE-2015-3185)

- Multiple unspecified XML flaws exist in the Wiki Server based on Twisted. (CVE-2015-5911)

Solution

Upgrade to Mac OS X Server version 5.0.3 or later.

Note that OS X Server 5.0.3 is available only for OS X 10.10.5 or later.

See Also

https://support.apple.com/en-us/HT205219

http://www.nessus.org/u?b8a8a151

Plugin Details

Severity: Critical

ID: 86066

File Name: macosx_server_5_0_3.nasl

Version: 1.9

Type: local

Agent: macosx

Published: 2015/09/22

Updated: 2019/11/22

Dependencies: 50680

Risk Information

Risk Factor: Critical

VPR Score: 5.9

CVSS Score Source: CVE-2015-5911

CVSS v2.0

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:apple:mac_os_x_server

Required KB Items: Host/local_checks_enabled, Host/MacOSX/Version, MacOSX/Server/Version

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2015/09/16

Vulnerability Publication Date: 2015/09/16

Reference Information

CVE: CVE-2013-5704, CVE-2014-0067, CVE-2014-3581, CVE-2014-3583, CVE-2014-8109, CVE-2014-8161, CVE-2014-8500, CVE-2015-0228, CVE-2015-0241, CVE-2015-0242, CVE-2015-0243, CVE-2015-0244, CVE-2015-0253, CVE-2015-1349, CVE-2015-3165, CVE-2015-3166, CVE-2015-3167, CVE-2015-3183, CVE-2015-3185, CVE-2015-5911

BID: 65721, 66550, 71590, 71656, 71657, 72538, 72540, 72542, 72543, 72673, 73040, 73041, 74787, 74789, 74790, 75963, 75964, 75965

APPLE-SA: APPLE-SA-2015-09-16-4