Details of VAR-200306-0061

ID

VAR-200306-0061

CVE

CVE-2003-0378

TITLE

Mac OS X LDAP plugins transmit user credentials in clear text

Trust: 0.8

sources: CERT/CC: VU#467828

DESCRIPTION

The Kerberos login authentication feature in Mac OS X, when used with an LDAPv3 server and LDAP bind authentication, may send cleartext passwords to the LDAP server when the AuthenticationAuthority attribute is not set. Versions 10.2 and later of Apple's MacOS X operating system include support for the Lightweight Directory Access Protocol (LDAP). A vulnerability in the way some of these versions of MacOS X handle authentication in certain environments could expose user's passwords in plaintext as they're transmitted across the network. It has been reported that Mac OS X may leak plain text passwords in a network that uses Kerberos. This could allow an attacker to gain unauthorized access to systems. Mac OS X is an operating system used on Mac machines, based on the BSD system. After authenticating the user with an encrypted password, the login window returns and attempts a simple bind to the server that transmits the account password in clear text

Trust: 1.98

sources: NVD: CVE-2003-0378 // CERT/CC: VU#467828 // BID: 7832 // VULHUB: VHN-7207

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	lte	version:	10.2	Trust: 1.0
vendor:	apple computer	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	10.2	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.2	Trust: 0.3

sources: CERT/CC: VU#467828 // BID: 7832 // CNNVD: CNNVD-200306-078 // NVD: CVE-2003-0378

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2003-0378
value:	HIGH
Trust: 1.0
CARNEGIE MELLON:	VU#467828
value:	7.76
Trust: 0.8
CNNVD:	CNNVD-200306-078
value:	HIGH
Trust: 0.6
VULHUB:	VHN-7207
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2003-0378
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-7207
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#467828 // VULHUB: VHN-7207 // CNNVD: CNNVD-200306-078 // NVD: CVE-2003-0378

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2003-0378

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200306-078

TYPE

Configuration Error

Trust: 0.9

sources: BID: 7832 // CNNVD: CNNVD-200306-078

EXTERNAL IDS

db:	CERT/CC	id:	VU#467828	Trust: 2.5
db:	NVD	id:	CVE-2003-0378	Trust: 2.0
db:	SECUNIA	id:	8945	Trust: 0.8
db:	SECTRACK	id:	1006922	Trust: 0.8
db:	CNNVD	id:	CNNVD-200306-078	Trust: 0.7
db:	BID	id:	7832	Trust: 0.4
db:	VULHUB	id:	VHN-7207	Trust: 0.1

sources: CERT/CC: VU#467828 // VULHUB: VHN-7207 // BID: 7832 // CNNVD: CNNVD-200306-078 // NVD: CVE-2003-0378

REFERENCES

url:	http://docs.info.apple.com/article.html?artnum=107579	Trust: 2.8
url:	http://www.kb.cert.org/vuls/id/467828	Trust: 1.7
url:	http://www.secunia.com/advisories/8945/	Trust: 0.8
url:	http://securitytracker.com/alerts/2003/jun/1006922.html	Trust: 0.8
url:	http://docs.info.apple.com/article.html?artnum=120223	Trust: 0.3

sources: CERT/CC: VU#467828 // VULHUB: VHN-7207 // BID: 7832 // CNNVD: CNNVD-200306-078 // NVD: CVE-2003-0378

CREDITS

Apple Vendor

Trust: 0.6

sources: CNNVD: CNNVD-200306-078

SOURCES

db:	CERT/CC	id:	VU#467828
db:	VULHUB	id:	VHN-7207
db:	BID	id:	7832
db:	CNNVD	id:	CNNVD-200306-078
db:	NVD	id:	CVE-2003-0378

LAST UPDATE DATE

2024-08-14T14:23:07.940000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#467828	date:	2003-06-23T00:00:00
db:	VULHUB	id:	VHN-7207	date:	2008-09-05T00:00:00
db:	BID	id:	7832	date:	2009-07-11T22:06:00
db:	CNNVD	id:	CNNVD-200306-078	date:	2005-10-20T00:00:00
db:	NVD	id:	CVE-2003-0378	date:	2008-09-05T20:34:10.817

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#467828	date:	2003-06-04T00:00:00
db:	VULHUB	id:	VHN-7207	date:	2003-06-16T00:00:00
db:	BID	id:	7832	date:	2003-06-05T00:00:00
db:	CNNVD	id:	CNNVD-200306-078	date:	2003-06-16T00:00:00
db:	NVD	id:	CVE-2003-0378	date:	2003-06-16T04:00:00