It became clear that cyber criminals could have been exploited a vulnerability in the Mac OS X firewall Little Snitch to gain privileges on a system or execute arbitrary code in the context of the kernel.
The Synack director of research Patrick Wardle, found that Little Snitch was plagued by a heap overflow which allowed a local user or a piece of malware to escalate their privileges to root or run unsigned code in the kernel.
On January 17, the vulnerability was reported to Objective Development, the developer of Little Snitch, and it was patched 11 days later with the release of version 3.6.2.
According to Objective Development, the versions released in January and later are not affected, and its server logs indicate that a vast majority of users have updated their installations. In addition, the vendor stated that there is no evidence that the vulnerability has been exploited by hackers.
“Patrick is a long-time Little Snitch user and we are in contact at regular intervals,” representatives of Objective Development said. “We appreciate not only what he is doing as a developer but also his contributions to the entire mac community.”
Unlike the vulnerability which was addressed quickly by Objective Development, Wardle said he was displeased that the company only described the flaw in the release notes as a “rare issue that could cause a kernel panic.” According to the expert, users are less likely to patch their installations if the severity of an issue is downplayed.
“The company needs a better procedure to handle reported security vulnerabilities so that their users will be made aware of any such reported issues so they can update and protect themselves,” Wardle stated. “‘Hiding’ a fix for a reported exploitable kernel bug in the release notes as a ‘rare issue that could cause a kernel panic’ borders on dishonestly – IMHO.”
Apart from the kernel heap overflow vulnerability, Wardle also identified several ways to bypass the firewall, including by abusing rules and process-level trust, and simply by simulating user interaction.
“[The bypass methods] afford an attacker or malware the ability to utilize the network (e.g. connect to a command and control server, etc) in an uninhibited manner without generating any alerts from the firewall,” Wardle explained.
The expert thinks that Little Snitch is a decent product and it’s even used by himself. However, he points out that it is trivial to bypass.
“Users should be aware that if an attacker or piece of malware wants to bypass it, they easily could. This is true of most security products – so I’m not trying to single out Little Snitch. Just something users should be aware of,” Wardle said. “However Little Snitch is really really easy to bypass – kinda like Windows firewall products were 10 years ago. I’d expect a little more from a paid security product.”
