Sign-up

ID

VAR-200610-0022


CVE

CVE-2006-4399


TITLE

Apple Workgroup Manager fails to properly enable ShadowHash passwords

Trust: 0.8

sources: CERT/CC: VU#847468

DESCRIPTION

User interface inconsistency in Workgroup Manager in Apple Mac OS X 10.4 through 10.4.7 appears to allow administrators to change the authentication type from crypt to ShadowHash passwords for accounts in a NetInfo parent, when such an operation is not actually supported, which could result in less secure password management than intended. Apple Workgroup Manager fails to properly enable ShadowHash passwords in a NetInfo parent. Workgroup Manager may appear to use ShadowHash passwords when crypt is used. Adobe Flash Player fails to properly handle malformed strings. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code. Apple Mac OS X is prone to multiple security vulnerabilities. These issue affect Mac OS X and various applications including CFNetwork, Safari, Kernel, ImageIO, LoginWindow, System Preferences, QuickDraw Manager, and Workgroup Manager. Apple Mac OS X versions prior to 10.4.8 are vulnerable to these issues. There are loopholes in the implementation of Workgroup Manager. Remote administrators can change the encryption method of secret password authentication in network information, when a real password is not actually enabled. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/quality_assurance_analyst/ http://secunia.com/web_application_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Adobe Flash Player Multiple Unspecified Vulnerabilities SECUNIA ADVISORY ID: SA21865 VERIFY ADVISORY: http://secunia.com/advisories/21865/ CRITICAL: Highly critical IMPACT: Security Bypass, System access WHERE: >From remote SOFTWARE: Macromedia Flash 8.x http://secunia.com/product/7024/ Macromedia Flash MX 2004 http://secunia.com/product/3192/ Macromedia Flash MX Professional 2004 http://secunia.com/product/3191/ Macromedia Flash Player 7.x http://secunia.com/product/2634/ Macromedia Flash Player 8.x http://secunia.com/product/6153/ Macromedia Flex 1.x http://secunia.com/product/5246/ DESCRIPTION: Multiple vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions or compromise a user's system. visiting a malicious website. 2) An unspecified error can be exploited to bypass the "allowScriptAccess" option. 3) Unspecified errors exist in the way the ActiveX control is invoked by Microsoft Office products on Windows. SOLUTION: Update to version 9.0.16.0 or another fixed version (see the vendor advisory for details). PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Stuart Pearson, Computer Terrorism UK Ltd, for reporting one of the vulnerabilities. 2) Reported by the vendor. 3) Reported by the vendor. ORIGINAL ADVISORY: Adobe: http://www.adobe.com/support/security/bulletins/apsb06-11.html OTHER REFERENCES: Microsoft: http://www.microsoft.com/technet/security/advisory/925143.mspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 4.32

sources: NVD: CVE-2006-4399 // CERT/CC: VU#847468 // CERT/CC: VU#451380 // CERT/CC: VU#168372 // JVNDB: JVNDB-2006-000655 // BID: 20271 // VULHUB: VHN-20507 // VULMON: CVE-2006-4399 // PACKETSTORM: 49912

AFFECTED PRODUCTS

vendor:apple computermodel: - scope: - version: -

Trust: 2.4

vendor:adobemodel: - scope: - version: -

Trust: 1.6

vendor:microsoftmodel: - scope: - version: -

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.2

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.5

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.6

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.4

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.1

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.7

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.3

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:v10.4 to v10.4.7 up to version

Trust: 0.8

vendor:applemodel:mac osscope:eqversion:x10.2.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.3

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.4.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.2

Trust: 0.3

vendor:applemodel:mac os serverscope:neversion:x10.4.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.9

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.9

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.0

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.3

Trust: 0.3

vendor:cosmicperlmodel:directory proscope:eqversion:10.0.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.03

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1

Trust: 0.3

sources: CERT/CC: VU#847468 // CERT/CC: VU#451380 // CERT/CC: VU#168372 // BID: 20271 // JVNDB: JVNDB-2006-000655 // CNNVD: CNNVD-200610-013 // NVD: CVE-2006-4399

