Microsoft Found Critical Vulnerability On Apple MacOS : CVE-2024-44243 SIP Bypass

The challenge of detecting such threats is compounded by the inherent limitations in kernel-level visibility on macOS, making it difficult for traditional security measures to spot and mitigate these sophisticated attacks.

Microsoft Threat Intelligence

I know that Microsoft finding a flaw in Apple's macOS is definitely something wild. Well, let's deep dive into CVE-2024-44243, which was detected by Microsoft.

A Brief Summary

Microsoft Threat Intelligence discovered a now-patched security weakness affecting Apple macOS. An attacker running as "root" could have bypassed the operating system's System Integrity Protection (SIP) and installed malicious kernel drivers by loading third-party kernel extensions.


Understanding SIP: System Integrity Protection

System Integrity Protection (SIP) in macOS protects the entire system by preventing the execution of unauthorized code. The system automatically authorizes apps that the user downloads from the App Store. The system also authorizes apps that a developer notarizes and distributes directly to users. The system prevents the launching of all other apps by default.

Apple Co.

Through Microsoft Security Vulnerability Research (MSVR) and Coordinated Vulnerability Disclosure (CVD), the Microsoft team communicated these findings to Apple. On December 11, 2024, Apple released security updates containing a fix for this vulnerability, now tracked as CVE-2024-44243. Mickey Jin responsibly reported the vulnerability to Apple, and Microsoft found the same issue at the same time.

SIP is a macOS mechanism that prevents even the root user from performing certain operations, such as changing non-volatile random-access memory (NVRAM) variables, obtaining task ports for Apple-signed processes, enabling kernel debugging, loading arbitrary kernel drivers, and altering sensitive operating system files. In a development environment the feature can be turned off.

Therefore, once SIP is bypassed, a user's ability to alter the system expands considerably. These adjustments may include altering NVRAM variables to get around SIP, executing kernel code (for example, by changing the list of permitted kernel extensions and then loading one of them), and making changes to sensitive files on the file system.

The Microsoft team determined that it was crucial to monitor unusual behaviour by those specifically entitled processes. I have included only the most crucial and relevant points here so you do not have to read the rest.

Entitlement: com.apple.rootless.install
Description: Allows bypassing SIP file system checks. Examples:
  - Symbolic link misuse: fsck_cs writing to arbitrary paths (Stefan Esser, SyScan360).
  - CVE-2022-26712: Exploits SystemShoveService.xpc (Mickey Jin).

Entitlement: com.apple.rootless.install.heritable
Description: Passes the com.apple.rootless.install entitlement on to child processes. Examples:
  - CVE-2019-8561: TOCTOU issue in system_installd (Trend Micro).
  - CVE-2020-9854: Arbitrary process execution via installer script (Ilias Morad).
  - CVE-2021-30892 ("Shrootless"): Abuses Apple-signed package scripts (Microsoft Defender).
  - CVE-2022-22583: Variant of "Shrootless", exploits /tmp symbolic link (Perception Point).
  - CVE-2023-32369 ("Migraine"): Exploits the migrationd daemon (Microsoft Defender).

After CVE-2021-30892 (Shrootless) and CVE-2023-32369 (Migraine), CVE-2024-44243 is the most recent macOS SIP bypass found by Microsoft. It takes advantage of the Storage Kit daemon's (storagekitd) "com.apple.rootless.install.heritable" entitlement to bypass SIP protections.

Specifically, this is accomplished by using "storagekitd's ability to invoke arbitrary processes without proper validation or dropping privileges" to override Disk Utility's binaries, which may then be triggered during specific operations such as disk repair. Dropping a new file system bundle into /Library/Filesystems causes its binaries to run as child processes of storagekitd, inheriting the daemon's entitlement.

Using advanced hunting query language, we can look for all child processes of the storagekitd daemon:
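The same hunting idea expressed as an added example rather than a query from the original post: a Python check over constructed process-creation records that keeps only children of storagekitd whose binary lives outside SIP-protected paths. The record schema, field names and sample paths are assumptions made for this example, not Defender's real telemetry format.

```python
import json
from typing import Dict, List

# Constructed sample process-creation events, one JSON record per line.
# The field names (parent, child, cmdline) are a hypothetical schema for
# this example, not Microsoft Defender's telemetry format.
SAMPLE_LOG = """
{"parent": "launchd", "child": "/usr/libexec/storagekitd", "cmdline": ""}
{"parent": "storagekitd", "child": "/System/Library/Filesystems/apfs.fs/Contents/Resources/fsck_apfs", "cmdline": "fsck_apfs -n /dev/disk1s1"}
{"parent": "storagekitd", "child": "/Library/Filesystems/demo.fs/Contents/Resources/fsck_demo", "cmdline": "fsck_demo /dev/disk3s1"}
{"parent": "storagekitd", "child": "/usr/local/bin/fsck_third", "cmdline": "fsck_third /dev/disk4s1"}
{"parent": "Finder", "child": "/Library/Filesystems/demo.fs/Contents/Resources/mount_demo", "cmdline": "mount_demo"}
"""

# Locations SIP keeps read-only even for root. A storagekitd child living here
# is Apple's own helper and is expected; a child started from a root-writable
# path inherits com.apple.rootless.install.heritable and deserves a closer look.
SIP_PROTECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")
ROOT_WRITABLE_EXCEPTIONS = ("/usr/local/",)  # under /usr but not SIP-protected


def is_sip_protected(path: str) -> bool:
    """True if `path` sits under a SIP-protected directory."""
    if path.startswith(ROOT_WRITABLE_EXCEPTIONS):
        return False
    return path.startswith(SIP_PROTECTED_PREFIXES)


def parse_events(log: str) -> List[Dict[str, str]]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def find_suspicious_children(events: List[Dict[str, str]],
                             parent: str = "storagekitd") -> List[Dict[str, str]]:
    """Return children of `parent` whose binary is outside SIP-protected paths.

    /Library/Filesystems is called out separately because that is where a
    third-party file system bundle would be dropped.
    """
    hits = []
    for ev in events:
        if ev["parent"] != parent or is_sip_protected(ev["child"]):
            continue
        reason = ("third-party file system bundle"
                  if ev["child"].startswith("/Library/Filesystems/")
                  else "binary outside SIP-protected path")
        hits.append({**ev, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_children(parse_events(SAMPLE_LOG)):
        print(f"{hit['reason']}: {hit['child']} ({hit['cmdline']})")
```

On the constructed input this flags the demo.fs helper and the /usr/local binary, and ignores the Apple-shipped fsck_apfs and the unrelated Finder child.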

It is striking that the heading of the original post also covers how easily this flaw can be detected with Defender. Bypassing SIP affects the security of the entire operating system and can have serious consequences, highlighting the need for all-encompassing security.

Microsoft Defender Vulnerability Management quickly identifies and resolves CVE-2024-44243 and similar vulnerabilities while Microsoft Defender for Endpoint offers robust monitoring capabilities designed to detect and alert on anomalous behavior associated with specially entitled processes on macOS.

Microsoft Threat Intelligence
