Researchers discovered an Apple vulnerability that threat actors can use to deploy undeletable malware. To exploit CVE-2023-32369, an attacker must first have gained root privileges on the device.
The Apple bug lets them bypass System Integrity Protection (SIP) and access the victim's private data by evading Transparency, Consent, and Control (TCC) security checks.
The vulnerability was disclosed by Microsoft security researchers, who dubbed it "Migraine" because it is related to macOS migration.
On May 18th, Apple released a patch for the vulnerability in security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7.
How Does CVE-2023-32369 Evade System Integrity Protection (SIP)?
System Integrity Protection (SIP), also known as "rootless", is a macOS security mechanism that blocks potentially malicious software from modifying certain protected folders and files. It enforces restrictions on the root user account and limits what root can do within protected areas of the OS.
It works on the principle that only processes signed by Apple, or those holding special entitlements such as Apple software updates and installers, are authorized to alter macOS-protected components. SIP cannot be disabled without rebooting the system into macOS Recovery, which means an attacker would normally need physical access to an already compromised machine.
According to Microsoft's researchers, threat actors who have obtained root permissions can bypass SIP enforcement by abusing Migration Assistant, a built-in macOS utility. As the researchers demonstrated, the migration process can be automated with AppleScript to launch a malicious payload that the attacker had previously added to SIP's exclusions list, all without restarting the system or booting from macOS Recovery.
"By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks."
What Are the Risks?
Arbitrary SIP bypasses are dangerous tools in the hands of threat actors. One consequence is SIP-protected malware that security teams cannot remove using the usual deletion methods.
A SIP bypass also widens the attack surface and can lead to arbitrary kernel code execution. Installing rootkits to conceal malicious processes and files becomes possible as well.
Bypassing SIP further enables a complete bypass of Transparency, Consent, and Control (TCC) policies: threat actors can replace the TCC databases and grant themselves unrestricted access to the victim's private data.
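As an added example (not code from the article, Microsoft or Apple), the following Python script checks a Mac's reported product version against the fixed releases cited above (13.4, 12.6.6, 11.7.7) and confirms that SIP is reported as enabled, which is the check a patch-management or fleet-audit job would run after this advisory. The `FIXED_VERSIONS` table and the function names are this example's own, and the `csrutil status` text it parses in the test is a constructed sample; on a real Mac the script shells out to `sw_vers` and `csrutil` itself.

```python
"""Defender-side posture check for CVE-2023-32369 ("Migraine").

Added example; the fixed versions come from the advisory text of the article,
everything else (names, return shape) is this example's own design.
"""
import platform
import re
import subprocess
from typing import Optional

# First fixed release per macOS train, as reported in the article.
# Trains not listed here (e.g. 10.15 or anything newer than 13) are reported
# as "unknown" rather than silently treated as safe.
FIXED_VERSIONS = {
    13: (13, 4),      # Ventura
    12: (12, 6, 6),   # Monterey
    11: (11, 7, 7),   # Big Sur
}


def parse_version(text: str) -> tuple:
    """Turn '12.6.6' (or '13.4') into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a macOS version string: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: tuple, n: int) -> tuple:
    """Right-pad with zeros so '13.4' and '13.4.1' compare component-wise."""
    return v + (0,) * (n - len(v))


def is_patched(product_version: str) -> Optional[bool]:
    """True if at/after the fix for its train, False if before, None if the
    train is not covered by the cited advisory (caller must treat as unknown)."""
    v = parse_version(product_version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    n = max(len(v), len(fixed))
    return _pad(v, n) >= _pad(fixed, n)


def sip_enabled(csrutil_output: str) -> Optional[bool]:
    """Parse `csrutil status` text. 'unknown (Custom Configuration)' and any
    unrecognised output yield None so a partially disabled SIP is not
    mistaken for an enabled one."""
    m = re.search(r"System Integrity Protection status:\s*(enabled|disabled)",
                  csrutil_output, re.IGNORECASE)
    if not m:
        return None
    return m.group(1).lower() == "enabled"


def assess(product_version: str, csrutil_output: str) -> dict:
    """Combine both checks into one finding. 'exposed' is only True when the
    build is known to predate the fix; unknown trains stay unknown."""
    patched = is_patched(product_version)
    sip = sip_enabled(csrutil_output)
    return {
        "version": product_version,
        "patched": patched,
        "sip_enabled": sip,
        "exposed": patched is False,
        "sip_needs_review": sip is not True,
    }


def main() -> None:
    """Run the live check on a Mac; elsewhere explain why it cannot run."""
    if platform.system() != "Darwin":
        print("not macOS; run this on the Mac you want to audit")
        return
    version = subprocess.run(["sw_vers", "-productVersion"],
                             capture_output=True, text=True, check=True).stdout
    status = subprocess.run(["csrutil", "status"],
                            capture_output=True, text=True).stdout
    for key, value in assess(version, status).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

A version that is merely newer than the ones in the advisory is reported as unknown on purpose: the script only asserts what the cited fix list supports, and an inventory tool should decide separately how to treat trains the advisory does not mention.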
More on macOS Vulnerabilities
Researchers have reported other macOS vulnerabilities in recent years. You can keep your devices safe from known flaws with Mac patch management solutions.
In 2021, Microsoft disclosed the Shrootless SIP bypass, which allowed attackers to execute arbitrary operations on compromised devices, escalate privileges to root, and install rootkits on vulnerable machines.
Another recently discovered flaw, Achilles, let threat actors install malware through untrusted apps that bypassed Gatekeeper's execution restrictions.
Powerdir is another macOS vulnerability that attackers could use to bypass Transparency, Consent, and Control (TCC) technology and ultimately compromise users' data.