Leaks user passwords via parameter expansion of variables in command arguments and command substitution.
Tests confirmed these were visible and persisted externally via standard CrowdStrike agent configuration. Expectation is that these would also be visible to other logging software, malware, and unprivileged users running top or ps commands at the same time as the command execution, as they can typically read command arguments.
Observed cases involved launchctl asuser..., dscl /Local/Default..., security add-generic-password... where ${auth_local_password} is used directly in a command line, and not passed via fd/stdin.
softwareupdate ... on lines 7589 and 7597 also look problematic, but testing was not performed on macOS 12.
"Verbose mode" lines may also present the same issue as above, distinct from 295 and 210.
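The difference between the two patterns named above, as an added example that is not code from the script under discussion: a stand-in child process receives a constructed sample value first in its argument list and then on stdin, and each time the process table is checked for that value. The `demo-tool` name, the sample value and the `sleep`-based child are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration. SAMPLE_SECRET is a constructed value and "demo-tool"
# is a hypothetical stand-in for a command that needs a password.
SAMPLE_SECRET='Constructed-Sample-Pw-1'

# Print the argument list of PID $1 as any local process can read it.
visible_args() {
    out=$(ps -ww -o args= -p "$1" 2>/dev/null)
    if [ -z "$out" ] && [ -r "/proc/$1/cmdline" ]; then
        out=$(tr '\0' ' ' < "/proc/$1/cmdline")   # fallback where ps lacks -p
    fi
    printf '%s\n' "$out"
}

# Succeeds (status 0) if the sample value shows up in the arguments of PID $1.
secret_listed() {
    visible_args "$1" | grep -F -q -- "$SAMPLE_SECRET"
}

# Pattern from the report: the variable is expanded into the command line.
leaks_via_argv() {
    sh -c 'sleep 2; :' demo-tool "$SAMPLE_SECRET" >/dev/null 2>&1 &
    pid=$!
    sleep 1                      # let the child exec before inspecting it
    secret_listed "$pid"; rc=$?
    wait "$pid"
    return "$rc"
}

# Alternative: printf (a builtin in sh, bash and zsh) writes the value to the
# child's stdin, so it never becomes part of any process's argument list.
leaks_via_stdin() {
    printf '%s\n' "$SAMPLE_SECRET" |
        sh -c 'IFS= read -r pw; sleep 2; :' demo-tool >/dev/null 2>&1 &
    pid=$!                       # PID of the last command in the pipeline
    sleep 1
    secret_listed "$pid"; rc=$?
    wait "$pid"
    return "$rc"
}

if leaks_via_argv; then echo "argv: value visible in process listing"; fi
if ! leaks_via_stdin; then echo "stdin: value not in process listing"; fi
```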