PT-2018-18421 · Zenmate · Zenmate
Benjamin Watson +1 · Published 2018-03-15 · Updated 2020-05-11 · CVE-2018-8076
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
ZenMate version 1.5.4 for macOS
Description:
The issue is a type confusion in the com.zenmate.chron-xpc LaunchDaemon component. This component implements an XPC service that uses an insecure XPC API, potentially allowing an attacker to pass an XPC object of the wrong type to the xpc_connection_create_from_endpoint() function. However, due to internal checks implemented by Apple in recent macOS and OS X versions, exploitation of this issue would likely result in a denial of service.
Recommendations:
For ZenMate version 1.5.4, consider disabling the com.zenmate.chron-xpc LaunchDaemon component as a temporary workaround to minimize the risk of exploitation.
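For developers of XPC services, one way to guard against the wrong-type object described above is to check the object's type before calling xpc_connection_create_from_endpoint(). This is an added example, not ZenMate's code or a vendor fix; the message key "endpoint" and the function name ConnectionFromMessage are hypothetical, since the advisory does not document the service's protocol.

```objective-c
// Build on macOS: clang -fobjc-arc -framework Foundation check_endpoint.m
#import <Foundation/Foundation.h>
#include <xpc/xpc.h>

// Hypothetical message key (assumption, not taken from the advisory).
static const char *const kEndpointKey = "endpoint";

// Returns a connection only when the message carries a real endpoint object.
// Per the advisory, handing any other XPC type to
// xpc_connection_create_from_endpoint() is the type confusion, and on recent
// macOS versions it would likely end in a crash of the service.
static xpc_connection_t ConnectionFromMessage(xpc_object_t message) {
    if (message == NULL || xpc_get_type(message) != XPC_TYPE_DICTIONARY) {
        return NULL;
    }
    xpc_object_t value = xpc_dictionary_get_value(message, kEndpointKey);
    if (value == NULL || xpc_get_type(value) != XPC_TYPE_ENDPOINT) {
        NSLog(@"rejected message: '%s' is missing or is not an XPC endpoint",
              kEndpointKey);
        return NULL;
    }
    // The type has been verified, so the call is safe to make.
    return xpc_connection_create_from_endpoint((xpc_endpoint_t)value);
}

int main(void) {
    @autoreleasepool {
        // Constructed sample messages: wrong types where an endpoint is expected.
        xpc_object_t withString = xpc_dictionary_create(NULL, NULL, 0);
        xpc_dictionary_set_string(withString, kEndpointKey, "not-an-endpoint");

        xpc_object_t withInt = xpc_dictionary_create(NULL, NULL, 0);
        xpc_dictionary_set_int64(withInt, kEndpointKey, 42);

        // Constructed sample message with the key absent.
        xpc_object_t empty = xpc_dictionary_create(NULL, NULL, 0);

        NSLog(@"string value: %s",
              ConnectionFromMessage(withString) ? "accepted" : "rejected");
        NSLog(@"int64 value:  %s",
              ConnectionFromMessage(withInt) ? "accepted" : "rejected");
        NSLog(@"missing key:  %s",
              ConnectionFromMessage(empty) ? "accepted" : "rejected");
    }
    return 0;
}
```

All three constructed messages are rejected before the endpoint API is reached.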
Fix
Weakness Enumeration:
Incorrect Type Conversion or Cast
Affected Products:
Zenmate