ID

VAR-200906-0082


CVE

CVE-2009-1679


TITLE

Apple iPhone OS Profiles Component Policy Bypass Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2009-001851

DESCRIPTION

The Profiles component in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 through 2.2.1, when installing a configuration profile, can replace the password policy from Exchange ActiveSync with a weaker password policy, which allows physically proximate attackers to bypass the intended policy.

Apple iPhone and iPod touch are prone to multiple vulnerabilities. Successfully exploiting these issues may allow attackers to bypass security restrictions, obtain sensitive information, or cause denial-of-service conditions.

These issues affect the following:
iPhone OS 1.0 through 2.2.1
iPhone OS for iPod touch 1.1 through 2.2.1

This BID is being retired. The following individual records have been created to better document these issues:
35433 Apple iPhone and iPod touch MPEG-4 Video Codec Denial of Service Vulnerability
35434 Apple iPhone and iPod touch Mail Client Information Disclosure Weakness
35436 Apple iPhone and iPod touch Configuration Profile Handling Information Disclosure Vulnerability
35425 Apple iPhone Call Approval Dialog Security Bypass Vulnerability
35445 Apple iPhone and iPod touch ICMP Echo Request Remote Denial of Service Vulnerability
35446 Apple iPhone and iPod touch HTMLSelectElement Denial of Service Vulnerability
35447 Apple iPhone and iPod touch Untrusted Certificate Exception Information Disclosure Vulnerability
35448 Apple iPhone and iPod touch Safari Search History Information Disclosure Vulnerability

