CVE-2018-10470

Published: Jun 12, 2018Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Little Snitch versions 4.0 to 4.0.6 use the SecStaticCodeCheckValidityWithErrors() function without the kSecCSCheckAllArchitectures flag and therefore do not validate all architectures stored in a fat binary. An attacker can maliciously craft a fat binary containing multiple architectures that may cause a situation where Little Snitch treats the running process as having no code signature at all while erroneously indicating that the binary on disk does have a valid code signature. This could lead to users being confused about whether or not the code signature is valid.

Affected (1)

Products: Objective Development: Little Snitch

Objective Development

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Objective Development Little Snitch	From 4.0 to 4.0.6

Running on/with	Platform Versions
Apple Macos	All versions

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (4)

https://obdev.at/cve/2018-10470-8FRWkW4oH8.html

Source: office@obdev.at

https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks/

Source: office@obdev.at

https://obdev.at/cve/2018-10470-8FRWkW4oH8.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.