CVE-2024-44243 macOS Vulnerability
Microsoft has revealed a security vulnerability in Apple macOS that, if exploited, could have allowed a hacker with root access to bypass System Integrity Protection (SIP). This flaw would have enabled unauthorized installation of corrupted kernel drivers through third-party kernel extensions, significantly compromising system security.
Table of Contents
The Details of CVE-2024-44243
The vulnerability, identified as CVE-2024-44243, carried a CVSS severity score of 5.5 and was categorized as a medium-risk issue. Apple addressed this flaw in the macOS Sequoia 15.2 update last month. The company described it as a 'configuration issue' that could permit an unsafe application to modify protected areas of the file system, effectively weakening core security protections.
The Risks of Bypassing SIP
System Integrity Protection, also known as 'rootless,' is a fundamental macOS security mechanism designed to prevent unauthorized modifications to critical system components. By bypassing SIP, attackers could install persistent threats such as rootkits, evade Apple's Transparency, Consent, and Control (TCC) framework and open the door for further exploitation.
How SIP Protects macOS
SIP works by enforcing strict access controls over essential directories, including /System, /usr, /bin, /sbin, and /var. It limits modifications to these areas to only Apple-signed processes with specific entitlements, such as software updates and system installers. This safeguard prevents both users and attackers from tampering with macOS's core functionality.
SIP Entitlements: A Double-Edged Sword
Apple provides two key SIP entitlements that regulate modifications:
- com.apple.rootless.install: Grants permission to bypass SIP's file system restrictions for a specific process.
- com.apple.rootless.install.heritable: Extends the bypass permission to the process and all its child processes.
Exploiting these entitlements could enable attackers to override SIP protections, making it a critical security concern.
The Exploit: How Attackers could Bypass SIP
The newly discovered SIP bypass, similar to past exploits like CVE-2021-30892 (Shrootless) and CVE-2023-32369 (Migraine), leverages the 'com.apple.rootless.install.heritable' entitlement within macOS's Storage Kit daemon (storagekitd).
By abusing storagekitd's ability to launch arbitrary processes without validation, attackers could introduce a threatening file system bundle into /Library/Filesystems. This would allow them to override binaries linked to macOS's Disk Utility, triggering an attack during operations like disk repair. Additionally, a root user could exploit this flaw to execute unauthorized code, circumventing SIP protections entirely.
Microsoft’s Continued Security Findings
This discovery follows Microsoft's earlier report on another macOS vulnerability in the Transparency, Consent, and Control (TCC) framework (CVE-2024-44133, aka HM Surf). That flaw, with the same CVSS score of 5.5, could have been exploited to access sensitive user data. The repeated targeting of macOS security measures highlights the need for continuous vigilance and patching.
The Bigger Picture: Why SIP Matters
By restricting third-party kernel extensions, Apple enhances macOS stability and security. However, bypassing SIP compromises these protections, making the system vulnerable to advanced threats. If SIP is disabled, security solutions may also lose visibility, allowing attackers to manipulate or disable security tools unnoticed.
A Prime Target for Attackers
SIP remains a high-value target for security researchers and threat actors alike. Many of Apple's security defenses assume SIP cannot be bypassed, making any exploit a significant breakthrough. Successful attacks could allow hackers to place malicious files in protected directories, hide activity from security tools and bypass macOS security prompts entirely.
Staying Protected: Why Updates are Essential
Attackers are known to use social engineering tactics to manipulate users into granting unnecessary permissions. However, an exploit of SIP could eliminate the need for user interaction altogether. Given SIP's fundamental role in macOS security, the best defense against such vulnerabilities is to ensure macOS is always up to date. Installing Apple's security patches as soon as they are released is the most effective way to prevent attackers from exploiting these flaws.