Tracked as CVE-2023-32369 (which oddly shows as reserved as of this writing). The flaw exists in macOS BigSur and is in libxpc. The official Apple explanation says that the flaw is “An app may be able to modify protected parts of the file system”. The patch for this, which was released on May 18th includes improved state management to counter a logic issue. The same process also has a listed bug which would allow an app to gain root privileges due to a logic flaw there as well (tracked as CVE-2023-32405). Theses and many others were rolled into the Big Sur 11.7.7, Monterey 12.6.6, and Ventura 13.4 updates that were pushed out by Apple on May 18th along with the fix for the SIP bypass.
The SIP bypass, from an attacker perspective allows for the creation of protected files that could remain persistent in the OS. Normal methods of removal would not be effective to get any malicious files out of SIP’s protection. Since the bypass allows for not only writing new files, but manipulation of existing files the threat goes even further. Exploitation of this flaw involves the migration assistant which has some interesting permissions. One of these is the permission to grant rootless install permissions (com.apple.rootless.install.heritable) to child objects of the systemmigrationd deamon. All of this is just bad, but there is a bit of good news. Execution of this pivot requires the attacker to use elevated permissions (run the initial script as root). While it is not out of the realm of possibility for an attacker to gain that level (by abusing other flaws like CVE2023-32405) at least it is something.
As Apple devices come into greater focus for threat actors, we expect to see even more of these flaws identified. SIP is a great idea and concept, but flaws that allow an attacker to create protected malware or other persistent tool sets that exist on the device which can potentially run in Kernel Mode is just a bad thing. Apple should be looking to work with security researchers to identify a pattern in how SIP works as part of an effort to fix fundamental flaws in the framework before too many systems are impacted. Even though there is a patch out there, many companies delay deployment due to potential conflicts with existing software and security tools. That means that these unpatched devices may be vulnerable for much longer than needed.