Cisco Trust Agent Local Privilege Escalation Vulnerability

Cisco Trust Agent versions 2.1(103) and prior contain a vulnerability when running on Apple Mac OS X that could allow an unauthenticated, local user to bypass security restrictions and gain unauthorized access to the affected system.

This vulnerability exists due to improper display of user notifications. An unauthenticated, local attacker with physical access to an affected system can exploit this vulnerability by interacting with pop-up messages. By interacting with these items on a system’s desktop, the attacker can gain access to the System Preferences of an affected system with root privileges. As a result, the attacker could make configuration changes to the affected system, including modifying user account passwords.

Cisco confirmed this vulnerability in a security response and released updated software.

To exploit this vulnerability, an unauthenticated attacker requires physical access to an affected system. Although the attacker has no control over the notifications sent to the system, when a notification is sent, the attacker can click on it and cause a menu bar to appear. The menu bar can allow the attacker to access the System Preferences control panel with root privileges. This can allow the attacker to make configuration changes to the affected system, such as modifying user account passwords. By changing some settings, the attacker could take complete control over the affected system.

Cisco has indicated that this vulnerability only affects CTA installed on Mac OS X systems. CTA installed on Windows or Linux operating systems are not affected.