Vulnerability Note VU#897628

Apple Mac OS X may allow network accounts to bypass service access controls

Overview

Apple Mac OS X may allow network accounts to bypass service access controls. This vulnerability may allow remote users with a valid network account to bypass LoginWindow service access controls.

I. Description

Remote access to a system can be restricted by service access controls via LoginWindow. According to Apple Security Update 2006-006:

    A logic error in loginwindow allows network accounts without GUIDs to bypass service access controls.

Only systems that have been configured to allow network accounts to authenticate without a Globally Unique Identifier (GUID), and that use service access controls for LoginWindow, are affected by this vulnerability.

II. Impact

This vulnerability may allow remote users with a valid network account to bypass LoginWindow service access controls.

III. Solution

Upgrade

Apple has addressed this issue in Apple Security Update 2006-006.

Systems Affected

Vendor    Status    Date Notified    Date Updated
Apple Computer, Inc.    Vulnerable    2-Oct-2006

References


http://secunia.com/advisories/22187/
http://docs.info.apple.com/article.html?artnum=304460

Credit

This issue was reported in Apple Security Update 2006-006.

This document was written by Chris Taschner.

Other Information

Date Public: 2006-09-29
Date First Published: 2006-10-02
Date Last Updated: 2006-10-02
CERT Advisory:
CVE-ID(s): CVE-2006-4394
NVD-ID(s): CVE-2006-4394
US-CERT Technical Alerts:
Metric: 2.76
Document Revision: 14

Produced 2006 by US-CERT, a government organization