Apple OS X authentication issue when recovering from sleep mode


Apple OS X contains an issue with authentication when recovering from sleep mode. This issue exists due to a flaw in the the processing of the text entered in the dialog box upon recovering from sleep mode.

Masaki Katayama of Cyber Risks Laboratory Naviplus CO,Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 3.7 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Apple Inc.
  • Apple Remote Desktop versions prior to 3.7
  • Apple Mac OS X Mavericks versions prior to 10.9


When Apple Remote Desktop is used in full screen mode and the remote connection is alive upon entering sleep mode, the text entered in the dialog box upon recovering from sleep mode is sent to the remotely connected host instead of the local host.
This may result in command execution at the remote host.

[Update Apple OS X and Apple Remote Desktop]
The developer has provided fixes for this issue in both Apple OS X and Apple Remote Desktop. Update both OS X and Apple Remote Desktop to the latest versions.
Vendor Information

Apple Inc.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2013-5229

  1. JVN : JVN#56210048
  2. National Vulnerability Database (NVD) : CVE-2013-5229
Revision History

  • [2015/11/13]
      Web page was published
      References : Content was added
      Vendor Information : Content was added