Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-41775: "direct" Desktop App for macOS fails to restrict access permissions

Improper access control vulnerability in ‘direct’ Desktop App for macOS ver 2.6.0 and earlier allows a local attacker to bypass access restriction and to use camrea, microphone, etc. of the device where the product is installed without the user’s consent.

CVE
Open in Source
#vulnerability#mac#windows#auth

Published:2023/09/06 Last Updated:2023/09/06

Overview

“direct” Desktop App for macOS provided by L is B Corp. fails to restrict access permissions.

Products Affected

  • “direct” Desktop App for macOS ver 2.6.0 and earlier

Description

“direct” Desktop App for macOS provided by L is B Corp. fails to restrict access permissions (CWE-284).
The access control mechanism provided by macOS "TCC (Transparency Consent and Control)" may be bypassed.

Impact

Camrea, microphone, etc. of the device where the product is installed may be used without the user’s consent. As a result, the recorded image/audio data may be obtained.

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

Note that the existence of the vulnerability has not been confirmed in the App’s Windows version, but as it is using a similar mechanism as the Mac version, an update has been released for it as well.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector(AV)

Physical §

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required ®

None (N)

Scope(S)

Unchanged (U)

Changed ©

Confidentiality Impact©

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:L/AC:L/Au:S/C:P/I:P/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact©

None (N)

Partial §

Complete ©

Integrity Impact(I)

None (N)

Partial §

Complete ©

Availability Impact(A)

None (N)

Partial §

Complete ©

Credit

Koh M. Nakagawa of FFRI Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE