CVE-2019-8606
Description
A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Mojave 10.14.5. A local user may be able to load unsigned kernel extensions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
macOS Mojave 10.14.5 fixes a symlink validation issue that could let a local user load unsigned kernel extensions.
Vulnerability
A validation issue existed in the handling of symlinks in macOS prior to version 10.14.5. This allowed a local user to bypass the normal security checks for loading kernel extensions. The affected versions are macOS Mojave 10.14.4 and earlier, macOS High Sierra 10.13.6, and macOS Sierra 10.12.6 [1]. The issue is addressed in macOS Mojave 10.14.5 by improving the validation of symlinks [1].
Exploitation
An attacker needs local user access to the system. By crafting a malicious symlink that points to an unsigned kernel extension, the attacker can trick the system into loading it. No additional authentication or user interaction beyond having a local account is required.
Impact
A successful exploit allows a local user to load unsigned kernel extensions, which can lead to arbitrary code execution with kernel-level privileges, potentially resulting in full compromise of the system.
Mitigation
Apple released macOS Mojave 10.14.5 on May 13, 2019, which fixes this issue [1]. Users should update to the latest version of macOS. There is no evidence of this CVE being listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.14.5
- Range: unspecified
Patches
No patches discovered yet.
References
[1] support.apple.com/HT210119 (mitre, x_refsource_MISC)