Microsoft Talks about Now-Patched SIP bypass Bug in macOS

Apple’s System Integrity Protection (SIP) has been something of a mixed bag when it comes to security. It is a great feature from a basic security standpoint, but since its launch the same feature has also created challenges for installing third-party anti-malware and other security tools. All that aside, Microsoft, of all companies, has shared details of a vulnerability that an attacker can use to completely bypass the protections SIP is supposed to provide.

The flaw is tracked as CVE-2023-32369 (which, oddly, still shows as reserved in the CVE database as of this writing), affects macOS Big Sur, Monterey and Ventura, and is listed by Apple under the libxpc component. Apple’s official description is brief: “An app may be able to modify protected parts of the file system”. The patch, released on May 18th, addresses a logic issue with improved state management. The same component has a second listed bug, tracked as CVE-2023-32405, in which another logic flaw would allow an app to gain root privileges. These and many other fixes were rolled into the Big Sur 11.7.7, Monterey 12.6.6, and Ventura 13.4 updates that Apple pushed out on May 18th alongside the fix for the SIP bypass.

From an attacker’s perspective, the SIP bypass allows the creation of protected files that can remain persistent on the system, since normal removal methods are not effective against files that sit under SIP’s protection. Because the bypass allows not only writing new files but also modifying existing protected ones, the threat goes further still. Exploitation involves Migration Assistant, whose systemmigrationd daemon holds some interesting permissions. One of them is the com.apple.rootless.install.heritable entitlement, which grants rootless-install (SIP write) rights and, as the name says, is inherited by the daemon’s child processes, so anything the daemon spawns can write to SIP-protected locations. All of this is bad, but there is a bit of good news: executing this pivot requires the attacker to already hold elevated permissions (the initial script must run as root). While it is not out of the realm of possibility for an attacker to reach that level, for example by abusing other flaws like CVE-2023-32405, at least it raises the bar.

As Apple devices come into greater focus for threat actors, we expect to see even more flaws like this identified. SIP is a great idea and concept, but flaws that let an attacker create protected malware or other persistent tool sets on the device, potentially including code that runs in kernel mode, are simply a bad thing. Apple should be working with security researchers to identify the pattern behind these SIP bypasses as part of an effort to fix fundamental weaknesses in the framework before too many systems are impacted. Even though a patch is available, many companies delay deployment due to potential conflicts with existing software and security tools, which means these unpatched devices may stay vulnerable for much longer than necessary.
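As an added example (not code from the article, Microsoft or Apple), the following Python script shows two checks a defender might run in light of the above: whether a given macOS product version already carries Apple’s fix, using the fixed versions listed in this post, and a simple hunt over a `ps` process listing for shell or script interpreters running as children of systemmigrationd, since any such child inherits the heritable entitlement. The interpreter list, the sample process listing and the function names are constructed here for illustration; only `sw_vers` and `ps` are real macOS commands.

```python
"""Two quick checks related to the systemmigrationd SIP bypass (CVE-2023-32369).

Added example, not code from the article or from Microsoft/Apple. It assumes
only that `sw_vers -productVersion` and `ps -axo pid,ppid,comm` exist on macOS;
the fixed-version table comes from the post, and the interpreter list and the
sample process listing are constructed for illustration.
"""
import re
import subprocess

# First macOS versions that shipped the fix (Apple's 18 May 2023 updates).
FIXED_VERSIONS = {11: (11, 7, 7), 12: (12, 6, 6), 13: (13, 4, 0)}

# Interpreters that should rarely run as children of a migration daemon.
# Assumed heuristic list, not an exhaustive or official indicator.
SUSPICIOUS_CHILDREN = {"bash", "sh", "zsh", "perl", "python3", "osascript"}


def parse_version(text):
    """Turn '12.6.5' into (12, 6, 5); missing components become 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(version_text):
    """True if this macOS version carries Apple's fix for CVE-2023-32369.

    Returns None for a major release not covered by the advisory (e.g. 10.x),
    so the caller does not mistake 'unknown' for 'safe'.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version >= fixed


def parse_ps(listing):
    """Parse `ps -axo pid,ppid,comm` output into (pid, ppid, basename) tuples."""
    procs = []
    for line in listing.strip().splitlines()[1:]:  # skip the header row
        pid, ppid, comm = line.split(None, 2)
        procs.append((int(pid), int(ppid), comm.rsplit("/", 1)[-1]))
    return procs


def suspicious_children(procs, parent_name="systemmigrationd"):
    """Return (pid, comm) of shells/interpreters whose parent is the daemon.

    Every child of systemmigrationd inherits com.apple.rootless.install.heritable,
    so a shell or script interpreter under it deserves a closer look.
    """
    parent_pids = {pid for pid, _, comm in procs if comm == parent_name}
    return [(pid, comm) for pid, ppid, comm in procs
            if ppid in parent_pids and comm in SUSPICIOUS_CHILDREN]


# Constructed sample listing: an ordinary system plus one shell under the daemon.
SAMPLE_PS = """  PID  PPID COMM
    1     0 /sbin/launchd
  412     1 systemmigrationd
  413   412 /bin/bash
  414     1 ssh-agent
  415   414 bash
"""


def run_live_checks():
    """Run both checks against the current machine (macOS only)."""
    ver = subprocess.run(["sw_vers", "-productVersion"],
                         capture_output=True, text=True, check=True).stdout
    ps = subprocess.run(["ps", "-axo", "pid,ppid,comm"],
                        capture_output=True, text=True, check=True).stdout
    return is_patched(ver), suspicious_children(parse_ps(ps))


if __name__ == "__main__":
    print("13.3.1 patched?", is_patched("13.3.1"))
    print("flagged in sample:", suspicious_children(parse_ps(SAMPLE_PS)))
```

A flagged process is a starting point for investigation, not proof of exploitation: Migration Assistant legitimately runs helpers during a migration, so check what the child is doing and whether a migration is actually in progress. `run_live_checks()` runs both checks on the current Mac; the sample listing lets the logic be exercised anywhere.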
