Bypass Record

Exploitation for Priv-Esc × Trellix Agent for macOS

A publicly-reported instance of Exploitation for Priv-Esc bypassing Trellix Agent for macOS, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Trellix Agent for macOS
Technique
Exploitation for Priv-Esc
MITRE ATT&CK
T1068
Confidence
High
Severity
High
Status
unknown
Disclosed
2023-06-09
Config / version noted
Yes

Provenance

Reported as

command injection vulnerability in Trellix Agent for macOS prior to version 5.7.9 allows local users to place an arbitrary file

Mechanism

Uncontrolled search path element (CWE-427) in Trellix Agent for macOS. A local attacker can place a malicious file in /Library/Trellix/Agent/bin/. When the TA deployment feature is triggered, the agent executes the file, leading to command injection and potential full system compromise.

Detection & mitigation

Monitor file creation events in /Library/Trellix/Agent/bin/ for unexpected or unsigned binaries, and enforce strict permissions on that directory to prevent unauthorized writes. Ensure Trellix Agent is updated to version 5.7.9 or later to remediate the vulnerability.
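As an added example (not code from the cited source or from Trellix), the following shell script audits a directory that a privileged agent executes from, the kind of check the mitigation note above calls for. It defaults to the /Library/Trellix/Agent/bin path named in this record, but takes any directory and expected owner as arguments; the owner default of root and the codesign check are assumptions about a typical macOS install, and the codesign step is skipped where the tool is absent.

```bash
#!/bin/bash
# Added example, not code from the record's source or from Trellix.
# Audits a directory that a privileged agent executes binaries from
# (CWE-427 style exposure). A finding is: the directory or a file in it
# writable by group/other, a path not owned by the expected account, or
# (macOS only) a file that fails codesign verification.
# Usage: audit_agent_bin [DIR] [EXPECTED_OWNER]
#   DIR   defaults to /Library/Trellix/Agent/bin (path from the record)
#   OWNER defaults to root (assumption for a standard install)

perm_owner() {
    # Portable mode/owner extraction via ls (same columns on macOS and Linux)
    ls -ld "$1" | awk '{print $1, $3}'
}

check_path() {
    # Prints a FINDING line and returns 1 if $1 is group/other writable or
    # not owned by $2; returns 0 when clean.
    local info mode owner rc=0
    info=$(perm_owner "$1")
    mode="${info%% *}"
    owner="${info##* }"
    if [ "$owner" != "$2" ]; then
        echo "FINDING owner=$owner (expected $2): $1"; rc=1
    fi
    # mode looks like drwxr-xr-x: 6th char is group write, 9th is other write
    case "$mode" in
        ?????w*|????????w*) echo "FINDING group/other writable ($mode): $1"; rc=1 ;;
    esac
    return $rc
}

audit_agent_bin() {
    local dir="${1:-/Library/Trellix/Agent/bin}" owner="${2:-root}" findings=0 f
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    check_path "$dir" "$owner" || findings=$((findings + 1))
    for f in "$dir"/*; do
        [ -e "$f" ] || continue   # empty directory leaves the glob literal
        check_path "$f" "$owner" || findings=$((findings + 1))
        # macOS only: every regular file must carry a verifiable signature.
        # Plain scripts will also be flagged here, which is the conservative choice.
        if command -v codesign >/dev/null 2>&1 && [ -f "$f" ]; then
            codesign --verify --strict "$f" >/dev/null 2>&1 \
                || { echo "FINDING unsigned or tampered: $f"; findings=$((findings + 1)); }
        fi
    done
    echo "findings=$findings in $dir"
    [ "$findings" -eq 0 ]
}

# Run directly with: ./audit.sh --audit [DIR] [OWNER]
if [ "${1:-}" = "--audit" ]; then
    audit_agent_bin "${2:-}" "${3:-}"
fi
```

A clean directory exits 0; any finding exits 1 and a missing directory exits 2, so the function can sit in a scheduled job or a configuration-compliance check. Pair it with file-creation monitoring on the same path (for example via an EDR file event rule or macOS endpoint security telemetry) so that a new or modified file is seen at write time rather than only at the next audit.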


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.