Microsoft has shed light on a now-patched security flaw in Apple’s macOS that, if successfully exploited, could allow an attacker running as root to bypass the operating system’s System Integrity Protection (SIP) and install malicious kernel drivers by loading third-party kernel extensions.
The vulnerability in question is CVE-2024-44243 (CVSS score: 5.5), a medium-severity bug that Apple fixed as part of macOS Sequoia 15.2, released last month. The iPhone maker described it as a “configuration issue” that could allow a malicious app to modify protected parts of the file system.
“Bypassing SIP can have serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits,” Jonathan Bar Or of the Microsoft Threat Intelligence team said.
SIP, also called rootless, is a security framework which aims to prevent malware installed on a Mac from interfering with protected parts of the operating system, including /System, /usr, /bin, /sbin, /var, and applications that come preinstalled on the device.
It works by applying a number of protections against the root user account, allowing only Apple-signed processes that hold special entitlements to write to system files, such as Apple software updates and Apple installers, to modify these protected parts.
Two entitlements specific to SIP are listed below:
- com.apple.rootless.install, which removes SIP file system restrictions for a process that holds this entitlement
- com.apple.rootless.install.heritable, which removes SIP file system restrictions for the process and all of its child processes, which inherit com.apple.rootless.install
CVE-2024-44243, the latest SIP bypass Microsoft has found in macOS after CVE-2021-30892 (Shrootless) and CVE-2023-32369 (Migraine), abuses the Storage Kit daemon’s (storagekitd) “com.apple.rootless.install.heritable” entitlement to bypass SIP protections.
Specifically, this is achieved by taking advantage of “StorageKitd’s ability to invoke arbitrary processes without proper validation or privilege stripping” to drop a new file system bundle into /Library/Filesystems – a child process of storagekitd – and override the binaries associated with Disk Utility, which can then be triggered during certain operations, such as disk repair.
“Because an attacker who can run as root can dump a new filesystem in /Library/Filesystems, he can later run storagekitd to create custom binaries, thus bypassing SIP,” Bar Or said. “Running an erase operation on a newly created file system can also bypass SIP protection.”
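A defender-side check for the drop location described above, added here as an example that is not part of the original article or of Microsoft’s research: it walks a /Library/Filesystems-style directory, reads each .fs bundle’s Info.plist and flags bundles whose CFBundleIdentifier is not Apple’s or whose signature fails `codesign --verify`. The audit function, the demo() helper and the constructed bundle identifiers are assumptions made for this example; the signature check only runs where codesign exists (macOS) and is reported as “unchecked” elsewhere.

```python
import os
import plistlib
import shutil
import subprocess
import tempfile

APPLE_PREFIX = "com.apple."

def _signature_status(bundle_path, check):
    # 'unchecked' when checking is disabled or codesign is absent (non-macOS host)
    if not check or shutil.which("codesign") is None:
        return "unchecked"
    res = subprocess.run(["codesign", "--verify", "--strict", bundle_path], capture_output=True)
    return "valid" if res.returncode == 0 else "invalid"

def audit_filesystem_bundles(root="/Library/Filesystems", check_signature=True):
    """Return (bundle, identifier, reason) for .fs bundles that are not Apple's or fail signing."""
    findings = []
    if not os.path.isdir(root):
        return findings
    for name in sorted(os.listdir(root)):
        if not name.endswith(".fs"):
            continue
        bundle = os.path.join(root, name)
        try:
            with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as fh:
                ident = plistlib.load(fh).get("CFBundleIdentifier", "")
        except (OSError, plistlib.InvalidFileException):
            findings.append((name, "", "missing or unreadable Info.plist"))
            continue
        sig = _signature_status(bundle, check_signature)
        if not ident.startswith(APPLE_PREFIX):
            findings.append((name, ident, "third-party identifier, signature " + sig))
        elif sig == "invalid":
            findings.append((name, ident, "Apple identifier but signature invalid"))
    return findings

def _write_bundle(root, name, ident):
    """Create a minimal constructed .fs bundle containing only an Info.plist."""
    contents = os.path.join(root, name, "Contents")
    os.makedirs(contents)
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": ident}, fh)

def demo():
    """Audit a constructed tree: one Apple-style bundle and one third-party bundle."""
    with tempfile.TemporaryDirectory() as root:
        _write_bundle(root, "apfs.fs", "com.apple.filesystems.apfs")  # constructed, Apple-style
        _write_bundle(root, "example.fs", "com.example.fakefs")  # constructed third-party bundle
        return audit_filesystem_bundles(root, check_signature=False)
```

On a real host, run audit_filesystem_bundles() with the defaults and review any finding against your software inventory; an Apple-prefixed identifier alone is not proof of legitimacy, which is why the signature result is carried along.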
The disclosure comes nearly three months after Microsoft also detailed another security flaw in Apple’s Transparency, Consent and Control (TCC) system in macOS (CVE-2024-44133, CVSS score: 5.5) – aka HM Surf – which can be used to access sensitive data.
“Prohibiting third-party code from running in the kernel can improve the reliability of macOS, but the trade-off is that it reduces the monitoring capabilities of security solutions,” Bar Or said.
“When SIP is bypassed, the entire operating system can no longer be considered trustworthy, and with reduced monitoring visibility, threat actors can tamper with any security solutions on the device to avoid detection.”