Apple OS X Memory Consumption And Daemon Outage Vulnerabilities

Summary

The glob implementation in tnftpd (formerly lukemftpd), as used in Apple OS X before 10.11, allows remote attackers to cause a denial of service (memory consumption and daemon outage) via a STAT command containing a crafted pattern, as demonstrated by multiple instances of the {..,..,..}/* substring.

Credit:

Details

Vulnerable Systems:
 * Apple OS X before 10.11

Immune Systems:
 * Apple OS X after 10.11

A remote attacker may be able to deny service to the FTP server. A glob-processing issue existed in tnftpd. This issue was addressed through improved glob validation.

CVE Information:
CVE-2015-5917

Disclosure Timeline:
Original release date: 10/09/2015
Last revised: 10/09/2015

Categories: News