When an application or process tries to establish a network connection for which no rules exist, Little Snitch Agent will show a Connection Alert. The Connection Alert contains information about any code signature issues that the running process or the executable on disk may have.
Little Snitch 4.0 to 4.0.6 contain a vulnerability that allows an attacker to maliciously craft a fat binary that would lead to confusing information being shown by Little Snitch. This is because these versions do not pass the kSecCSCheckAllArchitectures flag to the SecStaticCodeCheckValidityWithErrors() function from Security.framework provided by macOS. As a result, not all architectures in the fat binary are checked, leading to a situation where Little Snitch Configuration and Little Snitch Network Monitor would erroneously indicate that the on-disk code signature is valid.
The Little Snitch kernel extension correctly treats the running process’ code signature as not valid, which means that this vulnerability does not affect what network connections are allowed or denied.
This issue is resolved in Little Snitch 4.1.
Credit to Josh Pitts (Okta, Inc.) for discovering this issue. For more details, read Josh’s blog post.
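The following added example (not code from Little Snitch or from the original advisory) enumerates the architecture slices in a fat binary header. Each slice carries its own code signature, so a validity result is only meaningful if it covers every slice listed, which is what kSecCSCheckAllArchitectures requests. The names fat_list_slices, struct slice and SAMPLE are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FAT_MAGIC 0xcafebabeu /* 32-bit fat header magic, stored big-endian */

struct slice { uint32_t cputype, cpusubtype, offset, size; };

/* Read a big-endian 32-bit value. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* List the architecture slices of a fat binary held in buf.
 * Returns the slice count, 0 if buf is not a fat binary, or -1 if the
 * header is malformed (truncated table, slice past EOF, more than max). */
int fat_list_slices(const uint8_t *buf, size_t len, struct slice *out, int max) {
    if (len < 8 || be32(buf) != FAT_MAGIC) return 0;
    uint32_t n = be32(buf + 4);
    if (n == 0 || n > (uint32_t)max || (len - 8) / 20 < n) return -1;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + 8 + 20 * (size_t)i; /* 20-byte fat_arch entry */
        struct slice s = { be32(e), be32(e + 4), be32(e + 8), be32(e + 12) };
        if (s.offset > len || s.size > len - s.offset) return -1;
        out[i] = s;
    }
    return (int)n;
}

/* Constructed sample: fat header followed by two 8-byte placeholder slices. */
static const uint8_t SAMPLE[64] = {
    0xca,0xfe,0xba,0xbe, 0,0,0,2,
    0x01,0,0,0x07, 0,0,0,3, 0,0,0,48, 0,0,0,8, 0,0,0,3, /* x86_64 */
    0,0,0,0x07,    0,0,0,3, 0,0,0,56, 0,0,0,8, 0,0,0,3, /* i386   */
};

int main(void) {
    struct slice s[4];
    int n = fat_list_slices(SAMPLE, sizeof SAMPLE, s, 4);
    for (int i = 0; i < n; i++)
        printf("slice %d: cputype=0x%08x offset=%u size=%u\n", i,
               (unsigned)s[i].cputype, (unsigned)s[i].offset, (unsigned)s[i].size);
    printf("%d slice(s): signature validation must cover all of them\n", n);
    return 0;
}
```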