CVE-2018-10470

EPSS 0.6%CWE-347

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

12 Jun 2018Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Little Snitch versions 4.0 to 4.0.6 use the SecStaticCodeCheckValidityWithErrors() function without the kSecCSCheckAllArchitectures flag and therefore do not validate all architectures stored in a fat binary. An attacker can maliciously craft a fat binary containing multiple architectures that may cause a situation where Little Snitch treats the running process as having no code signature at all while erroneously indicating that the binary on disk does have a valid code signature. This could lead to users being confused about whether or not the code signature is valid.

Affected products

Objective Development Software GmbH · Little Snitch

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://obdev.at/cve/2018-10470-8FRWkW4oH8.html https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks/