Microsoft has recently uncovered a significant security flaw in Apple’s macOS that could allow attackers to bypass System Integrity Protection (SIP) and install malicious kernel drivers. The vulnerability, identified as CVE-2024-44243, has been classified as medium severity with a CVSS score of 5.5. Apple has addressed the issue in its macOS Sequoia 15.2 update, describing it as a “configuration issue” that could permit malicious applications to modify protected file system areas.
Jonathan Bar Or from the Microsoft Threat Intelligence team emphasized the potential risks posed by this flaw. Exploiting the vulnerability could lead to severe consequences, such as rootkit installation, persistent malware deployment, and bypassing macOS’s Transparency, Consent, and Control (TCC) framework. This, in turn, could increase the attack surface for further exploits.
System Integrity Protection, commonly referred to as SIP or “rootless,” is a macOS security mechanism designed to safeguard critical system directories such as /System, /usr, /bin, /sbin, and /var, as well as pre-installed apps. Even a process running as root cannot write to these locations: SIP permits modifications only by Apple-signed processes that carry special entitlements, so root access alone is no longer enough to tamper with the core of the operating system.
The vulnerability lies in the Storage Kit daemon (storagekitd) and the entitlement it carries. storagekitd holds the com.apple.rootless.install.heritable entitlement, which lets the daemon and every child process it spawns bypass SIP’s file system restrictions. An attacker who already has root privileges could drop a new file system bundle into the /Library/Filesystems directory and trigger storagekitd into executing custom binaries from that bundle; because the entitlement is inherited, those binaries run with SIP’s protections lifted. In this way the attacker could override critical binaries associated with Disk Utility during operations such as disk repair. Note that root is a precondition, which is why the CVSS score is only 5.5: the flaw does not grant privileges, it removes the last barrier that normally keeps root out of protected system areas.
The risks of bypassing SIP are significant. Once SIP is circumvented, attackers can install rootkits that provide unauthorized access at the kernel level. They can also deploy malware that is highly persistent and tamper with security solutions to evade detection. Furthermore, bypassing SIP undermines the operating system’s overall reliability and increases the potential for unauthorized access to sensitive user data.
This isn’t the first time Microsoft has identified vulnerabilities in macOS. Previous discoveries include CVE-2021-30892 (Shrootless), which allowed attackers to exploit the system’s installer framework to bypass SIP, and CVE-2023-32369 (Migraine), which involved similar entitlement-related flaws. Microsoft also detailed a vulnerability in macOS’s TCC framework (CVE-2024-44133), enabling unauthorized access to sensitive user information.
Apple mitigates these types of vulnerabilities by implementing strict entitlements for SIP. Two key entitlements play a critical role:
com.apple.rootless.install – Allows a process to bypass SIP’s file system restrictions.
com.apple.rootless.install.heritable – Extends this bypass permission to all child processes of the entitled process.
CVE-2024-44243 specifically abused the heritable form. storagekitd spawned processes chosen by the attacker without validating them, and those child processes inherited com.apple.rootless.install.heritable, so the attacker could make unauthorized modifications to SIP-protected parts of the file system and compromise critical system components.
The discovery of this vulnerability underscores the evolving challenges in securing macOS against advanced attack techniques. While Apple’s SIP provides a robust framework for system protection, the tradeoff of restricting third-party code in the kernel can limit the monitoring capabilities of security solutions. As Jonathan Bar Or noted, “If SIP is bypassed, the entire operating system can no longer be considered reliable.”
Although Apple has patched this vulnerability, the incident highlights the importance of staying vigilant in cybersecurity practices. Users should ensure their Macs are updated to macOS Sequoia 15.2 or later to close this particular gap. For organizations relying on macOS devices, monitoring for signs of SIP bypass attempts, such as SIP being disabled, unexpected file system bundles appearing in /Library/Filesystems, or entitled daemons spawning unusual child processes, is crucial for maintaining a secure environment.
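The audit below is an added example, not code from the original article or from Microsoft or Apple. It turns the mechanism described above (the /Library/Filesystems drop point and the two rootless entitlements) and the monitoring advice into a small host check: it parses csrutil status, inspects every .fs bundle in /Library/Filesystems with codesign and flags those not signed by Apple's own "Software Signing" certificate, and reports which executables passed on the command line carry com.apple.rootless.install or com.apple.rootless.install.heritable. The criterion that Apple platform code is identified by the "Software Signing" leaf, the .fs bundle suffix, and the sample tool output embedded for offline use are assumptions of this example; csrutil and codesign are only invoked when the script runs on macOS.

```python
"""Audit a macOS host for SIP status, third-party file system bundles, and
SIP-bypass entitlements. The parsers run anywhere; the tools run only on macOS."""
import re
import subprocess
import sys
from pathlib import Path

FILESYSTEMS_DIR = Path("/Library/Filesystems")  # drop point named in the advisory
SIP_ENTITLEMENTS = (
    "com.apple.rootless.install",
    "com.apple.rootless.install.heritable",
)

# Constructed sample output in the shape codesign -dvvv prints (not captured from
# a real host): an Apple-signed bundle and a Developer ID-signed third-party bundle.
SAMPLE_APPLE = """Executable=/Library/Filesystems/example.fs/Contents/MacOS/example
Identifier=com.apple.example
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
"""
SAMPLE_THIRD_PARTY = """Executable=/Library/Filesystems/vendor.fs/Contents/MacOS/vendor
Identifier=com.example.vendor
Authority=Developer ID Application: Example Vendor (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
# Constructed entitlement plist in the shape 'codesign -d --entitlements -' prints.
SAMPLE_ENTITLEMENTS = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.heritable</key>
    <true/>
</dict>
</plist>
"""


def run(cmd):
    """Run a tool and return stdout and stderr together (codesign -dv writes to stderr)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def parse_csrutil_status(text):
    """True only if 'csrutil status' output reports SIP enabled."""
    m = re.search(r"System Integrity Protection status:\s*(\w+)", text)
    return bool(m) and m.group(1).lower() == "enabled"


def parse_codesign_authorities(text):
    """Certificate chain names, leaf first, from 'codesign -dvvv' output."""
    return re.findall(r"^Authority=(.+)$", text, flags=re.MULTILINE)


def is_apple_platform_signed(authorities):
    """Assumption: Apple's own system code is signed with the 'Software Signing' leaf;
    Developer ID and ad-hoc signatures never carry that name."""
    return "Software Signing" in authorities


def parse_sip_entitlements(text):
    """SIP-bypass entitlements set to <true/> in 'codesign -d --entitlements -' output.
    The full <key>...</key> match keeps the bare and .heritable forms distinct."""
    return [
        ent for ent in SIP_ENTITLEMENTS
        if re.search(r"<key>%s</key>\s*<true/>" % re.escape(ent), text)
    ]


def audit_filesystem_bundles(directory=FILESYSTEMS_DIR):
    """(bundle, apple_signed, authorities) for every *.fs bundle in the directory."""
    results = []
    for bundle in sorted(Path(directory).glob("*.fs")):
        auths = parse_codesign_authorities(run(["codesign", "-dvvv", str(bundle)]))
        results.append((str(bundle), is_apple_platform_signed(auths), auths))
    return results


def audit_entitlements(paths):
    """Map each executable that carries a SIP-bypass entitlement to the ones it holds."""
    report = {}
    for p in paths:
        ents = parse_sip_entitlements(run(["codesign", "-d", "--entitlements", "-", p]))
        if ents:
            report[p] = ents
    return report


def main(argv):
    if sys.platform != "darwin":
        print("csrutil/codesign are macOS tools; only the parsers work here.")
        return 1
    print("SIP enabled:", parse_csrutil_status(run(["csrutil", "status"])))
    for path, apple, auths in audit_filesystem_bundles():
        print(f"[{'ok' if apple else 'REVIEW'}] {path}: {auths[0] if auths else 'unsigned'}")
    for path, ents in audit_entitlements(argv).items():
        print(f"[entitled] {path}: {', '.join(ents)}")  # children inherit .heritable
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as root on a Mac, passing any daemons or helpers you want checked for the rootless entitlements as arguments; a bundle marked REVIEW in /Library/Filesystems is not necessarily malicious (third-party file system drivers live there legitimately), but it is exactly the kind of artifact the attack path above leaves behind and deserves a second look, especially if it appeared recently.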
CVE-2024-44243 represents another reminder that even sophisticated operating systems like macOS are not immune to vulnerabilities. Continued collaboration between security researchers and technology companies is essential to identify and address such flaws, ensuring robust protections against ever-evolving cyber threats.