Published:2023/05/25 Last Updated:2023/05/25
JVN#90278893
Wacom Tablet Driver installer for macOS vulnerable to improper link resolution before file access
Overview
Wacom Tablet Driver installer for macOS contains an improper link resolution before file access vulnerability.
Products Affected
- Wacom Tablet Driver installer, prior to 6.4.2-1 (for macOS)
Description
Wacom Tablet Driver installer for macOS provided by Wacom contains an improper link resolution before file access vulnerability (CWE-59).
Impact
When a user is tricked to execute a small malicious script before executing the affected version of the installer, an arbitrary code may be executed with the root privilege.
Solution
Use the fixed version of the installer
When installing the driver, use the fixed version of the installer, 6.4.2-1 or later.
Vendor Status
| Vendor | Link |
| Wacom | Product Resources |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Base Score:
7.7
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
CVSS v2
AV:N/AC:H/Au:N/C:C/I:C/A:C
Base Score:
7.6
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Koh M. Nakagawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2023-27529 |
| JVN iPedia |
JVNDB-2023-000054 |