CVE-2014-8831
Description
security_taskgate in Apple OS X before 10.10.2 allows attackers to read group-ACL-restricted keychain items of arbitrary apps via a crafted app with a signature from a (1) self-signed certificate or (2) Developer ID certificate.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A flaw in security_taskgate on OS X before 10.10.2 allows attackers to read keychain items restricted by group ACLs using a crafted app signed with a self-signed or Developer ID certificate.
Vulnerability
security_taskgate in Apple OS X before 10.10.2 contains a vulnerability that allows an attacker to read keychain items that are restricted by group access control lists (ACLs). The bug is reachable when a crafted application is signed with either a self-signed certificate or a Developer ID certificate. Affected versions include OS X Yosemite v10.10 and v10.10.1, as well as earlier versions prior to the 10.10.2 update [1].
Exploitation
An attacker must create a malicious application signed with a self-signed or Developer ID certificate. The attacker then needs to convince a user to run this crafted app on the target system. Once executed, the app can leverage the security_taskgate flaw to read keychain items of arbitrary apps that are protected by group ACLs. No additional authentication or privileges beyond the ability to run the app are required [1].
Impact
Successful exploitation allows the attacker to read sensitive keychain items (e.g., passwords, certificates, private keys) that belong to other applications and are restricted by group ACLs. This results in a breach of confidentiality, potentially exposing credentials and other secrets stored in the keychain [1].
Mitigation
Apple addressed this vulnerability in OS X Yosemite v10.10.2 and Security Update 2015-001, released on January 27, 2015. Users should update to the latest version of OS X. No workarounds are documented, and the issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.10.2
Patches
No patches discovered yet.
References