Researchers from Microsoft have discovered a new vulnerability in macOS that allows attackers with root access to bypass System Integrity Protection (SIP) and perform arbitrary operations on affected devices.
Dubbed Migraine, the flaw was disclosed to Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).
SIP is a security technology implemented in macOS that prevents a root user from compromising system integrity. Introduced by Apple in macOS Yosemite, it restricts root user access to sensitive system files and directories.
SIP cannot be disabled on a live system; disabling it requires physical access to the device through the recovery OS. A SIP bypass allows an attacker to override SIP-protected directories and files. Bypassing SIP could therefore lead to the installation of rootkits, the creation of persistent malware and an expanded attack surface for further exploits.
The technique used to exploit the vulnerability is similar to the one found in the Shrootless vulnerability, tracked as CVE-2021-30892 and published in 2021.
By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, researchers found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks.
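The inheritance described above can be turned into a monitoring rule. The following is an added example, not code from Microsoft's research or from this article: it parses entitlement plists in the form dumped by `codesign -d --entitlements` and walks exec events to list every process that inherits the SIP-exempt context. The daemon path, the event tuple format and all sample data are constructed assumptions.

```python
import plistlib

HERITABLE = "com.apple.rootless.install.heritable"

# Constructed entitlements plist, in the XML form codesign can dump.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.rootless.install.heritable</key><true/>
</dict></plist>"""

# Constructed exec events in time order: (pid, parent pid, executable path).
# /usr/libexec/example_entitled_daemon is a hypothetical path.
SAMPLE_EVENTS = [
    (100, 1, "/usr/libexec/example_entitled_daemon"),
    (101, 100, "/bin/sh"),
    (102, 101, "/usr/bin/touch"),
    (200, 1, "/bin/sh"),
    (201, 200, "/usr/bin/touch"),
]

def holds_heritable(entitlements_xml):
    """True if the plist grants the heritable entitlement as a boolean true."""
    try:
        ents = plistlib.loads(entitlements_xml)
    except Exception:
        return False  # empty or unparsable dump: treat as not entitled
    return isinstance(ents, dict) and ents.get(HERITABLE) is True

def entitled_paths(dumps_by_path):
    """Map {path: entitlements plist bytes} to the set of entitled paths."""
    return {p for p, xml in dumps_by_path.items() if holds_heritable(xml)}

def inherited_context(events, entitled):
    """Return events for processes descended from an entitled process.

    Simplification (assumption): pids are not reused within the window.
    """
    exempt, inherited = set(), []
    for pid, ppid, path in events:
        if path in entitled:
            exempt.add(pid)              # the entitled binary itself
        elif ppid in exempt:
            exempt.add(pid)              # the context passes to the child
            inherited.append((pid, ppid, path))
    return inherited

if __name__ == "__main__":
    dumps = {"/usr/libexec/example_entitled_daemon": SAMPLE_ENTITLEMENTS,
             "/bin/sh": b""}
    for event in inherited_context(SAMPLE_EVENTS, entitled_paths(dumps)):
        print("runs with inherited SIP exemption:", event)
```

Processes reported this way run outside SIP enforcement, so the scripts, arguments and environment they consume deserve the same scrutiny as the entitled parent.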
Apple released security updates on May 18, 2023, addressing the issue, which is identified as CVE-2023-32369.