Microsoft has make clear a now-patched safety flaw impacting Apple macOS that, if efficiently exploited, may have allowed an attacker operating as “root” to bypass the working system’s System Integrity Safety (SIP) and set up malicious kernel drivers by loading third-party kernel extensions.
The vulnerability in query is CVE-2024-44243 (CVSS rating: 5.5), a medium-severity bug that was addressed by Apple as a part of macOS Sequoia 15.2 launched final month. The iPhone maker described it as a “configuration challenge” that might allow a malicious app to switch protected components of the file system.
“Bypassing SIP may result in severe penalties, reminiscent of growing the potential for attackers and malware authors to efficiently set up rootkits, create persistent malware, bypass Transparency, Consent and Management (TCC), and broaden the assault floor for extra strategies and exploits,” Jonathan Bar Or of the Microsoft Menace Intelligence staff mentioned.
SIP, additionally known as rootless, is a safety framework that goals to forestall malicious software program put in on a Mac from tampering with the protected components of the working system, together with /System, /usr, /bin, /sbin, /var, and the apps that come pre-installed on the system.
It really works by imposing varied protections towards the foundation consumer account, permitting modification of those protected components solely by processes which can be signed by Apple and have particular entitlements to jot down to system information, reminiscent of Apple software program updates and Apple installers.
The 2 entitlements particular to SIP are beneath –
- com.apple.rootless.set up, which lifts SIP’s file system restrictions for a course of with this entitlement
- com.apple.rootless.set up.heritable, which lifts SIP’s file system restrictions for a course of and all its little one processes by inheriting the com.apple.rootless.set up entitlement
CVE-2024-44243, the newest SIP bypass found by Microsoft in macOS after CVE-2021-30892 (Shrootless) and CVE-2023-32369 (Migraine), exploits the Storage Equipment daemon’s (storagekitd) “com.apple.rootless.set up.heritable” entitlement to get round SIP protections.
Particularly, that is achieved by benefiting from “storagekitd’s capability to invoke arbitrary processes with out correct validation or dropping privileges” to ship a brand new file system bundle to /Library/Filesystems – a baby technique of storagekitd – and override the binaries related to the Disk Utility, which may then be triggered throughout sure operations reminiscent of disk restore.
“Since an attacker that may run as root can drop a brand new file system bundle to /Library/Filesystems, they’ll later set off storagekitd to spawn customized binaries, therefore bypassing SIP,” Bar Or mentioned. “Triggering the erase operation on the newly created file system can bypass SIP protections as nicely.”
The disclosure comes practically three months after Microsoft additionally detailed one other safety flaw in Apple’s Transparency, Consent, and Management (TCC) framework in macOS (CVE-2024-44133, CVSS rating: 5.5) – aka HM Surf – that could possibly be exploited to entry delicate information.
“Prohibiting third-party code to run within the kernel can improve macOS reliability, the tradeoff being that it reduces monitoring capabilities for safety options,” Bar Or mentioned.
“If SIP is bypassed, the whole working system can now not be thought of dependable, and with diminished monitoring visibility, risk actors can tamper with any safety options on the system to evade detection.”
