Apple Fixes Bug Allowing Bypass of SIP Root Restrictions

Microsoft researchers have disclosed a vulnerability, tracked as CVE-2023-32369 and nicknamed Migraine, that lets an attacker who already has root privileges bypass System Integrity Protection (SIP), the macOS security layer introduced in OS X El Capitan. The bug is not a remote or privilege-escalation flaw on its own: root is a precondition, and what the attacker gains is the ability to do what root is normally forbidden to do.

Overview

System Integrity Protection, also known as rootless, was introduced by Apple in OS X El Capitan (2015). SIP is a kernel-enforced barrier that prevents even the root user from performing operations that could compromise the integrity of macOS, such as writing to /System, /usr, /bin, /sbin and other protected locations, or loading unsigned kernel extensions. Only Apple-signed processes that also hold specific SIP-related entitlements may modify those protected components; a plain root shell may not.

Migraine is a logic flaw in that entitlement model. The macOS migration process (the daemon behind Migration Assistant) is Apple-signed and carries an entitlement that lets it bypass SIP's filesystem checks, and that entitlement is inherited by its child processes. An attacker with root who can hijack the migration process therefore ends up with code running in a context where SIP does not apply. Once there, they can write into protected parts of the file system and install persistent, "undeletable" malware, which in turn gives them durable access to sensitive data on the compromised device.

Implications of Bypassing SIP

Bypassing SIP removes the last line of defence that macOS keeps between a root-level attacker and the system itself. Root alone cannot alter protected locations, so malware that lands there as root is normally confined to user-writable paths and can be cleaned up; with SIP bypassed, the attacker can place persistence in protected directories that no ordinary tool on the running system can remove, and can do so with far less chance of detection. The practical outcome is durable, unauthorized access to personal data, financial information, and corporate secrets stored on the machine.

The exploit targets the logic issue in SIP described above: by manipulating the migration process, an app can modify protected components of the file system without tripping SIP's checks. The flaw was responsibly reported to Apple by Jonathan Bar Or, Anurag Bohra, and Michael Pearse of Microsoft.

Because the technique is scriptable, an attacker can chain it into a fully automated post-exploitation step: gain root, trigger the bypass, and then execute arbitrary code on the macOS system free of SIP's filesystem restrictions. That unrestricted access is what lets them compromise the system's integrity and take control of sensitive data.

Apple’s Response and Security Updates

Upon receiving the report, Apple addressed the Migraine vulnerability in the security updates published on May 18, 2023, for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7. Systems on those builds or later are no longer exposed to this bypass; older majors (Catalina and earlier) did not receive a fix.

It is important to note that SIP cannot be turned off on a running system. The only supported way to disable it is to boot into the recovery OS and run csrutil there, which in practice requires physical access to the machine. Migraine does not change that: it never disables SIP, it sidesteps it, so `csrutil status` on an affected, compromised host will still report SIP as enabled. Defenders should therefore treat SIP status as necessary but not sufficient, and check the patch level as well.
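The following audit script is an added example and is not code from Microsoft, Apple, or the original article. It turns the two checks above into something a practitioner can run on a fleet: it parses `csrutil status`, compares `sw_vers -productVersion` against the fixed versions listed in the update section, and uses `ls -lO` to show which paths actually carry the SIP `restricted` flag that the overview describes. The command names are real macOS tools; the parsing helpers, the `FIXED_VERSIONS` table and the sample outputs are this example's own.

```python
"""Audit a macOS host for SIP state and CVE-2023-32369 ("Migraine") patch level.

Added example, not Microsoft's or Apple's code. It wraps three real macOS
commands (csrutil status, sw_vers -productVersion, ls -lO) and parses their
output. The FIXED_VERSIONS table is this script's own encoding of the
versions named in Apple's May 2023 updates.
"""
import re
import subprocess
import sys

# Minimum version of each macOS major that carries Apple's fix.
FIXED_VERSIONS = {13: (13, 4), 12: (12, 6, 6), 11: (11, 7, 7)}


def parse_version(s):
    """'12.6.6' -> (12, 6, 6); tolerant of trailing text."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"not a version string: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(product_version):
    """True if this macOS version includes the CVE-2023-32369 fix.

    Majors newer than 13 shipped after the fix; majors older than 11 were
    not updated by Apple and are reported as unpatched.
    """
    v = parse_version(product_version)
    major = v[0]
    if major > 13:
        return True
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        return False
    # Pad to equal length so (13, 4) compares correctly against (13, 4, 1).
    n = max(len(v), len(fixed))
    return (v + (0,) * (n - len(v))) >= (fixed + (0,) * (n - len(fixed)))


def sip_enabled(csrutil_output):
    """Parse `csrutil status`.

    Returns True/False, or None when csrutil reports a custom configuration
    (some protections switched off in Recovery) or unrecognised output; a
    None result deserves a manual look, not a pass.
    """
    m = re.search(
        r"System Integrity Protection status:\s*(enabled|disabled|unknown)",
        csrutil_output,
    )
    if not m or m.group(1) == "unknown":
        return None
    return m.group(1) == "enabled"


def restricted_entries(ls_output):
    """Return the paths in `ls -lO` output that carry the SIP 'restricted' flag."""
    found = []
    for line in ls_output.splitlines():
        parts = line.split()
        # ls -lO columns: mode links owner group flags size month day time name
        if len(parts) < 10 or parts[0] == "total":
            continue
        flags = parts[4].split(",")
        if "restricted" not in flags:
            continue
        # Symlinks print as "name -> target"; keep the link name only.
        name = parts[parts.index("->") - 1] if "->" in parts else parts[-1]
        found.append(name)
    return found


def run(cmd):
    """Run a command and return its stdout as text (raises on failure)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def audit():
    """Run the checks on a live macOS host and return the findings."""
    version = run(["sw_vers", "-productVersion"]).strip()
    status = run(["csrutil", "status"])
    listing = run(["ls", "-ldO", "/System", "/usr/bin", "/bin", "/sbin"])
    return {
        "version": version,
        "patched_for_cve_2023_32369": is_patched(version),
        "sip_enabled": sip_enabled(status),
        "restricted_paths": restricted_entries(listing),
    }


if __name__ == "__main__":
    if sys.platform != "darwin":
        sys.exit("This audit only runs on macOS.")
    for key, value in audit().items():
        print(f"{key}: {value}")
```

A host that reports `sip_enabled: True` but `patched_for_cve_2023_32369: False` is exactly the Migraine case: SIP looks healthy, yet a root-level attacker could still write to the `restricted_paths` listed. Treat `sip_enabled: None` as a finding too, since it means someone has already altered the SIP configuration from Recovery.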

Microsoft published a video proof of concept showing the flaw being exploited:

https://www.microsoft.com/en-us/videoplayer/embed/RW14MaR
