Josh Pitts

**Name of the Vulnerable Software and Affected Versions** osquery versions prior to 3.2.7 **Description** A maliciously crafted Universal/fat binary can evade third-party code signing checks in osquery, allowing unsigned code to execute. This occurs because the full inspection of the Universal/fat binary is not completed, leading the user of the third-party tool to believe the code is signed by Apple. **Recommendations** For osquery versions prior to 3.2.7, update to version 3.2.7 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: F-Secure XFENCE and Little Flocker (affected versions not specified) Description: A maliciously crafted Universal/fat binary can evade third-party code signing checks. This occurs because the tool does not complete a full inspection of the Universal/fat binary, leading the user to believe the code is signed by Apple when, in fact, malicious unsigned code will execute. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Objective-See KnockKnock (affected versions not specified) Objective-See LuLu (affected versions not specified) Objective-See TaskExplorer (affected versions not specified) Objective-See WhatsYourSign (affected versions not specified) Objective-See procInfo (affected versions not specified) Description: A maliciously crafted Universal/fat binary can evade third-party code signing checks, allowing unsigned code to execute. This occurs because the third-party tool does not complete a full inspection of the Universal/fat binary, leading the user to believe the code is signed by Apple. Recommendations: For Objective-See KnockKnock, consider implementing full inspection of Universal/fat binaries to prevent evasion of code signing checks. For Objective-See LuLu, consider implementing full inspection of Universal/fat binaries to prevent evasion of code signing checks. For Objective-See TaskExplorer, consider implementing full inspection of Universal/fat binaries to prevent evasion of code signing checks. For Objective-See WhatsYourSign, consider implementing full inspection of Universal/fat binaries to prevent evasion of code signing checks. For Objective-See procInfo, consider implementing full inspection of Universal/fat binaries to prevent evasion of code signing checks.

Name of the Vulnerable Software and Affected Versions: Google Santa and molcodesignchecker (affected versions not specified) Description: An issue allows a maliciously crafted Universal/fat binary to evade third-party code signing checks. This occurs because the tool does not complete a full inspection of the Universal/fat binary, leading the user to believe the code is signed by Apple, when in fact malicious unsigned code will execute. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Yelp OSXCollector (affected versions not specified) Description: A maliciously crafted Universal/fat binary can evade third-party code signing checks in Yelp OSXCollector. This occurs because the tool does not complete a full inspection of the Universal/fat binary, leading to the execution of malicious unsigned code. The user of the third-party tool may mistakenly believe the code is signed by Apple. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Carbon Black Cb Response (affected versions not specified) Description: A maliciously crafted Universal/fat binary can evade third-party code signing checks. This occurs because the third-party tool does not complete a full inspection of the Universal/fat binary, leading the user to believe the code is signed by Apple, when in fact the malicious unsigned code will execute. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: VirusTotal (affected versions not specified) Description: An issue was discovered where a maliciously crafted Universal/fat binary can evade third-party code signing checks. This occurs because the third-party tool does not complete a full inspection of the Universal/fat binary, leading the user to believe the code is signed by Apple, when in fact the malicious unsigned code will execute. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Little Snitch versions 4.0 through 4.0.6 Description: The issue arises from the use of the `SecStaticCodeCheckValidityWithErrors()` function without the `kSecCSCheckAllArchitectures` flag, which results in the failure to validate all architectures stored in a fat binary. An attacker can craft a malicious fat binary containing multiple architectures, causing Little Snitch to incorrectly treat the running process as having no code signature while indicating that the binary on disk has a valid code signature. This could lead to confusion among users about the validity of the code signature. Recommendations: For Little Snitch versions 4.0 through 4.0.6, consider updating to a version that includes the fix for this issue, as using the `SecStaticCodeCheckValidityWithErrors()` function with the `kSecCSCheckAllArchitectures` flag would resolve the problem. However, since the fixed version is not specified, at the moment, there is no information about a newer version that contains a fix for this vulnerability.