
New bug lets attackers bypass macOS system integrity protection


A new medium-severity vulnerability was discovered that could let attackers bypass Apple’s highly regarded system integrity protection (SIP) in macOS by loading third-party kernel extensions.

Bypassing SIP could lead to serious consequences, said Microsoft Threat Intelligence in a Jan. 13 blog post, such as making it easier for attackers to install rootkits, create persistent malware, bypass Apple’s transparency, consent and control (TCC), and expand the attack surface for additional exploits.

A fix for the vulnerability, CVE-2024-44243, was included in the security updates Apple released on Dec. 11, after Microsoft shared its findings with the Cupertino, California-based company.

Jaron Bradley, director of threat labs at Jamf, explained that many of Apple's security measures operate under the assumption that attackers cannot bypass SIP, making any successful exploit of SIP highly significant.

“While finding an exploit for SIP is challenging, it remains a coveted target for bug researchers and attackers,” said Bradley. “Typically, attackers rely on social-engineering techniques to trick users into interacting with some of the operating system's prompts. However, an exploit of SIP could let an attacker bypass these prompts, hide malicious files in protected areas of the system, and potentially gain deeper access.”

Mayuresh Dani, manager of security research at the Qualys Threat Research Unit, said bypassing SIP could let threat actors install rootkits and similar functionality, allowing persistent backdoors to the vulnerable system.

Dani said security teams should proactively monitor processes with special entitlements since attackers can exploit them to bypass SIP. Teams should also maintain the behavior of these processes, said Dani, who added that security pros should limit applications that use third-party kernel extensions.

“These should be enabled only when absolutely necessary and have strict monitoring guidelines,” said Dani.
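An added audit script, not from the article or from any of the vendors quoted in it, in the spirit of Dani's advice: it parses classic `kextstat` output to flag loaded kernel extensions outside the com.apple. namespace and reads `csrutil status` to confirm SIP is still enabled. The sample output embedded below is constructed, and the live path assumes the classic `kextstat` column layout, which newer macOS releases replace with `kmutil showloaded`.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of classic `kextstat` output (not captured from a real host).
SAMPLE_KEXTSTAT = """\
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  150 0                  0          0          com.apple.kpi.bsd (21.6.0) 5A0F-UUID
   42    0 0xffffff7f9a2b0000 0x6000     0x6000     com.apple.driver.AppleHPET (1.8) 1B2C-UUID
  175    0 0xffffff7f9c510000 0x2a000    0x2a000    com.example.driver.VendorTool (3.1.4) 9D8E-UUID <15 7 5 4 3 1>
  176    0 0xffffff7f9c540000 0x9000     0x9000     org.example.kext.LegacyNetFilter (0.9) 7C6B-UUID <175 7 5 1>
"""

# Index, Refs, Address, Size, Wired, then the bundle id and its (Version).
KEXT_LINE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<name>[\w.\-]+)\s+\((?P<version>[^)]*)\)"
)


@dataclass(frozen=True)
class Kext:
    index: int
    name: str
    version: str


def parse_kextstat(text):
    """Return one Kext per data row; the header and unrecognised lines are skipped."""
    return [Kext(int(m["index"]), m["name"], m["version"])
            for m in map(KEXT_LINE.match, text.splitlines()) if m]


def third_party_kexts(kexts):
    """Anything whose bundle id is not under com.apple. is treated as third-party."""
    return [k for k in kexts if not k.name.startswith("com.apple.")]


def sip_enabled(csrutil_output):
    """Parse `csrutil status`; returns True/False, or None if the text is unrecognised."""
    m = re.search(r"System Integrity Protection status:\s*(enabled|disabled)",
                  csrutil_output, re.IGNORECASE)
    return None if m is None else m.group(1).lower() == "enabled"


if __name__ == "__main__":
    # On a Mac this reads the live host; elsewhere it falls back to the constructed sample.
    try:
        kext_text = subprocess.run(["kextstat"], capture_output=True, text=True, check=True).stdout
        sip_text = subprocess.run(["csrutil", "status"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        kext_text, sip_text = SAMPLE_KEXTSTAT, "System Integrity Protection status: enabled."
    print("SIP enabled:", sip_enabled(sip_text))
    for k in third_party_kexts(parse_kextstat(kext_text)):
        print(f"third-party kext loaded: {k.name} ({k.version}) index={k.index}")
```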

Lawrence Pingree, vice president at Dispersive, added that this is another reminder that all operating systems have vulnerabilities.

Although Apple has done a great job at maintaining security over time, including the design of its internal authorization and isolation permissions system, Pingree said that researchers can find a new vulnerability at any time.

“Patching as quickly as possible is the best answer and relying on a solid disaster recovery plan is critical to today's operations,” said Pingree. “We need to get better at rolling patches and being more reliant on rapid recovery in the event of a bad patch, like in the CrowdStrike outage. We need to focus on rapid recovery to usher in real-time patching and live-patching technologies alongside zero-trust isolation, enclaves and micro-segmentation strategies.” 
