ID

VAR-200610-0022


CVE

CVE-2006-4399


TITLE

Apple Workgroup Manager fails to properly enable ShadowHash passwords

Trust: 0.8

sources: CERT/CC: VU#847468

DESCRIPTION

User interface inconsistency in Workgroup Manager in Apple Mac OS X 10.4 through 10.4.7 appears to allow administrators to change the authentication type from crypt to ShadowHash passwords for accounts in a NetInfo parent, when such an operation is not actually supported, which could result in less secure password management than intended. Apple Workgroup Manager fails to properly enable ShadowHash passwords in a NetInfo parent. Workgroup Manager may appear to use ShadowHash passwords when crypt is used.

Adobe Flash Player fails to properly handle malformed strings. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code.

Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications including CFNetwork, Safari, Kernel, ImageIO, LoginWindow, System Preferences, QuickDraw Manager, and Workgroup Manager. Apple Mac OS X versions prior to 10.4.8 are vulnerable to these issues.

There are loopholes in the implementation of Workgroup Manager. Remote administrators can change the encryption method of secret password authentication in network information, when a real password is not actually enabled.

----------------------------------------------------------------------

TITLE: Adobe Flash Player Multiple Unspecified Vulnerabilities

SECUNIA ADVISORY ID: SA21865

VERIFY ADVISORY: http://secunia.com/advisories/21865/

CRITICAL: Highly critical

IMPACT: Security Bypass, System access

WHERE: From remote

SOFTWARE:
Macromedia Flash 8.x http://secunia.com/product/7024/
Macromedia Flash MX 2004 http://secunia.com/product/3192/
Macromedia Flash MX Professional 2004 http://secunia.com/product/3191/
Macromedia Flash Player 7.x http://secunia.com/product/2634/
Macromedia Flash Player 8.x http://secunia.com/product/6153/
Macromedia Flex 1.x http://secunia.com/product/5246/

DESCRIPTION: Multiple vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions or compromise a user's system.
visiting a malicious website.
2) An unspecified error can be exploited to bypass the "allowScriptAccess" option.
3) Unspecified errors exist in the way the ActiveX control is invoked by Microsoft Office products on Windows.

SOLUTION: Update to version 9.0.16.0 or another fixed version (see the vendor advisory for details).

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Stuart Pearson, Computer Terrorism UK Ltd, for reporting one of the vulnerabilities.
2) Reported by the vendor.
3) Reported by the vendor.

ORIGINAL ADVISORY: Adobe: http://www.adobe.com/support/security/bulletins/apsb06-11.html

OTHER REFERENCES: Microsoft: http://www.microsoft.com/technet/security/advisory/925143.mspx

Trust: 4.32

sources: NVD: CVE-2006-4399 // CERT/CC: VU#847468 // CERT/CC: VU#451380 // CERT/CC: VU#168372 // JVNDB: JVNDB-2006-000655 // BID: 20271 // VULHUB: VHN-20507 // VULMON: CVE-2006-4399 // PACKETSTORM: 49912

AFFECTED PRODUCTS

vendor:apple computermodel: - scope: - version: -

Trust: 2.4

vendor:adobemodel: - scope: - version: -

Trust: 1.6

vendor:microsoftmodel: - scope: - version: -

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.2

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.5

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.6

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.4

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.1

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.7

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.4.3

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:v10.4 to v10.4.7 up to version

Trust: 0.8

vendor:applemodel:mac osscope:eqversion:x10.2.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.3

Trust: 0.3

vendor:applemodel:mac osscope:neversion:x10.4.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.2

Trust: 0.3

vendor:applemodel:mac os serverscope:neversion:x10.4.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.9

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.9

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.0

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.3

Trust: 0.3

vendor:cosmicperlmodel:directory proscope:eqversion:10.0.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.1.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.4.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.2.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.3.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.4.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.3.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.0.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.03

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.2.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.1

Trust: 0.3

sources: CERT/CC: VU#847468 // CERT/CC: VU#451380 // CERT/CC: VU#168372 // BID: 20271 // JVNDB: JVNDB-2006-000655 // CNNVD: CNNVD-200610-013 // NVD: CVE-2006-4399

