Published: 2023/05/25  Last Updated: 2023/05/25

JVN#90278893
Wacom Tablet Driver installer for macOS vulnerable to improper link resolution before file access

Overview

Wacom Tablet Driver installer for macOS contains an improper link resolution before file access vulnerability.

Products Affected

  • Wacom Tablet Driver installer, prior to 6.4.2-1 (for macOS)

Description

Wacom Tablet Driver installer for macOS provided by Wacom contains an improper link resolution before file access vulnerability (CWE-59).

Impact

If a user is tricked into executing a small malicious script before running the affected version of the installer, arbitrary code may be executed with root privileges.

Solution

Use the fixed version of the installer
When installing the driver, use the fixed version of the installer, 6.4.2-1 or later.

Vendor Status

Vendor Link
Wacom Product Resources

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Base Score: 7.7
Attack Vector (AV): Local (L)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)
CVSS v2: AV:N/AC:H/Au:N/C:C/I:C/A:C
Base Score: 7.6
Access Vector (AV): Network (N)
Access Complexity (AC): High (H)
Authentication (Au): None (N)
Confidentiality Impact (C): Complete (C)
Integrity Impact (I): Complete (C)
Availability Impact (A): Complete (C)

Credit

Koh M. Nakagawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2023-27529
JVN iPedia: JVNDB-2023-000054