Code Validation Flaw in Little Snitch by Objective Development
CVE-2018-10470

5.3MEDIUM

Key Information:

Vendor: Objective Development Software Gmbh
Status: Little Snitch
Vendor: CVE Published:; 12 June 2018

🔔 Create Objective Development Software Gmbh Vulnerability Alert

What is CVE-2018-10470?

Little Snitch versions 4.0 to 4.0.6 exhibit a vulnerability due to the improper use of the SecStaticCodeCheckValidityWithErrors() function, which fails to validate all architectures in fat binaries. Consequently, this oversight allows an attacker to craft a malicious fat binary with multiple architectures, leading Little Snitch to mistakenly classify the running process as lacking a code signature while indicating a valid signature on disk. This inconsistency can mislead users regarding the authenticity of the code signature.

Affected Version(s)

Little Snitch 4.0 - 4.0.6

References

https://obdev.at/cve/2018-10470-8FRWkW4oH8.html

x_refsource_CONFIRM

https://www.okta.com/security-blog/2018/06/issues-around-...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 12, 2018
Vulnerability Reserved
Apr 27, 2018

JSON