Details of VAR-201609-0252

ID

VAR-201609-0252

CVE

CVE-2016-4754

TITLE

Apple OS X Server of ServerDocs Server Vulnerabilities that can break cryptographic protection mechanisms

Trust: 0.8

sources: JVNDB: JVNDB-2016-004957

DESCRIPTION

ServerDocs Server in Apple OS X Server before 5.2 supports the RC4 cipher, which might allow remote attackers to defeat cryptographic protection mechanisms via unspecified vectors. Apple macOS Server is prone to an security vulnerability. Successful exploits may allow an attacker to bypass certain security restrictions and perform unauthorized actions. Versions prior to Apple macOS Server 5.2 are vulnerable. Apple OS X Server is a set of Unix-based server operating software developed by Apple (Apple). The software enables file sharing, meeting scheduling, website hosting, network remote access, and more. ServerDocs Server is one of the service components. A remote attacker could exploit this vulnerability to crack the password protection mechanism. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2016-09-20-4 macOS Server 5.2 macOS Server 5.2 is now available and addresses the following: apache Available for: macOS 10.12 Sierra Impact: A remote attacker may be able to proxy traffic through an arbitrary server Description: An issue existed in the handling of the HTTP_PROXY environment variable. This issue was addressed by not setting the HTTP_PROXY environment variable from CGI. CVE-2016-4694 : Dominic Scheirlinck and Scott Geary of Vend ServerDocs Server Available for: macOS 10.12 Sierra Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm Description: RC4 was removed as a supported cipher. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJX4YD4AAoJEIOj74w0bLRGbWQP+gOZSLCIIprhLJ6wLJp1Hbb+ gxS09PZJSp32xDnmyMdzcKUFsQ8UfO9iSZBs7Yge8nAjQLxKt/dlopXZPIg4t4GY qSx1wOZ3yj+74LBnhEG/KVeibl8JH9MJEnhWMB9cwMbnQnROc72F418R+Ic8QPXg 4t4tgKWYWR+vS2Gx+FOvIat68siUjsU8G9jvs3wqKbTzuicDEFCDoK9MYQRdcV6Z fluIN4qFb3z0tJihq9WrZlkiARPe5cf8or1aynDpPNSxmMnJV+wv5xnbqx7kPOcE cuqhmy3SUn40jbIFPzuXmnypn1MDS9RxU6T2w/o3EU71h+w5ImLE86MlTEQPVmJJ fapPvjPSqe6iNA7o4sXZ9dfodZtfP9v6fxuoUqfoYRRTIoYECYk2MzhEUfxe64VE f17H0suurHhXuBDF5Q3k6yO5zoijwq7A3sGv9Kgq6lPuBgKWYqJY14t7YVx81Myi yUbAfXqErypxvCgrX2/AO/ItEPK5DlDK555DbWjd01Jnfy2ckae7W6lBulfYgMNG SP6j1KdgM+aH4Av2JxgBxPXoBnUzGZYnEbc4iy/17GzQruAmU0q59wm4XhzC/84W 5m9Ti+tDODPGqJpYFytB11z9X8Jtj9zK0F4T/+QHQO/BJbWLZzbYWrd3jslOIb1W iGD5h8KmNhjoS3LLutKE =HbXq -----END PGP SIGNATURE-----

Trust: 2.16

sources: NVD: CVE-2016-4754 // JVNDB: JVNDB-2016-004957 // BID: 93061 // VULHUB: VHN-93573 // VULMON: CVE-2016-4754 // PACKETSTORM: 138794

AFFECTED PRODUCTS

vendor:	apple	model:	os x server	scope:	lte	version:	5.1	Trust: 1.0
vendor:	apple	model:	macos server	scope:	lt	version:	5.2 (macos sierra 10.12)	Trust: 0.8
vendor:	apple	model:	os x server	scope:	eq	version:	5.1	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x4.1.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x3.2.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x3.2.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x3.1.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x2.2.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x2.2.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x2.2.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x2.2.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x2.1.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x5.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x4.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x4.0	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x3.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x3.0	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x2.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x2.0	Trust: 0.3
vendor:	apple	model:	macos server	scope:	ne	version:	5.2	Trust: 0.3

sources: BID: 93061 // JVNDB: JVNDB-2016-004957 // CNNVD: CNNVD-201609-487 // NVD: CVE-2016-4754

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-4754
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-4754
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201609-487
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-93573
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2016-4754
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-4754
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-93573
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-4754
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-93573 // VULMON: CVE-2016-4754 // JVNDB: JVNDB-2016-004957 // CNNVD: CNNVD-201609-487 // NVD: CVE-2016-4754

PROBLEMTYPE DATA

problemtype:

