Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass

Cyber Security Threat Summary:
Microsoft researchers Jonathan Bar Or, Michael Pearse, and Anurag Bohra recently disclosed details of a now-patched flaw in Apple macOS that could be exploited by threat actors who already hold root access to bypass security enforcement and perform arbitrary actions on unpatched devices. Tracked as CVE-2023-32369 (aka ‘Migraine’), the flaw permits an attacker to bypass System Integrity Protection (SIP), a security feature designed to limit the actions even the root user can perform on protected files and folders. By abusing this flaw, “an attacker can create files that are protected by SIP and therefore undeletable by ordinary means.”

“The bypass is made possible by leveraging a built-in macOS tool called Migration Assistant to activate the migration process via an AppleScript that's designed to ultimately launch an arbitrary payload. This, in turn, stems from the fact that systemmigrationd – the daemon used to handle device transfer – comes with the com.apple.rootless.install.heritable entitlement, allowing all its child processes, including bash and perl, to bypass SIP checks. As a result, a threat actor already with code execution capabilities as root could trigger systemmigrationd to run perl, which could then be used to run a malicious shell script as the migration process is underway” (The Hacker News, 2023).
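Two checks a defender would want from the description above: confirm that a daemon actually carries the heritable SIP-bypass entitlement, and hunt for shells or interpreters whose ancestry leads back to systemmigrationd, since that is the shape the abuse takes. The script below is an added example, not Microsoft's or Apple's code. The entitlements text and the process snapshot are constructed inline; on a live host you would feed it the XML plist that `codesign -d --entitlements` emits for the daemon and the output of `ps -axo pid=,ppid=,comm=` instead. The systemmigrationd path and the interpreter list are assumptions.

```bash
#!/bin/sh
# Added example (not from the original article): entitlement check plus a
# parent-chain hunt for interpreters spawned under systemmigrationd.

# Constructed entitlements dump in XML plist shape (assumed to match what
# `codesign -d --entitlements` prints for the daemon on a real host).
SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>com.apple.rootless.install.heritable</key>
	<true/>
</dict>
</plist>'

# Constructed process snapshot in `ps -axo pid=,ppid=,comm=` shape:
# pid, parent pid, command path (paths without spaces, see note below).
SAMPLE_PS='1 0 /sbin/launchd
415 1 /System/Library/PrivateFrameworks/SystemMigration.framework/Versions/A/Resources/systemmigrationd
932 415 /usr/bin/perl
940 932 /bin/bash
955 1 /usr/bin/perl
960 1 /bin/zsh
970 960 /usr/bin/perl'

# has_heritable_entitlement <plist-text>
# Exit 0 when com.apple.rootless.install.heritable is present and <true/>.
has_heritable_entitlement() {
  printf '%s\n' "$1" | awk '
    /<key>com\.apple\.rootless\.install\.heritable<\/key>/ { want = 1; next }
    want && /<true\/>/ { found = 1 }
    want { want = 0 }            # the value line always follows the key line
    END { exit found ? 0 : 1 }'
}

# flag_migration_children <ps-text>
# Print "pid path" for every shell or interpreter whose parent chain
# (not just its direct parent) includes systemmigrationd. Such a process
# inherits the heritable entitlement and therefore runs outside SIP checks.
flag_migration_children() {
  printf '%s\n' "$1" | awk '
    { ppid[$1] = $2; comm[$1] = $3 }
    END {
      for (p in comm) {
        base = comm[p]; sub(/.*\//, "", base)
        if (base !~ /^(bash|sh|zsh|perl|python[0-9.]*|ruby|osascript)$/) continue
        depth = 0
        # walk upward; depth bound guards against a malformed snapshot
        for (a = ppid[p]; (a in comm) && depth++ < 64; a = ppid[a]) {
          abase = comm[a]; sub(/.*\//, "", abase)
          if (abase == "systemmigrationd") { print p, comm[p]; break }
        }
      }
    }' | sort -n
}

# Stand-alone demo over the constructed data.
if has_heritable_entitlement "$SAMPLE_ENTITLEMENTS"; then
  echo "heritable SIP entitlement present"
fi
flag_migration_children "$SAMPLE_PS"
```

On the constructed snapshot only pids 932 and 940 are flagged: perl under systemmigrationd and a bash launched by that perl. The perl under launchd and the perl under an interactive zsh are legitimate and stay quiet. The awk split on whitespace means a command path containing spaces would be truncated to its first word; for a live hunt, either quote the `comm` column or switch to `ps -axo pid=,ppid=,comm=` with a tab-separated custom format before parsing.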

Security Officer Comments:
According to researchers, “the implications of arbitrary SIP bypasses are serious, as the potential for malware authors is significant.” For instance, leveraging such a bypass could enable threat actors to successfully deploy and install rootkits, create undeletable malware, replace databases that control Transparency, Consent, and Control (TCC) policies, and further expand the attack surface for “userland and kernel attacker techniques.”

Suggested Correction(s):
CVE-2023-32369 was addressed by Apple in the updates shipped on May 18, 2023: macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7. Users and administrators should confirm that devices run these or later versions (`sw_vers -productVersion` shows the installed release). Because exploitation requires code execution as root, patching should be paired with the usual controls that keep attackers from reaching root in the first place.

Source: https://thehackernews.com/2023/05/microsoft-details-critical-apple-macos.html
https://www.microsoft.com/