Apple Addresses “Shrootless” Vulnerability

The Microsoft 365 Defender Research Team recently reported a new macOS vulnerability to Apple. The vulnerability was assigned CVE-2021-30892 and is also known as “Shrootless.” It could allow root-level access because the system_installd daemon held an entitlement that exempts it from System Integrity Protection (SIP). An attacker who gets around the SIP protections could install a rootkit, modify system files, and place malware on the device. A proof of concept (POC) that overrode the kernel extension exclusion list was used to demonstrate that the flaw is exploitable. Microsoft principal security researcher Jonathan Bar Or stated, “We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process.” Apple addressed the flaw with a security update released on October 26th.

Analyst Notes

Apple has addressed the issue in macOS Monterey 12.0.1, macOS Big Sur 11.6.1, and Security Update 2021-007 for macOS Catalina. Any devices running these operating systems should be updated immediately to remediate this vulnerability.
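The fixed versions listed above can be turned into a remediation check. The script below is an added example (not Microsoft's or Apple's code) that decides whether a reported macOS version carries the CVE-2021-30892 fix; it assumes Catalina stays at 10.15.7 after Security Update 2021-007, so for that release it looks for the update name in the output of `softwareupdate --history` instead of comparing version numbers, and it uses constructed sample values when not run on a Mac.

```shell
#!/bin/sh
# Added example: has this macOS version received the Shrootless (CVE-2021-30892) fix?
# Fixed releases from the analyst note: Monterey 12.0.1, Big Sur 11.6.1,
# Catalina + Security Update 2021-007 (Catalina keeps product version 10.15.7).

# ver_ge HAVE NEED : return 0 when dotted version HAVE >= NEED (numeric, up to 3 parts,
# missing parts count as 0, so "11.6" compares as 11.6.0)
ver_ge() {
  have=$1; need=$2
  for i in 1 2 3; do
    h=$(printf '%s' "$have" | cut -s -d. -f"$i"); n=$(printf '%s' "$need" | cut -s -d. -f"$i")
    h=${h:-0}; n=${n:-0}
    [ "$h" -gt "$n" ] && return 0
    [ "$h" -lt "$n" ] && return 1
  done
  return 0
}

# shrootless_patched VERSION UPDATES : return 0 when the fix is present; UPDATES is the
# installed-updates listing (only consulted for Catalina)
shrootless_patched() {
  ver=$1; updates=$2
  major=${ver%%.*}
  case "$ver" in
    10.15.*) printf '%s\n' "$updates" | grep -q 'Security Update 2021-007' ;;
    11.*)    ver_ge "$ver" 11.6.1 ;;
    12.*)    ver_ge "$ver" 12.0.1 ;;
    *)       [ "$major" -gt 12 ] ;;   # later releases ship fixed; older releases got no fix
  esac
}

# On a real Mac read the live values; elsewhere fall back to constructed sample input.
check_this_host() {
  if command -v sw_vers >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)
    updates=$(softwareupdate --history 2>/dev/null)
  else
    ver="10.15.7"                                   # constructed sample version
    updates="Security Update 2021-007   2021-10-26" # constructed sample history line
  fi
  if shrootless_patched "$ver" "$updates"; then
    echo "macOS $ver: CVE-2021-30892 fix present"
  else
    echo "macOS $ver: CVE-2021-30892 fix MISSING - update now"; return 1
  fi
}
check_this_host
```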

Apple fixes security feature bypass in macOS (CVE-2021-30892)