Apple Fixes Vulnerability In SAN Software

Xsan is a enterprise storage area network (SAN) solution for the Mac OS X and Mac OS X Server operating systems that's commonly used in professional video production, government, and education environments. Xsan's filesystem can link up to 64 machines, share RAID storage volumes, and enable each client to write directly to the centralized file system.

The buffer overflow vulnerability affects the filesystem driver when processing certain unspecified path names, and an attacker would have to have write access to the system in order to exploit the flaw, Symantec said Thursday in a Deepsight Threat Management System bulletin.

Even if they were unable to exploit the vulnerability, an attacker with write access to an Xsan volume could create a denial of service situation affecting all computers connected to the file system, Apple said in a Thursday advisory.

Apple has released Xsan Filesystem version 1.4 to address the issue, which affects all previous versions of the software.

The potential impact of the flaw is limited by the tendency of many companies to install Xsan without connecting it to the Internet, says David Salav, president of Webistix, a Holbrook, N.Y.-based solution provider.

"Most of the customers we work with have installed Xsan in a standalone environment and generally don't connect it to the Internet," said Salav.

Symantec rated the severity of the flaw as 10 on a scale of 10. However, Secunia saw it as less severe, giving it a "less critical" rating, or two on a scale of five.