MNDT-2022-0032
Description
Apple's Spotlight indexes files across devices to provide quick search capabilities via the Spotlight interface. Spotlight can be abused by an attacker with local privileges to create/overwrite arbitrary files as root.
Impact
High - Exploiting the vulnerability will give a local unprivileged attacker root level privileges.
Exploitability
Medium - Any authenticated local user can exploit the vulnerability and an exploit is trivial to produce.
CVE Reference
CVE-2022-26704
Common Weakness Enumeration
CWE-61: UNIX Symbolic Link (Symlink) Following
Common Vulnerability Scoring System
Base Score: 7.8 - Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:L/IR:L/AR:L
Technical Details
Apple's Spotlight indexes files across devices to provide quick search capabilities via the Spotlight interface. Archives and drives are indexed automatically by Spotlight, and, where possible and appropriate, a directory is created and populated with a large number of files and databases that support Spotlight's fast searching. The two processes that create and manage the Spotlight archive are mds and mds_stores, each subject to its own sandbox policy. The vast majority of the files created during Spotlight's indexing are created securely, but at least two are created with open system calls that follow symbolic links. Additionally, the macOS sandbox cannot detect hard-linked files, so its policies were not written with hard links in mind. Together these allow arbitrary file overwrites as root and possible privilege escalation.
Resolution
The issue was fixed by Apple's July 20th, 2022 security updates. Update to the relevant new version for your device to address the vulnerability.
Discovery Credits
- Joshua Mason, Mandiant
Disclosure Timeline
- 12-Apr-2022 - Issue reported to Apple
- 15-Jul-2022 - Issue confirmed by Apple and patch planned
- 20-Jul-2022 - Patches released for affected operating systems/devices