Full Report
Microsoft has shed light on a now-patched security flaw impacting Apple macOS that, if successfully exploited, could have allowed an attacker running as "root" to bypass the operating system's System Integrity Protection (SIP) and install malicious kernel drivers by loading third-party kernel extensions. The vulnerability in question is CVE-2024-44243 (CVSS score: 5.5), a medium-severity bug
Analysis Summary
# Vulnerability: macOS System Integrity Protection (SIP) Bypass via Kernel Extensions Loading
## CVE Details
- CVE ID: CVE-2024-44243
- CVSS Score: 5.5 (Medium)
- CWE: Not explicitly mentioned, but relates to improper privilege management/configuration errors.
## Affected Systems
- Products: Apple macOS
- Versions: Versions prior to macOS Sequoia 15.2, the release that contains the fix.
- Configurations: Exploitation requires that the attacker already has root access on the system.
## Vulnerability Description
This vulnerability is a configuration issue within macOS that allows a local attacker who already has `root` privileges to bypass System Integrity Protection (SIP). The flaw is specifically rooted in the **`storagekitd`** daemon, which possesses the `com.apple.rootless.install.heritable` entitlement. By leveraging this entitlement, an attacker can cause `storagekitd` to invoke arbitrary processes without proper validation or dropping privileges. This misuse allows the attacker to install a malicious file system bundle into `/Library/Filesystems`. Once this is achieved, the attacker can trigger `storagekitd` (e.g., via disk erase operations on the new file system) to execute custom binaries, effectively loading unauthorized kernel extensions and installing rootkits, thereby undermining SIP protections.
## Exploitation
- Status: No information suggesting exploitation in the wild, but a significant bypass mechanism is detailed.
- Complexity: Assumes the attacker already has root access; the bypass itself requires exploiting a specific daemon interaction. Likely **Medium** complexity to achieve the final goal (kernel driver loading).
- Attack Vector: **Local** (Requires existing root privileges).
## Impact
- Confidentiality: High (Bypassing SIP allows installation of highly persistent malware like rootkits, potentially leading to full data compromise).
- Integrity: High (Modification of core system files and drivers).
- Availability: Medium to High (Potential for denial of service or system instability if malicious drivers are loaded).
## Remediation
### Patches
- **macOS Sequoia 15.2** (and later versions) released by Apple addresses this configuration issue.
### Workarounds
- No specific workarounds are detailed, as the vulnerability requires an attacker to already possess root access. Standard best practices against unauthorized root access should be enforced.
## Detection
- **Indicators of Compromise:** Monitoring for unauthorized processes running with kernel privileges or the presence of unexpected third-party kernel extensions. Look for activity related to child processes spawned by `storagekitd`.
- **Detection Methods and Tools:** Security solutions (EDR) should monitor integrity checks on system directories protected by SIP, and should also watch `/Library/Filesystems`, which is writable by root and is where the malicious bundle is planted. Because SIP normally limits the visibility security tools have at the kernel level, enhanced auditing of `storagekitd` activity is recommended.
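As an added illustration of the detection guidance above (example code written for this summary, not tooling from Microsoft, Apple or any EDR vendor), the following Python rule flags `storagekitd` child processes whose executable lies outside SIP-protected roots, which is the pattern the file system bundle abuse produces. The event format and the sample events are constructed for the example, and the list of SIP-protected roots assumes a stock install.

```python
import json

# Directory roots that SIP keeps read-only on a stock macOS install (assumption
# for this example). A helper executed by storagekitd is expected to live under
# one of them; /Library/Filesystems is writable by root and is NOT protected.
SIP_PROTECTED_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/")
WRITABLE_FS_BUNDLE_DIR = "/Library/Filesystems/"

# Constructed sample process-launch events (not output of any real product).
# One JSON object per line: parent process name, child executable, effective uid.
SAMPLE_EVENTS = """\
{"ts": "2025-01-14T10:00:01Z", "parent": "launchd", "exe": "/usr/libexec/storagekitd", "uid": 0}
{"ts": "2025-01-14T10:00:05Z", "parent": "storagekitd", "exe": "/System/Library/Filesystems/apfs.fs/Contents/Resources/newfs_apfs", "uid": 0}
{"ts": "2025-01-14T10:00:09Z", "parent": "storagekitd", "exe": "/Library/Filesystems/example.fs/Contents/Resources/newfs_example", "uid": 0}
{"ts": "2025-01-14T10:00:12Z", "parent": "storagekitd", "exe": "/usr/local/bin/helper", "uid": 0}
"""


def is_sip_protected(path: str) -> bool:
    """True if the path lies under a root that SIP normally keeps read-only."""
    if path.startswith("/usr/local/"):  # /usr/local is exempt from SIP
        return False
    return path.startswith(SIP_PROTECTED_ROOTS)


def flag_storagekitd_children(event_lines: str) -> list:
    """Alerts for storagekitd children whose binary is outside SIP-protected roots."""
    alerts = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("parent") != "storagekitd":
            continue
        exe = ev.get("exe", "")
        if is_sip_protected(exe):
            continue  # expected system helper, e.g. Apple's own newfs_* tools
        if exe.startswith(WRITABLE_FS_BUNDLE_DIR):
            reason = "third-party file system bundle under " + WRITABLE_FS_BUNDLE_DIR
        else:
            reason = "binary outside SIP-protected roots"
        alerts.append({"ts": ev.get("ts"), "exe": exe, "uid": ev.get("uid"), "reason": reason})
    return alerts


def third_party_kexts(bundle_ids: list) -> list:
    """Loaded kext bundle identifiers not from Apple; review each against an allow-list."""
    return [b for b in bundle_ids if not b.startswith("com.apple.")]


if __name__ == "__main__":
    for a in flag_storagekitd_children(SAMPLE_EVENTS):
        print(f"ALERT {a['ts']} {a['exe']}: {a['reason']}")
```

Feed `flag_storagekitd_children` real process-creation telemetry from your EDR once the field names are mapped, and pair it with a periodic check of `/Library/Filesystems` contents.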
## References
- Vendor Advisory: Apple security release notes for macOS Sequoia 15.2.
- Technical Analysis: Microsoft Threat Intelligence blog detailing CVE-2024-44243.
- Related CVEs: CVE-2021-30892 (Shrootless), CVE-2023-32369 (Migraine), CVE-2024-44133 (HM Surf).