fkie_cve-2025-21606
Vulnerability from fkie_nvd
Published
2025-01-17 21:15
Modified
2025-01-17 21:15
Severity ?
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
stats is a macOS system monitor in for the menu bar. The Stats application is vulnerable to a local privilege escalation due to the insecure implementation of its XPC service. The application registers a Mach service under the name `eu.exelban.Stats.SMC.Helper`. The associated binary, eu.exelban.Stats.SMC.Helper, is a privileged helper tool designed to execute actions requiring elevated privileges on behalf of the client, such as setting fan modes, adjusting fan speeds, and executing the `powermetrics` command. The root cause of this vulnerability lies in the `shouldAcceptNewConnection` method, which unconditionally returns YES (or true), allowing any XPC client to connect to the service without any form of verification. As a result, unauthorized clients can establish a connection to the Mach service and invoke methods exposed by the HelperTool interface. An attacker can exploit this vulnerability to modify the hardware settings of the user’s device and execute arbitrary code with root privileges. This issue has been addressed in version 2.11.21 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
security-advisories@github.comhttps://github.com/exelban/stats/commit/c10759f7a186efdd82ddd818dae2ac1f853691fc
security-advisories@github.comhttps://github.com/exelban/stats/security/advisories/GHSA-qwhf-px96-7f6v
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "stats is a macOS system monitor in for the menu bar. The Stats application is vulnerable to a local privilege escalation due to the insecure implementation of its XPC service. The application registers a Mach service under the name `eu.exelban.Stats.SMC.Helper`. The associated binary, eu.exelban.Stats.SMC.Helper, is a privileged helper tool designed to execute actions requiring elevated privileges on behalf of the client, such as setting fan modes, adjusting fan speeds, and executing the `powermetrics` command. The root cause of this vulnerability lies in the `shouldAcceptNewConnection` method, which unconditionally returns YES (or true), allowing any XPC client to connect to the service without any form of verification. As a result, unauthorized clients can establish a connection to the Mach service and invoke methods exposed by the HelperTool interface. An attacker can exploit this vulnerability to modify the hardware settings of the user\u2019s device and execute arbitrary code with root privileges. This issue has been addressed in version 2.11.21 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "stats es un monitor macOS sistema para la barra de men\u00fa. La aplicaci\u00f3n Stats es vulnerable a una escalada de privilegios locales debido a la implementaci\u00f3n insegura de su servicio XPC. La aplicaci\u00f3n registra un servicio Mach con el nombre `eu.exelban.Stats.SMC.Helper`. El binario asociado, eu.exelban.Stats.SMC.Helper, es una herramienta auxiliar privilegiada dise\u00f1ada para ejecutar acciones que requieren privilegios elevados en nombre del cliente, como configurar los modos del ventilador, ajustar las velocidades del ventilador y ejecutar el comando `powermetrics`. La causa ra\u00edz de esta vulnerabilidad radica en el m\u00e9todo `shouldAcceptNewConnection`, que devuelve incondicionalmente YES (o true), lo que permite que cualquier cliente XPC se conecte al servicio sin ning\u00fan tipo de verificaci\u00f3n. Como resultado, los clientes no autorizados pueden establecer una conexi\u00f3n con el servicio Mach e invocar m\u00e9todos expuestos por la interfaz HelperTool. Un atacante puede explotar esta vulnerabilidad para modificar la configuraci\u00f3n de hardware del dispositivo del usuario y ejecutar c\u00f3digo arbitrario con privilegios de superusario. Este problema se ha solucionado en la versi\u00f3n 2.11.21 y se recomienda a todos los usuarios que actualicen la versi\u00f3n. No se conocen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2025-21606",
  "lastModified": "2025-01-17T21:15:11.420",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-17T21:15:11.420",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/exelban/stats/commit/c10759f7a186efdd82ddd818dae2ac1f853691fc"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/exelban/stats/security/advisories/GHSA-qwhf-px96-7f6v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.