CVE-2024-44243 macOS flaw allows persistent malware installation

Microsoft disclosed details of a vulnerability in Apple macOS that could have allowed an attacker to bypass the OS’s System Integrity Protection (SIP).

Microsoft disclosed details of a now-patched macOS flaw, tracked as CVE-2024-44243 (CVSS score: 5.5), that allows attackers with “root” access to bypass System Integrity Protection (SIP).

SIP in macOS safeguards the system by blocking the execution of unauthorized code. It allows App Store apps and notarized apps while blocking others by default.

Bypassing SIP enables attackers to install rootkits, create persistent malware, bypass TCC protections, and expand the system’s vulnerability to further exploits.

“An app may be able to modify protected parts of the file system.” reads the advisory published by the IT giant. “Description: “A configuration issue was addressed with additional restrictions.”

Apple addressed the issue in December with the release of macOS Sequoia 15.2.

The vulnerability was reported by Mickey Jin (@patch1t) and Jonathan Bar Or (@yo_yo_yo_jbo) of Microsoft.

“Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits.” reads the advisory published by Microsoft.

Microsoft experts pointed out that SIP bypasses often target processes with special entitlements, which grant unique capabilities and are part of a process’s digital signature, making them hard to forge. Private entitlements, often prefixed with “com.apple.private,” are reserved for system-critical functions and are mostly undocumented by Apple. Monitoring anomalous behavior in these processes is essential, as such entitlements can potentially bypass security mechanisms.

“Our team has identified the criticality in monitoring anomalous behavior by those specially entitled processes, as in many cases special entitlements could be used for bypassing security mechanisms.” continues Microsoft.

Microsoft cited the following entitlements specific to SIP:

• com.apple.rootless.install, which can bypass SIP file system checks for a process with this entitlement
• com.apple.rootless.install.heritable, A SIP bypass occurs when a process and its child processes inherit the com.apple.rootless.install entitlement, overriding SIP’s file system restrictions.

The storagekitd daemon, responsible for disk state management via the Storage Kit private framework, is entitled with the com.apple.rootless.install.heritable entitlement.

storagekitd has many SIP bypassing capabilities, including the com.apple.rootless.install.heritable.

The researchers highlighted the storagekitd’s ability to invoke arbitrary processes without proper validation or dropping privileges.

An attackers with root access can to add a custom file system bundle to /Library/Filesystems. This can override binaries like Disk Utility and enable SIP-protected actions, such as disk erasure, to execute malicious code.

“As described by Csaba Fitzl of Kandji in POC2024, upon mounting, the disk utility consults a specialized daemon known as the Storage Kit daemon (storagekitd), which, in turn, uses the Disk Arbitration daemon (diskarbitrationd) to invoke the right mount process via posix_spawn.” concludes Microsoft. “However, we noticed certain operations (such as “disk repair”) are directly invoked under storagekitd. Since an attacker that can run as root can drop a new file system bundle to /Library/Filesystems, they can later trigger storagekitd to spawn custom binaries, hence bypassing SIP.”

In October 2024, Microsoft discovered another vulnerability, tracked as CVE-2024-44133 and code-named ‘HM Surf’, in Apple’s Transparency, Consent, and Control (TCC) framework in macOS.

Apple’s Transparency, Consent, and Control framework in macOS is designed to protect user privacy by managing how apps access sensitive data and system resources. It requires applications to request explicit user permission before they can access certain types of information or system features

Successful exploitation of the flaw could allow attackers to bypass privacy settings and access user data.

The “HM Surf” vulnerability removes TCC protection from Safari, allowing access to user data, including browsing history, camera, microphone, and location without consent.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, System Integrity Protection)