Microsoft: macOS bug lets hackers set up malicious kernel drivers

Apple recently addressed a macOS vulnerability that enables attackers to bypass System Integrity Protection (SIP) and install malicious kernel drivers by loading third-party kernel extensions.

System Integrity Protection (SIP), or ‘rootless,’ is a macOS security feature that prevents malicious software from altering specific folders and files by limiting the root user account’s powers in protected areas.

SIP allows only Apple-signed processes or those with special entitlements, such as Apple software updates, to modify macOS-protected components. Disabling SIP normally requires a system restart and booting from macOS Recovery (the built-in recovery system), which requires physical access to a compromised device.

The security flaw (tracked as CVE-2024-44243), which can only be exploited by local attackers with root privileges in low-complexity attacks requiring user interaction, was found in the Storage Kit daemon that handles disk state-keeping.

Successful exploitation could allow attackers to bypass SIP root restrictions without physical access to install rootkits (kernel drivers), create persistent, “undeletable” malware, or circumvent Transparency, Consent, and Control (TCC) security checks to access victims’ data.
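The two conditions this story turns on are whether SIP is enabled and whether any non-Apple kernel extension is loaded. The following is an added defender-side check (not from the article or from Microsoft's report) that parses the text output of `csrutil status` and `kmutil showloaded`; the sample outputs are constructed, and the column layout assumed for `kmutil showloaded` is the kextstat-style listing with the bundle identifier in the sixth column.

```python
"""Audit SIP status and loaded third-party kernel extensions on a Mac.
Added example: parses constructed samples offline; audit_live() runs the
real commands and only works on macOS (kmutil ships with macOS 11+)."""
import re
import subprocess

SAMPLE_CSRUTIL = "System Integrity Protection status: enabled.\n"  # constructed
SAMPLE_KMUTIL = """\
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  160 0                  0          0          com.apple.kpi.bsd (24.2.0)
  150    0 0xffffff7f9a000000 0x5000     0x5000     com.apple.driver.AppleHIDKeyboard (240)
  181    0 0xffffff7f9b000000 0x8000     0x8000     com.example.thirdparty.driver (1.0) <5 4 3>
"""  # constructed sample; assumed column layout (bundle id is the 6th field)


def sip_enabled(csrutil_output: str) -> bool:
    """True only if csrutil reports SIP as enabled."""
    m = re.search(r"System Integrity Protection status:\s*(\w+)", csrutil_output)
    return bool(m) and m.group(1).lower() == "enabled"


def third_party_kexts(kmutil_output: str) -> list[str]:
    """Return bundle identifiers of loaded kexts that are not Apple's own."""
    found = []
    for line in kmutil_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        bundle_id = fields[5]
        if not bundle_id.startswith("com.apple."):
            found.append(bundle_id)
    return found


def audit(csrutil_output: str, kmutil_output: str) -> list[str]:
    """Combine both checks into a list of findings (empty list means clean)."""
    findings = []
    if not sip_enabled(csrutil_output):
        findings.append("SIP is not enabled")
    for kext in third_party_kexts(kmutil_output):
        findings.append(f"third-party kext loaded: {kext}")
    return findings


def audit_live() -> list[str]:
    """Run the real commands; macOS only."""
    csr = subprocess.run(["csrutil", "status"], capture_output=True, text=True).stdout
    kmu = subprocess.run(["kmutil", "showloaded"], capture_output=True, text=True).stdout
    return audit(csr, kmu)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CSRUTIL, SAMPLE_KMUTIL):
        print(finding)
```

A third-party kext on a fleet member is not proof of compromise, but together with a SIP-disabled status it is the combination worth alerting on.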

Apple has patched the vulnerability in security updates for macOS Sequoia 15.2, released one month ago, on December 11, 2024.

[Figure: storagekitd SIP-related entitlements (Microsoft)]

“System Integrity Protection (SIP) serves as a critical safeguard against malware, attackers, and other cybersecurity threats, establishing a fundamental layer of protection for macOS systems,” Microsoft said today in a report that provides more technical details on CVE-2024-44243.

“Bypassing SIP impacts the entire operating system’s security and could lead to severe consequences, emphasizing the necessity for comprehensive security solutions that can detect anomalous behavior from specially entitled processes.”

Microsoft security researchers have discovered several macOS vulnerabilities in recent years. A SIP bypass dubbed ‘Shrootless’ (CVE-2021-30892), reported in 2021, also allows attackers to perform arbitrary operations on compromised Macs and potentially install rootkits.

More recently, they also found another SIP bypass dubbed ‘Migraine’ (CVE-2023-32369) and a security flaw known as Achilles (CVE-2022-42821), which can be exploited to deploy malware via untrusted apps capable of bypassing Gatekeeper execution restrictions.

Microsoft principal security researcher Jonathan Bar Or also discovered ‘powerdir’ (CVE-2021-30970), another macOS vulnerability that lets attackers bypass Transparency, Consent, and Control (TCC) technology to access macOS users’ protected data.