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-4399
value: LOW

Trust: 1.0

CARNEGIE MELLON: VU#451380
value: 33.41

Trust: 0.8

CARNEGIE MELLON: VU#168372
value: 14.29

Trust: 0.8

NVD: CVE-2006-4399
value: LOW

Trust: 0.8

CNNVD: CNNVD-200610-013
value: LOW

Trust: 0.6

VULHUB: VHN-20507
value: LOW

Trust: 0.1

VULMON: CVE-2006-4399
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2006-4399
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-20507
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#451380 // CERT/CC: VU#168372 // VULHUB: VHN-20507 // VULMON: CVE-2006-4399 // JVNDB: JVNDB-2006-000655 // CNNVD: CNNVD-200610-013 // NVD: CVE-2006-4399

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-4399

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-200610-013

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-200610-013

CONFIGURATIONS

sources: JVNDB: JVNDB-2006-000655

PATCH

title:Mac OS X 10.4.8 Update (Intel)url:http://www.apple.com/support/downloads/macosx1048updateintel.html

Trust: 0.8

title:Mac OS X 10.4.8 Update (PPC)url:http://www.apple.com/support/downloads/macosx1048updateppc.html

Trust: 0.8

title:Mac OS X 10.4.8 and Security Update 2006-006url:http://docs.info.apple.com/article.html?artnum=304460-ja

Trust: 0.8

title:Mac OS X 10.4.8 Update (Intel)url:http://www.apple.com/jp/ftp-info/reference/macosx1048updateintel.html

Trust: 0.8

title:Mac OS X 10.4.8 Update (PPC)url:http://www.apple.com/jp/ftp-info/reference/macosx1048updateppc.html

Trust: 0.8

sources: JVNDB: JVNDB-2006-000655

EXTERNAL IDS

db:SECUNIAid:22187

Trust: 3.4

db:CERT/CCid:VU#847468

Trust: 3.4

db:NVDid:CVE-2006-4399

Trust: 2.9

db:USCERTid:TA06-275A

Trust: 2.9

db:BIDid:20271

Trust: 2.9

db:OSVDBid:29276

Trust: 1.8

db:SECUNIAid:21865

Trust: 1.7

db:SECTRACKid:1016958

Trust: 1.7

db:VUPENid:ADV-2006-3852

Trust: 1.7

db:CERT/CCid:VU#451380

Trust: 0.8

db:CERT/CCid:VU#168372

Trust: 0.8

db:USCERTid:SA06-275A

Trust: 0.8

db:JVNDBid:JVNDB-2006-000655

Trust: 0.8

db:CNNVDid:CNNVD-200610-013

Trust: 0.7

db:XFid:29302

Trust: 0.6

db:CERT/CCid:TA06-275A

Trust: 0.6

db:APPLEid:APPLE-SA-2006-09-29

Trust: 0.6

db:VULHUBid:VHN-20507

Trust: 0.1

db:VUPENid:2006/3852

Trust: 0.1

db:VULMONid:CVE-2006-4399

Trust: 0.1

db:PACKETSTORMid:49912

Trust: 0.1

sources: CERT/CC: VU#847468 // CERT/CC: VU#451380 // CERT/CC: VU#168372 // VULHUB: VHN-20507 // VULMON: CVE-2006-4399 // BID: 20271 // JVNDB: JVNDB-2006-000655 // PACKETSTORM: 49912 // CNNVD: CNNVD-200610-013 // NVD: CVE-2006-4399

REFERENCES

url:http://www.us-cert.gov/cas/techalerts/ta06-275a.html

Trust: 2.9

url:http://www.kb.cert.org/vuls/id/847468

Trust: 2.7

url:http://www.securityfocus.com/bid/20271

Trust: 2.6

url:http://lists.apple.com/archives/security-announce/2006/sep/msg00002.html

Trust: 1.8

url:http://www.osvdb.org/29276

Trust: 1.8

url:http://securitytracker.com/id?1016958

Trust: 1.8

url:http://secunia.com/advisories/22187

Trust: 1.8

url:http://secunia.com/advisories/21865/

Trust: 1.7

url:http://www.adobe.com/support/security/bulletins/apsb06-11.html

Trust: 1.7

url:http://secunia.com/advisories/22187/

Trust: 1.6

url:http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx

Trust: 1.6

url:http://www.frsirt.com/english/advisories/2006/3852

Trust: 1.4

url:http://www.vupen.com/english/advisories/2006/3852

Trust: 1.2

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/29302

Trust: 1.2

url:http://docs.info.apple.com/article.html?artnum=304460

Trust: 1.1

url:http://www.microsoft.com/technet/security/advisory/925143.mspx

Trust: 0.9

url:http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=d9c2fe33

Trust: 0.8

url:http://www.computerterrorism.com/research/ct12-09-2006.htm

Trust: 0.8

url:http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_16494

Trust: 0.8

url:http://www.adobe.com/devnet/security/security_zone/mpsb02-08.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-4399