Trust: 2.25

sources: NVD: CVE-2009-1679 // JVNDB: JVNDB-2009-001851 // BID: 35414 // BID: 35436 // VULHUB: VHN-39125

AFFECTED PRODUCTS

vendor: apple // model: iphone os // scope: eq // version: 2.0.1

Trust: 1.6

vendor: apple // model: iphone os // scope: eq // version: 1.1.5

Trust: 1.6

vendor: apple // model: iphone os // scope: eq // version: 2.2

Trust: 1.6

vendor: apple // model: iphone os // scope: eq // version: 1.1.3

Trust: 1.6

vendor: apple // model: iphone os // scope: eq // version: 2.0.2

Trust: 1.6

vendor: apple // model: iphone os // scope: eq // version: 2.1

Trust: 1.6

vendor: apple // model: iphone os // scope: eq // version: 2.0

Trust: 1.6

vendor: apple // model: iphone os // scope: eq // version: 2.1.1

Trust: 1.6

vendor: apple // model: iphone os // scope: eq // version: 1.1.4

Trust: 1.6

vendor: apple // model: iphone os // scope: eq // version: 2.0.0

Trust: 1.6

vendor: apple // model: iphone os // scope: eq // version: 1.1.0

Trust: 1.0

vendor: apple // model: iphone os // scope: eq // version: 1.0.0

Trust: 1.0

vendor: apple // model: iphone os // scope: eq // version: 1.1.1

Trust: 1.0

vendor: apple // model: ipod touch // scope: eq // version: *

Trust: 1.0

vendor: apple // model: iphone os // scope: eq // version: 2.2.1

Trust: 1.0

vendor: apple // model: iphone os // scope: eq // version: 1.0.2

Trust: 1.0

vendor: apple // model: iphone os // scope: eq // version: 1.1.2

Trust: 1.0

vendor: apple // model: iphone os // scope: eq // version: *

Trust: 1.0

vendor: apple // model: iphone os // scope: eq // version: 1.0.1

Trust: 1.0

vendor: apple // model: ios // scope: eq // version: 1.0 to 2.2.1

Trust: 0.8

vendor: apple // model: ios for ipod touch // scope: eq // version: 1.1 to 2.2.1

Trust: 0.8

vendor: apple // model: ipod touch // scope: eq // version: 2.2.1

Trust: 0.6

vendor: apple // model: ipod touch // scope: eq // version: 2.0.2

Trust: 0.6

vendor: apple // model: ipod touch // scope: eq // version: 2.0.1

Trust: 0.6

vendor: apple // model: ipod touch // scope: eq // version: 1.1.4

Trust: 0.6

vendor: apple // model: ipod touch // scope: eq // version: 1.1.3

Trust: 0.6

vendor: apple // model: ipod touch // scope: eq // version: 1.1.2

Trust: 0.6

vendor: apple // model: ipod touch // scope: eq // version: 1.1.1

Trust: 0.6

vendor: apple // model: ipod touch // scope: eq // version: 2.2

Trust: 0.6

vendor: apple // model: ipod touch // scope: eq // version: 2.1

Trust: 0.6

vendor: apple // model: ipod touch // scope: eq // version: 2.0

Trust: 0.6

vendor: apple // model: ipod touch // scope: eq // version: 1.1

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 2.2.1

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 2.0.2

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 2.0.1

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 1.1.4

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 1.1.3

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 1.1.2

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 1.1.1

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 1.0.2

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 1.0.1

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 2.2

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 2.1

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 2.0

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 1.1

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 1

Trust: 0.6

vendor: apple // model: iphone // scope: eq // version: 0

Trust: 0.6

vendor: apple // model: ipod touch // scope: ne // version: 3.0

Trust: 0.6

vendor: apple // model: iphone // scope: ne // version: 3.0

Trust: 0.6

vendor: apple // model: ipod touch // scope: eq // version: 0

Trust: 0.3

sources: BID: 35414 // BID: 35436 // JVNDB: JVNDB-2009-001851 // CNNVD: CNNVD-200906-314 // NVD: CVE-2009-1679

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-1679
value: LOW

Trust: 1.0

NVD: CVE-2009-1679
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200906-314
value: LOW

Trust: 0.6

VULHUB: VHN-39125
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2009-1679
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2009-1679
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-39125
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-39125 // JVNDB: JVNDB-2009-001851 // CNNVD: CNNVD-200906-314 // NVD: CVE-2009-1679

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.1

problemtype:CWE-255

Trust: 0.8

sources: VULHUB: VHN-39125 // JVNDB: JVNDB-2009-001851 // NVD: CVE-2009-1679

THREAT TYPE

local

Trust: 0.9

sources: BID: 35436 // CNNVD: CNNVD-200906-314

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-200906-314

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-001851

PATCH

title: HT3639 // url: http://support.apple.com/kb/HT3639

Trust: 0.8

title: HT3639 // url: http://support.apple.com/kb/HT3639?viewlocale=ja_JP

Trust: 0.8

title: Apple iPhone Fixes for permissions and access control issues vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=203141

Trust: 0.6

sources: JVNDB: JVNDB-2009-001851 // CNNVD: CNNVD-200906-314

EXTERNAL IDS

db: BID // id: 35436

Trust: 2.8

db: NVD // id: CVE-2009-1679

Trust: 2.8

db: OSVDB // id: 55239

Trust: 2.5

db: VUPEN // id: ADV-2009-1621

Trust: 2.5

db: BID // id: 35414

Trust: 2.0

db: XF // id: 51212

Trust: 0.8

db: JVNDB // id: JVNDB-2009-001851

Trust: 0.8

db: CNNVD // id: CNNVD-200906-314

Trust: 0.6

db: VULHUB // id: VHN-39125

Trust: 0.1

sources: VULHUB: VHN-39125 // BID: 35414 // BID: 35436 // JVNDB: JVNDB-2009-001851 // CNNVD: CNNVD-200906-314 // NVD: CVE-2009-1679

REFERENCES

url:http://www.securityfocus.com/bid/35436

Trust: 2.5

url:http://osvdb.org/55239

Trust: 2.5

url:http://www.vupen.com/english/advisories/2009/1621

Trust: 2.5

url:http://support.apple.com/kb/ht3639

Trust: 2.0

url:http://lists.apple.com/archives/security-announce/2009/jun/msg00005.html

Trust: 1.7

url:http://www.securityfocus.com/bid/35414

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/51212

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1679

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/51212

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1679

Trust: 0.8

url:http://www.apple.com/iphone/

Trust: 0.6

url:http://www.apple.com/ipodtouch/

Trust: 0.6

sources: VULHUB: VHN-39125 // BID: 35414 // BID: 35436 // JVNDB: JVNDB-2009-001851 // CNNVD: CNNVD-200906-314 // NVD: CVE-2009-1679

CREDITS

Oskar Lissheim-Boethius, Oliver Quas, Christian Schmitz

Trust: 0.6

sources: CNNVD: CNNVD-200906-314

SOURCES

db: VULHUB // id: VHN-39125
db: BID // id: 35414
db: BID // id: 35436
db: JVNDB // id: JVNDB-2009-001851
db: CNNVD // id: CNNVD-200906-314
db: NVD // id: CVE-2009-1679

LAST UPDATE DATE

2024-11-23T20:24:53.740000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-39125 // date: 2017-08-17T00:00:00
db: BID // id: 35414 // date: 2009-06-19T23:09:00
db: BID // id: 35436 // date: 2009-06-19T16:19:00
db: JVNDB // id: JVNDB-2009-001851 // date: 2009-08-06T00:00:00
db: CNNVD // id: CNNVD-200906-314 // date: 2022-08-10T00:00:00
db: NVD // id: CVE-2009-1679 // date: 2024-11-21T01:03:03.857

SOURCES RELEASE DATE

db: VULHUB // id: VHN-39125 // date: 2009-06-19T00:00:00
db: BID // id: 35414 // date: 2009-06-17T00:00:00
db: BID // id: 35436 // date: 2009-06-17T00:00:00
db: JVNDB // id: JVNDB-2009-001851 // date: 2009-08-06T00:00:00
db: CNNVD // id: CNNVD-200906-314 // date: 2009-06-19T00:00:00
db: NVD // id: CVE-2009-1679 // date: 2009-06-19T16:30:00.327