Tyler Bohan of Cisco Talos discovered these vulnerabilities.

Executive summary

There are two privilege escalation vulnerabilities in the Wacom update helper. The update helper is a utility installed alongside the macOS application for Wacom tablets. The application interacts with the tablet and allows the user to manage it. These vulnerabilities could allow an attacker with local access to raise their privileges to root.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Wacom to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Wacom update helper tool startProcess privilege escalation vulnerability (TALOS-2018-0760/CVE-2019-5012)

An exploitable privilege escalation vulnerability exists in the Wacom, driver version 6.3.32-3, update helper service in the startProcess command. The command takes a user-supplied script argument and executes it under root context. A user with local access can use this vulnerability to raise their privileges to root. An attacker would need local access to the machine for a successful exploit.

Read the complete vulnerability advisory here for additional information.

Wacom update helper tool start/stopLaunchDProcess privilege escalation vulnerability (TALOS-2018-0761/CVE-2019-5013)

An exploitable privilege escalation vulnerability exists in the Wacom update helper service in the start/stopLaunchDProcess command. The command takes a user-supplied string argument and executes launchctl under root context. A user with local access can use this vulnerability to raise load arbitrary launchD agents. An attacker would need local access to the machine for a successful exploit.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that the Wacom driver on macOS, versions 6.3.32.2 and 6.3.32.3 are affected by these vulnerabilities.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48850, 48851