Microsoft has disclosed a recently patched security vulnerability in Apple’s macOS, identified as CVE-2024-44243, which could allow an attacker operating with root privileges to bypass the System Integrity Protection (SIP) of the operating system and install malicious kernel drivers through third-party kernel extensions.
Microsoft reveals macOS vulnerability allowing SIP bypass
This vulnerability, rated with a CVSS score of 5.5 and classified as medium severity, was addressed by Apple in macOS Sequoia 15.2, released last month. Apple categorized the issue as a “configuration issue” that could enable a malicious app to alter protected areas of the file system.
According to Jonathan Bar Or of the Microsoft Threat Intelligence team, “Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits.”
SIP, also referred to as rootless, serves as a security framework to prevent malicious software from tampering with essential components of macOS, including directories like /System, /usr, /bin, /sbin, /var, and pre-installed applications. SIP enforces strict permissions on the root account, allowing modifications to these areas only by processes signed by Apple, including Apple software updates.
Two key entitlements associated with SIP are: com.apple.rootless.install, which allows a process to bypass SIP’s file system restrictions, and com.apple.rootless.install.heritable, which extends the same ability to all child processes of the initial process.
The exploitation of CVE-2024-44243 abuses the “com.apple.rootless.install.heritable” entitlement held by the Storage Kit daemon (storagekitd) to circumvent SIP. Because storagekitd can spawn arbitrary processes without adequate checks, an attacker can drop a new file system bundle into /Library/Filesystems and thereby alter the binaries that Disk Utility relies on. The malicious code is then executed when an operation such as a disk repair is performed.
Bar Or elaborated, stating, “Since an attacker that can run as root can drop a new file system bundle to /Library/Filesystems, they can later trigger storagekitd to spawn custom binaries, hence bypassing SIP. Triggering the erase operation on the newly created file system can bypass SIP protections as well.”
This revelation follows a previous Microsoft report detailing another vulnerability in macOS’s TCC framework, tracked as CVE-2024-44133, which also risks user data security. Bar Or noted that while SIP enhances macOS reliability, it simultaneously limits the oversight capabilities of security solutions.
Jaron Bradley, director of Threat Labs at Jamf, emphasized SIP’s significance, stating it is a prime target for both researchers and attackers, with many of Apple’s security protocols predicated on SIP being invulnerable. “An exploit of SIP could allow an attacker to bypass these prompts, hide malicious files in protected areas of the system, and potentially gain deeper access,” he added.
Cybersecurity professionals are urged to keep macOS systems up to date, as the vulnerability was resolved in the December 11 Apple security update. Without SIP, attackers could deploy rootkits or persistent malware undetected, even without physical access to the machines.
Experts also recommend that security teams watch for processes holding such entitlements. Mayuresh Dani, manager of security research at Qualys, suggested that “teams should proactively monitor processes with special entitlements, as these can be exploited to bypass SIP.”
Additionally, unusual disk management activities and atypical privileged user behaviors should be monitored to bolster security against these types of attacks. As vulnerabilities like CVE-2024-44243 illustrate, organizations should cautiously manage third-party kernel extensions and only enable them when absolutely necessary, coupled with stringent monitoring protocols.
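One way to act on the entitlement-monitoring advice above is to inspect the entitlements of the binaries shipped in third-party file system bundles and flag the two SIP-related entitlements named in this article. The script below is an added example, not Microsoft's or Apple's code; it parses the XML entitlements plist that `codesign -d --entitlements :- <binary>` prints on macOS, and the two sample plists are constructed for the example.

```python
"""Flag entitlements that let a process write to SIP-protected paths (added example)."""
import plistlib
import subprocess

# The two SIP entitlements named in the article. The heritable variant also
# passes the SIP bypass on to every child process, which is what storagekitd holds.
SIP_BYPASS_ENTITLEMENTS = {
    "com.apple.rootless.install",
    "com.apple.rootless.install.heritable",
}


def sip_entitlements(plist_bytes: bytes) -> list[str]:
    """Return the SIP-bypass entitlements set to true in an entitlements plist."""
    if not plist_bytes.strip():
        return []  # unsigned binary or no entitlements: nothing to report
    ents = plistlib.loads(plist_bytes)
    return sorted(k for k, v in ents.items()
                  if k in SIP_BYPASS_ENTITLEMENTS and v is True)


def audit_binary(path: str) -> list[str]:
    """Dump a real binary's entitlements with codesign (macOS only) and check them.

    Assumes the classic ':-' output form, which prints the XML plist with the
    blob header stripped so plistlib can parse it directly."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", path],
        capture_output=True, check=True,
    ).stdout
    return sip_entitlements(out)


# Constructed sample: an entitlements dump for a daemon with the heritable
# entitlement, next to an ordinary sandboxed app that has nothing SIP-related.
SAMPLE_DAEMON_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.rootless.install.heritable</key><true/>
  <key>com.apple.security.get-task-allow</key><false/>
</dict></plist>"""
SAMPLE_APP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(sip_entitlements(SAMPLE_DAEMON_PLIST))  # ['com.apple.rootless.install.heritable']
    print(sip_entitlements(SAMPLE_APP_PLIST))     # []
```

On a real system, point `audit_binary` at each executable under the `.fs` bundles in /Library/Filesystems; any non-Apple binary that reports a result deserves a closer look.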
The flaw discovered by Microsoft is part of a continuing run of macOS security issues, alongside the recent detection of the “Banshee” infostealer malware, which reportedly evaded Apple’s antivirus measures by using a stolen encryption algorithm.
Microsoft’s analysis indicates that this specific flaw arises from the Storage Kit daemon’s role in overseeing disk operations, allowing possible exploitation by embedding custom code in third-party file systems, including Tuxera, Paragon, EaseUS, and iBoysoft.