Microsoft Threat Intelligence has identified a significant vulnerability in macOS that could allow attackers to bypass Apple’s System Integrity Protection (SIP), a critical security mechanism designed to safeguard the operating system from malicious interference.
This flaw, tracked as CVE-2024-44243, lets an attacker who already has root privileges bypass SIP and load third-party kernel extensions, which in turn opens the door to rootkits, persistent malware, and tampering with security software.
The vulnerability was independently discovered by Microsoft researchers and security expert Mickey Jin, both of whom responsibly reported it to Apple through Coordinated Vulnerability Disclosure (CVD).
Apple addressed the issue in the security updates released on December 11, 2024. Microsoft has urged all macOS users to ensure their systems are updated to the latest software to protect against potential exploitation.
System Integrity Protection, also known as “rootless”, restricts system-level operations even for root users, ensuring that key system files, kernel extensions, and settings remain protected. A successful bypass of SIP, however, undermines these protections, allowing attackers to:
“Bypassing SIP impacts the reliability of the entire macOS operating system,” Microsoft researchers explained. “Once SIP restrictions are bypassed, attackers can tamper with security solutions on the device and expand their foothold for further exploitation.”
The vulnerability revolves around specially entitled macOS processes. Entitlements are permissions granted to specific system processes, enabling them to perform restricted operations. Certain entitlements, such as com.apple.rootless.install.heritable, let a process carry out SIP-protected operations and hand that ability down to the processes it spawns, so an attacker who can control what such a process launches inherits the bypass.
For example, storagekitd, the macOS daemon responsible for disk management operations, holds this kind of entitlement. By installing a custom filesystem bundle and getting storagekitd to act on it, an attacker could have it spawn arbitrary binaries without proper validation.
This discovery echoes earlier SIP bypasses, dubbed “Shrootless” and “Migraine,” that were reported by Microsoft's Defender research team.
On macOS, filesystems are managed by the Disk Arbitration daemon (diskarbitrationd), which supports both kernel-based filesystems (e.g., APFS, HFS+) and userspace filesystems (UserFS). They are implemented as filesystem bundles (*.fs) located in /System/Library/Filesystems or /Library/Filesystems.
Each bundle carries a dictionary of FSMediaTypes used as content hints, and names the binaries and arguments to run for operations such as probing, mounting, and repairing. storagekitd, which works alongside diskarbitrationd, launches those bundle binaries via posix_spawn and directly invokes certain operations such as disk repair.
An attacker who already has root can therefore drop a malicious filesystem bundle into /Library/Filesystems (which, unlike /System/Library/Filesystems, is not SIP-protected) and have storagekitd execute the bundle's binaries, which inherit the daemon's SIP-bypassing entitlement. Other bundle operations, such as erasing the custom filesystem, reach the same code path and likewise trigger the attacker's binary.
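The attack surface described above is whatever a bundle's Info.plist tells the system to run. The following script, an added example for this article and not Microsoft's or Apple's code, reviews a bundle by the executables it declares, flags bundles living in the root-writable /Library/Filesystems, and reports entries that resolve outside the bundle. The FSMediaTypes / FSPersonalities sections and the *Executable keys follow Apple's filesystem bundle format as understood from Apple's own hfs.fs bundle; both sample plists are constructed and the payload path is hypothetical.

```python
"""Review a macOS filesystem bundle (*.fs) by the binaries it asks the system
to run on its behalf.

Added example, not Microsoft's or Apple's code. It reads a bundle's Info.plist;
the FSMediaTypes / FSPersonalities sections and the *Executable keys follow
Apple's filesystem bundle format as the author understands it from hfs.fs.
Both sample plists below are constructed and the payload path is hypothetical.
"""
import plistlib
import posixpath

SYSTEM_FS = "/System/Library/Filesystems/"   # SIP-protected, Apple-shipped bundles
THIRD_PARTY_FS = "/Library/Filesystems/"     # writable by root, not SIP-protected
EXEC_SUFFIX = "Executable"                   # FSProbeExecutable, FSMountExecutable, FSRepairExecutable, ...


def resolve(bundle_path, value):
    """Bundle executables are named relative to <bundle>/Contents/Resources
    unless the entry is an absolute path."""
    if posixpath.isabs(value):
        return posixpath.normpath(value)
    return posixpath.normpath(posixpath.join(bundle_path, "Contents", "Resources", value))


def review_bundle(bundle_path, info_plist):
    """Return a summary dict:
       third_party - bundle lives under /Library/Filesystems rather than the sealed system volume
       executables - every binary an entitled daemon would spawn for this bundle, as (section, entry, key, path)
       escapes     - those executables that resolve outside the bundle directory"""
    bundle_path = posixpath.normpath(bundle_path)
    info = plistlib.loads(info_plist)
    execs, escapes = [], []
    for section in ("FSMediaTypes", "FSPersonalities"):
        for entry, props in info.get(section, {}).items():
            for key, value in props.items():
                if key.endswith(EXEC_SUFFIX) and isinstance(value, str):
                    path = resolve(bundle_path, value)
                    execs.append((section, entry, key, path))
                    if not path.startswith(bundle_path + "/"):
                        escapes.append(path)
    return {
        "third_party": bundle_path.startswith(THIRD_PARTY_FS),
        "executables": execs,
        "escapes": escapes,
    }


# Constructed sample modelled on Apple's HFS+ bundle: all tools live inside the bundle.
BENIGN_PLIST = plistlib.dumps({
    "FSMediaTypes": {
        "48465300-0000-11AA-AA11-00306543ECAC": {  # HFS+ content hint UUID
            "FSProbeExecutable": "hfs.util", "FSProbeArguments": "-p"}},
    "FSPersonalities": {
        "HFS+": {"FSRepairExecutable": "fsck_hfs", "FSRepairArguments": "-y",
                 "FSVerificationExecutable": "fsck_hfs"}},
})

# Constructed sample of the attack shape: a root-dropped bundle in /Library/Filesystems
# whose mount and repair steps point at an attacker binary (hypothetical path).
MALICIOUS_PLIST = plistlib.dumps({
    "FSMediaTypes": {
        "11111111-2222-3333-4444-555555555555": {"FSProbeExecutable": "probe"}},
    "FSPersonalities": {
        "evil": {"FSMountExecutable": "../../../../private/tmp/payload",
                 "FSRepairExecutable": "/private/tmp/payload"}},
})

if __name__ == "__main__":
    for bundle, blob in ((SYSTEM_FS + "hfs.fs", BENIGN_PLIST),
                         (THIRD_PARTY_FS + "evil.fs", MALICIOUS_PLIST)):
        r = review_bundle(bundle, blob)
        print(bundle, "third-party" if r["third_party"] else "system")
        for section, entry, key, path in r["executables"]:
            mark = "!!" if path in r["escapes"] else "ok"
            print(f"  {mark} {section}/{entry}/{key} -> {path}")
```

A bundle whose binaries all sit inside it is not thereby safe; the attack in the article drops a whole bundle, payload included. The useful output is the executable list itself: every path it contains under /Library/Filesystems is a binary that will run with storagekitd's inherited entitlement and deserves a signature check.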
These incidents highlight the critical need to monitor processes with special entitlements for suspicious or anomalous behavior.
Using advanced monitoring tools like Microsoft Defender for Endpoint, researchers identified unusual child processes spawned by storagekitd.
This led to the discovery of third-party file systems invoking binaries capable of bypassing SIP restrictions.
Among the culprits were tools from vendors like Paragon, Tuxera, and EaseUS, which, although not themselves malicious, could be exploited by attackers to execute unauthorized operations under the guise of legitimate processes.
Microsoft researchers emphasized that the issue stemmed from a macOS vulnerability in how storagekitd invoked bundle processes, rather than from flaws in the third-party tools themselves.
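The detection described in the preceding paragraphs is a parent/child check with one caveat: legitimate third-party bundles will also appear as children of storagekitd. The script below, an added example and not Microsoft Defender's detection logic, triages constructed process-creation records by where the child image lives. Field names (parent_name, image_path, args) are the author's; real telemetry would come from an EDR or the Endpoint Security framework. Bundle and payload names in the sample are hypothetical.

```python
"""Triage process-creation events for children of storagekitd by where the
child image lives.

Added example, not Microsoft Defender's detection logic. The events below are
constructed records with the author's own field names; the two bundle roots
are those named in the article.
"""
import posixpath

SYSTEM_FS = "/System/Library/Filesystems/"   # Apple bundles on the sealed system volume
THIRD_PARTY_FS = "/Library/Filesystems/"     # root-writable; legitimate vendors and attackers alike
WATCHED_PARENTS = {"storagekitd"}            # SIP-entitled daemon whose children inherit the bypass


def classify(event):
    """None for expected activity; otherwise (severity, reason)."""
    if event["parent_name"] not in WATCHED_PARENTS:
        return None
    image = posixpath.normpath(event["image_path"])  # defeat '..' tricks before prefix tests
    if image.startswith(SYSTEM_FS):
        return None
    if image.startswith(THIRD_PARTY_FS):
        return ("medium", "third-party filesystem bundle binary spawned by storagekitd; verify the bundle's signer and installer")
    return ("high", "storagekitd spawned a binary outside any filesystem bundle")


def triage(events):
    """Return [(pid, normalized_image, severity, reason)] for every flagged event."""
    flagged = []
    for e in events:
        verdict = classify(e)
        if verdict:
            flagged.append((e["pid"], posixpath.normpath(e["image_path"])) + verdict)
    return flagged


# Constructed sample telemetry; bundle and payload names are hypothetical.
EVENTS = [
    {"pid": 501, "parent_name": "storagekitd",
     "image_path": "/System/Library/Filesystems/apfs.fs/Contents/Resources/fsck_apfs", "args": "-y"},
    {"pid": 502, "parent_name": "storagekitd",
     "image_path": "/Library/Filesystems/vendor_ntfs.fs/Contents/Resources/fsck_vendor", "args": "-y"},
    {"pid": 503, "parent_name": "storagekitd",
     "image_path": "/Library/Filesystems/evil.fs/Contents/Resources/../../../../../private/tmp/payload", "args": ""},
    {"pid": 504, "parent_name": "launchd", "image_path": "/private/tmp/payload", "args": ""},
]

if __name__ == "__main__":
    for pid, image, severity, reason in triage(EVENTS):
        print(f"[{severity}] pid {pid} {image}: {reason}")
```

The medium tier exists because, as the article notes, vendor bundles such as those from Paragon, Tuxera, and EaseUS are legitimate children of storagekitd; a rule that alerted on every non-Apple child would drown in them, while one that whitelisted /Library/Filesystems would miss a root-dropped bundle. Normalizing the path first matters because the third event would otherwise pass the prefix test.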
Microsoft’s findings underline the importance of robust monitoring to detect and thwart attempts to bypass SIP and other critical security mechanisms.
“Comprehensive monitoring of SIP-related entitlements is crucial,” Microsoft stated in its report. “Proactive detection mechanisms allow defenders to stay one step ahead of emerging threats.”
Microsoft praised Apple for promptly addressing the vulnerability and recognized security researcher Mickey Jin for responsibly disclosing the issue.
By sharing the research with the broader security community, Microsoft aims to foster collaboration and encourage proactive defenses against sophisticated threats.
The discovery of CVE-2024-44243 underscores the critical need for vigilance in today’s cybersecurity landscape, where collaboration across platforms and organizations plays a vital role in protecting users.
For further insights into this vulnerability, Microsoft has shared detailed technical findings with the security community, continuing its commitment to transparent and responsible disclosure practices.