CVE-2022-3421: CWE-264 Permissions, Privileges, and Access Controls in Google LLC Drive for Desktop MacOS
An attacker can pre-create the `/Applications/Google\ Drive.app/Contents/MacOS` directory, which is expected to be owned by root, so that it is owned by a non-root user. When the Drive for Desktop installer is run for the first time, it will place a binary in that directory with execute permissions and set its setuid bit. Since the attacker owns the directory, the attacker can replace the binary with a symlink, causing the installer to set the setuid bit on the symlink. When the symlink is executed, it will run with root permissions. We recommend upgrading past version 64.0.
AI Analysis
Technical Summary
CVE-2022-3421 is a local privilege escalation vulnerability affecting Google Drive for Desktop on macOS. It arises from missing ownership and permission checks during installation. The installer expects the directory `/Applications/Google Drive.app/Contents/MacOS` to be owned by root, but it does not verify this; a local non-root user can create the directory in advance and therefore own it. On its first run the installer writes a binary into that directory, marks it executable and sets its setuid bit so that it runs with root privileges. Because the attacker owns the directory, the legitimate binary can be swapped for a symbolic link pointing at an executable of the attacker's choice; the installer's chmod then lands on the symlink target, which ends up running as root. The weakness is classified as CWE-264 (Permissions, Privileges, and Access Controls). Exploitation requires local access and the ability to trigger the installer's first run. No exploitation in the wild had been reported as of the publication date. The vulnerability was disclosed on October 17, 2022, and Google recommends upgrading to versions beyond 64.0. The root cause is a classic TOCTOU (time-of-check to time-of-use) race condition combined with insufficient directory ownership validation during installation, allowing escalation from a non-root user to root.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to macOS endpoints where Google Drive for Desktop is installed and updated. Successful exploitation results in local privilege escalation, allowing an attacker with limited user privileges to gain full root access. This can lead to complete system compromise, including unauthorized access to sensitive data, installation of persistent malware, disabling of security controls, and lateral movement within the network. Organizations relying heavily on Google Drive for Desktop for file synchronization and collaboration may face increased risk of data breaches or operational disruption. The impact is particularly critical in environments with shared or multi-user macOS systems, such as corporate laptops or workstations, where local users may be untrusted or compromised. While remote exploitation is not feasible, the vulnerability facilitates post-compromise escalation, making it a valuable tool for attackers who have already gained limited access. Given the widespread use of Google Drive in European enterprises, especially in sectors like finance, legal, and government, the potential for sensitive data exposure and operational impact is considerable if exploited.
Mitigation Recommendations
1. Immediate upgrade: Organizations should upgrade Google Drive for Desktop on macOS to version 64.0 or later, where this vulnerability has been addressed.
2. Restrict installer execution: Limit the ability to run the Drive for Desktop installer to trusted administrators only, preventing unprivileged users from initiating the installation or upgrade process.
3. Directory ownership monitoring: Implement monitoring to detect unauthorized changes in ownership or permissions of the `/Applications/Google Drive.app/Contents/MacOS` directory and related paths.
4. Use endpoint protection: Deploy endpoint detection and response (EDR) solutions capable of detecting suspicious setuid binary creations or symlink manipulations.
5. Harden macOS security settings: Enforce strict file system permissions and consider using macOS System Integrity Protection (SIP) features to prevent unauthorized modifications to system directories.
6. User privilege management: Minimize the number of users with local administrative privileges and enforce the principle of least privilege to reduce the risk of local exploitation.
7. Audit installation processes: Regularly audit software installation and update procedures to ensure they follow secure practices and verify the integrity and ownership of installation directories.
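Recommendations 3 and 4 above amount to checking one directory for a small set of conditions: is it owned by root, is it writable by anyone else, does it contain symlinks where the installer writes regular binaries, and which setuid/setgid entries are present and who owns them. The script below is an added example of such a check written for this page; it is not part of the advisory and not Google's code. It uses only POSIX `find`, `ls` and `awk` so it runs unchanged on macOS and Linux, and the only page-specific value it carries is the advisory's directory path, used as the default target. The message wording and the exit-status convention (0 clean, 1 at least one finding) are this example's own choices.

```shell
#!/bin/sh
# Added defensive example (not from the advisory or from Google): audit an
# app bundle's Contents/MacOS directory for the preconditions and traces of
# the CVE-2022-3421 pattern. Prints one "finding:" or "info:" line per item.
# Returns 0 when nothing suspicious was found, 1 otherwise.

# Path named in the advisory; any other bundle directory can be passed instead.
DRIVE_MACOS_DIR="/Applications/Google Drive.app/Contents/MacOS"

# Owner name of a path, following symlinks (ls -L exists on macOS and Linux).
owner_of() {
    ls -ldL "$1" | awk '{ print $3 }'
}

audit_macos_dir() {
    dir="${1:-$DRIVE_MACOS_DIR}"
    findings=0

    if [ ! -d "$dir" ]; then
        echo "info: $dir does not exist (not pre-created; the installer will create it)"
        return 0
    fi

    # 1. The advisory's precondition: the directory is owned by a non-root user.
    if [ -n "$(find "$dir" -maxdepth 0 ! -user root)" ]; then
        echo "finding: $dir owned by '$(owner_of "$dir")', expected root"
        findings=$((findings + 1))
    fi

    # 2. Group- or world-writable directory: entries can be swapped by others.
    if [ -n "$(find "$dir" -maxdepth 0 \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "finding: $dir is group- or world-writable ($(ls -ld "$dir" | awk '{ print $1 }'))"
        findings=$((findings + 1))
    fi

    # 3. Symlinks where the installer writes regular binaries: the swap itself.
    links=$(find "$dir" -mindepth 1 -maxdepth 1 -type l)
    if [ -n "$links" ]; then
        echo "$links" | sed 's/^/finding: symlink in bundle dir: /'
        findings=$((findings + 1))
    fi

    # 4. setuid/setgid entries. -L follows symlinks so a setuid *target* is
    #    seen through the link. A root-owned setuid binary is what the
    #    installer legitimately produces; any other owner is a finding.
    suid=$(find -L "$dir" -mindepth 1 -maxdepth 1 \( -perm -4000 -o -perm -2000 \))
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        owner=$(owner_of "$p")
        if [ "$owner" = root ]; then
            echo "info: setuid/setgid entry $p owned by root (expected for the installer's helper)"
        else
            echo "finding: setuid/setgid entry $p owned by '$owner', not root"
            findings=$((findings + 1))
        fi
    done <<EOF
$suid
EOF

    [ "$findings" -eq 0 ]
}

# Script entry: audit the directory given as the first argument, or the
# advisory's default path when none is given; exit status mirrors the audit.
audit_macos_dir "$@"
```

Run it as `sh audit_drive_dir.sh` on an endpoint (or pass another bundle's `Contents/MacOS` path) and feed the exit status to whatever scheduler or EDR scripting you already use; a non-zero result on a machine where Drive for Desktop has not yet been installed is the pre-created-directory precondition the advisory describes and is worth an alert on its own.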
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium, Switzerland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name:
- Date Reserved: 2022-10-07T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d984bc4522896dcbf8164
Added to database: 5/21/2025, 9:09:31 AM
Last enriched: 6/20/2025, 12:04:57 PM
Last updated: 7/29/2025, 8:33:14 AM