Microsoft has shared details about a now-patched vulnerability in Apple macOS that could be abused by threat actors with root access to bypass security enforcement and perform arbitrary actions on affected devices.
In particular, the flaw – dubbed Migraine and tracked as CVE-2023-32369 – can be abused to get around a major security measure called System Integrity Protection (SIP), or "rootless", which limits the actions the root user can perform on protected files and folders.
“The direct implication of SIP bypass is that (…) attackers can create files that are protected by SIP and therefore cannot be deleted in normal ways,” Microsoft researchers Jonathan Bar Or, Michael Pearse, and Anurag Bohra said.
Even worse, it can be exploited to gain arbitrary kernel code execution and to access sensitive data by overwriting the database that manages Transparency, Consent, and Control (TCC) policies.
The bypass works by using Migration Assistant, a built-in macOS tool, to start the migration process via AppleScript, which is designed to eventually launch arbitrary payloads.
This, in turn, stems from the fact that systemmigrationd – the daemon used to handle device transfers – carries the entitlement com.apple.rootless.install.heritable, allowing all its descendant processes, including bash and perl, to bypass SIP checks.
As a result, a threat actor who already has code execution capabilities as root can trigger systemmigrationd to run perl, which can then be used to run malicious shell scripts while the migration is in progress.
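As an added defender-side example (not code from Microsoft, Apple, or the article), the following Python walks a constructed process-exec feed and flags interpreters whose ancestry includes systemmigrationd, the inheritance pattern described above; the daemon path, the INTERPRETERS set and the event format are assumptions.

```python
import os
from typing import Dict, List

# The article notes that bash and perl spawned under systemmigrationd inherit
# com.apple.rootless.install.heritable, so interpreters under it are worth a look.
SIP_ENTITLED_PARENT = "systemmigrationd"
INTERPRETERS = {"bash", "sh", "zsh", "perl", "python3", "osascript"}  # assumed watchlist


def build_parent_map(events: List[dict]) -> Dict[int, dict]:
    """Index process-exec events by pid so ancestry can be walked."""
    return {e["pid"]: e for e in events}


def ancestor_chain(procs: Dict[int, dict], pid: int) -> List[str]:
    """Return executable basenames from pid up to the root (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(os.path.basename(procs[pid]["path"]))
        pid = procs[pid]["ppid"]
    return chain


def find_suspicious(events: List[dict]) -> List[int]:
    """Flag interpreters that run anywhere under systemmigrationd (any depth)."""
    procs = build_parent_map(events)
    hits = []
    for e in events:
        chain = ancestor_chain(procs, e["pid"])
        if chain[0] in INTERPRETERS and SIP_ENTITLED_PARENT in chain[1:]:
            hits.append(e["pid"])
    return hits


# Constructed sample telemetry (not from the article); paths are illustrative.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "path": "/sbin/launchd"},
    {"pid": 300, "ppid": 1, "path": "/usr/libexec/systemmigrationd"},  # placeholder path
    {"pid": 301, "ppid": 300, "path": "/usr/bin/perl"},                # child: inherits entitlement
    {"pid": 302, "ppid": 301, "path": "/bin/bash"},                    # grandchild: still inherits
    {"pid": 400, "ppid": 1, "path": "/usr/bin/perl"},                  # benign: no SIP-entitled ancestor
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_EVENTS))  # [301, 302]
```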
The iPhone maker describes CVE-2023-32369 as a logic issue that allows a malicious application to modify protected parts of the file system.
Migraine is the latest addition to the list of macOS security bypasses that have been documented under the names Shrootless (CVE-2021-30892, CVSS score: 5.5), powerdir (CVE-2021-30970, CVSS score: 5.5), and Achilles (CVE-2022-42821, CVSS score: 5.5).
“The implications of arbitrary SIP bypass are serious, because the potential for malware authors is significant,” the researchers said.
“Bypassing SIP can have serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, and expand the attack surface for additional techniques and exploits.”
The findings come as Jamf Threat Labs disclosed details of a type confusion flaw in the macOS kernel that can be weaponized by malicious applications installed on a device to execute arbitrary code with kernel privileges.
Labeled ColdInvite (aka CVE-2023-27930), the flaw “can be exploited to leverage a co-processor to gain read/write privileges to the kernel, enabling malicious actors to more closely realize their end goal of completely compromising a device.”