Overview

A local privilege escalation vulnerability in Sophos Endpoint products for MacOS was recently discovered and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed.

Sophos would like to thank Csaba Fitzl (@theevilbit) of Offensive Security for responsibly disclosing this issue to Sophos.

The remediation prevented local users from executing arbitrary code with administrator privileges. There was no evidence that the vulnerability was exploited and to our knowledge no customers are impacted.

There is no action required for customers, as updates are installed automatically by default.

Applies to the following Sophos product(s) and version(s)

• Sophos Intercept X Endpoint (Central) for MacOS version 10.0.3 and prior versions
• Sophos Intercept X Endpoint (OPM) for MacOS version 9.10.1 and prior versions
• Sophos Home for MacOS version 10.0.3 and prior versions

Remediation

• Fix included in Intercept X Endpoint (Central) for MacOS version 10.0.4 released March 4, 2021
• Fix included in Intercept X Endpoint (OPM) for MacOS version 9.10.2 released March 4, 2021
• Fix included in Sophos Home for MacOS version 10.0.4 released May 4, 2021

Related Information

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25264