Cybersecurity researchers at Microsoft have helped Apple patch a vulnerability that could allow attackers to bypass the System Integrity Protection (SIP) in macOS and perform arbitrary operations.
The Microsoft 365 Defender research team also discovered that a similar technique could allow attackers to elevate their privileges to root an affected device.
“SIP is a security technology in macOS that restricts a root user from performing operations that may compromise system integrity. We discovered the vulnerability while assessing processes entitled to bypass SIP protections,” notes Jonathan Bar Or, Senior security researcher at Microsoft.
The vulnerability, named shrootless and tracked as CVE-2021-30892 was reported to Apple who pushed a patch for it in the security updates released earlier this week, on October 26, 2021.
Go shrootless
Explaining the vulnerability, Bar Or says that SIP, also known as rootless, was first introduced in macOS Yosemite as a mechanism to lock down the system from root by leveraging the Apple sandbox to protect the entire platform.
In other words, SIP essentially restricts a root user from performing operations that could compromise a system’s integrity.
However, the researchers found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. Bar Or notes that the vulnerability could be exploited to create a specially crafted file that hijacks the installation process, in order to bypass SIP’s restrictions.
Once that’s done, the attacker could then overwrite system files, or install rootkits and malware. Bar Or said the researchers demonstrated the vulnerability by developing a fully functional proof-of-concept (PoC) exploit.
“Security technology like SIP in macOS devices serves both as the device’s built-in baseline protection and the last line of defense against malware and other cybersecurity threats. Unfortunately, malicious actors continue to find innovative ways of breaching these barriers for these very same reasons….Our research on the CVE-2021-30892 vulnerability exemplifies this,” Bar Or concludes, building a case for businesses to switch to solutions like Microsoft Defender for Endpoint.
