New SIP bypass vulnerability allows attackers to break into macOS systems

Microsoft researchers have discovered a vulnerability in how Apple-signed packages with post-install scripts are installed, which could allow an attacker to bypass System Integrity Protection (SIP) on macOS systems.

SIP is a security feature in macOS that restricts even the root user from performing operations that could compromise system integrity. But the vulnerability, dubbed "Shrootless" and tracked as CVE-2021-30892, could allow threat actors to create a malicious file on an infected system that hijacks the installation process.

The attacker could then install a rootkit to overwrite system files, or plant more persistent, hard-to-detect malware.

How Could the 'Shrootless' Bug Allow Attackers to Install a Rootkit on macOS Systems?

SIP, introduced in macOS Yosemite and also known as "rootless", essentially locks down the macOS system from the root user by leveraging Apple's sandbox technology to protect the entire platform.

The only legitimate way to disable SIP is to boot into recovery mode and turn it off there; turning SIP on or off is done with the built-in csrutil tool, which can also display the current SIP status. The researchers therefore looked at macOS processes entitled to bypass SIP protections, which led them to a software daemon called "system_installd" that allows any of its child processes to circumvent SIP filesystem restrictions.
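Since the article points to csrutil as the way to see SIP status, here is an added audit check (not from the article or from Microsoft's research) that parses the output of `csrutil status` and reports whether SIP's filesystem restrictions, the part Shrootless bypasses, are actually active; the sample outputs are constructed in the shape csrutil prints and are an assumption about its exact wording.

```python
import re
import shutil
import subprocess

# Constructed sample outputs in the shape "csrutil status" prints (assumption:
# exact wording may differ slightly between macOS releases).
SAMPLE_ENABLED = "System Integrity Protection status: enabled.\n"
SAMPLE_CUSTOM = (
    "System Integrity Protection status: unknown (Custom Configuration).\n"
    "\nConfiguration:\n"
    "\tApple Internal: disabled\n"
    "\tKext Signing: enabled\n"
    "\tFilesystem Protections: disabled\n"
    "\tDebugging Restrictions: enabled\n"
    "\tNVRAM Protections: enabled\n"
    "\nThis is an unsupported configuration, likely to break in the future "
    "and leave your machine in an unknown state.\n"
)

STATUS_RE = re.compile(r"System Integrity Protection status:\s*(\w+)")
# Per-feature lines of a custom configuration are indented "Name: state".
FEATURE_RE = re.compile(r"^\s+([A-Za-z ]+):\s*(enabled|disabled)\s*$", re.M)

def parse_csrutil_status(text):
    """Return (overall, features): overall is 'enabled', 'disabled' or 'unknown';
    features maps each per-feature line of a custom configuration to its state."""
    m = STATUS_RE.search(text)
    overall = m.group(1).lower() if m else "unknown"
    features = {k.strip(): v for k, v in FEATURE_RE.findall(text)}
    return overall, features

def sip_filesystem_protected(text):
    """True only if SIP's filesystem restrictions are active; a custom
    configuration is trusted only if it explicitly lists them as enabled."""
    overall, features = parse_csrutil_status(text)
    if overall == "enabled":
        return True
    if overall == "disabled":
        return False
    return features.get("Filesystem Protections") == "enabled"

def check_host():
    """Query the live machine when csrutil exists (macOS); otherwise return None."""
    if shutil.which("csrutil") is None:
        return None
    out = subprocess.run(["csrutil", "status"], capture_output=True, text=True).stdout
    return sip_filesystem_protected(out)

if __name__ == "__main__":
    live = check_host()
    print("live host filesystem protection:", "csrutil not available" if live is None else live)
    for name, sample in (("enabled", SAMPLE_ENABLED), ("custom", SAMPLE_CUSTOM)):
        print(name, "->", parse_csrutil_status(sample), "protected:", sip_filesystem_protected(sample))
```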

Successful exploitation of the bug could enable a malicious actor to modify protected parts of the file system, including installing malicious kernel drivers, also known as rootkits.

How to Mitigate Against the New 'Shrootless' Bug?

Microsoft promptly shared the findings with Apple via Coordinated Vulnerability Disclosure (CVD) through Microsoft Security Vulnerability Research (MSVR), and a fix for the vulnerability was included in the security updates Apple released on October 26, 2021.

Apple therefore recommends that macOS users update their systems to protect against this problem, as the new OS release adds further restrictions.
