In an internal audit, Objective Development has found a privilege escalation vulnerability in the privileged helper tool of Little Snitch. The privileged helper exposes an XPC interface on a globally available communication endpoint without additional authorization checks on connecting clients. The XPC API is therefore available to any local process and allows listing of directories and copying of files with root privileges.
For more details from a developer's point of view, see our blog post.
The vulnerability exists in Little Snitch versions 4.3 to 4.3.2. The issue is resolved in version 4.4. Note that only computers on which a user has requested a Diagnostics Report while running one of the affected versions are vulnerable, because the privileged helper is only installed when that report is generated. The Diagnostics Report is a hidden menu option that is only shown while the Option key is held.
We recommend upgrading to Little Snitch 4.4.1 or higher. If an upgrade is not possible for whatever reason, remove the privileged helper by executing the following commands in a Terminal window:
sudo launchctl unload /Library/LaunchDaemons/at.obdev.LittleSnitchHelper.LSHelperService.plist
sudo rm -f /Library/PrivilegedHelperTools/at.obdev.LittleSnitchHelper.LSHelperService
sudo rm -f /Library/LaunchDaemons/at.obdev.LittleSnitchHelper.LSHelperService.plist
When a "Diagnostics Report" is generated via Little Snitch Configuration, the privileged helper is automatically reinstalled. So either avoid generating a Diagnostics Report or remove the privileged helper again immediately after generating the report.
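The following script is an added example, not code from Objective Development or from Little Snitch itself. It wraps the removal steps above in reusable functions so an administrator can first check whether the privileged helper is actually present (which, per the advisory, is only the case after a Diagnostics Report was generated) and then remove it. The helper label and both file paths are the ones given in this advisory; the path of "Little Snitch Configuration.app" under /Applications is an assumption, and the `ROOT` argument exists only so the functions can be exercised against a constructed directory tree instead of the live system.

```shell
#!/bin/sh
# Added example (not Objective Development's code). Detects and removes the
# Little Snitch privileged helper named in the advisory. An empty ROOT means
# the live system; a directory path lets the functions run against a
# constructed tree (used for offline testing).

HELPER_LABEL="at.obdev.LittleSnitchHelper.LSHelperService"
HELPER_PLIST="/Library/LaunchDaemons/$HELPER_LABEL.plist"
HELPER_BIN="/Library/PrivilegedHelperTools/$HELPER_LABEL"

# Returns 0 for the versions the advisory lists as affected (4.3 to 4.3.2).
ls_version_affected() {
    case "$1" in
        4.3|4.3.1|4.3.2) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the installed Little Snitch Configuration version. The app path is an
# assumption; prints nothing (and fails) when the app or `defaults` is absent.
ls_installed_version() {
    app="${1:-/Applications/Little Snitch Configuration.app}"
    command -v defaults >/dev/null 2>&1 || return 1
    defaults read "$app/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null
}

# Returns 0 when either helper artifact (daemon plist or binary) exists under ROOT.
ls_helper_present() {
    root="${1:-}"
    [ -e "$root$HELPER_PLIST" ] || [ -e "$root$HELPER_BIN" ]
}

# Mirrors the advisory's three commands: unload the daemon (live system only,
# where launchctl exists), then delete the binary and the plist. On the live
# system the caller must run this as root (e.g. via sudo). Returns 0 only when
# no helper artifact remains afterwards.
ls_helper_remove() {
    root="${1:-}"
    if [ -z "$root" ] && command -v launchctl >/dev/null 2>&1 && [ -e "$HELPER_PLIST" ]; then
        launchctl unload "$HELPER_PLIST"
    fi
    rm -f "$root$HELPER_BIN" "$root$HELPER_PLIST"
    ! ls_helper_present "$root"
}

# Read-only report for the live system; removal is a separate, explicit call.
if ls_helper_present; then
    echo "privileged helper $HELPER_LABEL is installed; remove it with ls_helper_remove as root"
else
    echo "privileged helper $HELPER_LABEL is not installed"
fi
```

Because generating a Diagnostics Report reinstalls the helper, the check is worth repeating (for example from a periodic job) rather than running once; the version check only tells you whether the installed build is in the affected range, while the presence check tells you whether the exposed XPC endpoint currently exists on the machine.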