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-4399
value: LOW

Trust: 1.0

CARNEGIE MELLON: VU#451380
value: 33.41

Trust: 0.8

CARNEGIE MELLON: VU#168372
value: 14.29

Trust: 0.8

NVD: CVE-2006-4399
value: LOW

Trust: 0.8

CNNVD: CNNVD-200610-013
value: LOW

Trust: 0.6

VULHUB: VHN-20507
value: LOW

Trust: 0.1

VULMON: CVE-2006-4399
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2006-4399
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-20507
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#451380 // CERT/CC: VU#168372 // VULHUB: VHN-20507 // VULMON: CVE-2006-4399 // JVNDB: JVNDB-2006-000655 // CNNVD: CNNVD-200610-013 // NVD: CVE-2006-4399

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-4399

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-200610-013

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-200610-013

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2006-000655

PATCH
title:Mac OS X 10.4.8 Update (Intel)url:http://www.apple.com/support/downloads/macosx1048updateintel.html
Trust: 0.8
title:Mac OS X 10.4.8 Update (PPC)url:http://www.apple.com/support/downloads/macosx1048updateppc.html
Trust: 0.8
title:Mac OS X 10.4.8 and Security Update 2006-006url:http://docs.info.apple.com/article.html?artnum=304460-ja
Trust: 0.8
title:Mac OS X 10.4.8 Update (Intel)url:http://www.apple.com/jp/ftp-info/reference/macosx1048updateintel.html
Trust: 0.8
title:Mac OS X 10.4.8 Update (PPC)url:http://www.apple.com/jp/ftp-info/reference/macosx1048updateppc.html
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2006-000655

EXTERNAL IDS
db:SECUNIAid:22187
Trust: 3.4
db:CERT/CCid:VU#847468
Trust: 3.4
db:NVDid:CVE-2006-4399
Trust: 2.9
db:USCERTid:TA06-275A
Trust: 2.9
db:BIDid:20271
Trust: 2.9
db:OSVDBid:29276
Trust: 1.8
db:SECUNIAid:21865
Trust: 1.7
db:SECTRACKid:1016958
Trust: 1.7
db:VUPENid:ADV-2006-3852
Trust: 1.7
db:CERT/CCid:VU#451380
Trust: 0.8
db:CERT/CCid:VU#168372
Trust: 0.8
db:USCERTid:SA06-275A
Trust: 0.8
db:JVNDBid:JVNDB-2006-000655
Trust: 0.8
db:CNNVDid:CNNVD-200610-013
Trust: 0.7
db:XFid:29302
Trust: 0.6
db:CERT/CCid:TA06-275A
Trust: 0.6
db:APPLEid:APPLE-SA-2006-09-29
Trust: 0.6
db:VULHUBid:VHN-20507
Trust: 0.1
db:VUPENid:2006/3852
Trust: 0.1
db:VULMONid:CVE-2006-4399
Trust: 0.1
db:PACKETSTORMid:49912
Trust: 0.1
sources:
            
            
            CERT/CC: VU#847468 // 
            
            
            
            CERT/CC: VU#451380 // 
            
            
            
            CERT/CC: VU#168372 // 
            
            
            
            VULHUB: VHN-20507 // 
            
            
            
            VULMON: CVE-2006-4399 // 
            
            
            
            BID: 20271 // 
            
            
            
            JVNDB: JVNDB-2006-000655 // 
            
            
            
            PACKETSTORM: 49912 // 
            
            
            
            CNNVD: CNNVD-200610-013 // 
            
            
            
