Executive Summary

Summary
Title: Alertus Desktop Notification for OS X sets insecure permissions for configuration and other files
Information
Name: VU#302544
First vendor publication: 2016-06-23
Vendor: VU-CERT
Last vendor modification: 2016-06-23
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:N/I:P/A:P)
CVSS base score: 3.6
CVSS impact score: 4.9
CVSS exploit score: 3.9
Attack range: Local
Attack complexity: Low
Authentication: None Required

Detail

Vulnerability Note VU#302544

Alertus Desktop Notification for OS X sets insecure permissions for configuration and other files

Original Release date: 23 Jun 2016 | Last revised: 23 Jun 2016

Overview

Alertus Desktop Notification for OS X, version 2.9.30.1700 and earlier, sets insecure permissions for configuration and other files, which may enable an unprivileged attacker to disable notifications and modify content locally.

Description

CWE-276: Incorrect Default Permissions - CVE-2016-5087

Alertus Desktop Notification is mass emergency notification software designed to receive and display alerts on PC and Mac client systems. Alertus Desktop Notification for OS X, version 2.9.30.1700 and earlier, sets insecure permissions for configuration and other files by default, which may enable an unprivileged, local attacker to disable notifications and modify content.

Impact

A local, unprivileged attacker may modify or remove configuration or other files to disable notifications or alter content.
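
To check an installation for the condition described above, the following added example (not part of the vulnerability note and not the vendor's patch script) lists files that a non-owner can modify and directories in which a non-owner can remove or replace entries. The function name, the script name and the path passed in are assumptions; the note does not list the affected paths.

```shell
#!/bin/sh
# Added example: audit an install tree for the permission problems described
# in the note. The path is supplied by the caller (assumption: the note does
# not name the affected files).

# audit_tree ROOT
#   Prints one tab-separated finding per line:
#     modify <file>  group- or world-writable regular file; a non-owner can
#                    change its content.
#     remove <dir>   group- or world-writable directory without the sticky
#                    bit; a non-owner can delete or replace entries in it,
#                    whatever the modes of the files inside.
audit_tree() {
    root=$1
    find "$root" -type f \( -perm -0020 -o -perm -0002 \) \
        -exec printf 'modify\t%s\n' {} +
    find "$root" -type d \( -perm -0020 -o -perm -0002 \) ! -perm -1000 \
        -exec printf 'remove\t%s\n' {} +
}

# Run as: sh audit.sh /path/to/install/dir   (audit.sh is a hypothetical name)
[ "$#" -eq 0 ] || audit_tree "$1"
```

Group-writable findings matter when the owning group includes unprivileged accounts. The check reads POSIX mode bits only; ACL entries on OS X are not examined.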

Solution

Apply an update

The vendor has released version 2.9.31.1710 to address this issue. Users are encouraged to update to the latest version.

For users who may be unable or unwilling to upgrade, the vendor has provided the following guidance:

    We are providing a script that fixes the permissions if an upgrade cannot be performed. Refer to the URL below for script and more information:

    https://helpdesk.alertus.com/solution/articles/3000054559-osx-permissions-patch-script-for-alertus-desktop-osx-2-9-30-1700

Vendor Information

Vendor | Status | Date Notified | Date Updated
Alertus Technologies | Affected | 10 May 2016 | 22 Jun 2016

CVSS Metrics

Group | Score | Vector
Base | 3.2 | AV:L/AC:L/Au:S/C:N/I:P/A:P
Temporal | 2.6 | E:F/RL:OF/RC:C
Environmental | 3.0 | CDP:L/TD:M/CR:ND/IR:ND/AR:H

References

  • http://alertus.com/capabilities/desktop
  • https://helpdesk.alertus.com/solution/articles/3000054559-osx-permissions-patch-script-for-alertus-desktop-osx-2-9-30-1700

Credit

Thanks to Gerrit DeWitt of Georgia State University for reporting this vulnerability.

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2016-5087
  • Date Public: 23 Jun 2016
  • Date First Published: 23 Jun 2016
  • Date Last Updated: 23 Jun 2016
  • Document Revision: 13


Original Source

Url : http://www.kb.cert.org/vuls/id/302544

CWE : Common Weakness Enumeration

% | Id | Name
100 % | CWE-264 | Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 1

Alert History

Date | Information
2016-06-29 01:31:21 | Multiple Updates
2016-06-26 09:35:44 | Multiple Updates
2016-06-23 17:24:33 | First insertion