CVE-2020-27614: macOS XPC privilege escalation

Problem type

Incorrect Access Control / XPC LPE

Description

AnyDesk 6.0.2 for macOS contains a privileged XPC service that does not properly validate client requests. An attacker can exploit this service and use the installation routines it provides to change the permissions of an arbitrary file or directory in the filesystem.

Impact

An attacker who can execute code with user permissions can use this vulnerability to change the permissions of protected system directories. This can be used to escalate to root privileges through launchd.

Affected products

The vulnerability affects AnyDesk for macOS versions 6.0.2 and older.

Resolution

The vulnerability has been fixed in AnyDesk for macOS version 6.0.3.
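
The triage script below is an added example, not part of the original advisory and not AnyDesk code. It compares the installed version with the fixed release and flags launchd job directories whose owner or write bits are not the expected root-owned, root-writable defaults. The install path, the use of CFBundleShortVersionString as the version source, and the two directories audited are assumptions.

```shell
#!/bin/sh
# Added triage example for CVE-2020-27614 (not vendor code).
FIXED_VERSION="6.0.3"   # fixed release named in the advisory
APP_PLIST="/Applications/AnyDesk.app/Contents/Info.plist"   # assumed install path
# Standard launchd job directories on macOS (assumed audit scope; the
# advisory only says "protected system directories").
LAUNCHD_DIRS="/Library/LaunchDaemons /Library/LaunchAgents"

# version_lt A B: succeed when dotted version A is older than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# dir_is_weak PATH [OWNER]: succeed when PATH is a directory that is not
# owned by OWNER (default root) or is writable by group or other.
dir_is_weak() {
    [ -d "$1" ] || return 1
    hit=$(find "$1" -maxdepth 0 \( ! -user "${2:-root}" -o -perm -0020 -o -perm -0002 \) 2>/dev/null)
    [ -n "$hit" ]
}

triage() {
    if [ -f "$APP_PLIST" ]; then
        ver=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$APP_PLIST" 2>/dev/null) || ver=""
        if [ -z "$ver" ]; then
            echo "AnyDesk: version unreadable, check manually"
        elif version_lt "$ver" "$FIXED_VERSION"; then
            echo "AnyDesk $ver: AFFECTED, update to $FIXED_VERSION or later"
        else
            echo "AnyDesk $ver: not affected"
        fi
    else
        echo "AnyDesk: not found at $APP_PLIST"
    fi
    for d in $LAUNCHD_DIRS; do
        if dir_is_weak "$d"; then
            echo "WARNING: $d has unexpected owner or write bits:"
            ls -ld "$d"
        fi
    done
    return 0
}

triage
```

A warning on a host that ran an affected version is a reason to review the job definitions in that directory before restoring its permissions.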