CERT Coordination Center

Apple Mac OS X may allow network accounts to bypass service access controls

Vulnerability Note VU#897628

Original Release Date: 2006-10-02 | Last Revised: 2006-10-02

Overview

Apple Mac OS X may allow network accounts to bypass service access controls. This vulnerability may allow remote users with a valid network account to bypass LoginWindow service access controls.

Description

Remote access to a system can be restricted by service access controls via LoginWindow. According to Apple Security Update 2006-006:

A logic error in loginwindow allows network accounts without GUIDs to bypass service access controls.
Only systems that have been configured to allow network accounts to authenticate without a Globally Unique Identifier (GUID), and that also use service access controls for LoginWindow, are affected by this vulnerability.

Impact

This vulnerability may allow remote users with a valid network account to bypass LoginWindow service access controls.

Solution

Upgrade
Apple has addressed this issue in Apple Security Update 2006-006.

Acknowledgements

This issue was reported in Apple Security Update 2006-006.

This document was written by Chris Taschner.

Other Information

CVE IDs: CVE-2006-4394
Severity Metric: 2.76
Date Public: 2006-09-29
Date First Published: 2006-10-02
Date Last Updated: 2006-10-02 20:04 UTC
Document Revision: 15

Sponsored by CISA.