Vulnerabilities > CVE-2010-1804 - Unspecified vulnerability in Apple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
apple
nessus

Summary

Unspecified vulnerability in the network bridge functionality on the Apple Time Capsule, AirPort Extreme Base Station, and AirPort Express Base Station with firmware before 7.5.2 allows remote attackers to cause a denial of service (networking outage) via a crafted DHCP reply.

Nessus

NASL familyMisc.
NASL idAIRPORT_FIRMWARE_7_5_2.NASL
descriptionAccording to the firmware version collected via SNMP, the remote Apple Time Capsule / AirPort Base Station / AirPort Extreme Base Station is affected by multiple remote vulnerabilities. - An integer overflow exists in the
last seen2020-06-01
modified2020-06-02
plugin id51342
published2010-12-17
reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/51342
titleApple Time Capsule and AirPort Base Station Firmware < 7.5.2 (APPLE-SA-2010-12-16-1)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(51342);
  script_version("1.10");
  script_cvs_date("Date: 2018/11/15 20:50:23");

  script_cve_id(
    "CVE-2008-4309", 
    "CVE-2009-2189", 
    "CVE-2010-0039", 
    "CVE-2009-1574", 
    "CVE-2010-1804"
  );
  script_bugtraq_id(32020, 34765, 45489, 45490, 45491);

  script_name(english:"Apple Time Capsule and AirPort Base Station Firmware < 7.5.2 (APPLE-SA-2010-12-16-1)");
  script_summary(english:"Checks firmware version through SNMP");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote network device is affected by multiple remote
vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"According to the firmware version collected via SNMP, the remote
Apple Time Capsule / AirPort Base Station / AirPort Extreme Base
Station is affected by multiple remote vulnerabilities. 

  - An integer overflow exists in the 
    'netsnmp_create_subtree_cache' function that can be 
    exploited using a specially crafted SNMPv3 packet to
    crash the SNMP server. (CVE-2008-4309)
  
  - A remote attacker may be able to crash the racoon
    daemon by sending specially crafted fragmented ISAKMP
    packets, thereby triggering a NULL pointer dereference.
    (CVE-2009-1574)
  
  - By sending a large number of Router Advertisement (RA) 
    and Neighbor Discovery (ND) packets, an attacker on the
    local network can exhaust the base station's resources, 
    causing it to restart unexpectedly. (CVE-2009-2189)
  
  - An attacker with write access to an FTP server inside 
    the NAT may be able to use a malicious PORT command to
    bypass IP-based restrictions for the service. 
    (CVE-2010-0039)
  
  - If the device has been configured to act as a bridge or
    configured in Network Address Translation (NAT) mode
    with a default host enabled (not the default), an
    attacker may be able to cause the device to stop 
    responding using a specially crafted DHCP reply.
    (CVE-2010-1804)"
  );
  # http://web.archive.org/web/20110408175458/http://support.apple.com/kb/HT3549
  script_set_attribute(
    attribute:"see_also", 
    value:"http://www.nessus.org/u?7875828e"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"https://lists.apple.com/archives/security-announce/2010/Dec/msg00001.html"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the firmware to version 7.5.2 or later.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_cwe_id(20);

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/12/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/17");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("snmp_airport_version.nasl");
  script_require_keys("Host/Airport/Firmware");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

version = get_kb_item_or_exit("Host/Airport/Firmware");
fixed_version = "7.5.2";

if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
{
  if (report_verbosity > 0)
  {
    report = 
      '\n  Installed version : ' + version + 
      '\n  Fixed version     : ' + fixed_version + '\n';
    security_hole(port:0, extra:report);
  }
  else { security_hole(0); }
}
else { exit(0, "The remote host is not affected since the remote firmware version " + version + " is installed."); }