search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Alertus Desktop Notification for OS X sets insecure permissions for configuration and other files

Vulnerability Note VU#302544

Original Release Date: 2016-06-23 | Last Revised: 2016-06-23

Overview

Alertus Desktop Notification for OS X, version 2.9.30.1700 and earlier, sets insecure permissions for configuration and other files, which may enable an unprivileged attacker to disable notifications and modify content locally.

Description

CWE-276: Incorrect Default Permissions - CVE-2016-5087

Alertus Desktop Notification is mass emergency notification software designed to receive and display alerts on PC and Mac client systems. Alertus Desktop Notification for OS X, version 2.9.30.1700 and earlier, sets insecure permissions for configuration and other files by default, which may enable an unprivileged, local attacker to disable notifications and modify content.

Impact

A local, unprivileged attacker may modify or remove configuration or other files to disable notifications or alter content.

Solution

Apply an update

The vendor has released version 2.9.31.1710 to address this issue. Users are encouraged to update to the latest version.

For users who may be unable or unwilling to upgrade, the vendor has provided the following guidance:

We are providing a script that fixes the permissions if an upgrade cannot be performed. Refer to the URL below for script and more information:

https://helpdesk.alertus.com/solution/articles/3000054559-osx-permissions-patch-script-for-alertus-desktop-osx-2-9-30-1700

Vendor Information

302544
 
Affected   Unknown   Unaffected

Alertus Technologies

Notified:  May 10, 2016 Updated:  June 22, 2016

Statement Date:   June 21, 2016

Status

  Affected

Vendor Statement

* we are providing a script that fixes the permissions if an upgrade cannot be performed

* refer to the URL below for script and more information:

https://helpdesk.alertus.com/solution/articles/3000054559-osx-permissions-patch-script-for-alertus-desktop-osx-2-9-30-1700

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://helpdesk.alertus.com/solution/articles/3000054559-osx-permissions-patch-script-for-alertus-desktop-osx-2-9-30-1700


CVSS Metrics

Group Score Vector
Base 3.2 AV:L/AC:L/Au:S/C:N/I:P/A:P
Temporal 2.6 E:F/RL:OF/RC:C
Environmental 3 CDP:L/TD:M/CR:ND/IR:ND/AR:H

References

Credit

Thanks to Gerrit DeWitt of Georgia State University for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2016-5087
Date Public: 2016-06-23
Date First Published: 2016-06-23
Date Last Updated: 2016-06-23 14:00 UTC
Document Revision: 13

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.