
A recently patched security vulnerability in Apple macOS (CVE-2024-44243) could have allowed an attacker who already holds root access to bypass System Integrity Protection (SIP) and load malicious kernel drivers. The medium-severity bug, which received a CVSS score of 5.5, was addressed in macOS Sequoia 15.2.
The vulnerability, discovered by Microsoft's Threat Intelligence team, abused the entitlements of the Storage Kit daemon (storagekitd) to write to locations SIP is meant to keep read-only. SIP, also known as rootless, is a core security mechanism that prevents even root from modifying protected system areas, including /System, /usr, /bin, /sbin, /var, and the applications pre-installed with macOS.
Technical Impact:
– Potential installation of rootkits
– Creation of persistent malware
– Bypass of Transparency, Consent and Control (TCC) protections
– Expanded attack surface, since later techniques can rely on SIP's guarantees no longer holding
The bypass hinged on two private SIP-related entitlements, which exempt the holding process (and, for the heritable variant, its child processes) from SIP's filesystem restrictions:
1. com.apple.rootless.install
2. com.apple.rootless.install.heritable
The vulnerability allowed an attacker with root to:
– Deliver a malicious file system bundle to /Library/Filesystems
– Override the helper binaries Disk Utility invokes from that bundle (for example, during a disk repair)
– Trigger storagekitd into launching those binaries, which then ran with its inherited SIP exemption
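Two defender-side checks follow directly from the mechanism above: find out which binaries on a host carry either SIP-install entitlement, and keep an inventory of third-party file system bundles in /Library/Filesystems. The script below is an added example, not code from the original article, Apple or Microsoft. It parses the entitlements plist that `codesign -d --entitlements - <binary>` prints on macOS (handling the 8-byte blob header older codesign versions prepend) and lists `*.fs` bundles in a directory. The embedded entitlements plist is constructed for the example and was not dumped from a real binary; the helper that runs codesign is only exercised on macOS.

```python
# Added example (not from the original article, nor Apple's or Microsoft's code).
# Checks a binary's entitlements for the two SIP-install entitlements named in
# the write-up, and inventories third-party filesystem bundles.
import os
import plistlib
import shutil
import subprocess
import sys
from typing import Iterable

# A process holding one of these is exempt from SIP's filesystem restrictions;
# the "heritable" variant passes the exemption on to child processes.
SIP_INSTALL_ENTITLEMENTS = (
    "com.apple.rootless.install",
    "com.apple.rootless.install.heritable",
)

# Constructed sample plist modelled on the heritable entitlement the write-up
# attributes to storagekitd. Not dumped from a real binary; the second key is
# a placeholder to show unrelated entitlements are ignored.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.example.unrelated-entitlement</key>
    <true/>
    <key>com.apple.rootless.install.heritable</key>
    <true/>
</dict>
</plist>
"""


def strip_entitlement_blob(data: bytes) -> bytes:
    """Drop anything before the XML starts. Older codesign versions prefix the
    plist with an 8-byte blob header (magic 0xfade7171 plus a length)."""
    start = data.find(b"<?xml")
    if start < 0:
        start = data.find(b"<plist")
    return data[start:] if start >= 0 else b""


def sip_install_entitlements(entitlements_blob: bytes) -> dict:
    """Return {entitlement: value} for the SIP-install entitlements that are set."""
    xml = strip_entitlement_blob(entitlements_blob)
    if not xml:
        return {}
    entitlements = plistlib.loads(xml)
    return {k: v for k, v in entitlements.items()
            if k in SIP_INSTALL_ENTITLEMENTS and v}


def dump_entitlements(binary: str) -> bytes:
    """Run codesign on macOS; returns b'' where codesign is unavailable or the
    binary has no entitlements."""
    if shutil.which("codesign") is None:
        return b""
    proc = subprocess.run(["codesign", "-d", "--entitlements", "-", binary],
                          capture_output=True, check=False)
    return proc.stdout


def fs_bundle_names(entries: Iterable[str]) -> list:
    """Filter a directory listing down to *.fs bundles, sorted. Apple's own
    filesystem bundles live under /System/Library/Filesystems, which SIP
    protects; anything under /Library/Filesystems is third-party and worth
    accounting for, since storagekitd launches helpers from bundles there."""
    return sorted(e for e in entries if e.endswith(".fs"))


def scan_fs_bundles(root: str = "/Library/Filesystems") -> list:
    """Inventory third-party filesystem bundles; empty list if root is absent."""
    if not os.path.isdir(root):
        return []
    return fs_bundle_names(os.listdir(root))


if __name__ == "__main__":
    print("constructed sample:", sip_install_entitlements(SAMPLE_ENTITLEMENTS))
    # Paths given on the command line are inspected with codesign (macOS only).
    for path in sys.argv[1:]:
        print(path, sip_install_entitlements(dump_entitlements(path)))
    print("third-party fs bundles:", scan_fs_bundles())
```

On a macOS host, pass the binaries you want audited as arguments; a non-empty result for anything outside Apple's signed system volume deserves a closer look, and any unexpected `.fs` bundle under /Library/Filesystems should be traced back to the package that installed it.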
This marks Microsoft’s third discovery of SIP bypasses in macOS, following CVE-2021-30892 (Shrootless) and CVE-2023-32369 (Migraine). Security experts emphasize that SIP breaches can compromise the entire operating system’s reliability and hamper security monitoring capabilities. Users are advised to implement system updates promptly to protect against such vulnerabilities.