Vulnerabilities > CVE-2013-5229 - 7PK - Security Features vulnerability in Apple Remote Desktop and Mac OS X

047910
CVSS 3.7 - LOW
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
local
high complexity
apple
CWE-254
nessus

Summary

The Remote Desktop full-screen feature in Apple OS X before 10.9 and Apple Remote Desktop before 3.7 sends dialog-box text to a connected remote host upon being woken from sleep, which allows physically proximate attackers to bypass intended access restrictions by entering a command in this box.

Vulnerable Configurations

Part Description Count
OS
Apple
80
Application
Apple
22

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_REMOTE_DESKTOP_3_7.NASL
    descriptionAccording to its version, the Apple Remote Desktop install on the remote host is earlier than 3.5.4 / 3.7. As such, it is potentially affected by the following vulnerabilities : - A format string vulnerability exists in Remote Desktop
    last seen2020-06-01
    modified2020-06-02
    plugin id70609
    published2013-10-25
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/70609
    titleApple Remote Desktop < 3.5.4 / 3.7 Multiple Vulnerabilities (Mac OS X)
    code
    #TRUSTED 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
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
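    # Registration branch: when the scanner loads the plugin with `description`
    # set, this block only records the plugin's metadata (ids, cross-references,
    # report text, scoring, dependencies) and then exits. The actual host check
    # is the code after this block.
    if (description)
    {
      script_id(70609);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/27");
    
      # One plugin covers three CVEs; a single finding does not say which of
      # them applies to the installed version (see the 3.5.x note in the
      # description text below).
      script_cve_id("CVE-2013-5135", "CVE-2013-5136", "CVE-2013-5229");
      script_bugtraq_id(63284, 63286);
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2013-10-22-6");
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2013-10-22-7");
    
      script_name(english:"Apple Remote Desktop < 3.5.4 / 3.7 Multiple Vulnerabilities (Mac OS X)");
      script_summary(english:"Reads version from Info.plist");
    
      script_set_attribute(attribute:"synopsis", value:
    "The Mac OS X host has a remote management application that is
    potentially affected by multiple vulnerabilities.");
      # Report text shown to the operator. Two wording defects are fixed here:
      # "affected the following" -> "affected by the following", and the CVE
      # reference "CVE_2013-5136" -> "CVE-2013-5136" so it matches the id
      # registered in script_cve_id() and can be searched for.
      # NOTE(review): the CVE-2013-5136 bullet says "without warning that the
      # connection would be encrypted"; the warning at issue is presumably about
      # an *unencrypted* connection. Left as written - confirm against the Apple
      # advisories listed in see_also before changing it.
      script_set_attribute(attribute:"description", value:
    "According to its version, the Apple Remote Desktop install on the
    remote host is earlier than 3.5.4 / 3.7.  As such, it is potentially
    affected by the following vulnerabilities :
    
      - A format string vulnerability exists in Remote 
        Desktop's handling of a VNC username. (CVE-2013-5135)
    
      - An information disclosure vulnerability exists because
        Remote Desktop may use password authentication without
        warning that the connection would be encrypted if a
        third-party VNC server supports certain authentication
        types. Note that this does not affect installs of
        version 3.5.x or earlier. (CVE-2013-5136)
    
      - An authentication bypass vulnerability exists due to a
        flaw in the full-screen feature that is triggered when
        handling text entered in the dialog box upon recovering 
        from sleep mode with a remote connection alive. A local
        attacker can exploit this to bypass intended access
        restrictions. (CVE-2013-5229)");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5997");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5998");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/Oct/msg00007.html");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/Oct/msg00008.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apple Remote Desktop 3.5.4 / 3.7 or later.");
      # The base vector is taken from CVE-2013-5135 (see cvss_score_source): a
      # network-reachable, low-complexity issue. It does not describe
      # CVE-2013-5229, which the text above attributes to a local attacker, so
      # triage each CVE on its own rating rather than on the plugin severity.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-5135");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/10/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/25");
    
      # "local": the check reads data on the host itself, so it needs the
      # credentialed-scan KB keys required further down.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:apple_remote_desktop");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Runs after ssh_get_info.nasl and only when both KB keys are present,
      # i.e. local checks are enabled and a Mac OS X version was recorded.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version");
    
      exit(0);
    }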
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("ssh_func.inc");
    include("macosx_func.inc");
    
    
    
    # Host check: read the AppleVNCServer bundle version over the local-check
    # channel and flag the host when that version falls in a known-affected
    # range. This is a version comparison only; nothing below looks at whether
    # Remote Management / screen sharing is enabled or how it is configured, so
    # a finding means "potentially affected", as the report text says.

    # Pick the SSH command wrappers according to what the SSH library reports
    # it supports.
    if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
      enable_ssh_wrappers();
    else disable_ssh_wrappers();
    
    # Bail out with an audit message unless local checks are enabled and the
    # host was identified as Mac OS X.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/MacOSX/Version"))audit(AUDIT_HOST_NOT, "running Mac OS X");
    
    # The command is built only from constants: a fixed plist path, wrapped in
    # single quotes for the shell. No value obtained from the target is
    # concatenated into it. The pipeline converts the plist to XML, takes the
    # line after CFBundleShortVersionString and strips the <string> tags.
    plist = '/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Info.plist';
    cmd =  'plutil -convert xml1 -o - \'' + plist + '\' | ' +
      'grep -A 1 CFBundleShortVersionString | ' +
      'tail -n 1 | ' +
      'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
    version = exec_cmd(cmd:cmd);
    # Empty output is treated as "not installed"; a missing file and a failed
    # command are not distinguished here.
    if (!strlen(version)) audit(AUDIT_NOT_INST, "Apple Remote Desktop Client");
    
    # Sanity check on the command output before it is matched and echoed into
    # the report: it must at least start with a digit.
    if (version !~ "^[0-9]") exit(1, "The version does not look valid (" + version + ").");
    
    
    # Affected ranges, as encoded by the three patterns:
    #   3.0 - 3.4 (any sub-version), 3.5.0 - 3.5.3, and 3.6 / 3.6.N (one digit).
    # NOTE(review): a bare "3.5" (no third component), any version with a major
    # number below 3, and a two-digit 3.6.NN patch level match none of the
    # patterns and are audited as not vulnerable - confirm this is intended.
    if (
      ereg(pattern:"^3\.[0-4]($|[^0-9])", string:version) ||
      ereg(pattern:"^3\.5\.[0-3]($|[^0-9])", string:version) ||
      ereg(pattern:"^3\.6(\.[0-9])?($|[^0-9.])", string:version)
    )
    {
      # Report on port 0 (host-level finding); the installed/fixed version
      # detail is attached only when report verbosity is above 0.
      if (report_verbosity > 0)
      {
        report = 
          '\n  Installed version : ' + version + 
          '\n  Fixed version     : 3.5.4 / 3.7' +
          '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "Apple Remote Desktop Client", version);
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_9.NASL
    descriptionThe remote host is running a version of Mac OS X 10.x that is prior to version 10.9. The newer version contains multiple security-related fixes for the following components : - Application Firewall - App Sandbox - Bluetooth - CFNetwork - CFNetwork SSL - Console - CoreGraphics - curl - dyld - IOKitUser - IOSerialFamily - Kernel - Kext Management - LaunchServices - Libc - Mail Accounts - Mail Header Display - Mail Networking - OpenLDAP - perl - Power Management - python - ruby - Security - Security - Authorization - Security - Smart Card Services - Screen Lock - Screen Sharing Server - syslog - USB
    last seen2020-06-01
    modified2020-06-02
    plugin id70561
    published2013-10-23
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/70561
    titleMac OS X 10.x < 10.9 Multiple Vulnerabilities (BEAST)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when the scanner loads the plugin with `description`
    # set, this block only records the plugin's metadata and then exits. The
    # actual OS version check is the code after this block.
    if (description)
    {
      script_id(70561);
      script_version("1.11");
      script_cvs_date("Date: 2018/07/14  1:59:36");
    
      # Roll-up of every CVE addressed by the 10.9 update. A finding from this
      # plugin means "OS version is older than 10.9"; it does not show that any
      # particular CVE in the list (CVE-2013-5229 included) is reachable on the
      # host.
      script_cve_id(
        "CVE-2011-2391",
        "CVE-2011-3389",
        "CVE-2011-3427",
        "CVE-2011-4944",
        "CVE-2012-0845",
        "CVE-2012-0876",
        "CVE-2012-1150",
        "CVE-2013-0249",
        "CVE-2013-1667",
        "CVE-2013-1944",
        "CVE-2013-3950",
        "CVE-2013-3954",
        "CVE-2013-4073",
        "CVE-2013-5135",
        "CVE-2013-5138",
        "CVE-2013-5139",
        "CVE-2013-5141",
        "CVE-2013-5142",
        "CVE-2013-5145",
        "CVE-2013-5165",
        "CVE-2013-5166",
        "CVE-2013-5167",
        "CVE-2013-5168",
        "CVE-2013-5169",
        "CVE-2013-5170",
        "CVE-2013-5171",
        "CVE-2013-5172",
        "CVE-2013-5173",
        "CVE-2013-5174",
        "CVE-2013-5175",
        "CVE-2013-5176",
        "CVE-2013-5177",
        "CVE-2013-5178",
        "CVE-2013-5179",
        "CVE-2013-5180",
        "CVE-2013-5181",
        "CVE-2013-5182",
        "CVE-2013-5183",
        "CVE-2013-5184",
        "CVE-2013-5185",
        "CVE-2013-5186",
        "CVE-2013-5187",
        "CVE-2013-5188",
        "CVE-2013-5189",
        "CVE-2013-5190",
        "CVE-2013-5191",
        "CVE-2013-5192",
        "CVE-2013-5229"
      );
      script_bugtraq_id(
        49778,
        51239,
        51996,
        52379,
        52732,
        57842,
        58311,
        59058,
        60437,
        60444,
        60843,
        62520,
        62522,
        62523,
        62529,
        62531,
        62536,
        63284,
        63290,
        63311,
        63312,
        63313,
        63314,
        63316,
        63317,
        63319,
        63320,
        63321,
        63322,
        63329,
        63330,
        63331,
        63332,
        63335,
        63336,
        63339,
        63343,
        63344,
        63345,
        63346,
        63347,
        63348,
        63349,
        63350,
        63351,
        63352,
        63353
      );
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2013-10-22-3");
      script_xref(name:"CERT", value:"864643");
    
      script_name(english:"Mac OS X 10.x < 10.9 Multiple Vulnerabilities (BEAST)");
      script_summary(english:"Check the version of Mac OS X.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host is missing a Mac OS X update that fixes multiple
    security vulnerabilities."
      );
      # The report text lists affected components only, not per-CVE detail.
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host is running a version of Mac OS X 10.x that is prior
    to version 10.9. The newer version contains multiple security-related
    fixes for the following components :
    
      - Application Firewall
      - App Sandbox
      - Bluetooth
      - CFNetwork
      - CFNetwork SSL
      - Console
      - CoreGraphics
      - curl
      - dyld
      - IOKitUser
      - IOSerialFamily
      - Kernel
      - Kext Management
      - LaunchServices
      - Libc
      - Mail Accounts
      - Mail Header Display
      - Mail Networking
      - OpenLDAP
      - perl
      - Power Management
      - python
      - ruby
      - Security
      - Security - Authorization
      - Security - Smart Card Services
      - Screen Lock
      - Screen Sharing Server
      - syslog
      - USB"
      );
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT6011");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html");
      script_set_attribute(attribute:"see_also", value:"https://www.imperialviolet.org/2011/09/23/chromeandbeast.html");
      script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/~bodo/tls-cbc.txt");
      script_set_attribute(attribute:"solution", value:"Upgrade to Mac OS X 10.9 or later.");
      # One score for the whole update; no cvss_score_source is set, so the
      # plugin does not say which CVE the vector belongs to.
      # NOTE(review): presumably the highest-rated CVE in the list. Individual
      # entries can rate far lower, so prioritise per CVE, not by this vector.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      # Likewise plugin-wide: "exploits are available" is asserted for the
      # bundle as a whole, not for each listed CVE.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/10/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/23");
    
      # NOTE(review): "combined" presumably reflects that the check below can
      # use either the locally collected version or the remote OS fingerprint -
      # confirm against the plugin_type definitions.
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
      # NOTE(review): the arguments are KB item names, not port numbers;
      # presumably this is used so the plugin runs when *either* key is present
      # (the check below accepts either source) - confirm against the NASL
      # reference.
      script_require_ports("Host/MacOSX/Version", "Host/OS");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Host check: obtain a Mac OS X version string and flag the host when it is
    # older than 10.9. This is a version comparison only; none of the listed
    # components is probed individually.

    # Preferred source: the version recorded under Host/MacOSX/Version.
    os = get_kb_item("Host/MacOSX/Version");
    if (!os)
    {
      # Fallback: the OS fingerprint. Exits if the key is missing, audits out
      # if the fingerprint does not contain "Mac OS X" (`>!<` is NASL's
      # "is not a substring of" operator).
      os = get_kb_item_or_exit("Host/OS");
      if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "Mac OS X");
    
      # A fingerprint-derived version is only trusted above confidence 70, to
      # limit false positives from a guessed OS.
      c = get_kb_item("Host/OS/Confidence");
      if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
    }
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    # Pull the dotted 10.x version out of the string.
    match = eregmatch(pattern:"Mac OS X (10\.[0-9.]+)", string:os);
    if (!isnull(match))
    {
      version = match[1];
      fixed_version = "10.9";
    
      # ver_compare() == -1 is used here as "installed version is lower than
      # the fixed version".
      if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
      {
        # Report on port 0 (host-level finding); version detail is attached
        # only when report verbosity is above 0.
        if (report_verbosity > 0)
        {
          report = '\n  Installed version : ' + version +
                   '\n  Fixed version     : ' + fixed_version +
                   '\n';
          security_hole(port:0, extra:report);
        }
        else security_hole(0);
        exit(0);
      }
    }
    
    # NOTE(review): this line is reached both when the version is 10.9 or later
    # and when the pattern above did not match at all, so a string the regex
    # cannot parse is reported as "not affected" rather than as undetermined.
    exit(0, "The host is not affected as it is running "+os+".");