CWE-310

Trust: 1.9

sources: VULHUB: VHN-93573 // JVNDB: JVNDB-2016-004957 // NVD: CVE-2016-4754

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201609-487

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201609-487

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-004957

PATCH

title:	Apple security updates	url:	https://support.apple.com/en-us/HT201222	Trust: 0.8
title:	APPLE-SA-2016-09-20-4 macOS Server 5.2	url:	http://lists.apple.com/archives/security-announce/2016/Sep/msg00009.html	Trust: 0.8
title:	HT207171	url:	https://support.apple.com/en-us/HT207171	Trust: 0.8
title:	HT207171	url:	https://support.apple.com/ja-jp/HT207171	Trust: 0.8
title:	Apple OS X Server ServerDocs Server Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=64353	Trust: 0.6
title:	Apple: macOS Server 5.2	url:	https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=e43da3314b76935ab942480a3937fdb9	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/apple-squashes-68-security-bugs-with-sierra-release/120738/	Trust: 0.1

sources: VULMON: CVE-2016-4754 // JVNDB: JVNDB-2016-004957 // CNNVD: CNNVD-201609-487

EXTERNAL IDS

db:	NVD	id:	CVE-2016-4754	Trust: 3.0
db:	BID	id:	93061	Trust: 2.1
db:	SECTRACK	id:	1036853	Trust: 1.2
db:	JVN	id:	JVNVU90950877	Trust: 0.8
db:	JVNDB	id:	JVNDB-2016-004957	Trust: 0.8
db:	CNNVD	id:	CNNVD-201609-487	Trust: 0.7
db:	VULHUB	id:	VHN-93573	Trust: 0.1
db:	VULMON	id:	CVE-2016-4754	Trust: 0.1
db:	PACKETSTORM	id:	138794	Trust: 0.1

sources: VULHUB: VHN-93573 // VULMON: CVE-2016-4754 // BID: 93061 // JVNDB: JVNDB-2016-004957 // PACKETSTORM: 138794 // CNNVD: CNNVD-201609-487 // NVD: CVE-2016-4754

REFERENCES

url:	http://www.securityfocus.com/bid/93061	Trust: 1.9
url:	http://lists.apple.com/archives/security-announce/2016/sep/msg00009.html	Trust: 1.8
url:	https://support.apple.com/ht207171	Trust: 1.8
url:	http://www.securitytracker.com/id/1036853	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4754	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu90950877/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-4754	Trust: 0.8
url:	https://www.apple.com/	Trust: 0.3
url:	https://support.apple.com/en-us/ht201222	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/310.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://support.apple.com/kb/ht207171	Trust: 0.1
url:	https://threatpost.com/apple-squashes-68-security-bugs-with-sierra-release/120738/	Trust: 0.1
url:	https://support.apple.com/kb/ht201222	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-4754	Trust: 0.1
url:	https://www.apple.com/support/security/pgp/	Trust: 0.1
url:	https://gpgtools.org	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-4694	Trust: 0.1

sources: VULHUB: VHN-93573 // VULMON: CVE-2016-4754 // BID: 93061 // JVNDB: JVNDB-2016-004957 // PACKETSTORM: 138794 // CNNVD: CNNVD-201609-487 // NVD: CVE-2016-4754

CREDITS

Pepi Zawodsky.

Trust: 0.9

sources: BID: 93061 // CNNVD: CNNVD-201609-487

SOURCES

db:	VULHUB	id:	VHN-93573
db:	VULMON	id:	CVE-2016-4754
db:	BID	id:	93061
db:	JVNDB	id:	JVNDB-2016-004957
db:	PACKETSTORM	id:	138794
db:	CNNVD	id:	CNNVD-201609-487
db:	NVD	id:	CVE-2016-4754

LAST UPDATE DATE

2024-11-23T20:39:30.955000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-93573	date:	2017-07-30T00:00:00
db:	VULMON	id:	CVE-2016-4754	date:	2017-07-30T00:00:00
db:	BID	id:	93061	date:	2016-09-20T00:00:00
db:	JVNDB	id:	JVNDB-2016-004957	date:	2016-09-30T00:00:00
db:	CNNVD	id:	CNNVD-201609-487	date:	2016-09-26T00:00:00
db:	NVD	id:	CVE-2016-4754	date:	2024-11-21T02:52:54.070

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-93573	date:	2016-09-25T00:00:00
db:	VULMON	id:	CVE-2016-4754	date:	2016-09-25T00:00:00
db:	BID	id:	93061	date:	2016-09-20T00:00:00
db:	JVNDB	id:	JVNDB-2016-004957	date:	2016-09-30T00:00:00
db:	PACKETSTORM	id:	138794	date:	2016-09-20T15:04:44
db:	CNNVD	id:	CNNVD-201609-487	date:	2016-09-26T00:00:00
db:	NVD	id:	CVE-2016-4754	date:	2016-09-25T10:59:51.003