Mac OS X Server v10.6.5 (10H575)

2010-11-22T00:00:00
ID MACOSX_SERVER_10H575.NASL
Type nessus
Reporter Tenable
Modified 2018-07-14T00:00:00

Description

A memory aliasing issue in Dovecot's handling of user names in Mac OS X Server v10.6.5 may result in a user receiving mail intended for other users.

Note that this vulnerability arises only on Mac OS X Server systems when Dovecot is configured as a mail server.

                                        
                                            #TRUSTED 56c302167b66fbba513f7af020f9effacd54677e424fdc0c52475c9533ecb819a6113e4e91394917fbb86e827a7233dcf748d425f1d0629c5034c14d083c559ac03b342ece418e5a0cb62b4a661a9d7ef57bf644f034899248fb08589c430d855cbab37fc1ae3a9d3e48cdd1525ccc9cdb0f6b1b9eb14c5894eb14a5101e1029d85809700a73bc3b8163b762dce29c2c193347c1041be49e47c83128646ff99e8b5b29926100ba5e861c3075f3d14ca937a56c3501ca523c49813d3b0e7d0ad5652237912e8e4f9e15b5e430ed554de76dc5d993b14db8054f9450cfebf2ded73233f47d323d1d97bc6c236c14caae51fa309f01ad63f5e9bcfa89371e0124797608b15b2f210b79e10725712a32b29df815525e2549ead5a1983b5472f65f340933598b96a4bfd3df17671bb1ed05414a029a7cb6468b4e9b7477bf53e9a7c08da45d943e16b80f74af494bd81271bef4909aa71fe7a38af6944263dfc683c3b0c8978258fe393932d40c41957f05f8567dfc61e4583dffbded39a9a4caf7a1c8b89cacc649d114c5c405e4778eb39e27d4e450930cbda63ab48df631808525cc900c0fe3d7f59856401288e7a86f0bdbb569a9c0c6494f8c2a2d1f90d7d3cb9d7800949c05686ec9f98afc3a72454e01d1cc710af302b21741bc44c082c01ea6048555c1ee30645f0d270b44824e30d87ea947266f7f8b15de1a96feafaf11
#
# (C) Tenable Network Security, Inc.
#


if (!defined_func("bn_random")) exit(0);


include("compat.inc");


if (description)
{
  script_id(50681);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");

  script_cve_id("CVE-2010-4011");
  script_bugtraq_id(44874);

  script_name(english:"Mac OS X Server v10.6.5 (10H575)");
  script_summary(english:"Checks ProductBuildVersion in /System/Library/CoreServices/ServerVersion.plist");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host has an application that may be affected by an
information disclosure vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A memory aliasing issue in Dovecot's handling of user names in Mac OS
X Server v10.6.5 may result in a user receiving mail intended for
other users. 

Note that this vulnerability arises only on Mac OS X Server systems
when Dovecot is configured as a mail server."
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://support.apple.com/kb/HT4452"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://lists.apple.com/archives/security-announce/2010/Nov/msg00001.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Upgrade to Mac OS X Server v10.6.5 (10H575) or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/11/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("macosx_server_services.nasl");
  script_require_keys("Host/uname", "MacOSX/Server/Version");

  exit(0);
}


include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");



if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  enable_ssh_wrappers();
else disable_ssh_wrappers();

function exec(cmd)
{
  local_var ret, buf;

  if (islocalhost())
    buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
  else
  {
    ret = ssh_open_connection();
    if (!ret) exit(1, "ssh_open_connection() failed.");
    buf = ssh_cmd(cmd:cmd);
    ssh_close_connection();
  }

  return buf;
}


uname = get_kb_item("Host/uname");
if (!uname) exit(0, "The 'Host/uname' KB item is missing.");

# Mac OS X 10.6 only.
if (!egrep(pattern:"Darwin.* 10\.", string:uname)) exit(0, "The remote Mac is not running Mac OS X 10.6.");


version = get_kb_item("MacOSX/Server/Version");
if (!version) exit(1, "Failed to retrieve the Mac OS X Server version.");
if ("Server 10.6" >!< version) exit(0, "The host is running "+version+" and thus not affected.");


# And check it.
#
# nb: Apple says only 10H574 is affected.
if ("(10H574)" >< version)
{
  # Unless we're paranoid, make sure Dovecot is being used for mail.
  gs_opt = get_kb_item("global_settings/report_paranoia");
  if (gs_opt && gs_opt != 'Paranoid')
  {
    status = get_kb_item("MacOSX/Server/mail/Status");
    if (!status) exit(1, "Failed to retrieve the status of the 'mail' service.");

    if ("RUNNING" >!< status)
      exit(0, "The mail service is not running, and thus the host is not affected.");

    cmd = 'serveradmin settings mail:postfix:mailbox_transport';
    buf = exec(cmd:cmd);
    if (!buf) exit(1, "Failed to run '"+cmd+"'.");

    if (!eregmatch(pattern:'mailbox_transport *= *"dovecot"', string:buf)) 
      exit(0, "The mail service does not use Dovecot, and thus the host is not affected.");

    report_trailer = '';
  }
  else report_trailer = 
    '\n' +
    'Note, though, that Nessus did not check whether the mail service is\n' +
    'running or Dovecot is in use because of the Report Paranoia setting in\n' +
    'effect when this scan was run.\n';

  gs_opt = get_kb_item("global_settings/report_verbosity");
  if (gs_opt && gs_opt != 'Quiet')
  {
    version = strstr(version, "Server ") - "Server ";

    report = 
      '\n  Installed system version : ' + version + 
      '\n  Fixed system version     : 10.6.5 (10H575)\n';
    if (report_trailer) report += report_trailer;

    security_warning(port:0, extra:report);
  }
  else security_warning(0);

  exit(0);
}
else exit(0, "The remote host is not affected since Mac OS X Server build version "+version+" is installed.");