Alertus Desktop Notification for OS X sets insecure permissions for configuration and other files
Original Release date: 23 Jun 2016 | Last revised: 23 Jun 2016

Overview
Alertus Desktop Notification for OS X, version 2.9.30.1700 and earlier, sets insecure permissions for configuration and other files, which may enable an unprivileged attacker to disable notifications and modify content locally.

Description

CWE-276: Incorrect Default Permissions – CVE-2016-5087
Alertus Desktop Notification is mass emergency notification software designed to receive and display alerts on PC and Mac client systems. Alertus Desktop Notification for OS X, version 2.9.30.1700 and earlier, sets insecure permissions for configuration and other files by default, which may enable an unprivileged, local attacker to disable notifications and modify content.

Impact

A local, unprivileged attacker may modify or remove configuration or other files to disable notifications or alter content.
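
To check a client for this class of problem, the following Python audit (an added example, not part of the original advisory or of the vendor's software) walks a directory and reports entries that an account other than the owner could modify or remove. The advisory does not list the affected paths, so DEFAULT_ROOT is a hypothetical placeholder; pass the application's actual install or support directory as the first argument.

```python
import os
import stat
import sys

# Hypothetical placeholder: the advisory does not list the affected paths.
DEFAULT_ROOT = "/path/to/application/files"


def classify(mode):
    """Return a finding string for one st_mode value, or None if it looks sane."""
    if stat.S_ISLNK(mode):
        return None  # permission bits on a symlink itself are not meaningful
    is_dir = stat.S_ISDIR(mode)
    if mode & stat.S_IWOTH:
        if not is_dir:
            return "world-writable file: any local user can change its content"
        if mode & stat.S_ISVTX:
            return "world-writable sticky directory: any local user can add files"
        return "world-writable directory: any local user can add, replace or delete entries"
    if mode & stat.S_IWGRP:
        return "group-writable: review who is in the owning group"
    return None


def audit(root):
    """Walk root and return a sorted list of (path, finding) tuples."""
    findings = []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in paths:
        try:
            finding = classify(os.lstat(path).st_mode)
        except OSError as exc:
            finding = "could not stat: %s" % exc.strerror
        if finding:
            findings.append((path, finding))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROOT
    for path, finding in audit(target):
        print("%s\t%s" % (path, finding))
```

A world-writable directory without the sticky bit is reported separately because it lets any user delete or replace a file inside it even when the file's own mode is restrictive, which corresponds to the "remove" case in the impact statement.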

Solution

Vendor Information
Vendor                Status    Date Notified  Date Updated
Alertus Technologies  Affected  10 May 2016    22 Jun 2016
CVSS Metrics
Group          Score  Vector
Base           3.2    AV:L/AC:L/Au:S/C:N/I:P/A:P
Temporal       2.6    E:F/RL:OF/RC:C
Environmental  3.0    CDP:L/TD:M/CR:ND/IR:ND/AR:H

References

Credit
Thanks to Gerrit DeWitt of Georgia State University for reporting this vulnerability.
This document was written by Joel Land.

Other Information
CVE IDs: CVE-2016-5087
Date Public: 23 Jun 2016
Date First Published: 23 Jun 2016
Date Last Updated: 23 Jun 2016
Document Revision: 13
