A slew of privilege escalation vulnerabilities has been uncovered in the CleanMyMac X utility software.
Developed by MacPaw, CleanMyMac X software is a junk scrubber which wipes away unused and unnecessary files on Apple Mac OS machines.
On Thursday, researchers from Cisco Talos disclosed a total of 13 vulnerabilities found in version 4.04 of the software.
The vulnerabilities are detailed below:
CVE-2018-4032: A privilege escalation vulnerability found in how the software validates inputs. Improper validation in the 'moveItemAtPath' function of the helper protocol, if exploited by attackers by providing the 'nil' value in the to_path argument, can allow applications to access the function and run as root. Non-root users can then delete files from the root system.
CVE-2018-4033: Another privilege escalation vulnerability based on improper validation, this security flaw was found in the 'moveToTrashItemAtPath' function of the helper protocol. If 'nil' is, once again, input, files can be modified as root.
CVE-2018-4034: This privilege escalation flaw was buried in the 'removeItemAtPath' function of the helper protocol. There is no validation of the calling application, which could allow attackers to delete files from the root system by crossing privilege boundaries without any problems.
CVE-2018-4035: The next privilege escalation vulnerability arises from the 'truncateFileAtPath' function of the helper protocol, and improper validation leads to non-root access and the possibility of file deletion at the root level.
CVE-2018-4036: Yet another privilege escalation bug was found in the 'removeKextAtPath' helper protocol function. A lack of calling validation permits apps to access this function at root.
CVE-2018-4037: A privilege escalation bug in the 'removeDiagnosticsLogs' function of the helper protocol exists in the software which, due to improper validation, could permit attackers to delete the main log data from the system without authorized, root access.
CVE-2018-4041: This exploitable privilege escalation bug was found in the 'enableLaunchdAgentAtPath' function of the helper protocol. A lack of validation ensures that main log data can be deleted by non-root users.
CVE-2018-4042: The 'removeLaunchdAgentAtPath' function of the helper protocol also contains a privilege escalation vulnerability, leading to the same consequences due to improper validation measures.
CVE-2018-4043: Yet another privilege escalation flaw was discovered in the 'removeASL' function of the helper protocol. The process is able to call and stop the system daemon for logging and also stops the Apple System Log facility, and as there is no validation of the call function, non-root users can gain access and delete information.
CVE-2018-4044: The 'removePackageWithID' function of the helper protocol is also affected by a privilege escalation issue. When calling this function, attackers can utilize the '--forget' command when calling this function to delete all receipt information about a particular installed package without validation.
CVE-2018-4045: The 'securelyRemoveItemAtPath' function of the helper protocol also contains an exploitable privilege escalation issue due to a lack of validation of the calling application.
CVE-2018-4046: This vulnerability is a denial-of-service error in the helper service. Once again caused by improper input validation, the bug exists in the 'pleaseTerminate' function of the helper protocol. Without authorization, non-root users can terminate this root daemon.
TechRepublic: How to create a security-focused work culture
CVE-2018-4047: The final flaw is a privilege escalation bug in the helper service's 'disableLaunchdAgentAtPath' function. The function calls 'launchtl' which run as root and there is no validation of a calling application, therefore any non-root users are able to uninstall 'launchd' scripts as root.
MacPaw and Talos worked together and a patch was developed before the advisory was released. Users are recommended to update to version 4.2.0 of the software to avoid the risk of exploit.