MidnightBSD

Advisories for objective_development

CVE-2017-2675 MEDIUM

Little Snitch versions 3.0 through 3.7.3 suffer from a local privilege escalation vulnerability in the installer component. The flaw lies in how the installer places the configuration file "at.obdev.littlesnitchd.plist" into /Library/LaunchDaemons.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor                 Product        Version
obdev                  little_snitch  3.0
obdev                  little_snitch  3.0.1
obdev                  little_snitch  3.0.2
obdev                  little_snitch  3.0.3
obdev                  little_snitch  3.0.4
obdev                  little_snitch  3.1
obdev                  little_snitch  3.1.1
obdev                  little_snitch  3.3
obdev                  little_snitch  3.3.1
obdev                  little_snitch  3.3.2
obdev                  little_snitch  3.3.3
obdev                  little_snitch  3.3.4
obdev                  little_snitch  3.4
obdev                  little_snitch  3.4.1
obdev                  little_snitch  3.4.2
obdev                  little_snitch  3.5
obdev                  little_snitch  3.5.1
obdev                  little_snitch  3.5.2
obdev                  little_snitch  3.5.3
obdev                  little_snitch  3.6
obdev                  little_snitch  3.6.1
objective_development  little_snitch  3.6.2
objective_development  little_snitch  3.6.3
objective_development  little_snitch  3.6.4
objective_development  little_snitch  3.7
objective_development  little_snitch  3.7.1
objective_development  little_snitch  3.7.2
objective_development  little_snitch  3.7.3

CVE-2018-10470 MEDIUM

Little Snitch versions 4.0 through 4.0.6 call the SecStaticCodeCheckValidityWithErrors() function without the kSecCSCheckAllArchitectures flag and therefore do not validate every architecture slice stored in a fat binary. An attacker can craft a fat binary containing multiple architectures so that Little Snitch treats the running process as having no code signature at all while erroneously reporting that the binary on disk has a valid code signature. This can leave users confused about whether or not the code signature is valid.

CVSS 3.x

Source        Score  Severity  Vector                                        Exploitability  Impact
nvd@nist.gov  5.3    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N  3.9             1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347

Products Affected

Vendor Product Version
objective_development little_snitch *