PROBLEM:
Apple Remote Desktop Encryption Failure Lets Remote Users Obtain Potentially Sensitive Information
PLATFORM:
Apple Remote Desktop after 3.5.1 and prior to 3.6.1
ABSTRACT:
A remote user can monitor potentially sensitive information.
REFERENCE LINKS:
Apple.com
Apple Article: HT5433
SecurityTracker Alert ID: 1027420
CVE-2012-0681
IMPACT ASSESSMENT:
Medium
Discussion:
A vulnerability was reported in Apple Remote Desktop. When a user connects to a third-party VNC server with the 'Encrypt all network data' setting enabled, network data is not encrypted. A remote user monitoring the network can obtain ostensibly encrypted data.
Impact:
A remote user with the ability to monitor network connections can obtain potentially sensitive information.
Solution:
The vendor has issued a fix (3.6.1), available from Apple Support Downloads.
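
An added example, not part of the original bulletin or any vendor code: because the flaw is a setting that reports encryption while the wire carries none, this check classifies the first server-to-client bytes of a captured TCP stream instead of trusting the setting. It assumes "encrypted" means the VNC session is wrapped in SSH or TLS; the function names and sample sessions are constructed for illustration.

```python
import re

# RFB, the protocol VNC speaks, opens with a 12-byte ProtocolVersion
# message from the server such as b"RFB 003.008\n" (RFC 6143, 7.1.1).
RFB_BANNER = re.compile(rb"^RFB \d{3}\.\d{3}\n")


def classify_stream(first_bytes: bytes) -> str:
    """Classify the first server-to-client bytes of a TCP stream.

    Returns "cleartext-rfb", "ssh", "tls" or "unknown".
    """
    if RFB_BANNER.match(first_bytes):
        return "cleartext-rfb"
    # An SSH server identifies itself with an "SSH-" version string.
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"


def audit(sessions, expect_encrypted=True):
    """Return sessions whose wire format contradicts the encryption setting.

    A bare RFB banner means the session is not inside a tunnel; treat it
    as a finding to investigate when encryption was expected.
    """
    if not expect_encrypted:
        return []
    return [(name, kind)
            for name, kind in ((n, classify_stream(b)) for n, b in sessions)
            if kind == "cleartext-rfb"]


# Constructed sample data: (session label, first server-to-client bytes).
SAMPLE_SESSIONS = [
    ("192.0.2.10:5900", b"RFB 003.008\n\x01\x02"),
    ("192.0.2.11:22", b"SSH-2.0-ExampleServer\r\n"),
    ("192.0.2.12:5900", b"\x16\x03\x03\x00\x31\x02\x00\x00\x2d"),
]

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_SESSIONS):
        print(f"{name}: {kind} while encryption was expected")
```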