Little Snitch versions 3.0 through 3.7.3 suffer from a local privilege escalation vulnerability in the installer component. The vulnerability is related to the installation of the configuration file "at.obdev.littlesnitchd.plist", which gets installed to /Library/LaunchDaemons.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo
Products Affected
| Vendor | Product | Version |
|---|---|---|
| obdev | little_snitch | 3.0 |
| obdev | little_snitch | 3.0.1 |
| obdev | little_snitch | 3.0.2 |
| obdev | little_snitch | 3.0.3 |
| obdev | little_snitch | 3.0.4 |
| obdev | little_snitch | 3.1 |
| obdev | little_snitch | 3.1.1 |
| obdev | little_snitch | 3.3 |
| obdev | little_snitch | 3.3.1 |
| obdev | little_snitch | 3.3.2 |
| obdev | little_snitch | 3.3.3 |
| obdev | little_snitch | 3.3.4 |
| obdev | little_snitch | 3.4 |
| obdev | little_snitch | 3.4.1 |
| obdev | little_snitch | 3.4.2 |
| obdev | little_snitch | 3.5 |
| obdev | little_snitch | 3.5.1 |
| obdev | little_snitch | 3.5.2 |
| obdev | little_snitch | 3.5.3 |
| obdev | little_snitch | 3.6 |
| obdev | little_snitch | 3.6.1 |
| objective_development | little_snitch | 3.6.2 |
| objective_development | little_snitch | 3.6.3 |
| objective_development | little_snitch | 3.6.4 |
| objective_development | little_snitch | 3.7 |
| objective_development | little_snitch | 3.7.1 |
| objective_development | little_snitch | 3.7.2 |
| objective_development | little_snitch | 3.7.3 |
Little Snitch versions 4.0 through 4.0.6 call the SecStaticCodeCheckValidityWithErrors() function without the kSecCSCheckAllArchitectures flag and therefore do not validate every architecture slice stored in a fat binary. An attacker can craft a fat binary containing multiple architectures such that Little Snitch treats the running process as having no code signature at all while erroneously indicating that the binary on disk has a valid code signature. This can leave users confused about whether the code signature is actually valid.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-347
Products Affected
| Vendor | Product | Version |
|---|---|---|
| objective_development | little_snitch | * |