Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions

Microsoft Threat Intelligence has uncovered a significant macOS vulnerability identified as CVE-2024-44243, which allows attackers to circumvent Apple’s System Integrity Protection (SIP). SIP is a crucial security feature designed to restrict system modifications that could compromise the integrity of macOS, and exploiting it can lead to severe security risks. By bypassing SIP, attackers could install rootkits, create persistent malware, evade security measures like Transparency, Consent, and Control (TCC), and increase the overall attack surface for further exploits.

These findings were disclosed to Apple through a Coordinated Vulnerability Disclosure process, and Apple released a security update to address this issue on December 11, 2024. The research conducted by Microsoft and security researcher Mickey Jin was a collaborative effort that emphasized the importance of responsible disclosure in cybersecurity.

An essential aspect of this vulnerability involves special entitlements that allow certain processes to bypass SIP mechanisms. It is vital to monitor processes with these entitlements for unusual activity. The research indicates that malicious actors could exploit specially entitled processes to load unverified third-party kernel extensions that could install rootkits while remaining undetected by traditional security solutions.

Previous Microsoft research on SIP bypasses has emphasized the need for proactive monitoring of these privileged processes. Tools like Microsoft Defender have been designed to alert users of potentially harmful activities associated with specially entitled processes. The recent discovery of CVE-2024-44243 has strong implications for kernel-level monitoring strategies, as SIP bypasses can render the OS unreliable, allowing threat actors to modify system protections undetected.

SIP (or “rootless”) enforces multiple protections in macOS, which include preventing arbitrary kernel driver loading, modifying critical NVRAM variables, accessing task ports for Apple-signed processes, enabling kernel debugging, and altering sensitive operating system files. It is noteworthy that bypassing just one of these protections can lead to the circumvention of others. For example, modifying NVRAM variables can directly lead to SIP bypasses, illustrating the interconnected nature of these protections.

Historical SIP bypasses have often targeted special binaries with unique entitlements: capabilities embedded in a process's digital signature, which attackers cannot easily forge. Some entitlements are reserved exclusively for system functions and are critical for maintaining security and debugging capabilities. The research emphasizes close monitoring of processes granted these entitlements, since they are the ones that can potentially be abused for bypasses.

One such entitled process, storagekitd (the daemon responsible for disk state keeping), was found able to bypass SIP protections because it can spawn potentially malicious child processes without appropriate validation or privilege restrictions. Using advanced querying methods, the researchers identified several custom filesystems (e.g., third-party NTFS implementations) that could allow a SIP bypass when invoked through specific operations.
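The following Python script is an added example, not code from the original article or from Microsoft's tooling. It applies the monitoring advice above: it parses an entitlements plist shaped like the output of `codesign -d --entitlements :- <binary>`, then walks a process snapshot and flags any process that holds a SIP-bypass entitlement, or inherits the heritable variant from a parent such as storagekitd, while running from an untrusted path. The entitlement names, the trusted-path list, the storagekitd path and the process snapshot are assumptions or constructed data.

```python
import plistlib

# Entitlements that let a process write to SIP-protected locations (assumed names);
# the .heritable variant is passed on to every child process the holder spawns.
HERITABLE = "com.apple.rootless.install.heritable"
SIP_ENTITLEMENTS = {"com.apple.rootless.install", HERITABLE}
# Locations of Apple-shipped binaries (assumed list); anything else is suspicious.
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/", "/sbin/")

# Constructed plist, shaped like the output of `codesign -d --entitlements :- <binary>`.
STORAGEKITD_ENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.rootless.install.heritable</key><true/>
  <key>com.example.constructed.entitlement</key><true/>
</dict></plist>"""

# Constructed process snapshot (pid, ppid, executable path, entitlement plist or None);
# the storagekitd path is a placeholder, not its real location.
SAMPLE_PROCS = [
    {"pid": 100, "ppid": 1, "path": "/usr/libexec/storagekitd", "ents": STORAGEKITD_ENTS},
    {"pid": 301, "ppid": 100, "path": "/tmp/third_party_fs_helper", "ents": None},
    {"pid": 302, "ppid": 1, "path": "/tmp/unrelated_tool", "ents": None},
]

def sip_entitlements(plist_xml):
    """Return the SIP-relevant entitlements set to true in an entitlements plist."""
    if not plist_xml:
        return set()
    ents = plistlib.loads(plist_xml)
    return {k for k, v in ents.items() if k in SIP_ENTITLEMENTS and v is True}

def flag_processes(procs):
    """Return (pid, path, reason) for each process that can bypass SIP, directly or
    through an inherited entitlement, yet runs from outside the trusted prefixes."""
    by_pid = {p["pid"]: p for p in procs}
    effective = {}

    def caps(pid):  # own entitlements plus heritable ones from the ancestor chain
        if pid not in effective:
            p = by_pid[pid]
            parent_caps = caps(p["ppid"]) if p["ppid"] in by_pid else set()
            inherited = {HERITABLE} if HERITABLE in parent_caps else set()
            effective[pid] = sip_entitlements(p["ents"]) | inherited
        return effective[pid]

    findings = []
    for p in procs:
        if caps(p["pid"]) and not p["path"].startswith(TRUSTED_PREFIXES):
            reason = "own" if sip_entitlements(p["ents"]) else "inherited"
            findings.append((p["pid"], p["path"], reason))
    return findings
```

On a live system the snapshot would come from the process list plus `codesign` output per executable; here the sample run flags only the child spawned under storagekitd from /tmp.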

In summary, the vulnerability CVE-2024-44243 presents a serious threat to macOS security due to its SIP bypass capabilities. The difficulty in detecting such threats is accentuated by the limitations in kernel-level visibility inherent in macOS. Microsoft Defender for Endpoint offers crucial monitoring functionalities, enabling the detection of anomalies linked to specially entitled processes. This vulnerability highlights the necessity for shared knowledge and collaboration in the security community to strengthen defenses against evolving threats.

In conclusion, this discovery emphasizes the importance of ongoing vigilance against potential exploits that could compromise the integrity of macOS systems. By encouraging collective responses through responsible disclosure and effective security practices, organizations can enhance their defenses and be better prepared to counteract emerging cybersecurity threats.
