CVE-2016-8661

EUVD-2016-9500
Little Snitch version 3.0 through 3.6.1 suffer from a buffer overflow vulnerability that could be locally exploited which could lead to an escalation of privileges (EoP) and unauthorised ring0 access to the operating system. The buffer overflow is related to insufficient checking of parameters to the "OSMalloc" and "copyin" kernel API calls.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.4 HIGH
LOCAL
LOW
NONE
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
Affected Products (NVD)
VendorProductVersion
obdevlittle_snitch
3.0
obdevlittle_snitch
3.0.1
obdevlittle_snitch
3.0.2
obdevlittle_snitch
3.0.3
obdevlittle_snitch
3.0.4
obdevlittle_snitch
3.1
obdevlittle_snitch
3.1.1
obdevlittle_snitch
3.3
obdevlittle_snitch
3.3.1
obdevlittle_snitch
3.3.2
obdevlittle_snitch
3.3.3
obdevlittle_snitch
3.3.4
obdevlittle_snitch
3.4
obdevlittle_snitch
3.4.1
obdevlittle_snitch
3.4.2
obdevlittle_snitch
3.5
obdevlittle_snitch
3.5.1
obdevlittle_snitch
3.5.2
obdevlittle_snitch
3.5.3
obdevlittle_snitch
3.6
obdevlittle_snitch
3.6.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/94352
https://speakerdeck.com/patrickwardle/defcon-2016-i-got-99-problems-but-little-snitch-aint-one
http://www.securityfocus.com/bid/94352
https://speakerdeck.com/patrickwardle/defcon-2016-i-got-99-problems-but-little-snitch-aint-one