The vulnerabilities affect the SMB filesystem client used for mounting remote file shares, which represents a significant security risk because SMB has been the preferred file-sharing protocol since macOS Big Sur. They include authentication bypass and privilege escalation flaws that enable memory corruption and unauthorized process termination, up to and including system crashes.

The first flaw is a use of uninitialized memory on an error path. When the gss_decapsulate_token function fails during authentication, the code jumps to the free_negtoken_3 label, bypassing the initialization logic for the NegotiationToken structure. As a result, _free_NegotiationToken is called on uninitialized memory, which in turn invokes _asn1_free() using the uninitialized token type as a template to parse and free the garbage data. This flaw has been addressed by initializing the structure with memset() before the NegotiationToken is used.

The second flaw is a kernel heap overflow in SMB2 compression handling that makes remote code execution, and therefore full system compromise, possible. It occurs when processing compressed SMB2 data that uses chained compression algorithms, including SMB2_COMPRESSION_LZNT1, SMB2_COMPRESSION_LZ77, and SMB2_COMPRESSION_LZ77_HUFFMAN. The result is a heap overflow in which attackers control both the amount of overflow and influence the size of the allocated buffer being corrupted, potentially up to 32MB (2*kDefaultMaxIOSize).

The third flaw allows any unprivileged process to register arbitrary process IDs with the kernel’s multichannel SMB notification system. Since there is no verification that the calling process has permission to signal the target process, attackers can effectively send SIGTERM to any process on the system, including critical system processes like launchd, causing immediate system crashes.

Security experts recommend applying the patches immediately through macOS system updates.
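The error-path bug in the NegotiationToken handling, modelled in C as an added example. This is not code from the article or from Apple's SMB client: the struct layout, the enum values, the names negotiate_vulnerable, negotiate_fixed, free_negotiation_token and decapsulate_token, and the free_negtoken label are hypothetical stand-ins, and the "stale" type value is written explicitly only so the demonstration is deterministic (the real code does no such assignment; it simply inherits whatever the stack held). The stand-in free routine returns an error for an unknown type instead of walking a template over garbage, which is what lets the example run safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: hypothetical stand-in for the SMB client's NegotiationToken.
   The real structure and the real _asn1_free() template logic are not on the
   page; here 'type' selects how 'payload' should be released. */
enum token_type { TOKEN_NONE = 0, TOKEN_INIT = 1, TOKEN_RESP = 2 };

struct negotiation_token {
    int   type;
    char *payload;
};

/* Stand-in for _free_NegotiationToken()/_asn1_free(): releases the payload
   according to 'type'. Where the real code would use an unknown type as a
   parsing template (and free garbage), this returns -1 instead. */
static int free_negotiation_token(struct negotiation_token *tok)
{
    switch (tok->type) {
    case TOKEN_NONE:
        return 0;                 /* nothing was ever allocated */
    case TOKEN_INIT:
    case TOKEN_RESP:
        free(tok->payload);
        tok->payload = NULL;
        return 0;
    default:
        return -1;                /* garbage type: would free garbage data */
    }
}

/* Models gss_decapsulate_token(): fail != 0 makes it report an error. */
static int decapsulate_token(int fail)
{
    return fail ? -1 : 0;
}

/* Vulnerable shape. 'stale_type' plays the role of whatever bytes the stack
   frame happened to contain; it is assigned here only to make the test
   deterministic, the real code does no such assignment. */
static int negotiate_vulnerable(int fail, int stale_type)
{
    struct negotiation_token tok;
    int err;

    tok.type = stale_type;        /* simulate uninitialized stack contents */
    tok.payload = NULL;

    err = decapsulate_token(fail);
    if (err != 0)
        goto free_negtoken;       /* jumps over the initialization below */

    tok.type = TOKEN_NONE;        /* initialization only reached on success */
    tok.payload = NULL;
    /* ... token parsing would go here ... */

free_negtoken:
    if (free_negotiation_token(&tok) != 0)
        return -2;                /* cleanup ran on an uninitialized token */
    return err;
}

/* Fixed shape: zero the structure before any path can reach the cleanup
   label, which is the memset() fix the article describes. */
static int negotiate_fixed(int fail, int stale_type)
{
    struct negotiation_token tok;
    int err;

    tok.type = stale_type;        /* same simulated stale contents */
    tok.payload = NULL;
    memset(&tok, 0, sizeof tok);  /* now every path sees TOKEN_NONE */

    err = decapsulate_token(fail);
    if (err != 0)
        goto free_negtoken;

    tok.type = TOKEN_NONE;
    /* ... token parsing would go here ... */

free_negtoken:
    if (free_negotiation_token(&tok) != 0)
        return -2;
    return err;
}

int main(void)
{
    /* 0x5a5a is an arbitrary non-zero value standing in for stale bytes */
    printf("vulnerable, decapsulation fails: %d (expect -2)\n",
           negotiate_vulnerable(1, 0x5a5a));
    printf("fixed, decapsulation fails:      %d (expect -1)\n",
           negotiate_fixed(1, 0x5a5a));
    return 0;
}
```

The point to take from the two functions is where the initialization sits relative to the first `goto` into cleanup: any early exit that can reach a label which frees or parses a structure must come after that structure has been put into a known state, which is why zeroing it at declaration time (or with memset() immediately afterwards) is the usual fix rather than patching each individual error branch.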
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Jul 2025 09:55:29 +0000