Trust: 0.8

url:http://jvn.jp/cert/jvnta06-275a/index.html

Trust: 0.8

url:http://jvn.jp/tr/trta06-275a/index.html

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2006-4399

Trust: 0.8

url:http://www.us-cert.gov/cas/alerts/sa06-275a.html

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/29302

Trust: 0.6

url:http://www.apple.com/macosx/

Trust: 0.3

url:/archive/1/447396

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=11810

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/3191/

Trust: 0.1

url:http://secunia.com/product/6153/

Trust: 0.1

url:http://secunia.com/quality_assurance_analyst/

Trust: 0.1

url:http://secunia.com/product/3192/

Trust: 0.1

url:http://secunia.com/hardcore_disassembler_and_reverse_engineer/

Trust: 0.1

url:http://secunia.com/product/2634/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/web_application_security_specialist/

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/product/7024/

Trust: 0.1

url:http://secunia.com/product/5246/

Trust: 0.1

sources: CERT/CC: VU#847468 // CERT/CC: VU#451380 // CERT/CC: VU#168372 // VULHUB: VHN-20507 // VULMON: CVE-2006-4399 // BID: 20271 // JVNDB: JVNDB-2006-000655 // PACKETSTORM: 49912 // CNNVD: CNNVD-200610-013 // NVD: CVE-2006-4399

CREDITS

The vendor credits Adam Bryzak of Queensland University of Technology, Tom Saxton of Idle Loop Software Design, Dino Dai Zovi of Matasano Security, Patrick Gallagher of Digital Peaks Corporation, Ragnar Sundblad of the Royal Institute of Technology, Stockh

Trust: 0.3

sources: BID: 20271

SOURCES

db:CERT/CCid:VU#847468
db:CERT/CCid:VU#451380
db:CERT/CCid:VU#168372
db:VULHUBid:VHN-20507
db:VULMONid:CVE-2006-4399
db:BIDid:20271
db:JVNDBid:JVNDB-2006-000655
db:PACKETSTORMid:49912
db:CNNVDid:CNNVD-200610-013
db:NVDid:CVE-2006-4399

LAST UPDATE DATE

2024-11-23T19:56:13.412000+00:00


SOURCES UPDATE DATE

db:CERT/CCid:VU#847468date:2006-11-21T00:00:00
db:CERT/CCid:VU#451380date:2007-07-11T00:00:00
db:CERT/CCid:VU#168372date:2006-11-14T00:00:00
db:VULHUBid:VHN-20507date:2017-07-20T00:00:00
db:VULMONid:CVE-2006-4399date:2017-07-20T00:00:00
db:BIDid:20271date:2006-10-03T18:30:00
db:JVNDBid:JVNDB-2006-000655date:2007-04-01T00:00:00
db:CNNVDid:CNNVD-200610-013date:2006-10-09T00:00:00
db:NVDid:CVE-2006-4399date:2024-11-21T00:15:51.840

SOURCES RELEASE DATE

db:CERT/CCid:VU#847468date:2006-10-02T00:00:00
db:CERT/CCid:VU#451380date:2006-09-18T00:00:00
db:CERT/CCid:VU#168372date:2006-09-20T00:00:00
db:VULHUBid:VHN-20507date:2006-10-03T00:00:00
db:VULMONid:CVE-2006-4399date:2006-10-03T00:00:00
db:BIDid:20271date:2006-09-29T00:00:00
db:JVNDBid:JVNDB-2006-000655date:2007-04-01T00:00:00
db:PACKETSTORMid:49912date:2006-09-12T22:17:26
db:CNNVDid:CNNVD-200610-013date:2006-10-03T00:00:00
db:NVDid:CVE-2006-4399date:2006-10-03T04:02:00