‘Migraine’ Flaw Let Hackers Bypass macOS Security Integrity

A recently discovered vulnerability dubbed “Migraine,” tied to the macOS migration feature, poses a serious threat.

It enables attackers with root privileges to circumvent System Integrity Protection (SIP) on macOS, granting them unrestricted control over the compromised device.

The security flaw, named “Migraine,” was identified by security researchers at Microsoft Threat Intelligence, who promptly alerted Apple. The vulnerability has since been assigned the tracking identifier CVE-2023-32369.

Apple addressed the vulnerability on May 18, 2023, by including a fix in security updates it has already released.

Users can protect their systems by promptly installing these updates.

System Integrity Protection Bypass

System Integrity Protection (SIP) serves as a vital security measure in macOS, effectively limiting the capabilities of a root user to prevent any actions that could risk the system’s overall integrity.

The following serious consequences can follow when SIP is bypassed:

  • Installation of rootkits
  • Creation of persistent malware
  • Expansion of the attack surface

The fundamental principle of System Integrity Protection (SIP) is to allow modifications to macOS-protected components exclusively by processes signed by Apple or possessing specific entitlements, such as Apple software updates and installers. 

This approach ensures that only trusted entities with proper authorization can make changes to critical system elements. 

By strictly controlling access to macOS components, SIP maintains the integrity of the operating system and minimizes the risk of unauthorized modifications or tampering by unverified sources.

Microsoft researchers discovered that attackers who possess root permissions have the ability to circumvent SIP security measures by exploiting the macOS Migration Assistant utility. 

This utility relies on the systemmigrationd daemon, which possesses the com.apple.rootless.install.heritable entitlement; that entitlement grants the ability to bypass SIP.

Disabling SIP outright, by contrast, is not possible without restarting the system and entering macOS Recovery, which requires physical access to the compromised device.
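Two checks follow directly from the paragraphs above: whether SIP is still enabled, and which binaries on a host carry the rootless-install entitlements that let a process write to SIP-protected locations. The script below is an added example, not code from the article, Microsoft or Apple. It assumes the operator has captured the output of `csrutil status` and of `codesign -d --entitlements :- <binary>` (an XML plist) into strings; the sample outputs embedded here are constructed to mimic those formats, and the systemmigrationd path is a placeholder.

```python
"""Defensive audit helpers for SIP status and SIP-bypass entitlements.

Added example; not from the article or from Apple/Microsoft tooling.
Assumptions (labelled): SAMPLE_CSRUTIL and SAMPLE_ENTITLEMENTS are
constructed to resemble `csrutil status` output and an entitlements
plist as printed by `codesign -d --entitlements :- <binary>`.
"""
import plistlib
import re
from typing import Dict, List

# Entitlements that permit modification of SIP-protected locations.
# The heritable variant is the one the article names for systemmigrationd;
# it matters most because child processes inherit it.
SIP_BYPASS_ENTITLEMENTS = (
    "com.apple.rootless.install",
    "com.apple.rootless.install.heritable",
)

# Constructed sample of `csrutil status` output on a healthy host.
SAMPLE_CSRUTIL = "System Integrity Protection status: enabled.\n"

# Constructed sample entitlements plist. The unrelated key is made up to
# show that only the rootless-install entitlements are reported.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.heritable</key>
    <true/>
    <key>com.example.constructed.unrelated</key>
    <true/>
</dict>
</plist>
"""


def parse_csrutil_status(output: str) -> bool:
    """Return True when csrutil reports SIP enabled, False when disabled.

    Raises ValueError if the text does not look like csrutil output, so a
    missing or garbled capture is never silently treated as 'enabled'.
    """
    match = re.search(
        r"System Integrity Protection status:\s*(enabled|disabled)",
        output,
        re.IGNORECASE,
    )
    if not match:
        raise ValueError("unrecognised csrutil output")
    return match.group(1).lower() == "enabled"


def sip_bypass_entitlements(plist_xml: bytes) -> List[str]:
    """Return the SIP-bypass entitlements set to true in an entitlements plist."""
    entitlements = plistlib.loads(plist_xml)
    return sorted(k for k in SIP_BYPASS_ENTITLEMENTS if entitlements.get(k) is True)


def audit_host(csrutil_output: str, entitlements_by_path: Dict[str, bytes]) -> Dict[str, object]:
    """Combine both checks into one report.

    entitlements_by_path maps a binary path to its captured entitlements
    plist. Binaries holding a SIP-bypass entitlement are listed so that
    a defender knows which processes to monitor for abuse.
    """
    holders: Dict[str, List[str]] = {}
    for path, xml in entitlements_by_path.items():
        found = sip_bypass_entitlements(xml)
        if found:
            holders[path] = found
    return {
        "sip_enabled": parse_csrutil_status(csrutil_output),
        "sip_bypass_holders": holders,
    }


if __name__ == "__main__":
    # Placeholder path: the real location of systemmigrationd is not
    # stated in the article and must be resolved on the audited host.
    report = audit_host(SAMPLE_CSRUTIL, {"/PLACEHOLDER/systemmigrationd": SAMPLE_ENTITLEMENTS})
    print(report)
```

On a real host the plist passed to `sip_bypass_entitlements` comes from `codesign`; the useful output of `audit_host` is the list of entitlement holders, which is the set of processes whose file writes into protected locations deserve logging and review.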

When SIP protection is bypassed, the attacker not only circumvents System Integrity Protection itself but also gains unrestricted access to the victim’s private data by overriding Transparency, Consent, and Control (TCC) policies.

Threat actors can exploit this vulnerability to replace TCC databases, completely evading the control mechanisms and gaining unauthorized access to sensitive information.

Microsoft researchers have uncovered yet another vulnerability in macOS, following their previous discovery of a SIP bypass called Shrootless in 2021.

Using this vulnerability, threat actors who already have access to a compromised Mac can elevate privileges to root, potentially install rootkits, and carry out several other illicit activities.

Implications

Arbitrary bypasses of SIP have significant implications because of the extensive opportunities they provide for malware authors.

The ability to circumvent SIP opens the door to malware with severe consequences, such as:

  • Creating undeletable malware
  • Expanding the attack surface for userland and kernel attacker techniques
  • Tampering with the integrity of the system, effectively enabling rootkits
  • Bypassing TCC completely


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.

 

Unified Endpoint Management

Complete Free Website Security Check

Wi-Fi MITM Attack

New Wi-Fi MITM Attack That Can Evade WPA3 Security…

Guru – May 30, 2023

MOVEit Transfer Critical Vulnerability Let Attackers Escalate Privileges

MOVEit Transfer Critical Vulnerability Let Attackers Escalate Privileges

June 3, 2023

Cryptomining Using TeamViewer Accounts

Beware of New Cryptomining Malware Delivered Using TeamViewer Accounts

June 1, 2023

Google Drive Security Flaw

Google Drive Security Flaw Let Hackers Exfiltrate Data Without Any Trace

June 3, 2023

Lazarus Hacking Group Attack IIS

Lazarus Hacking Group Attack IIS Web Servers to Install Web Shell

May 31, 2023

Cyber Security News

ABOUT USCyber Security News Is a Dedicated News Channel For Hackers And Security Professionals. Get Latest Hacker News & Cyber Security Newsletters update Daily.

FOLLOW US

© Copyright 2023 – Cyber Security News


Source: https://cybersecuritynews.com/migraine-macos/