            NVD: CVE-2006-4399

REFERENCES
url:http://www.us-cert.gov/cas/techalerts/ta06-275a.html
Trust: 2.9
url:http://www.kb.cert.org/vuls/id/847468
Trust: 2.7
url:http://www.securityfocus.com/bid/20271
Trust: 2.6
url:http://lists.apple.com/archives/security-announce/2006/sep/msg00002.html
Trust: 1.8
url:http://www.osvdb.org/29276
Trust: 1.8
url:http://securitytracker.com/id?1016958
Trust: 1.8
url:http://secunia.com/advisories/22187
Trust: 1.8
url:http://secunia.com/advisories/21865/
Trust: 1.7
url:http://www.adobe.com/support/security/bulletins/apsb06-11.html
Trust: 1.7
url:http://secunia.com/advisories/22187/
Trust: 1.6
url:http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx
Trust: 1.6
url:http://www.frsirt.com/english/advisories/2006/3852
Trust: 1.4
url:http://www.vupen.com/english/advisories/2006/3852
Trust: 1.2
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/29302
Trust: 1.2
url:http://docs.info.apple.com/article.html?artnum=304460
Trust: 1.1
url:http://www.microsoft.com/technet/security/advisory/925143.mspx
Trust: 0.9
url:http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=d9c2fe33
Trust: 0.8
url:http://www.computerterrorism.com/research/ct12-09-2006.htm
Trust: 0.8
url:http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_16494
Trust: 0.8
url:http://www.adobe.com/devnet/security/security_zone/mpsb02-08.html
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-4399
Trust: 0.8
url:http://jvn.jp/cert/jvnta06-275a/index.html
Trust: 0.8
url:http://jvn.jp/tr/trta06-275a/index.html
Trust: 0.8
url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2006-4399
Trust: 0.8
url:http://www.us-cert.gov/cas/alerts/sa06-275a.html
Trust: 0.8
url:http://xforce.iss.net/xforce/xfdb/29302
Trust: 0.6
url:http://www.apple.com/macosx/
Trust: 0.3
url:/archive/1/447396
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/.html
Trust: 0.1
url:http://tools.cisco.com/security/center/viewalert.x?alertid=11810
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:http://secunia.com/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/product/3191/
Trust: 0.1
url:http://secunia.com/product/6153/
Trust: 0.1
url:http://secunia.com/quality_assurance_analyst/
Trust: 0.1
url:http://secunia.com/product/3192/
Trust: 0.1
url:http://secunia.com/hardcore_disassembler_and_reverse_engineer/
Trust: 0.1
url:http://secunia.com/product/2634/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/web_application_security_specialist/
Trust: 0.1
url:http://secunia.com/about_secunia_advisories/
Trust: 0.1
url:http://secunia.com/product/7024/
Trust: 0.1
url:http://secunia.com/product/5246/
Trust: 0.1
sources:
            
            
            CERT/CC: VU#847468 // 
            
            
            
            CERT/CC: VU#451380 // 
            
            
            
            CERT/CC: VU#168372 // 
            
            
            
            VULHUB: VHN-20507 // 
            
            
            
            VULMON: CVE-2006-4399 // 
            
            
            
            BID: 20271 // 
            
            
            
            JVNDB: JVNDB-2006-000655 // 
            
            
            
            PACKETSTORM: 49912 // 
            
            
            
            CNNVD: CNNVD-200610-013 // 
            
            
            
            NVD: CVE-2006-4399

CREDITS
The vendor credits Adam Bryzak of Queensland University of Technology, Tom Saxton of Idle Loop Software Design, Dino Dai Zovi of Matasano Security, Patrick Gallagher of Digital Peaks Corporation, Ragnar Sundblad of the Royal Institute of Technology, Stockh
Trust: 0.3
sources:
            
            
            BID: 20271

SOURCES
db:CERT/CCid:VU#847468
db:CERT/CCid:VU#451380
db:CERT/CCid:VU#168372
db:VULHUBid:VHN-20507
db:VULMONid:CVE-2006-4399
db:BIDid:20271
db:JVNDBid:JVNDB-2006-000655
db:PACKETSTORMid:49912
db:CNNVDid:CNNVD-200610-013
db:NVDid:CVE-2006-4399

LAST UPDATE DATE
2024-09-19T20:32:39.042000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#847468date:2006-11-21T00:00:00
db:CERT/CCid:VU#451380date:2007-07-11T00:00:00
db:CERT/CCid:VU#168372date:2006-11-14T00:00:00
db:VULHUBid:VHN-20507date:2017-07-20T00:00:00
db:VULMONid:CVE-2006-4399date:2017-07-20T00:00:00
db:BIDid:20271date:2006-10-03T18:30:00
db:JVNDBid:JVNDB-2006-000655date:2007-04-01T00:00:00
db:CNNVDid:CNNVD-200610-013date:2006-10-09T00:00:00
db:NVDid:CVE-2006-4399date:2017-07-20T01:33:04.850

SOURCES RELEASE DATE
db:CERT/CCid:VU#847468date:2006-10-02T00:00:00
db:CERT/CCid:VU#451380date:2006-09-18T00:00:00
db:CERT/CCid:VU#168372date:2006-09-20T00:00:00
db:VULHUBid:VHN-20507date:2006-10-03T00:00:00
db:VULMONid:CVE-2006-4399date:2006-10-03T00:00:00
db:BIDid:20271date:2006-09-29T00:00:00
db:JVNDBid:JVNDB-2006-000655date:2007-04-01T00:00:00
db:PACKETSTORMid:49912date:2006-09-12T22:17:26
db:CNNVDid:CNNVD-200610-013date:2006-10-03T00:00:00
db:NVDid:CVE-2006-4399date:2006-10-03T04:02:00