CVE-2019-13013

Local Privilege Escalation

In an internal audit, Objective Development has found a privilege escalation vulnerability in the privileged helper tool of Little Snitch. The privileged helper exposes an XPC interface on a globally available communication endpoint without additional authorization checks on connecting clients. The XPC API is therefore available to any local process and allows listing of directories and copying of files with root privileges.

For more details from a developer's point of view, see our blog post.

Affected Versions

The vulnerability exists in Little Snitch versions 4.3 to 4.3.2. The issue is resolved in version 4.4. Note that a computer is vulnerable only if a user has requested a Diagnostics Report on one of the affected versions. The Diagnostics Report is a hidden menu option that is available only while holding the Option key.

Mitigation

We recommend upgrading to Little Snitch 4.4.1 or higher. If an upgrade is not possible for whatever reason, remove the privileged helper by executing the following commands in a Terminal window:

sudo launchctl unload /Library/LaunchDaemons/at.obdev.LittleSnitchHelper.LSHelperService.plist
sudo rm -f /Library/PrivilegedHelperTools/at.obdev.LittleSnitchHelper.LSHelperService
sudo rm -f /Library/LaunchDaemons/at.obdev.LittleSnitchHelper.LSHelperService.plist

When a "Diagnostics Report" is generated via Little Snitch Configuration, the privileged helper is automatically reinstalled. So either avoid generating a Diagnostics Report or remove the privileged helper again immediately after generating the report.
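
Because the helper is reinstalled whenever a Diagnostics Report is generated, it is worth re-checking a machine after the removal. The following script is an added example, not part of the original advisory or of Little Snitch: it looks for the two files named in the commands above and, on the live system, asks launchd whether the job is still loaded. The optional root argument and the assumption that the launchd label equals the plist base name are ours.

```shell
#!/bin/sh
# Added example: audit a Mac for the privileged helper named in this advisory.
# Paths are the ones from the removal commands above. The optional ROOT
# argument is a hypothetical convenience for checking a mounted volume or
# a constructed test tree instead of the live system.

HELPER_ID="at.obdev.LittleSnitchHelper.LSHelperService"

# Prints one line per artifact found. Returns 0 if the helper is absent,
# 1 if any part of it is still installed.
ls_helper_status() {
    root="${1:-}"
    found=0
    for path in \
        "/Library/PrivilegedHelperTools/$HELPER_ID" \
        "/Library/LaunchDaemons/$HELPER_ID.plist"
    do
        if [ -e "$root$path" ]; then
            echo "present: $root$path"
            found=1
        fi
    done
    # On the live system, also ask launchd whether the job is still loaded.
    # Assumption: the launchd label equals the plist base name.
    if [ -z "$root" ] && command -v launchctl >/dev/null 2>&1; then
        if launchctl print "system/$HELPER_ID" >/dev/null 2>&1; then
            echo "loaded: system/$HELPER_ID"
            found=1
        fi
    fi
    if [ "$found" -eq 0 ]; then
        echo "helper not installed"
    fi
    return "$found"
}

# Usage on the machine being audited:  ls_helper_status
# Usage against a mounted volume:      ls_helper_status /Volumes/Backup
```

A non-zero return after a Diagnostics Report has been generated means the removal commands need to be run again.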

© 2025 Objective Development Software GmbH