VYPR
Unrated severity · NVD Advisory · Published Oct 27, 2020 · Updated Aug 4, 2024

CVE-2019-6238

Description

A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra. Processing a maliciously crafted package may lead to arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A symlink validation issue in the macOS Installer package processing could let a malicious package execute arbitrary code.

Vulnerability

The vulnerability is a validation issue in how macOS handles symlinks during the processing of installer packages. This flaw existed in the Installer component, which processes .pkg files. When a package contains a malicious symlink, the validation check was insufficient, allowing the symlink to point to an unintended location. The issue affects macOS Mojave 10.14.3 and earlier, macOS High Sierra, and macOS Sierra. It is fixed in macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, and Security Update 2019-002 Sierra [1].
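An added example, not Apple's fix and not code from this advisory: a pre-extraction audit showing the general kind of symlink validation a package processor needs. The advisory does not publish the flaw's details, so the entry format, the `audit_entries` function and the sample manifest are assumptions constructed for illustration.

```python
import posixpath

def escapes(rel):
    """True if a normalized relative path climbs above the install root."""
    return rel == ".." or rel.startswith("../") or posixpath.isabs(rel)

def audit_entries(entries):
    """Audit package payload entries before extraction (hypothetical format).

    entries: ordered (path, kind, target) tuples, paths relative to the
    install root, kind in {"file", "dir", "symlink"}, target set for symlinks.
    Returns a list of (path, reason) findings; empty means nothing flagged.
    """
    findings, links = [], set()
    for path, kind, target in entries:
        norm = posixpath.normpath(path)
        if escapes(norm):
            findings.append((path, "entry path leaves the install root"))
            continue
        # An entry placed beneath a path the payload itself declared as a
        # symlink would be written wherever that link points: flag for review.
        parts = norm.split("/")
        parents = {"/".join(parts[:i]) for i in range(1, len(parts))}
        via = sorted(parents & links)
        if via:
            findings.append((path, "written through symlink " + via[0]))
        if kind == "symlink":
            if posixpath.isabs(target):
                findings.append((path, "absolute symlink target " + target))
            else:
                dest = posixpath.normpath(
                    posixpath.join(posixpath.dirname(norm), target))
                if escapes(dest):
                    findings.append((path, "symlink target leaves the install root"))
            links.add(norm)
    return findings

# Constructed sample manifest (not taken from any real package).
SAMPLE = [
    ("Example.app/Contents/MacOS/tool", "file", None),
    ("Example.app/Contents/Frameworks/Current", "symlink", "Versions/A"),
    ("Example.app/Contents/Resources/cache", "symlink", "../../../../outside"),
    ("Example.app/Contents/Resources/cache/data.bin", "file", None),
    ("Example.app/Contents/etc", "symlink", "/private/etc"),
]

if __name__ == "__main__":
    for path, reason in audit_entries(SAMPLE):
        print(f"{path}: {reason}")
```

The check is lexical only; an extractor must also refuse to follow links that already exist on disk at the destination, which a manifest audit cannot see.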

Exploitation

An attacker would need to craft a maliciously constructed package (.pkg) that contains a symlink with a specially crafted path. The package must then be processed by the Installer application. No special privileges or prior access to the target system are required to trigger the vulnerability, but the user must open the malicious package. The attacker could deliver the package via a website, email attachment, or other means [1].

Impact

Successful exploitation could lead to arbitrary code execution on the affected system. By exploiting the symlink validation flaw, an attacker could write files to arbitrary locations, potentially leading to privilege escalation or arbitrary code execution with the privileges of the user processing the package. The exact level of compromise depends on the content placed at the target location [1].

Mitigation

Apple released fixes in macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, and Security Update 2019-002 Sierra on March 25, 2019 [1]. Users should update to these versions or later. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog (as of this writing).

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

1
