Title

Setuid bit must be removed from Apple Remote Desktop. (Cat II impact)

Discussion

Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.

Check Content

Open a terminal session and enter the following command. ls -la /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent Verify the file permissions are set to 755 or more restrictive. If not, this is a finding.

Fix Text

Open a terminal session and enter the following command. chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Additional Identifiers

Rule ID: SV-38223r1_rule

Vulnerability ID: V-25283

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.