ID CVE-2008-4212
Summary Unspecified vulnerability in rlogind in the rlogin component in Mac OS X 10.4.11 and 10.5.5 applies hosts.equiv entries to root despite what is stated in documentation, which might allow remote attackers to bypass intended access restrictions.
References
Vulnerable Configurations
  • cpe:2.3:o:apple:mac_os_x:10.4.11:*:*:*:*:*:*:*
    cpe:2.3:o:apple:mac_os_x:10.4.11:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:mac_os_x:10.5.5:*:*:*:*:*:*:*
    cpe:2.3:o:apple:mac_os_x:10.5.5:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:mac_os_x_server:10.4.11:*:*:*:*:*:*:*
    cpe:2.3:o:apple:mac_os_x_server:10.4.11:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:mac_os_x_server:10.5.5:*:*:*:*:*:*:*
    cpe:2.3:o:apple:mac_os_x_server:10.5.5:*:*:*:*:*:*:*
CVSS
Base: 10.0 (as of 08-08-2017 - 01:32)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:C/I:C/A:C
refmap via4
apple APPLE-SA-2008-10-09
bid
  • 31681
  • 31708
confirm http://support.apple.com/kb/HT3216
sectrack 1021028
secunia 32222
vupen ADV-2008-2780
xf macosx-rlogin-weak-security(45785)
statements via4
contributor Tomas Hoger
lastmodified 2008-10-25
organization Red Hat
statement Not vulnerable. This issue did not affect the versions of rsh-server packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. The glibcs ruserok function is used to check users authorization against rhosts files. That implementation of ruserok never opens /etc/hosts.equiv for superuser.
Last major update 08-08-2017 - 01:32
Published 10-10-2008 - 10:30
Back to Top