Microsoft Uncovers macOS Vulnerability CVE-2024-44243 Allowing Rootkit Installation

Jan 14, 2025 | Ravie Lakshmanan | Endpoint Security / Vulnerability

Microsoft has shed light on a now-patched security flaw impacting Apple macOS that, if successfully exploited, could have allowed an attacker running as "root" to bypass the operating system's System Integrity Protection (SIP) and install malicious kernel drivers by loading third-party kernel extensions.

The vulnerability in question is CVE-2024-44243 (CVSS score: 5.5), a medium-severity bug that was addressed by Apple as part of macOS Sequoia 15.2, released last month. The iPhone maker described it as a "configuration issue" that could allow a malicious app to modify protected parts of the file system.

"Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits," Jonathan Bar Or of the Microsoft Threat Intelligence team said.


SIP, also known as rootless, is a security framework that aims to prevent malicious software installed on a Mac from tampering with the protected parts of the operating system, including /System, /usr, /bin, /sbin, /var, and the apps that come pre-installed on the device.

It works by enforcing various protections against the root user account, permitting modification of these protected parts only by processes that are signed by Apple and hold specific entitlements to write to system files, such as Apple software updates and Apple installers.

The two entitlements specific to SIP are below –

  • com.apple.rootless.install, which lifts SIP's file system restrictions for a process with this entitlement
  • com.apple.rootless.install.heritable, which lifts SIP's file system restrictions for a process and all its child processes by inheriting the com.apple.rootless.install entitlement

CVE-2024-44243, the latest SIP bypass discovered by Microsoft in macOS after CVE-2021-30892 (Shrootless) and CVE-2023-32369 (Migraine), exploits the Storage Kit daemon's (storagekitd) "com.apple.rootless.install.heritable" entitlement to get around SIP protections.

Specifically, this is achieved by taking advantage of "storagekitd's ability to invoke arbitrary processes without proper validation or dropping privileges" to drop a new file system bundle into /Library/Filesystems (whose binaries storagekitd launches as child processes) and override the binaries associated with Disk Utility, which can then be triggered during certain operations such as disk repair.


"Since an attacker that can run as root can drop a new file system bundle to /Library/Filesystems, they can later trigger storagekitd to spawn custom binaries, hence bypassing SIP," Bar Or said. "Triggering the erase operation on the newly created file system can bypass SIP protections as well."
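The two building blocks of the bypass described above, the SIP-lifting entitlements and the file system bundles that storagekitd spawns, are also the two things a defender can hunt for. The script below is an added example written for this page, not code from Microsoft or Apple. It parses an entitlements plist (on macOS you would obtain one with `codesign -d --entitlements :- <binary>`) and reports which of the two SIP entitlements it grants, then audits a /Library/Filesystems-style directory for bundles that are not on an allowlist, listing the executables their Info.plist would hand to storagekitd for repair, format and similar operations. The bundle layout assumed here (`<name>.fs/Contents/Info.plist` with an `FSPersonalities` dictionary whose entries carry `FS*Executable` keys) follows Apple's own bundles under /System/Library/Filesystems; the sample entitlements blob and the sample bundle tree are constructed for offline use, and `evil.fs`/`fsck_evil` are hypothetical names.

```python
"""Hunting helpers for the storagekitd SIP-bypass pattern (added example, not vendor code).

  sip_entitlements(xml)             -> which SIP-lifting entitlements a plist grants
  audit_filesystem_bundles(dir, ok) -> non-allowlisted *.fs bundles and the binaries
                                       their Info.plist would have storagekitd spawn

Assumed bundle layout: <name>.fs/Contents/Info.plist with an FSPersonalities dict
whose entries carry FS*Executable keys (as in Apple's /System/Library/Filesystems).
All sample data below is constructed.
"""
import os
import plistlib
import tempfile

SIP_ENTITLEMENTS = (
    "com.apple.rootless.install",
    "com.apple.rootless.install.heritable",
)


def sip_entitlements(entitlements_xml: bytes) -> list[str]:
    """Return the SIP-related entitlements that are set to true in a plist blob."""
    plist = plistlib.loads(entitlements_xml)
    # A key present but set to <false/> grants nothing, so check the value, not the key.
    return [key for key in SIP_ENTITLEMENTS if plist.get(key) is True]


def bundle_executables(info_plist: dict) -> list[tuple[str, str, str]]:
    """(personality, key, executable) for every FS*Executable entry in FSPersonalities."""
    found = []
    for personality, props in info_plist.get("FSPersonalities", {}).items():
        for key, value in props.items():
            if key.startswith("FS") and key.endswith("Executable"):
                found.append((personality, key, value))
    return found


def audit_filesystem_bundles(fs_dir: str, allowlist: frozenset[str]) -> list[dict]:
    """Report *.fs bundles not on the allowlist, with the binaries they would spawn."""
    findings = []
    for name in sorted(os.listdir(fs_dir)):
        if not name.endswith(".fs") or name in allowlist:
            continue
        info_path = os.path.join(fs_dir, name, "Contents", "Info.plist")
        execs = []
        if os.path.isfile(info_path):
            with open(info_path, "rb") as fh:
                execs = bundle_executables(plistlib.load(fh))
        findings.append({"bundle": name, "executables": execs})
    return findings


def build_sample_tree() -> str:
    """Construct a fake /Library/Filesystems: one expected bundle and one rogue one."""
    root = tempfile.mkdtemp(prefix="fs-audit-")
    bundles = {
        "msdos.fs": {"FSPersonalities": {"MS-DOS": {
            "FSRepairExecutable": "fsck_msdos", "FSFormatExecutable": "newfs_msdos"}}},
        "evil.fs": {"FSPersonalities": {"Evil": {  # hypothetical attacker bundle
            "FSRepairExecutable": "fsck_evil", "FSFormatExecutable": "newfs_evil"}}},
    }
    for name, info in bundles.items():
        contents = os.path.join(root, name, "Contents")
        os.makedirs(contents)
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump(info, fh)
    return root


# Constructed entitlements blob in the shape codesign prints; not storagekitd's real one.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install</key>
    <false/>
    <key>com.apple.rootless.install.heritable</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    print("SIP entitlements granted:", sip_entitlements(SAMPLE_ENTITLEMENTS))
    root = build_sample_tree()
    for finding in audit_filesystem_bundles(root, frozenset({"msdos.fs"})):
        print("non-allowlisted bundle:", finding)
```

On a real host, point `audit_filesystem_bundles` at /Library/Filesystems with an allowlist built from a known-good baseline; anything it returns is worth checking with `codesign -dv` and a look at who wrote the bundle, since a root-level attacker planting a bundle there is exactly the precondition the article describes.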

The disclosure comes nearly three months after Microsoft also detailed another security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS (CVE-2024-44133, CVSS score: 5.5), aka HM Surf, that could be exploited to access sensitive data.

"Prohibiting third-party code to run in the kernel can increase macOS reliability, the tradeoff being that it reduces monitoring capabilities for security solutions," Bar Or said.

“If SIP is bypassed, the entire operating system can no longer be considered reliable, and with reduced monitoring visibility, threat actors can tamper with any security solutions on the device to evade detection.”
