Vulnerability Note VU#897628

Apple Mac OS X may allow network accounts to bypass service access controls

Original Release date: 02 Oct 2006 | Last revised: 02 Oct 2006

Overview

Apple Mac OS X may allow network accounts to bypass service access controls. This vulnerability may allow remote users with a valid network account to bypass LoginWindow service access controls.

Description

Remote access to a system can be restricted by service access controls via LoginWindow. According to Apple Security Update 2006-006:

    A logic error in loginwindow allows network accounts without GUIDs to bypass service access controls.

This vulnerability affects only systems that are configured to allow network accounts to authenticate without a Globally Unique Identifier (GUID) and that use service access controls for LoginWindow.

Impact

This vulnerability may allow remote users with a valid network account to bypass LoginWindow service access controls.

Solution

Upgrade
Apple has addressed this issue in Apple Security Update 2006-006.

Systems Affected

Vendor                Status    Date Notified  Date Updated
Apple Computer, Inc.  Affected  -              02 Oct 2006

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

This issue was reported in Apple Security Update 2006-006.

This document was written by Chris Taschner.

Other Information

  • CVE IDs: CVE-2006-4394
  • Date Public: 29 Sep 2006
  • Date First Published: 02 Oct 2006
  • Date Last Updated: 02 Oct 2006
  • Severity Metric: 2.76
  • Document Revision: 14
