
v4.2.4-6181c4a


@github-actions github-actions released this 21 Mar 08:27
6181c4a

Security

Fixes GHSA-wpxj-vhfp-hhvm: local unprivileged processes could bypass file protection by using the exchangedata(2) syscall or clonefile(), neither of which triggered any monitored event.

What changed

The opfilter system extension now subscribes to two additional Endpoint Security authorisation events:

  • ES_EVENT_TYPE_AUTH_EXCHANGEDATA — atomically swaps the data forks of two files. Previously unmonitored, allowing an attacker to silently replace the contents of a protected file without triggering RENAME, UNLINK, CREATE, or TRUNCATE.
  • ES_EVENT_TYPE_AUTH_CLONE — produces a copy-on-write clone of a file. Previously unmonitored, allowing an attacker to duplicate a protected file to an unprotected path without triggering OPEN or COPYFILE.

Both operations are now routed through the existing policy evaluator. All management-deployed and user-configured rules apply.
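
As an added illustration (not opfilter's source), this sketch shows an Endpoint Security client authorising the two events, checking both operands of a swap and both ends of a clone. The protected path, the prefix-match policy and the function names are assumptions; the Endpoint Security glue compiles only on macOS.

```c
// Added example. Build on macOS: clang demo.c -lEndpointSecurity
#include <stdbool.h>
#include <string.h>

// Hypothetical policy: a single protected directory (assumption; the real
// evaluator is rule-driven and its rules are not shown on the page).
static const char *PROTECTED_ROOT = "/Users/demo/.ssh";

static bool is_protected(const char *path) {
    size_t n = strlen(PROTECTED_ROOT);
    // Match the root itself or anything below it, but not "/Users/demo/.sshx".
    return strncmp(path, PROTECTED_ROOT, n) == 0 &&
           (path[n] == '\0' || path[n] == '/');
}

// exchangedata swaps contents in both directions, so a protected file in
// either position is overwritten: both operands must be checked.
bool allow_exchangedata(const char *file1, const char *file2) {
    return !is_protected(file1) && !is_protected(file2);
}

// A clone reads the source and creates an entry in the target directory.
// Denying a protected target directory is an assumption of this sketch.
bool allow_clone(const char *source, const char *target_dir) {
    return !is_protected(source) && !is_protected(target_dir);
}

#ifdef __APPLE__
#include <EndpointSecurity/EndpointSecurity.h>
#include <dispatch/dispatch.h>

int main(void) {
    es_client_t *client = NULL;
    // Path tokens are treated as NUL-terminated C strings here.
    es_new_client_result_t r = es_new_client(&client, ^(es_client_t *c, const es_message_t *m) {
        bool ok = true;
        if (m->event_type == ES_EVENT_TYPE_AUTH_EXCHANGEDATA)
            ok = allow_exchangedata(m->event.exchangedata.file1->path.data,
                                    m->event.exchangedata.file2->path.data);
        else if (m->event_type == ES_EVENT_TYPE_AUTH_CLONE)
            ok = allow_clone(m->event.clone.source->path.data,
                             m->event.clone.target_dir->path.data);
        es_respond_auth_result(c, m, ok ? ES_AUTH_RESULT_ALLOW : ES_AUTH_RESULT_DENY, false);
    });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) return 1;
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_EXCHANGEDATA, ES_EVENT_TYPE_AUTH_CLONE };
    if (es_subscribe(client, events, 2) != ES_RETURN_SUCCESS) return 1;
    dispatch_main();
}
#endif
```

Running the client requires the Endpoint Security entitlement and root privileges.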

Upgrade

Users on any prior version should upgrade and reactivate the system extension. Releases prior to this version have been marked with a security warning.

Full Changelog: v4.2.3-d488a1e...v4.2.4-6181c4a