
CERT Coordination Center

Apple Mac OS X vulnerable to buffer overflow via vpnd daemon

Vulnerability Note VU#706838

Original Release Date: 2005-05-16 | Last Revised: 2005-05-24


Apple Mac OS X contains a buffer overflow in vpnd that could allow a local, authenticated attacker to execute arbitrary code with root privileges.


Mac OS X includes a VPN server called vpnd, which is installed setuid root by default. vpnd fails to validate the length of the Server_id parameter. The Server_id setting may be configured from the command line by using the -i option. Server_id is referenced by the file in the /Library/Preferences/SystemConfiguration directory to load the appropriate configuration file. Using a specially crafted Server_id parameter, an authenticated local attacker could execute arbitrary code with privileges of the vpnd process.

Note that is only present by default on Mac OS X Server. On a standard Mac OS X install, the file must be created manually or by using the graphical network configuration tools.


A local, authenticated attacker could execute arbitrary code with root privileges.


Apply a patch
Apple advises all users to apply Apple Security Update 2005-005, which fixes this flaw and other critical security flaws.


Disallow non-root access to vpnd

Clear the execute bit of the vpnd binary for non-root users, so that only root can run it. This does not correct the overflow itself, but it removes the ability of ordinary local users to invoke the setuid binary and therefore to trigger the flaw.
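The workaround above, as an added example that is not part of the CERT note and not Apple's tooling: a small POSIX shell script that checks whether a setuid binary is still executable by group or other users and, if so, clears those execute bits while leaving the setuid bit and owner permissions untouched, so root can still start the service. The note does not state the path of the vpnd binary, so the script takes the path as an argument rather than assuming one.

```shell
#!/bin/sh
# Added example (not from the CERT note): check for and apply the
# "disallow non-root access" workaround on a setuid binary such as vpnd.
# The vpnd path is not given in the note; pass it on the command line.

# Print the 10-character mode string (e.g. -rwsr-xr-x) of FILE.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 (true) if FILE is setuid and executable by group or other users,
# i.e. any local user could run it and reach the vulnerable code.
setuid_exposed() {
    f="$1"
    [ -u "$f" ] || return 1              # not setuid: out of scope here
    perms=$(mode_string "$f")
    grp_x=$(printf '%s' "$perms" | cut -c7)
    oth_x=$(printf '%s' "$perms" | cut -c10)
    # 'x' is plain execute; lowercase 's' / 't' mean execute plus setgid/sticky.
    # Uppercase 'S' / 'T' mean the special bit is set but execute is not.
    case "$grp_x$oth_x" in
        *[xst]*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Clear the group and other execute bits only. The setuid bit and the
# owner's permissions are preserved, so root can still run the binary.
restrict_to_owner() {
    chmod go-x "$1"
}

# Command-line use:  sh check_vpnd.sh /path/to/vpnd [fix]
# Without "fix" the script only reports; with "fix" it applies the change.
if [ $# -ge 1 ]; then
    if setuid_exposed "$1"; then
        echo "$1 is setuid and executable by non-root users ($(mode_string "$1"))"
        if [ "$2" = "fix" ]; then
            restrict_to_owner "$1"
            echo "mode is now $(mode_string "$1")"
        fi
    else
        echo "$1 is not executable by non-root users ($(mode_string "$1"))"
    fi
fi
```

Running the check first and the fix as a separate step lets an administrator confirm which binaries are affected before changing anything; the same functions can be pointed at any other setuid program for which the same workaround is appropriate.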

Vendor Information


Apple Computer Inc.: Affected

Updated: May 17, 2005



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Apple advises all users to apply Apple Security Update 2005-005.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

No CVSS score or vector is recorded for this note.



Acknowledgements

This vulnerability was reported by Jason Aras.

This document was written by Will Dormann, based on the information provided in iDEFENSE Security Advisory 05.04.05.

Other Information

CVE IDs: CVE-2005-1343
Severity Metric: 9.38
Date Public: 2005-05-03
Date First Published: 2005-05-16
Date Last Updated: 2005-05-24 13:37 UTC
Document Revision: 13

Sponsored by CISA.