Vulnerabilities > CVE-2009-2843 - Cryptographic Issues vulnerability in Apple Mac OS X and Mac OS X Server

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
apple
CWE-310
nessus

Summary

Java for Mac OS X 10.5 before Update 6 and 10.6 before Update 1 accepts expired certificates for applets, which makes it easier for remote attackers to execute arbitrary code via an applet.

Vulnerable Configurations

Part Description Count
OS
Apple
2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
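    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker. Note that this pattern describes recovery of a signer's private key, whereas the flaw summarized above is the acceptance of expired certificates; the pattern appears to be a generic association for the CWE-310 category rather than a description of this CVE.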

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_JAVA_10_6_UPDATE1.NASL
    description: The remote Mac OS X host is running a version of Java for Mac OS X 10.6 that is missing Update 1. The remote version of this software contains several security vulnerabilities, including some that may allow untrusted Java applets to obtain elevated privileges and lead to execution of arbitrary code with the privileges of the current user.
    last seen: 2019-10-28
    modified: 2009-12-04
    plugin id: 43003
    published: 2009-12-04
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/43003
    title: Mac OS X : Java for Mac OS X 10.6 Update 1
    code:
    #TRUSTED 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
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Metadata branch: when `description` is set, only the script_* registration
    # calls below run and the branch ends with exit(0), so none of the host
    # checks further down are executed in that mode.
    if (description)
    {
      script_id(43003);
      script_version("1.18");
      script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");
    
      # One plugin covers the whole Java update: CVE-2009-2843 is registered
      # together with 13 other CVEs, so a finding from this plugin does not
      # single out any one of them.
      script_cve_id(
        "CVE-2009-2843",
        "CVE-2009-3728",
        "CVE-2009-3865",
        "CVE-2009-3866",
        "CVE-2009-3867",
        "CVE-2009-3868",
        "CVE-2009-3869",
        "CVE-2009-3871",
        "CVE-2009-3872",
        "CVE-2009-3873",
        "CVE-2009-3874",
        "CVE-2009-3875",
        "CVE-2009-3877",
        "CVE-2009-3884"
      );
      script_bugtraq_id(36881, 37206);
    
      script_name(english:"Mac OS X : Java for Mac OS X 10.6 Update 1");
      script_summary(english:"Checks version of the JavaVM framework");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host has a version of Java that is affected by multiple
    vulnerabilities."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote Mac OS X host is running a version of Java for Mac OS X
    10.6 that is missing Update 1.
    
    The remote version of this software contains several security
    vulnerabilities, including some that may allow untrusted Java applets
    to obtain elevated privileges and lead to execution of arbitrary code
    with the privileges of the current user."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.apple.com/kb/HT3969"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.apple.com/archives/security-announce/2009/Dec/msg00000.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.securityfocus.com/advisories/18434"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Upgrade to Java for Mac OS X 10.6 Update 1 or later."
      );
      # NOTE(review): a single plugin-wide CVSS2 vector (complete C/I/A impact)
      # is set for every CVE listed above; an individual CVE may score lower
      # (the surrounding advisory rates CVE-2009-2843 at 5.0, integrity-partial).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      # Exploit-availability flags are likewise set once for the whole bundle.
      # NOTE(review): the Metasploit module named here is an AWT buffer
      # overflow, which presumably belongs to one of the other CVEs rather than
      # the certificate-validation issue - confirm before using these flags to
      # prioritise CVE-2009-2843 on its own.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Sun Java JRE AWT setDiffICM Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    # Only CWE-310 is registered, although the plugin spans 14 CVEs.
    script_cwe_id(310);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/12/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/04");
    
      # Registered as a "local" plugin in the information-gathering category.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      # ssh_get_info.nasl is declared as a dependency and the package-list KB
      # item as a required key; presumably the former populates the latter
      # over an authenticated session - verify against ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages");
    
      # Stop here in description mode; the checks below are never reached.
      exit(0);
    }
    
    
    include("misc_func.inc");
    include("ssh_func.inc");
    include("macosx_func.inc");
    
    
    
    # Pick the SSH wrapper mode from the support level reported by sshlib:
    # wrappers are enabled only when command support is advertised.
    if (sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
    {
      enable_ssh_wrappers();
    }
    else
    {
      disable_ssh_wrappers();
    }
    
    ##
    # Run a shell command on the scan target and return its output.
    #
    # The command string is handed unchanged to `bash -c` (local scan) or to
    # ssh_cmd() (remote scan); nothing is quoted or escaped here, so callers
    # should only pass strings built from constants.
    #
    # Only the FIRST character of the output is validated (it must be a
    # digit). Everything after it comes from the scanned host and is returned
    # as-is, apart from the chomp() call.
    #
    # @param cmd shell command line to execute
    # @return the command output after chomp(); the script exits with status 1
    #         if the SSH connection cannot be opened or the output does not
    #         start with a digit
    ##
    function exec(cmd)
    {
      local_var opened, output;

      if (!islocalhost())
      {
        # Remote target: one SSH connection per command, closed straight after.
        opened = ssh_open_connection();
        if (!opened) exit(1, "ssh_open_connection() failed.");
        output = ssh_cmd(cmd:cmd);
        ssh_close_connection();
      }
      else
      {
        # Scanning the scanner host itself: run the command through bash.
        output = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
      }

      # Anything that does not look like the start of a version number is
      # treated as a failed read (the raw output is echoed in the exit message).
      if (output !~ "^[0-9]")
        exit(1, "Failed to get the version - '"+output+"'.");

      return chomp(output);
    }
    
    
    # Preconditions: both KB entries must exist, otherwise the check stops with
    # an error status. The package list is only tested for presence here.
    packages = get_kb_item("Host/MacOSX/packages");
    if (!packages)
      exit(1, "The 'Host/MacOSX/packages' KB item is missing.");

    uname = get_kb_item("Host/uname");
    if (!uname)
      exit(1, "The 'Host/uname' KB item is missing.");

    # Mac OS X 10.6 only (Darwin 10.x kernel string in uname).
    if (!egrep(pattern:"Darwin.* 10\.", string:uname))
      exit(0, "The remote Mac is not running Mac OS X 10.6 and thus is not affected.");

    # Read the <string> value on the line after CFBundleVersion in the JavaVM
    # framework's version.plist. The pipeline is assembled from constants only,
    # so no host-supplied data reaches the shell.
    plist = "/System/Library/Frameworks/JavaVM.framework/Versions/A/Resources/version.plist";
    cmd = string(
      "cat ", plist,
      " | grep -A 1 CFBundleVersion | tail -n 1 | ",
      'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\''
    );
    version = exec(cmd:cmd);
    if (!strlen(version))
      exit(1, "Can't get version info from '"+plist+"'.");

    # Convert every dotted component to an integer so the comparison below is
    # numeric rather than textual.
    ver = split(version, sep:'.', keep:FALSE);
    for (idx=0; idx<max_index(ver); idx++)
      ver[idx] = int(ver[idx]);

    # Fixed in version 13.1.0. This is a version check only: the certificate
    # handling itself is never exercised.
    if (!(ver[0] < 13 || (ver[0] == 13 && ver[1] < 1)))
      exit(0, "The remote host is not affected since JavaVM Framework version "+version+" is installed.");

    # Vulnerable: attach the version details unless the verbosity setting is
    # missing or set to 'Quiet'.
    gs_opt = get_kb_item("global_settings/report_verbosity");
    if (!gs_opt || gs_opt == 'Quiet')
      security_hole(0);
    else
    {
      report =
        '\n  Installed version : ' + version +
        '\n  Fixed version     : 13.1.0\n';
      security_hole(port:0, extra:report);
    }
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_JAVA_10_5_UPDATE6.NASL
    description: The remote Mac OS X host is running a version of Java for Mac OS X 10.5 that is missing Update 6. The remote version of this software contains several security vulnerabilities, including some that may allow untrusted Java applets to obtain elevated privileges and lead to execution of arbitrary code with the privileges of the current user.
    last seen: 2019-10-28
    modified: 2009-12-04
    plugin id: 43002
    published: 2009-12-04
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/43002
    title: Mac OS X : Java for Mac OS X 10.5 Update 6
    code:
    #TRUSTED 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
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Metadata branch: when `description` is set, only the script_* registration
    # calls below run and the branch ends with exit(0), so none of the host
    # checks further down are executed in that mode.
    if (description)
    {
      script_id(43002);
      script_version("1.18");
      script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");
    
      # One plugin covers the whole Java update: CVE-2009-2843 is registered
      # together with 13 other CVEs, so a finding from this plugin does not
      # single out any one of them.
      script_cve_id(
        "CVE-2009-2843",
        "CVE-2009-3728",
        "CVE-2009-3865",
        "CVE-2009-3866",
        "CVE-2009-3867",
        "CVE-2009-3868",
        "CVE-2009-3869",
        "CVE-2009-3871",
        "CVE-2009-3872",
        "CVE-2009-3873",
        "CVE-2009-3874",
        "CVE-2009-3875",
        "CVE-2009-3877",
        "CVE-2009-3884"
      );
      script_bugtraq_id(36881, 37206);
    
      script_name(english:"Mac OS X : Java for Mac OS X 10.5 Update 6");
      script_summary(english:"Checks version of the JavaVM framework");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host has a version of Java that is affected by multiple
    vulnerabilities."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote Mac OS X host is running a version of Java for Mac OS X
    10.5 that is missing Update 6.
    
    The remote version of this software contains several security
    vulnerabilities, including some that may allow untrusted Java applets
    to obtain elevated privileges and lead to execution of arbitrary code
    with the privileges of the current user."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.apple.com/kb/HT3970"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.apple.com/archives/security-announce/2009/Dec/msg00001.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.securityfocus.com/advisories/18433"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Upgrade to Java for Mac OS X 10.5 Update 6 or later."
      );
      # NOTE(review): a single plugin-wide CVSS2 vector (complete C/I/A impact)
      # is set for every CVE listed above; an individual CVE may score lower
      # (the surrounding advisory rates CVE-2009-2843 at 5.0, integrity-partial).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      # Exploit-availability flags are likewise set once for the whole bundle.
      # NOTE(review): the Metasploit module named here is an AWT buffer
      # overflow, which presumably belongs to one of the other CVEs rather than
      # the certificate-validation issue - confirm before using these flags to
      # prioritise CVE-2009-2843 on its own.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Sun Java JRE AWT setDiffICM Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    # Only CWE-310 is registered, although the plugin spans 14 CVEs.
    script_cwe_id(310);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/12/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/04");
    
      # Registered as a "local" plugin in the information-gathering category.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      # ssh_get_info.nasl is declared as a dependency and the package-list KB
      # item as a required key; presumably the former populates the latter
      # over an authenticated session - verify against ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages");
    
      # Stop here in description mode; the checks below are never reached.
      exit(0);
    }
    
    
    include("misc_func.inc");
    include("ssh_func.inc");
    include("macosx_func.inc");
    
    
    
    # Pick the SSH wrapper mode from the support level reported by sshlib:
    # wrappers are enabled only when command support is advertised.
    if (sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
    {
      enable_ssh_wrappers();
    }
    else
    {
      disable_ssh_wrappers();
    }
    
    ##
    # Run a shell command on the scan target and return its output.
    #
    # The command string is handed unchanged to `bash -c` (local scan) or to
    # ssh_cmd() (remote scan); nothing is quoted or escaped here, so callers
    # should only pass strings built from constants.
    #
    # Only the FIRST character of the output is validated (it must be a
    # digit). Everything after it comes from the scanned host and is returned
    # as-is, apart from the chomp() call.
    #
    # @param cmd shell command line to execute
    # @return the command output after chomp(); the script exits with status 1
    #         if the SSH connection cannot be opened or the output does not
    #         start with a digit
    ##
    function exec(cmd)
    {
      local_var opened, output;

      if (!islocalhost())
      {
        # Remote target: one SSH connection per command, closed straight after.
        opened = ssh_open_connection();
        if (!opened) exit(1, "ssh_open_connection() failed.");
        output = ssh_cmd(cmd:cmd);
        ssh_close_connection();
      }
      else
      {
        # Scanning the scanner host itself: run the command through bash.
        output = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
      }

      # Anything that does not look like the start of a version number is
      # treated as a failed read (the raw output is echoed in the exit message).
      if (output !~ "^[0-9]")
        exit(1, "Failed to get the version - '"+output+"'.");

      return chomp(output);
    }
    
    
    # Preconditions: both KB entries must exist, otherwise the check stops with
    # an error status. The package list is only tested for presence here.
    packages = get_kb_item("Host/MacOSX/packages");
    if (!packages)
      exit(1, "The 'Host/MacOSX/packages' KB item is missing.");

    uname = get_kb_item("Host/uname");
    if (!uname)
      exit(1, "The 'Host/uname' KB item is missing.");

    # Mac OS X 10.5 only (Darwin 9.x kernel string in uname).
    if (!egrep(pattern:"Darwin.* 9\.", string:uname))
      exit(0, "The remote Mac is not running Mac OS X 10.5 and thus is not affected.");

    # Read the <string> value on the line after CFBundleVersion in the JavaVM
    # framework's version.plist. The pipeline is assembled from constants only,
    # so no host-supplied data reaches the shell.
    plist = "/System/Library/Frameworks/JavaVM.framework/Versions/A/Resources/version.plist";
    cmd = string(
      "cat ", plist,
      " | grep -A 1 CFBundleVersion | tail -n 1 | ",
      'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\''
    );
    version = exec(cmd:cmd);
    if (!strlen(version))
      exit(1, "Can't get version info from '"+plist+"'.");

    # Convert every dotted component to an integer so the comparison below is
    # numeric rather than textual.
    ver = split(version, sep:'.', keep:FALSE);
    for (idx=0; idx<max_index(ver); idx++)
      ver[idx] = int(ver[idx]);

    # Fixed in version 12.5.0. This is a version check only: the certificate
    # handling itself is never exercised.
    if (!(ver[0] < 12 || (ver[0] == 12 && ver[1] < 5)))
      exit(0, "The remote host is not affected since JavaVM Framework version "+version+" is installed.");

    # Vulnerable: attach the version details unless the verbosity setting is
    # missing or set to 'Quiet'.
    gs_opt = get_kb_item("global_settings/report_verbosity");
    if (!gs_opt || gs_opt == 'Quiet')
      security_hole(0);
    else
    {
      report =
        '\n  Installed version : ' + version +
        '\n  Fixed version     : 12.5.0\n';
      security_hole(port:0, extra:report);
    }