CVE-2018-10470 in Little Snitch

Summary

by MITRE

Little Snitch versions 4.0 to 4.0.6 use the SecStaticCodeCheckValidityWithErrors() function without the kSecCSCheckAllArchitectures flag and therefore do not validate all architectures stored in a fat binary. An attacker can maliciously craft a fat binary containing multiple architectures that may cause a situation where Little Snitch treats the running process as having no code signature at all while erroneously indicating that the binary on disk does have a valid code signature. This could lead to users being confused about whether or not the code signature is valid.


Analysis

by VulDB Data Team • 02/18/2020

The vulnerability identified as CVE-2018-10470 affects Little Snitch versions 4.0 through 4.0.6. It is a critical code signature validation flaw that undermines the security assurances the application is meant to provide. The issue stems from how the software's security framework verifies code signatures: it calls SecStaticCodeCheckValidityWithErrors(), the macOS function responsible for validating code signatures on applications, without the kSecCSCheckAllArchitectures flag. Without that flag, the check does not cover every architecture present in a fat (universal) binary. This design oversight leaves a significant gap that lets a malicious actor exploit the system's trust model with a carefully crafted binary file.

The flaw manifests when an attacker constructs a fat binary containing multiple architectures, where each architecture slice can carry different security characteristics or a different payload. The vulnerability operates at the kernel level through macOS security APIs, specifically the Security framework's code signing validation mechanisms. Because not every architecture is checked, the binary can appear to carry a valid signature when examined on disk while the running process is treated as unsigned. The result is that Little Snitch incorrectly concludes the process lacks proper code signing, and the application's security checks are bypassed. The flaw corresponds to CWE-313, which addresses the exposure of sensitive information through improper validation of code signatures, and aligns with ATT&CK technique T1055.001 for privilege escalation through code injection.

The operational impact of this vulnerability goes beyond simple confusion: it undermines the trust model that Little Snitch is designed to maintain. Users may be misled into believing that unsigned processes are properly authenticated, which can lead to security policy violations or unauthorized network access. Legitimate security controls are circumvented without detection, because the validation process fails to identify malicious code embedded in the other architecture slices of the same binary. This particularly affects network monitoring and control systems that rely on code signature validation to prevent unauthorized software execution, potentially allowing attackers to run malicious code while bypassing network restrictions that would normally block such activity.

Mitigation should focus on updating promptly to a version that addresses the code signature validation issue, and on adding monitoring for suspicious binary execution patterns. Organizations should consider supplementary security controls that verify code signatures independently of Little Snitch's own validation. The fix typically consists of ensuring that every code signature validation call is made with the flags that enforce validation of all architectures. Security administrators should also monitor processes for anomalous behaviour that might indicate exploitation attempts, and stay aware of the ATT&CK tactics that rely on code signing bypasses. Regular security assessments should confirm that all security applications are configured to enforce complete code signature validation across every supported architecture.
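The flag-level fix described above, as an added Objective-C example that is neither Little Snitch's code nor part of this advisory: the helper validates a binary's on-disk signature once with the default flags (the weak call the advisory describes) and once with kSecCSCheckAllArchitectures, so a fat binary whose non-native slices do not validate is reported as a mismatch instead of as validly signed. It assumes a macOS build linking Foundation and Security; the function name ValidateAllSlices is hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper (not Little Snitch code). Returns YES only when every
// architecture slice validates. *weakOnly is set when the default check passed
// but the all-architectures check did not: the exact discrepancy a
// single-architecture check would miss.
static BOOL ValidateAllSlices(NSString *path, BOOL *weakOnly, NSError **outError) {
    SecStaticCodeRef code = NULL;
    NSURL *url = [NSURL fileURLWithPath:path];
    OSStatus st = SecStaticCodeCreateWithPath((__bridge CFURLRef)url, kSecCSDefaultFlags, &code);
    if (st != errSecSuccess || code == NULL) {
        if (outError) *outError = [NSError errorWithDomain:NSOSStatusErrorDomain code:st userInfo:nil];
        return NO;
    }
    // Weak form: only the architecture matching the host is validated.
    OSStatus weak = SecStaticCodeCheckValidityWithErrors(code, kSecCSDefaultFlags, NULL, NULL);
    // Hardened form: every slice of a fat binary must validate.
    CFErrorRef cfErr = NULL;
    OSStatus strict = SecStaticCodeCheckValidityWithErrors(code, kSecCSCheckAllArchitectures, NULL, &cfErr);
    CFRelease(code);
    if (weakOnly) *weakOnly = (weak == errSecSuccess && strict != errSecSuccess);
    if (strict != errSecSuccess) {
        if (outError) {
            *outError = cfErr ? CFBridgingRelease(cfErr)
                              : [NSError errorWithDomain:NSOSStatusErrorDomain code:strict userInfo:nil];
        } else if (cfErr) {
            CFRelease(cfErr);
        }
        return NO;
    }
    if (cfErr) CFRelease(cfErr);
    return YES;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc != 2) {
            fprintf(stderr, "usage: %s <path-to-binary-or-bundle>\n", argv[0]);
            return 2;
        }
        BOOL weakOnly = NO;
        NSError *err = nil;
        if (ValidateAllSlices(@(argv[1]), &weakOnly, &err)) {
            printf("all architectures validate\n");
            return 0;
        }
        if (weakOnly) printf("MISMATCH: native slice validates but another slice does not\n");
        printf("all-architectures check failed: %s\n", err.localizedDescription.UTF8String);
        return 1;
    }
}
```

Build with `clang -fobjc-arc -framework Foundation -framework Security` and point it at a universal binary; a MISMATCH line is the condition a validator using only kSecCSDefaultFlags would report as signed.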

Reservation

04/27/2018

Disclosure

06/12/2018

Moderation

accepted

CPE

ready

EPSS

0.00638

KEV

no

Activities

very low
