Apple Patched System Integrity Protection Bypass FlawMicrosoft Researchers Say Flaw Allowed Hackers to Load Undetectable Malware
A now-patched macOS vulnerability allowed attackers with root access to bypass a kernel-level security feature that prevents malicious software from modifying protected files and folders on a Mac.
Microsoft dubbed the vulnerability Migraine since it involves the macOS data transfer feature Migration Assistant. For the past decade, Apple desktop computers have limited malware damage by restricting root access to the filesystem in a mechanism called System Integrity Protection.
Apple patched the vulnerability, tracked as CVE-2023-32369, in mid-May security updates that also addressed actively exploited zero-day flaws in its browser rendering engine for mobile devices (see: Apple Fixes 3 Zero-Days Exploited in the Wild).
System Integrity Protection limits root access to sensitive parts of the operating system such as the
/bin directory of executable commands and the
/system folder. It must grant some exceptions such as for operating system updates, and that creates opportunities for hackers to circumvent the protection.
"Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, and expand the attack surface for additional techniques and exploits," Microsoft wrote. An attacker could use the exploit to load malware that was shielded by SIP from detection by antivirus. Hackers could also execute arbitrary code that would go undetected by Apple's Endpoint Security kernel monitoring system.
The method Microsoft researchers discovered builds on a property of SIP exceptions - known as entitlements - that Apple builds into the operating system that Redmond disclosed in 2021. Namely, some entitlements allow child processes to inherit a SIP bypass entitlement.
In this case, a daemon assigned to handle data migration from one computer to another, dubbed
systemmigrationd, is able to pass onto child processes a bypass entitlement.
systemmigrationd typically requires using the Migration Assistant utility, researchers wrote, and that entails signing out of the system. To automate the attack, researchers discovered they could trigger migration without signing out through the Setup Assistant program that automatically appears after a new installation of macOS.
In addition to loading undetectable malware, attackers could use the vulnerability to replace the Transparency, Consent, and Control database controlling app permissions, giving them access to private data and peripherals.