Microsoft recently discovered a critical security vulnerability in macOS, which as per Microsoft 365 Defender Research team’s researcher Jonathan Bar-Or, could have been used to install a rootkit on targeted Macbooks.
The vulnerability was identified in System Integrity Protection (SIP) within the macOS ecosystem. Research suggests it could allow attackers to install a hardware interface to overwrite system files or install undetectable, persistent malware.
“While assessing macOS processes entitled to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether,” Bar-Or explained in a blog post.
The vulnerability also affected the packages signing mechanism and installation method of post-install scripts. As per Bar-Or, a threat actor can create a “specially crafted file” to hijack the installation process.
How Attackers Can Bypass SIP
SIP is also called rootless. It locks down the system from the root, using Apple’s sandbox to protect macOS, and contains many memory-based variables. These variables ideally shouldn’t be modified in non-recovery mode.
However, it is possible to turn off SIP after booting it in recovery mode, allowing a threat actor to bypass SIP security protections. Bar-Or noted that Apple had improved restrictions considerably to harden SIP against such attacks over the years, the most notable one being the filesystem restriction.
The vulnerability was linked to system updates, and these require unrestricted access to SIP-protected directories. Apple has introduced a specific set of entitlements to bypass SIP checks by design. Microsoft researcher believes the issue was serious and dubbed it Shrootless.
Apple was notified about the flaw, and it was immediately patched. The vulnerability is another one of the ever-increasing attack vectors to be exploited by threat actors. The vulnerability is tracked as CVE-2021-30892 and was discovered in macOS Monterey 12.0.1 and Big Sur and Catalina updates.