A vulnerability was found in CleanMyMac X (affected version unknown) and classified as critical. This issue affects an unknown functionality. The manipulation with an unknown input leads to a input validation vulnerability. Using CWE to declare the problem leads to CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

The CleanMyMac X software contains an exploitable privilege escalation vulnerability that exists due to improper input validation. An attacker with local access could use this vulnerability to modify the file system as root.

The bug was discovered 01/02/2019. The weakness was released 01/10/2019 (Website). It is possible to read the advisory at talosintelligence.com. The identification of this vulnerability is CVE-2018-4034 since 01/02/2018. Attacking locally is a requirement. The successful exploitation needs a simple authentication. The technical details are unknown and an exploit is not publicly available.

The vulnerability was handled as a non-public zero-day exploit for at least 8 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Entries connected to this vulnerability are available at 129015, 129014, 129013 and 129012.

Productinfo

Name

• CleanMyMac X

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion