CVE-2025-70342 Overview
CVE-2025-70342 is a credential interception vulnerability in erase-install, a popular macOS utility used for system reinstallation and erasure operations. The vulnerability exists in versions prior to v40.4 (commit 2c31239) where the application writes swiftDialog credential output to a hardcoded path /var/tmp/dialog.json. This insecure file handling allows an unauthenticated local attacker to intercept administrator credentials entered during reinstall or erase operations by creating a named pipe at the expected file location.
Critical Impact
Local attackers can intercept administrator credentials during macOS reinstall/erase operations, potentially gaining full administrative access to enterprise systems.
Affected Products
- erase-install versions prior to v40.4
- erase-install builds before commit 2c31239fb8519d87577514b3db9ddb0771232a21
- macOS systems using vulnerable erase-install deployments
Discovery Timeline
- 2026-03-04 - CVE-2025-70342 published to NVD
- 2026-03-04 - Last updated in NVD database
Technical Details for CVE-2025-70342
Vulnerability Analysis
This vulnerability stems from improper permission assignment for critical resources (CWE-732). The erase-install utility writes sensitive credential data to a predictable, world-readable location in the /var/tmp/ directory. When an administrator initiates a reinstall or erase operation and enters their credentials via the swiftDialog interface, these credentials are temporarily stored in /var/tmp/dialog.json.
The fundamental issue is the use of a hardcoded, predictable file path for sensitive credential storage combined with insufficient access controls on this file. Since /var/tmp/ is a shared temporary directory accessible by all users on the system, any local user can monitor or manipulate files created in this location.
Root Cause
The root cause is the hardcoded file path /var/tmp/dialog.json used for storing swiftDialog credential output without proper file permission restrictions. This design flaw allows any local user to predict where credentials will be written and preemptively create a named pipe (FIFO) at that location to intercept the data stream.
Attack Vector
The attack leverages the predictable nature of the credential storage path. An attacker with local access to the system can create a named pipe at /var/tmp/dialog.json before the legitimate erase-install process runs. When an administrator subsequently executes erase-install and enters their credentials, the swiftDialog output is redirected through the attacker's named pipe, allowing real-time credential interception.
The attack requires local access and depends on user interaction (an administrator must initiate the erase-install process and enter credentials), but requires no special privileges to execute. The impact includes potential exposure of administrator credentials, which could lead to complete system compromise.
Detection Methods for CVE-2025-70342
Indicators of Compromise
- Presence of named pipes or symbolic links at /var/tmp/dialog.json
- Unexpected processes monitoring or reading from /var/tmp/dialog.json
- File type anomalies in /var/tmp/ showing FIFO special files where regular files are expected
- Unauthorized user processes with file handles open to the erase-install credential path
Detection Strategies
- Monitor for mkfifo or equivalent system calls creating files in /var/tmp/ matching the pattern dialog.json
- Implement file integrity monitoring on /var/tmp/ to detect preemptive file/pipe creation before erase-install execution
- Audit local user processes that maintain open file descriptors to erase-install temporary paths
- Deploy endpoint detection rules for suspicious named pipe creation in system temporary directories
Monitoring Recommendations
- Enable enhanced auditing for file system operations in /var/tmp/ on managed macOS endpoints
- Configure SentinelOne behavioral AI to detect credential harvesting patterns associated with named pipe interception
- Monitor for process execution chains involving erase-install preceded by suspicious file creation in temporary directories
- Review system logs for unauthorized access attempts to erase-install configuration and credential files
How to Mitigate CVE-2025-70342
Immediate Actions Required
- Update erase-install to version 40.4 or later containing commit 2c31239
- Audit systems for any existing named pipes at /var/tmp/dialog.json before running erase-install
- Restrict physical and remote access to systems where erase-install operations are performed
- Consider running erase-install operations only from secure, single-user environments
Patch Information
The vulnerability is addressed in erase-install version 40.4, specifically in commit 2c31239fb8519d87577514b3db9ddb0771232a21. The fix modifies how credential output is handled to prevent interception via named pipe attacks. Organizations should update to the patched version immediately.
For technical details on the fix, refer to the GitHub commit and the associated pull request.
Workarounds
- Manually verify that /var/tmp/dialog.json does not exist as a named pipe before executing erase-install operations
- Implement pre-execution scripts that check for and remove suspicious files at the hardcoded path
- Run erase-install from single-user mode or recovery environments where local attacker access is limited
- Deploy file system monitoring to alert on named pipe creation in /var/tmp/
# Pre-execution check for named pipe attack
# test -p is true only if the path exists and is a FIFO, which is the
# interception primitive described above; a regular file or a missing file
# passes the check.
if [ -p /var/tmp/dialog.json ]; then
    echo "WARNING: Named pipe detected at credential path - potential attack"
    # Remove the pipe so the legitimate swiftDialog write creates a new file
    rm -f /var/tmp/dialog.json
fi
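The following is an added example, not erase-install's own code and not the project's actual fix. It extends the pre-execution check above to cover the other indicators listed under Indicators of Compromise (symbolic links, non-regular files, files owned by another user), and it shows the private-directory pattern that removes the predictable /var/tmp path at the root of CWE-732. The function names check_credential_path and private_output_path and the CRED_PATH variable are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not erase-install code). Two pieces:
#  1. check_credential_path: the preflight check an operator can run before
#     starting erase-install on a version that still writes /var/tmp/dialog.json.
#  2. private_output_path: how a caller can avoid the predictable path entirely
#     by writing dialog output into a fresh, caller-only directory.

# check_credential_path PATH
# Returns 0 when PATH is safe to write to (absent, or a regular file owned by
# the current user). Returns 1 and prints the reason when the path is a
# symbolic link, a FIFO, any other non-regular file, or is owned by another
# user. The -L test comes first because a dangling symlink fails -e.
# -O (owned by effective uid) is supported by bash, dash and macOS /bin/sh.
check_credential_path() {
    p="$1"
    if [ -L "$p" ]; then
        echo "WARNING: $p is a symbolic link (output could be redirected)"
        return 1
    fi
    if [ -p "$p" ]; then
        echo "WARNING: $p is a named pipe (credential interception primitive)"
        return 1
    fi
    if [ -e "$p" ] && [ ! -f "$p" ]; then
        echo "WARNING: $p exists but is not a regular file"
        return 1
    fi
    if [ -e "$p" ] && [ ! -O "$p" ]; then
        echo "WARNING: $p is owned by another user"
        return 1
    fi
    return 0
}

# private_output_path
# Prints a path for dialog output inside a newly created directory with an
# unpredictable name and mode 0700. Because another local user can neither
# guess the name nor traverse the directory, a FIFO cannot be pre-created at
# the path. mktemp -d already creates the directory 0700; the chmod makes the
# intent explicit. The caller owns cleanup of the directory.
private_output_path() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/erase-install.XXXXXX") || return 1
    chmod 700 "$d"
    echo "$d/dialog.json"
}

# Stand-alone use: check the hardcoded path used by vulnerable versions.
# CRED_PATH is this example's own variable; override it to test elsewhere.
CRED_PATH="${CRED_PATH:-/var/tmp/dialog.json}"
if check_credential_path "$CRED_PATH"; then
    echo "OK: $CRED_PATH is safe to write"
else
    echo "Do not run erase-install until $CRED_PATH has been investigated"
fi
```

Run the script as the user who will launch erase-install, since the ownership test is relative to the caller. Removing a detected pipe (as the shorter snippet above does) clears the immediate hazard but destroys the evidence; copying ls -l output and the owning uid first gives the incident responder something to work with.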
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


