CVE-2023-41902

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to escalate privileges on macOS systems by exploiting an XPC misconfiguration in CoreCode MacUpdater. Attackers can craft malicious .pkg files that, when processed by vulnerable versions, enable unauthorized privilege escalation. This affects users running MacUpdater versions before 2.3.8 or 3.x before 3.1.2.

💻 Affected Systems

Products:
  • CoreCode MacUpdater
Versions: before 2.3.8, and 3.x before 3.1.2
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. Requires macOS as the underlying operating system.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with root privileges, allowing installation of persistent malware, data theft, and complete system control.

🟠 Likely Case: Local privilege escalation to root, enabling installation of additional malicious software and bypassing macOS security controls.

🟢 If Mitigated: No impact if patched versions are used or if malicious .pkg files are prevented from reaching the system.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring user interaction with malicious files.
🏢 Internal Only: MEDIUM - Internal users could exploit this if they can deliver malicious .pkg files to target systems, but requires local access or social engineering.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to open a malicious .pkg file. Public proof-of-concept exists in the referenced GitHub gist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.8 for version 2.x, 3.1.2 for version 3.x

Vendor Advisory: https://www.corecode.io/macupdater/history2.html and https://www.corecode.io/macupdater/history3.html

Restart Required: No

Instructions:

1. Open MacUpdater.
2. Go to 'Check for Updates' in the menu.
3. Install the available update to version 2.3.8 (2.x) or 3.1.2 (3.x).
4. Alternatively, download the latest version from the official website and install it.

🔧 Temporary Workarounds

  • Disable automatic .pkg processing (macOS): configure macOS not to open .pkg files automatically and require manual verification before installation.
  • Restrict .pkg file sources (macOS): only allow .pkg files from trusted sources and implement application whitelisting.

🧯 If You Can't Patch

  • Uninstall MacUpdater if not essential for operations
  • Implement strict controls on .pkg file execution and educate users about the risks of opening untrusted packages

🔍 How to Verify

Check if Vulnerable:

Check the MacUpdater version in the application's 'About' menu or by running:

/Applications/MacUpdater.app/Contents/MacOS/MacUpdater --version

Verify Fix Applied:

Verify that the version is 2.3.8 or higher for the 2.x line, or 3.1.2 or higher for the 3.x line.
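The version check above, scripted so it can run across a fleet; this is an added example, not code from the advisory or from CoreCode. It reads CFBundleShortVersionString from the app bundle's Info.plist (the default install path is an assumption) and compares it component-wise against the fixed versions stated above.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed MacUpdater
# version falls in the CVE-2023-41902 affected range. Fixed versions from the
# advisory: 2.3.8 for the 2.x line and 3.1.2 for the 3.x line.

# version_lt A B: exit 0 when A < B, comparing dot-separated numeric components
# (a missing component counts as 0, so 2.3 == 2.3.0). Portable: no sort -V.
version_lt() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i" | tr -cd '0-9')
        y=$(printf '%s\n' "$b" | cut -d. -f"$i" | tr -cd '0-9')
        [ -z "$x" ] && [ -z "$y" ] && return 1   # ran out of components: equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# macupdater_affected VERSION: exit 0 when VERSION is in the affected range.
# "Before 2.3.8" covers every release below 2.3.8 (any 1.x included); the 3.x
# line is fixed at 3.1.2; later major versions are not listed as affected.
macupdater_affected() {
    v="$1"; major=${v%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac   # not a numeric version
    if [ "$major" -le 2 ]; then version_lt "$v" 2.3.8
    elif [ "$major" -eq 3 ]; then version_lt "$v" 3.1.2
    else return 1
    fi
}

# Read the installed version from the app bundle's Info.plist (macOS only;
# the default install path below is an assumption).
installed_macupdater_version() {
    defaults read /Applications/MacUpdater.app/Contents/Info.plist \
        CFBundleShortVersionString 2>/dev/null
}

# Report on the installed copy when the bundle is present.
if v=$(installed_macupdater_version) && [ -n "$v" ]; then
    if macupdater_affected "$v"; then
        echo "MacUpdater $v is affected by CVE-2023-41902; update to 2.3.8 (2.x) or 3.1.2 (3.x)"
    else
        echo "MacUpdater $v is outside the affected range"
    fi
fi
```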

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation events in macOS system logs
  • MacUpdater process spawning with elevated privileges unexpectedly

Network Indicators:

  • Downloads of suspicious .pkg files from untrusted sources

SIEM Query:

process_name:"MacUpdater" AND parent_process_name:"launchd" AND process_integrity_level:"System"
