[VS-2018-007] CactusVPN for macOS Root Privilege Escalation Vulnerability | XPC
CVE ID
CVE-2018-7493
CVSS Score
Vendor
CactusVPN
Product
CactusVPN < 6.0
Vulnerability Details
CactusVPN for macOS suffers from a root privilege escalation vulnerability in its privileged helper tool. The helper implements an XPC interface that allows arbitrary applications to execute system commands as root.
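The following is an added example, not CactusVPN code and not the vendor's fix: one way a root helper can restrict its XPC interface to its own signed client and expose a fixed operation instead of a command runner. The service name, bundle identifier, team ID and protocol are hypothetical, and it assumes macOS 13 or later for the listener-level signing requirement.

```objective-c
// Added illustration, not CactusVPN code. Service name, bundle identifier,
// team ID and protocol are hypothetical placeholders.
#import <Foundation/Foundation.h>

// Narrow, typed operation instead of a "run this command string" method.
@protocol VPNHelperProtocol
- (void)flushDNSCacheWithReply:(void (^)(int status))reply;
@end

@interface VPNHelper : NSObject <NSXPCListenerDelegate, VPNHelperProtocol>
@end

@implementation VPNHelper
- (BOOL)listener:(NSXPCListener *)listener
        shouldAcceptNewConnection:(NSXPCConnection *)conn {
    // Reached only by peers that already satisfied the signing requirement.
    conn.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(VPNHelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

- (void)flushDNSCacheWithReply:(void (^)(int))reply {
    // Fixed binary and fixed argv: nothing from the client reaches a shell.
    NSTask *task = [[NSTask alloc] init];
    task.executableURL = [NSURL fileURLWithPath:@"/usr/bin/dscacheutil"];
    task.arguments = @[ @"-flushcache" ];
    NSError *err = nil;
    if (![task launchAndReturnError:&err]) { reply(-1); return; }
    [task waitUntilExit];
    reply(task.terminationStatus);
}
@end

int main(void) {
    @autoreleasepool {
        if (@available(macOS 13.0, *)) {
            VPNHelper *helper = [VPNHelper new];
            NSXPCListener *listener = [[NSXPCListener alloc]
                initWithMachServiceName:@"com.example.vpn.helper"];
            // Peers failing this requirement are rejected before the delegate runs.
            [listener setConnectionCodeSigningRequirement:
                @"anchor apple generic and identifier \"com.example.vpn\" "
                @"and certificate leaf[subject.OU] = \"EXAMPLETEAM\""];
            listener.delegate = helper;
            [listener resume];
            [[NSRunLoop currentRunLoop] run];
        }
        return 1; // Older systems: refuse to serve rather than accept any peer.
    }
}
```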
Vendor Response
Vendor has released an update.
Disclosure Timeline
- 02-21-2018 - Vendor disclosure
- 02-23-2018 - Vendor response
- 02-27-2018 - Vendor submitted update for testing
- 03-02-2018 - VerSprite validated the vulnerability had been fixed
- 03-05-2018 - Vendor released update
- 03-05-2018 - Vendor notified of advisory release
Credit
Benjamin Watson of VerSprite Security (@rotlogix)