CVE-2019-5013: 
Wacom Tablet Driver vulnerability analysis and mitigation

A privilege escalation vulnerability (CVE-2019-5013) was discovered in the Wacom driver version 6.3.32-3's update helper service, specifically in the start/stopLaunchDProcess command. The vulnerability was discovered in January 2019 and publicly disclosed on May 16, 2019. The affected component is the Wacom update helper utility that is installed alongside the Wacom Tablet macOS application (Talos Report).

The vulnerability exists in the startLaunchDProcess and stopLaunchDProcess functions of the helper tool. The service runs as root and listens locally over XPC. The vulnerability occurs when the command takes a user-supplied string argument and executes launchctl under root context. The issue has been assigned a CVSS v3.0 base score of 7.1 (HIGH) with vector CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N, and is classified as CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (Talos Report).

The vulnerability allows an attacker with local access to load arbitrary launchD agents with root privileges. This enables an attacker to control all root services on the computer, including the ability to launch any arbitrary agent or stop and delete existing agents. The impact is particularly severe as it crosses a privilege boundary, allowing regular users to control LaunchAgents and LaunchDaemons that should only be manageable by the root user (Talos Report).

Wacom acknowledged the vulnerability and released a fix in driver version 6.3.34 on May 15, 2019 (Talos Report).