Allele Security Alert
ASA-2019-00527
Identifier(s)
ASA-2019-00527, CVE-2019-13013, CVE-2019-13014
Title
Privilege escalation vulnerability due to an exposed XPC interface
Vendor(s)
Objective Development Software GmbH
Product(s)
Little Snitch
Affected version(s)
Little Snitch versions 4.3 to 4.3.2
Fixed version(s)
Little Snitch version 4.4
Proof of concept
Unknown
Description
In an internal audit, Objective Development found a privilege escalation vulnerability in the privileged helper tool of Little Snitch. The privileged helper exposes an XPC interface on a globally reachable communication endpoint without any additional authorization check on connecting clients. The XPC API is therefore available to any local process and allows directories to be listed and files to be copied with root privileges.
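The following is an added illustration, not Little Snitch's code and not a description of the fix in version 4.4: a minimal privileged-helper listener whose NSXPCListener delegate performs the per-client authorization check that the description above says was missing. The protocol, class names, Mach service name, bundle identifier and team identifier are placeholders; the check itself uses Apple's setCodeSigningRequirement: API, which requires macOS 13 or later.

```objc
#import <Foundation/Foundation.h>

// Assumed XPC protocol for the helper; the real interface is not on the page.
@protocol HelperProtocol
- (void)listDirectory:(NSString *)path
            withReply:(void (^)(NSArray<NSString *> *entries, NSError *error))reply;
@end

// The exported object: does the privileged work once a connection was accepted.
@interface HelperService : NSObject <HelperProtocol>
@end

@implementation HelperService
- (void)listDirectory:(NSString *)path
            withReply:(void (^)(NSArray<NSString *> *, NSError *))reply {
    NSError *error = nil;
    NSArray<NSString *> *entries =
        [[NSFileManager defaultManager] contentsOfDirectoryAtPath:path error:&error];
    reply(entries, error);
}
@end

@interface HelperListenerDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation HelperListenerDelegate

// Invoked for every process that connects to the Mach service. This is the
// place for the per-client authorization check the advisory describes as missing:
// without it, any local process can call the helper's root-privileged methods.
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    // Code-signing requirement the peer must satisfy. Bundle identifier and
    // team identifier are placeholders; use the values of the real client app.
    NSString *requirement =
        @"anchor apple generic and identifier \"com.example.client\" "
        @"and certificate leaf[subject.OU] = \"TEAMID0000\"";

    if (@available(macOS 13.0, *)) {
        // Must be set before -resume. The connection is invalidated if the peer
        // does not satisfy the requirement, and it is re-checked per message.
        [newConnection setCodeSigningRequirement:requirement];
    } else {
        // No public API exposes the peer's audit token on older systems, and a
        // check based on newConnection.processIdentifier is racy (PID reuse).
        // Fail closed rather than accept an unverified client.
        return NO;
    }

    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    newConnection.exportedObject = [[HelperService alloc] init];
    [newConnection resume];
    return YES;
}
@end

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Mach service name is a placeholder; it must match the LaunchDaemon plist.
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
        HelperListenerDelegate *delegate = [[HelperListenerDelegate alloc] init];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

Two points to keep in mind when reviewing a helper of this kind: a check that only compares the peer's process identifier or executable path is not a substitute for a code-signing requirement, because the PID can be reused and the path can be spoofed; and the requirement string should pin the signing identity (anchor plus team or certificate), not just the bundle identifier, since any process can claim an identifier.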
Technical details
Unknown
Workaround
If an upgrade is not possible for whatever reason, remove the privileged helper by executing the following commands in a Terminal window:
sudo launchctl unload /Library/LaunchDaemons/at.obdev.LittleSnitchHelper.LSHelperService.plist
sudo rm -f /Library/PrivilegedHelperTools/at.obdev.LittleSnitchHelper.LSHelperService
sudo rm -f /Library/LaunchDaemons/at.obdev.LittleSnitchHelper.LSHelperService.plist
When a “Diagnostics Report” is generated via Little Snitch Configuration, the privileged helper is automatically reinstalled. So either avoid generating a Diagnostics Report or remove the privileged helper again immediately after generating the report.
Credits
Objective Development Software GmbH
Reference(s)
CVE-2019-13013
https://obdev.at/cve/2019-13013-OSv2mEFD3z.html
The story behind CVE-2019-13013
https://blog.obdev.at/what-we-have-learned-from-a-vulnerability/
CVE-2019-13013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13013
CVE-2019-13013
https://nvd.nist.gov/vuln/detail/CVE-2019-13013
CVE-2019-13014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13014
CVE-2019-13014
https://nvd.nist.gov/vuln/detail/CVE-2019-13014
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: September 4, 2019