Vulnerabilities > CVE-2009-2201 - Cryptographic Issues vulnerability in Apple Xsan 1.0/1.2/1.3
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The screensharing feature in the Admin application in Apple Xsan before 2.2 places a cleartext username and password in a URL within an error dialog, which allows physically proximate attackers to obtain credentials by reading this dialog.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 36385 CVE(CAN) ID: CVE-2009-2201 Xsan是一个企业级的存储网络解决方案,Xsan Admin是用于简化SAN管理的应用。 通过Xsan Admin进行屏幕共享可能会提供包含有用户名和口令的出错对话框,能够查看用户显示的攻击者可以读取明文的用户凭据。 Apple Xsan 2.1.1 厂商补丁: Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.apple.com/support/downloads/ |
| id | SSV:12316 |
| last seen | 2017-11-19 |
| modified | 2009-09-16 |
| published | 2009-09-16 |
| reporter | Root |
| title | Apple Xsan Admin出错消息信息泄露漏洞 |
References
- http://lists.apple.com/archives/security-announce/2009/Sep/msg00005.html
- http://osvdb.org/58133
- http://secunia.com/advisories/36673
- http://support.apple.com/kb/HT3797
- http://www.securityfocus.com/bid/36385
- http://www.securitytracker.com/id?1022904
- http://www.vupen.com/english/advisories/2009/2644
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53232