CVE-2019-20856
📋 TL;DR
This vulnerability in Mattermost Desktop App for macOS lets a local attacker inject a malicious dynamic library (dylib) into the application process. It affects macOS users running Mattermost Desktop App versions before 4.3.0. Injected code runs with the privileges of the user running Mattermost and inside a signed, trusted process, so it inherits whatever the app itself has been granted (for example TCC consents) and has direct access to the app's session data.
💻 Affected Systems
- Mattermost Desktop App
📦 What is this software?
Mattermost Desktop App is the Electron-based desktop client for the Mattermost team-messaging server. It ships for macOS, Windows and Linux; this CVE concerns only the macOS build.
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution as the logged-in user inside a signed, trusted application: theft of Mattermost sessions and message data, user-level ransomware, or a quiet foothold for lateral movement. The injected code gains no rights beyond the user's (plus any permissions already granted to the app), so "full system compromise" additionally requires a separate privilege-escalation step.
Likely Case
Persistence and defense evasion rather than privilege escalation: an attacker who already has code execution as the user plants a dylib that is loaded every time Mattermost launches, so their code survives reboots and runs under a legitimate, signed process name that most allow-lists trust.
If Mitigated
Limited impact if the user account has minimal privileges, the bundle is kept read-only for non-admin users, and endpoint security controls (EDR with Endpoint Security framework visibility) detect dylib injection into the Mattermost process.
🎯 Exploit Status
Requires local access: code execution as the user, or write access to the application bundle or to the user's environment. Dylib injection is a well-known macOS technique with established variants (DYLD_INSERT_LIBRARIES in the target's environment, a dylib dropped into a location the app's load commands or @rpath search resolves, or replacement of a library the app already links), so no bespoke tooling is needed once an attacker is on the machine.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.0 and later
Vendor Advisory: https://mattermost.com/security-updates/
Restart Required: Yes (the running process keeps the old binary mapped until it is relaunched)
Instructions:
1. Download Mattermost Desktop App version 4.3.0 or later from official sources.
2. Install the update, replacing the vulnerable version.
3. Restart the application.
🔧 Temporary Workarounds
Disable or restrict Mattermost Desktop App
macOS: Temporarily disable the Mattermost Desktop App or restrict its execution until patched. Mode 000 on the bundle directory stops every user from launching or reading the app; restore the normal mode (755) before installing the update.
sudo chmod 000 /Applications/Mattermost.app
Enable macOS Gatekeeper and SIP
macOS: Keep Gatekeeper and System Integrity Protection enabled as baseline hygiene, but understand their limits here: Gatekeeper only evaluates quarantined downloads at first launch, and SIP protects system locations, not third-party bundles in /Applications. Neither stops a local attacker from injecting a dylib into the Mattermost process. Verifying the bundle's code signature with codesign is the check that actually reveals a dylib dropped into the app.
csrutil status
spctl --status
🧯 If You Can't Patch
- Use the Mattermost web client in a browser instead of the desktop app; the flaw is in the desktop app's own process, so the web client is not affected
- Use an EDR or MDM policy that blocks unsigned or foreign-signed code from loading into the Mattermost process (allow-listing by signer) and alerts on any write into the app bundle
🔍 How to Verify
Check if Vulnerable:
Check Mattermost Desktop App version in application menu: Mattermost → About Mattermost
Check Version:
defaults read /Applications/Mattermost.app/Contents/Info.plist CFBundleShortVersionString
Verify Fix Applied:
Verify version is 4.3.0 or higher in About dialog
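The version check above, plus the two bundle checks a practitioner would run at the same time, as an added example script (not Mattermost's own tooling). It reads CFBundleShortVersionString the same way as the command above, compares it against the 4.3.0 fix version, then verifies the bundle signature (which catches a dylib dropped into the bundle on any version) and reports whether the build carries the Hardened Runtime flag. The bundle path is an assumption and can be overridden with MATTERMOST_APP.

```shell
#!/bin/sh
# Added example for CVE-2019-20856 (not Mattermost's own tooling): decide from
# the installed version whether the macOS desktop app predates the 4.3.0 fix,
# then run two bundle checks that matter for dylib injection on any version.
# The bundle path is an assumption; override it with MATTERMOST_APP.

FIXED="4.3.0"

# is_vulnerable_version VERSION
# Returns 0 if VERSION < 4.3.0 (vulnerable), 1 if 4.3.0 or later, 2 if empty.
# Pre-release suffixes such as "4.2.0-rc1" are compared by their numeric part.
is_vulnerable_version() {
  v="${1%%-*}"
  [ -n "$v" ] || return 2
  set -- $(printf '%s' "$v" | tr '.' ' ')
  major="${1:-0}"; minor="${2:-0}"
  [ "$major" -lt 4 ] && return 0
  [ "$major" -gt 4 ] && return 1
  [ "$minor" -lt 3 ] && return 0
  return 1                       # 4.3.x and later carry the fix
}

# read_version APP_PATH : CFBundleShortVersionString from the bundle's Info.plist
read_version() {
  plist="$1/Contents/Info.plist"
  defaults read "$plist" CFBundleShortVersionString 2>/dev/null ||
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist"
}

# check_app APP_PATH : prints findings; returns 0 (ok), 1 (vulnerable or
# tampered), 2 (not installed or version unreadable)
check_app() {
  app="$1"
  status=0
  if [ ! -f "$app/Contents/Info.plist" ]; then
    echo "NOT FOUND: $app"
    return 2
  fi
  ver=$(read_version "$app")
  [ -n "$ver" ] || { echo "could not read version from $app"; return 2; }
  if is_vulnerable_version "$ver"; then
    echo "VULNERABLE: Mattermost Desktop $ver is older than $FIXED"
    status=1
  else
    echo "OK: Mattermost Desktop $ver (fixed in $FIXED)"
  fi

  # Bundle integrity. --deep walks nested frameworks and helpers; --strict
  # fails on any Mach-O inside the bundle that is unsigned, modified, or
  # missing from the sealed resource list, so a dylib dropped into the
  # bundle shows up here even on a patched version.
  if codesign --verify --deep --strict "$app" 2>/dev/null; then
    echo "OK: bundle signature verifies"
  else
    echo "WARNING: bundle signature does not verify; inspect $app for added or modified dylibs"
    status=1
  fi

  # Hardened Runtime is reported as "flags=...(runtime)" in the code directory.
  # With it on (and no opt-out entitlements), dyld ignores DYLD_INSERT_LIBRARIES
  # and library validation rejects dylibs not signed by the same Team ID or Apple.
  if codesign -dv "$app" 2>&1 | grep -q 'flags=.*runtime'; then
    echo "OK: Hardened Runtime enabled"
  else
    echo "INFO: Hardened Runtime not enabled on this build"
  fi
  return "$status"
}

# Only run the live checks on macOS; the functions above can be sourced anywhere.
if [ "$(uname -s)" = "Darwin" ]; then
  check_app "${MATTERMOST_APP:-/Applications/Mattermost.app}"
fi
```

A non-zero exit means either the version predates the fix or the bundle no longer matches its signature; the second condition is the one worth chasing on an already-patched machine, because it means something was written into the bundle after install.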
📡 Detection & Monitoring
Log Indicators:
- dyld does not record library loads in the unified log by default, so "unusual dylib loading" has to come from an EDR that subscribes to Endpoint Security framework events (process exec, open/mmap of Mach-O files) or from a periodic audit of what the Mattermost process has mapped
- DYLD_INSERT_LIBRARIES set in the environment of the Mattermost process (dyld ignores it for Hardened Runtime binaries, so its presence is a strong signal on an old build)
- Files written into /Applications/Mattermost.app after installation, or the bundle's code signature no longer verifying
- Unexpected child processes of Mattermost (shells, curl, osascript, unsigned binaries)
Network Indicators:
- Outbound connections from the Mattermost process to hosts other than the configured Mattermost server and its update endpoints
SIEM Query (pseudo-syntax; adapt the field names to your EDR schema; the OS exclusions are needed or every system library load will match):
process_name:"Mattermost" AND event_type:"library_load" AND NOT library_path:"/Applications/Mattermost.app/*" AND NOT library_path:"/usr/lib/*" AND NOT library_path:"/System/*"
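The same logic as the query, run on the host instead of in the SIEM, as an added example (not Mattermost's or any EDR vendor's code): it lists the files a live Mattermost process has mapped, flags loadable code that lives outside the bundle and outside SIP-protected OS paths, and checks the process environment for DYLD_INSERT_LIBRARIES. The app path, the OS allow-list and the sample path list are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not Mattermost's or any EDR vendor's code): audit a running
# Mattermost process for two injection indicators: Mach-O images mapped from
# outside the app bundle and the OS, and a DYLD_INSERT_LIBRARIES variable in
# the process environment. The app path and the allow-listed OS locations
# below are assumptions for this example.

APP="${MATTERMOST_APP:-/Applications/Mattermost.app}"

# foreign_libs APP_PATH
# Reads one file path per line on stdin (e.g. every file a process has mapped)
# and prints those that look like loadable code but live outside the bundle
# and outside SIP-protected OS locations. Anything printed deserves a look;
# files inside the bundle are covered by `codesign --verify --deep --strict`.
foreign_libs() {
  app="$1"
  while IFS= read -r path; do
    case "$path" in
      "$app"/*)             ;;   # shipped with the app (verify its signature separately)
      /usr/lib/*|/System/*) ;;   # OS-owned, read-only under SIP
      *.dylib|*.so|*.framework/*|*.bundle/*)
        printf '%s\n' "$path" ;; # code loaded from a writable location
      *)                    ;;   # data files, sockets, caches
    esac
  done
}

# loaded_paths PID : every file the process has open or mapped (macOS lsof
# reports mapped images as type txt; -Fn prints only the name field)
loaded_paths() {
  lsof -p "$1" -Fn 2>/dev/null | sed -n 's/^n//p'
}

# insert_env PID : print DYLD_INSERT_LIBRARIES if it is set in the process
# environment (macOS ps -E appends the environment to the command column;
# reading another user's process needs root)
insert_env() {
  ps -Eww -o command= -p "$1" 2>/dev/null | tr ' ' '\n' | grep '^DYLD_INSERT_LIBRARIES=' || true
}

# Constructed sample (not captured data): what loaded_paths might return for a
# Mattermost process into which a dylib has been injected from the user's
# home directory and a framework from the admin-writable /Library/Frameworks.
SAMPLE_PATHS='/Applications/Mattermost.app/Contents/MacOS/Mattermost
/Applications/Mattermost.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/Users/alice/Library/Application Support/Mattermost/Cookies
/Users/alice/Library/Application Support/evil.dylib
/Library/Frameworks/Injected.framework/Versions/A/Injected'

sample_foreign_libs() {
  printf '%s\n' "$SAMPLE_PATHS" | foreign_libs /Applications/Mattermost.app
}

# Live audit on macOS when Mattermost is running; otherwise show the sample run.
if [ "$(uname -s)" = "Darwin" ] && pid=$(pgrep -x Mattermost | head -n 1) && [ -n "$pid" ]; then
  echo "Mattermost pid $pid: images outside the bundle and the OS:"
  loaded_paths "$pid" | foreign_libs "$APP"
  insert_env "$pid"
else
  echo "sample run:"
  sample_foreign_libs
fi
```

On the constructed sample the audit prints only evil.dylib and the Injected framework; the Cookies file and everything under the bundle or /System is ignored. On a real host, extend the OS allow-list to cover the dyld shared cache location of your macOS version before treating every hit as an incident.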