-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1503
                           OS X Mavericks v10.9
                              23 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OS X Mavericks
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account      
                   Unauthorised Access             -- Console/Physical      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5192 CVE-2013-5191 CVE-2013-5190
                   CVE-2013-5189 CVE-2013-5188 CVE-2013-5187
                   CVE-2013-5186 CVE-2013-5185 CVE-2013-5184
                   CVE-2013-5183 CVE-2013-5182 CVE-2013-5181
                   CVE-2013-5180 CVE-2013-5179 CVE-2013-5178
                   CVE-2013-5177 CVE-2013-5176 CVE-2013-5175
                   CVE-2013-5174 CVE-2013-5173 CVE-2013-5172
                   CVE-2013-5171 CVE-2013-5170 CVE-2013-5169
                   CVE-2013-5168 CVE-2013-5167 CVE-2013-5166
                   CVE-2013-5165 CVE-2013-5145 CVE-2013-5142
                   CVE-2013-5141 CVE-2013-5139 CVE-2013-5138
                   CVE-2013-5135 CVE-2013-4073 CVE-2013-3954
                   CVE-2013-3950 CVE-2013-1944 CVE-2013-1667
                   CVE-2013-0249 CVE-2012-1150 CVE-2012-0876
                   CVE-2012-0845 CVE-2011-4944 CVE-2011-3427
                   CVE-2011-3389 CVE-2011-2391 

Reference:         ASB-2013.0113
                   ASB-2013.0082
                   ESB-2013.1264
                   ESB-2013.0987
                   ESB-2013.0579
                   ESB-2013.0561
                   ESB-2013.0535
                   ESB-2013.0444

Original Bulletin: 
   http://support.apple.com/kb/HT6000

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2013-10-22-3 OS X Mavericks v10.9

OS X Mavericks v10.9 is now available and addresses the following:

Application Firewall
Impact:  socketfilterfw --blockApp may not block applications from
receiving network connections
Description:  The socketfilterfw command line tool's --blockApp
option did not properly block applications from receiving network
connections. This issue was addressed through improved handling of
the --blockApp options.
CVE-ID
CVE-2013-5165 : Alexander Frangis of PopCap Games

App Sandbox
Impact:  The App Sandbox may be bypassed
Description:  The LaunchServices interface for launching an
application allowed sandboxed apps to specify the list of arguments
passed to the new process. A compromised sandboxed application could
abuse this to bypass the sandbox. This issue was addressed by
disallowing sandboxed applications from specifying arguments.
CVE-ID
CVE-2013-5179 : Friedrich Graeter of The Soulmen GbR

Bluetooth
Impact:  A malicious local application could cause an unexpected
system termination
Description:  The Bluetooth USB host controller deleted interfaces
needed for later operations. This issue was addressed by retaining
the interface until it is no longer needed.
CVE-ID
CVE-2013-5166 : Stefano Bianchi Mazzone, Mattia Pagnozzi, and
Aristide Fattori of Computer and Network Security Lab (LaSER),
Universita degli Studi di Milano

CFNetwork
Impact:  Session cookies may persist even after resetting Safari
Description:  Resetting Safari did not always delete session cookies
until Safari was closed. This issue was addressed through improved
handling of session cookies.
CVE-ID
CVE-2013-5167 : Graham Bennett, Rob Ansaldo of Amherst College

CFNetwork SSL
Impact:  An attacker could decrypt part of an SSL connection
Description:  Only the SSLv3 and TLS 1.0 versions of SSL were used.
These versions are subject to a protocol weakness when using block
ciphers. A man-in-the-middle attacker could have injected invalid
data, causing the connection to close but revealing some information
about the previous data. If the same connection was attempted
repeatedly the attacker may eventually have been able to decrypt the
data being sent, such as a password. This issue was addressed by
enabling TLS 1.2.
CVE-ID
CVE-2011-3389

Console
Impact:  Clicking on a malicious log entry may lead to unexpected
application execution
Description:  This update modified the behavior of Console when
clicking on a log entry with an attached URL. Rather than opening the
URL, Console will now preview the URL with Quick Look.
CVE-ID
CVE-2013-5168 : Aaron Sigel of vtty.com

CoreGraphics
Impact:  Windows may be visible over the lock screen after display
sleep
Description:  A logic issue existed in CoreGraphics's handling of
display sleep mode, resulting in data corruption that could leave
windows visible over the lock screen. The issue is addressed
through improved handling of display sleep.
CVE-ID
CVE-2013-5169

CoreGraphics
Impact:  Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer underflow existed in the handling of PDF
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-5170 : Will Dormann of the CERT/CC

CoreGraphics
Impact:  An unprivileged application may be able to log keystrokes
entered into other applications even when secure input mode is
enabled
Description:  By registering for a hotkey event, an unprivileged
application could log keystrokes entered into other applications even
when secure input mode was enabled. This issue was addressed by
additional validation of hotkey events.
CVE-ID
CVE-2013-5171

curl
Impact:  Multiple vulnerabilities in curl
Description:  Multiple vulnerabilities existed in curl, the most
serious of which may lead to arbitrary code execution. These issues
were addressed by updating curl to version 7.30.0.
CVE-ID
CVE-2013-0249
CVE-2013-1944

dyld
Impact:  An attacker who has arbitrary code execution on a device may
be able to persist code execution across reboots
Description:  Multiple buffer overflows existed in dyld's
openSharedCacheFile() function. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2013-3950 : Stefan Esser

IOKitUser
Impact:  A malicious local application could cause an unexpected
system termination
Description:  A null pointer dereference existed in IOCatalogue. This
issue was addressed through additional type checking.
CVE-ID
CVE-2013-5138 : Will Estes

IOSerialFamily
Impact:  Executing a malicious application may result in arbitrary
code execution within the kernel
Description:  An out of bounds array access existed in the
IOSerialFamily driver. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2013-5139 : @dent1zt

Kernel
Impact:  Use of SHA-2 digest functions in the kernel may result in an
unexpected system termination
Description:  An incorrect output length was used for the SHA-2
family of digest functions, resulting in a kernel panic when these
functions were used, primarily during IPSec connections. The issue
was addressed through use of the expected output length.
CVE-ID
CVE-2013-5172 : Christoph Nadig of Lobotomo Software, [equinux ag]

Kernel
Impact:  Kernel stack memory may be disclosed to local users
Description:  An information disclosure issue existed in the msgctl
and segctl APIs. This issue was addressed by initializing data
structures returned from the kernel.
CVE-ID
CVE-2013-5142 : Kenzley Alphonse of Kenx Technology, Inc

Kernel
Impact:  A local user may cause a denial of service
Description:  The kernel random number generator would hold a lock
while satisfying a request from userspace, allowing a local user to
make a large request and hold the lock for long periods of time,
denying service to other users of the random number generator. This
issue was addressed by releasing and reacquiring the lock for large
requests more frequently.
CVE-ID
CVE-2013-5173 : Jaakko Pero of Aalto University

Kernel
Impact:  A local, unprivileged user may be able to cause an
unexpected system termination
Description:  An integer sign issue existed in the handling of tty
reads. This issue was addressed through improved handling of tty
reads.
CVE-ID
CVE-2013-5174 : CESG

Kernel
Impact:  A local user may be able to cause kernel memory information
disclosure or an unexpected system termination
Description:  An out of bounds read issue existed in the handling of
Mach-O files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-5175

Kernel
Impact:  A local user may be able to cause a system hang
Description:  An integer truncation issue existed in the handling of
tty devices. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-5176 : CESG

Kernel
Impact:  A local user may be able to cause an unexpected system
termination
Description:  The kernel would panic when an invalid user-supplied
iovec structure was detected. This issue was addressed through
improved validation of iovec structures.
CVE-ID
CVE-2013-5177 : CESG

Kernel
Impact:  Unprivileged processes may be able to cause an unexpected
system termination or arbitrary code execution in the kernel
Description:  A memory corruption issue existed in the handling of
arguments to the posix_spawn API. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2013-3954 : Stefan Esser

Kernel
Impact:  Source specific multicast program may cause an unexpected
system termination when using Wi-Fi network
Description:  An error checking issue existed in the handling of
multicast packets. This issue was addressed through improved handling
of multicast packets.
CVE-ID
CVE-2013-5184 : Octoshape

Kernel
Impact:  An attacker on a local network can cause a denial of service
Description:  An attacker on a local network can send specially
crafted IPv6 ICMP packets and cause high CPU load. The issue was
addressed by rate limiting ICMP packets before verifying their
checksum.
CVE-ID
CVE-2011-2391 : Marc Heuse

Kernel
Impact:  A malicious local application could cause a system hang
Description:  An integer truncation issue existed in the kernel
socket interface, which could be leveraged to force the CPU into an
infinite loop. The issue was addressed by using a larger sized
variable.
CVE-ID
CVE-2013-5141 : CESG

Kext Management
Impact:  An unauthorized process can disable some loaded kernel
extensions
Description:  An issue existed in kext management's handling of IPC
messages from unauthenticated senders. This issue was addressed by
adding additional authorization checks.
CVE-ID
CVE-2013-5145 : "Rainbow PRISM"

LaunchServices
Impact:  A file could show the wrong extension.
Description:  An issue existed in the handling of certain unicode
characters that could allow filenames to show incorrect extensions.
The issue was addressed by filtering unsafe unicode characters from
display in filenames.
CVE-ID
CVE-2013-5178 : Jesse Ruderman of Mozilla Corporation, Stephane Sudre
of Intego
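
As an added example (not Apple's code), the following Python flags filenames whose displayed extension can differ from the real one. The advisory does not name the characters Apple filtered, so the assumption here is Unicode bidirectional controls (and other "Cf" format characters), with the right-to-left override as the worked case:

```python
"""Added example (not Apple's code): flag filenames whose displayed extension
can differ from the real one because of Unicode bidirectional control
characters. The advisory does not list the characters Apple filtered; the
set below (bidi controls plus other Cf format characters) is an assumption."""
import unicodedata

RLO, PDF = "\u202e", "\u202c"  # right-to-left override and its terminator


def is_format_control(ch: str) -> bool:
    """True for Unicode 'Cf' characters (bidi controls, zero-width joiners, ...)."""
    return unicodedata.category(ch) == "Cf"


def sanitize_for_display(name: str) -> str:
    """Drop format controls before rendering, the approach the fix describes."""
    return "".join(ch for ch in name if not is_format_control(ch))


def visual_order(name: str) -> str:
    """Approximate how a naive renderer shows the name: text between an RLO
    and the next PDF (or end of string) appears reversed; other controls vanish."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if not is_format_control(ch):
                out.append(ch)
            i += 1
    return "".join(out)


def extension(name: str) -> str:
    """Extension the OS actually uses: everything after the last dot."""
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def analyze_filename(name: str) -> dict:
    """Report real vs displayed extension and whether the name looks spoofed."""
    shown = visual_order(name)
    real_ext, shown_ext = extension(name), extension(shown)
    return {
        "displayed": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "suspicious": any(map(is_format_control, name)) or real_ext != shown_ext,
    }


if __name__ == "__main__":
    # Constructed sample: renders as "invoiceexe.txt" but is really a .exe
    for sample in ("invoice\u202etxt.exe", "report.pdf"):
        print(analyze_filename(sample))
```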

Libc
Impact:  Under unusual circumstances some random numbers may be
predictable
Description:  If the kernel random number generator was not
accessible to srandomdev(), the function fell back to an alternative
method which had been removed by optimization, leading to a lack of
randomness. This issue was addressed by modifying the code to be
correct under optimization.
CVE-ID
CVE-2013-5180 : Xi Wang

Mail Accounts
Impact:  Mail may not choose the most secure authentication method
available
Description:  When auto-configuring a mail account on certain
mailservers, the Mail app would choose plaintext authentication over
CRAM-MD5 authentication. This issue was addressed through improved
logic handling.
CVE-ID
CVE-2013-5181

Mail Header Display
Impact:  An unsigned message may appear to be validly signed.
Description:  A logic issue existed in Mail's handling of unsigned
messages that nevertheless contained a multipart/signed part. The
issue was addressed through improved handling of unsigned messages.
CVE-ID
CVE-2013-5182 : Michael Roitzsch of Technische Universitat Dresden
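
An added example (not Apple's or Mail's code) of the distinction the fix draws, using Python's standard email parser on two constructed messages; the signature bodies are placeholders, not real S/MIME signatures:

```python
"""Added example (not Apple's code): tell a message whose whole body is a
multipart/signed structure apart from an unsigned message that merely embeds
a multipart/signed part, the pattern behind the Mail issue above. The sample
messages are constructed here and carry a placeholder, not a real signature."""
from email import policy
from email.parser import BytesParser


def uncovered_parts(raw: bytes) -> list:
    """Content types of leaf parts that no enclosing multipart/signed covers.
    Anything listed is shown to the user without signature protection, even
    though the message 'contains a signature'."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []

    def visit(part, covered):
        if part.is_multipart():
            inside = covered or part.get_content_type() == "multipart/signed"
            for sub in part.iter_parts():
                visit(sub, inside)
        elif not covered:
            found.append(part.get_content_type())

    visit(msg, False)
    return found


def signature_status(raw: bytes) -> str:
    """'signed' only when the top-level type is multipart/signed (the signature
    itself must still be verified); a signed part nested inside an unsigned
    wrapper is treated as unsigned, which is what the fix enforces."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg.get_content_type() == "multipart/signed":
        return "signed"
    nested = any(p.get_content_type() == "multipart/signed" for p in msg.walk())
    return "unsigned-with-nested-signed-part" if nested else "unsigned"


def build(lines):
    return "\r\n".join(lines).encode("ascii")


SIGNED_PART = [  # constructed; the signature body is a placeholder
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="sig"',
    "",
    "--sig",
    "Content-Type: text/plain",
    "",
    "Please approve the wire transfer.",
    "--sig",
    "Content-Type: application/pkcs7-signature",
    "",
    "PLACEHOLDER-NOT-A-REAL-SIGNATURE",
    "--sig--",
]
# Case 1: the signed structure is the whole message.
SIGNED_TOP = build(["MIME-Version: 1.0"] + SIGNED_PART)
# Case 2: an unsigned multipart/mixed wrapper adds text the signature never covered.
NESTED_SIGNED = build([
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="outer"',
    "",
    "--outer",
    "Content-Type: text/plain",
    "",
    "Unsigned text that the signature does not cover.",
    "--outer",
] + SIGNED_PART + ["--outer--"])

if __name__ == "__main__":
    for raw in (SIGNED_TOP, NESTED_SIGNED):
        print(signature_status(raw), uncovered_parts(raw))
```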

Mail Networking
Impact:  Information may be briefly transferred in plain text when
non-TLS encryption is configured.
Description:  When Kerberos authentication was enabled and Transport
Layer Security was disabled, Mail would send some unencrypted data to
the mail server, leading to an unexpected termination of the
connection. The issue was addressed through improved handling of this
configuration.
CVE-ID
CVE-2013-5183 : Richard E. Silverman of www.qoxp.net

OpenLDAP
Impact:  The ldapsearch command line tool did not honor the minssf
configuration
Description:  The ldapsearch command line tool did not honor the
minssf configuration, which could lead to weak encryption being
allowed unexpectedly. This issue was addressed through improved
handling of the minssf configuration.
CVE-ID
CVE-2013-5185

perl
Impact:  Perl scripts may be vulnerable to denial of service.
Description:  The rehash mechanism in outdated versions of Perl may
be vulnerable to denial of service in scripts that use untrusted
input as hash keys. The issue is addressed by updating to Perl
5.16.2.
CVE-ID
CVE-2013-1667

Power Management
Impact:  The screen lock may not engage after the specified time
period
Description:  A locking issue existed in power assertion management.
The issue was addressed through improved lock handling.
CVE-ID
CVE-2013-5186 : David Herman at Sensible DB Design

python
Impact:  Multiple vulnerabilities in python 2.7
Description:  Multiple vulnerabilities existed in python 2.7.2, the
most serious of which may lead to decryption of the content of an SSL
connection. This update addresses the issues by updating python to
version 2.7.5. Further information is available via the python site
at http://www.python.org/download/releases/
CVE-ID
CVE-2011-3389
CVE-2011-4944
CVE-2012-0845
CVE-2012-0876
CVE-2012-1150

python
Impact:  Multiple vulnerabilities in python 2.6
Description:  Multiple vulnerabilities existed in python 2.6.7, the
most serious of which may lead to decryption of the content of an SSL
connection. This update addresses the issues by updating python to
version 2.6.8 and applying the patch for CVE-2011-4944 from the
Python project. Further information is available via the python site
at http://www.python.org/download/releases/
CVE-ID
CVE-2011-3389
CVE-2011-4944
CVE-2012-0845
CVE-2012-0876
CVE-2012-1150

ruby
Impact:  An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description:  A hostname validation issue existed in Ruby's handling
of SSL certificates. This issue was addressed by updating Ruby to
version 2.0.0p247.
CVE-ID
CVE-2013-4073

Security
Impact:  Support for X.509 certificates with MD5 hashes may expose
users to spoofing and information disclosure as attacks improve
Description:  Certificates signed using the MD5 hash algorithm were
accepted by OS X. This algorithm has known cryptographic weaknesses.
Further research or a misconfigured certificate authority could have
allowed the creation of X.509 certificates with attacker controlled
values that would have been trusted by the system. This would have
exposed X.509 based protocols to spoofing, man in the middle attacks,
and information disclosure. This update disables support for an X.509
certificate with an MD5 hash for any use other than as a trusted root
certificate.
CVE-ID
CVE-2011-3427

Security - Authorization
Impact:  An administrator's security preferences may not be respected
Description:  The "Require an administrator password to access system
preferences with lock icons" setting allows administrators to add an
additional layer of protection to sensitive system settings. In some
cases where an administrator had enabled this setting, applying a
software update or upgrade could have subsequently disabled the
setting. This issue was addressed through improved handling of
authorization rights.
CVE-ID
CVE-2013-5189 : Greg Onufer

Security - Smart Card Services
Impact:  Smart Card Services may be unavailable when certificate
revocation checks are enabled
Description:  A logic issue existed in OS X's handling of Smart Card
certificate revocation checks. The issue was addressed through
improved certificate revocation support.
CVE-ID
CVE-2013-5190 : Yongjun Jeon of Centrify Corporation

Screen Lock
Impact:  The "Lock Screen" command may not take effect immediately
Description:  The "Lock Screen" command in the Keychain Status menu
bar item did not take effect until after the "Require password
[amount of time] after sleep or screen saver begins" setting had
elapsed.
CVE-ID
CVE-2013-5187 : Michael Kisor of OrganicOrb.com, Christian Knappskog
of NTNU (Norwegian University of Science and Technology), Stefan
Gronke (CCC Trier), Patrick Reed

Screen Lock
Impact:  A hibernated Mac with Autologin may not require a password
to wake
Description:  A Mac with hibernation and autologin enabled may allow
waking from hibernation without prompting for a password. This issue
was addressed through improved lock handling.
CVE-ID
CVE-2013-5188 : Levi Musters

Screen Sharing Server
Impact:  A remote attacker may be able to cause arbitrary code
execution
Description:  A format string vulnerability existed in Screen Sharing
Server's handling of the VNC username.
CVE-ID
CVE-2013-5135 : SilentSignal working with iDefense VCP

syslog
Impact:  A Guest user may be able to see log messages from previous
Guests
Description:  The console log was visible to the Guest user and
contained messages from previous Guest user sessions. This issue was
addressed by making the console log for Guest users visible only to
administrators.
CVE-ID
CVE-2013-5191 : Sven-S. Porst of earthlingsoft

USB
Impact:  A malicious local application could cause an unexpected
system termination
Description:  The USB hub controller didn't check the port and port
number of requests. The issue was addressed by adding checks of the
port and port number.
CVE-ID
CVE-2013-5192 : Stefano Bianchi Mazzone, Mattia Pagnozzi, and
Aristide Fattori of Computer and Network Security Lab (LaSER),
Universita degli Studi di Milano

Note:  OS X Mavericks includes Safari 7.0, which incorporates
the security content of Safari 6.1. For further details see
"About the security content of Safari 6.1" at
http://support.apple.com/kb/HT6000


OS X Mavericks v10.9 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----