A security vulnerability, dubbed ‘Shrootless’, currently exists in several MacBook and Mac PCs running Apple macOS. The loophole can potentially allow an attacker to hijack the installation of packages that runs with Root access and perform malicious actions with Admin-level access.
Microsoft 365 Defender Research Team recently discovered and reported Shrootless, a concerning security flaw inside macOS. It allows attackers to bypass System Integrity Protection (SIP). With Root access, attackers can perform arbitrary operations, and install rootkits on vulnerable devices.
Apple macOS has SIP, which the new security flaw can potentially bypass:
Apple Inc. is aware of a concerning security flaw within macOS. Tracked as CVE-2021-30892, and dubbed Shrootless, the security loophole can allow attackers to bypass System Integrity Protection (SIP).
SIP is a macOS security technology that blocks potentially malicious software. The security layer prevents unauthorized or unsigned software from modifying protected folders and files.
Microsoft found a vulnerability (CVE-2021-30892) that could allow an attacker to bypass System Integrity Protection (SIP) in macOS. We shared our findings with Apple via coordinated vulnerability disclosure, and a fix was released October 26. Get details: https://t.co/FDZc5pOQX1
— Microsoft Security Intelligence (@MsftSecIntel) October 28, 2021
SIP essentially limits what even the Root User Account can do. This automatically restricts the actions that software can perform on protected areas. Simply put, even if malicious software finds its way onto a PC running macOS, it won’t be able to do much damage.
SIP only allows processes signed by Apple, or those with special privileges, to access and modify protected parts of macOS. Examples of such software include Apple software updates and Apple installers. The Shrootless security loophole can potentially bypass this SIP layer.
Microsoft 365 Defender Research Team alerted Apple Inc. about ‘Shrootless’
Security experts had recently discovered a security loophole inside Windows OS, where the Razer add-on software and many similar installers could hand out SYSTEM privileges.
The Shrootless loophole essentially works in a similar manner. The system_installd daemon had the com.apple.rootless.install.inheritable entitlement. Because that entitlement is inherited, a secondary or child process spawned by system_installd could fully bypass SIP, explained Jonathan Bar Or, a principal security researcher at Microsoft:
“After bypassing SIP’s restrictions, the attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others.”
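The passages above describe two things a defender would want to check on a Mac: whether SIP is actually enabled, and whether a privileged binary carries the com.apple.rootless.install.inheritable entitlement that Shrootless abused. The following audit helper is an added example written for this article; it is not code from Microsoft, Apple or the original post. It parses the output of the real macOS commands `csrutil status` and `codesign -d --entitlements :- <path>` (the exact output lines shown are constructed samples, and the inclusion of the non-inheritable com.apple.rootless.install key in the watch list is an assumption for this example).

```python
import plistlib
import re
from typing import List, Optional

# Entitlements that let a process (and, for the .inheritable variant, every child
# process it spawns) modify SIP-protected locations. The inheritable key is the one
# named in the Shrootless report; the plain key is included as an assumption.
SIP_INSTALL_ENTITLEMENTS = {
    "com.apple.rootless.install",
    "com.apple.rootless.install.inheritable",
}

# Constructed sample of `csrutil status` output on a healthy machine.
SAMPLE_CSRUTIL_ENABLED = "System Integrity Protection status: enabled.\n"

# Constructed sample of `codesign -d --entitlements :- /path/to/daemon` output
# for a binary carrying the inheritable install entitlement.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.inheritable</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <false/>
</dict>
</plist>
"""

# Constructed sample for an ordinary binary with no SIP-related entitlements.
SAMPLE_BENIGN_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""


def sip_enabled(csrutil_output: str) -> Optional[bool]:
    """Return True/False for the SIP state, or None if the output is unrecognised."""
    match = re.search(r"System Integrity Protection status:\s*(enabled|disabled)",
                      csrutil_output, re.IGNORECASE)
    if match is None:
        return None
    return match.group(1).lower() == "enabled"


def flag_sip_entitlements(entitlements_blob: bytes) -> List[str]:
    """Return the SIP-install entitlements that are set to true in a codesign dump.

    Handles the empty output codesign gives for unsigned/unentitled binaries and
    strips any binary header that precedes the XML when ':' is omitted from ':-'.
    """
    start = entitlements_blob.find(b"<?xml")
    if start < 0:
        start = entitlements_blob.find(b"<plist")
    if start < 0:
        return []  # no entitlements plist present
    entitlements = plistlib.loads(entitlements_blob[start:])
    if not isinstance(entitlements, dict):
        return []
    return sorted(
        key for key, value in entitlements.items()
        if key in SIP_INSTALL_ENTITLEMENTS and value is True
    )


def audit(csrutil_output: str, entitlements_blob: bytes) -> dict:
    """Combine both checks into one finding a reviewer can act on."""
    flagged = flag_sip_entitlements(entitlements_blob)
    return {
        "sip_enabled": sip_enabled(csrutil_output),
        "sip_install_entitlements": flagged,
        # A child of an entitled process inherits the bypass only via the .inheritable key.
        "children_inherit_bypass": "com.apple.rootless.install.inheritable" in flagged,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CSRUTIL_ENABLED, SAMPLE_ENTITLEMENTS))
```

On a real Mac the two inputs come from running `csrutil status` and `codesign -d --entitlements :- <binary>` and feeding their output to `audit`; a result with `children_inherit_bypass` set to True on a daemon that launches untrusted child processes is exactly the condition the patched macOS release tightened.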
Microsoft: Shrootless bug lets hackers install macOS rootkits – @serghei https://t.co/RMEv0S0mXr
— BleepingComputer (@BleepinComputer) October 28, 2021
Apple Inc. has issued a security advisory and released security updates to address the flaw. “A malicious application may be able to modify protected parts of the file system,” noted Apple Inc. Interestingly, macOS now has additional restrictions that go beyond addressing the inherited permissions issue.
Needless to say, PCs running macOS, which includes the MacBook, MacBook Pro, and MacBook Air, must regularly check for updates and apply them.