CVE-2020-25533

An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct a situation where the same PID is used for running two different programs at different times, by leveraging a race condition during crafted use of posix_spawn.

CVSS v3 7.0 HIGH
CVSS v2.0 6.9 MEDIUM

7.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 3.4 / Impact : 10.0

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/	Exploit Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:malwarebytes:malwarebytes:*:*:*:*:-:macos:*:*

History

26 Jan 2021, 21:47

Type	Values Removed	Values Added
CPE	cpe:2.3:a:malwarebytes:malwarebytes:::::-:mac_os::	cpe:2.3:a:malwarebytes:malwarebytes:::::-:macos::

23 Jan 2021, 01:35

Type	Values Removed	Values Added
CPE		cpe:2.3:a:malwarebytes:malwarebytes:::::-:mac_os::
CWE		CWE-362
References	~~(MISC) https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/ -~~	(MISC) https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/ - Exploit, Patch, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.9 v3 : 7.0

15 Jan 2021, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-01-15 22:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-25533

Mitre link : CVE-2020-25533

CVE.ORG link : CVE-2020-25533

JSON object : View

Products Affected

malwarebytes

malwarebytes

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

{"id": "CVE-2020-25533", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2021-01-15T22:15:13.100", "references": [{"url": "https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct a situation where the same PID is used for running two different programs at different times, by leveraging a race condition during crafted use of posix_spawn."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Malwarebytes versiones anteriores a 4.0 en macOS. Una aplicaci\u00f3n maliciosa pudo llevar a cabo una acci\u00f3n privilegiada dentro del demonio de inicio de Malwarebytes. El servicio privilegiado comprob\u00f3 inapropiadamente unas conexiones XPC al confiar en el PID en lugar del token de auditor\u00eda. Un atacante puede crear una situaci\u00f3n en la que es usado el mismo PID para ejecutar dos programas diferentes en momentos diferentes, al aprovechar una condici\u00f3n de carrera durante un uso de posix_spawn dise\u00f1ado"}], "lastModified": "2021-01-26T21:47:55.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:malwarebytes:malwarebytes:*:*:*:*:-:macos:*:*", "vulnerable": true, "matchCriteriaId": "038124F4-B015-43E1-8D31-DCAFBC4242BA", "versionEndExcluding": "4.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}