High-Severity Bypass Vulnerability in macOS XNU Kernel Still Unpatched

macOS has been found to contain a high-severity security vulnerability that was recently disclosed to the public. Apparently, Apple failed to address the issue within Google Project Zero's 90-day disclosure deadline, so Jann Horn, a researcher at Project Zero, released the details to the public along with proof-of-concept code.
The vulnerability, which resides in the macOS XNU kernel, is described as a “copy-on-write behavior bypass via mount of user-owned filesystem image”.

High-Severity Bypass Vulnerability in macOS

According to the official advisory, “XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process”.

The copy-on-write behavior works not only with anonymous memory but also with file mappings. As a result, after the destination process has started reading from the transferred memory, memory pressure can cause the pages holding that memory to be evicted from the page cache.

Later, when the evicted pages are needed again, they are reloaded from the backing filesystem, the advisory says. This means that if an attacker can mutate the on-disk file without informing the virtual management subsystem, the destination process will read the modified data, which is a security bug.

In other words, the vulnerability could allow an attacker or a malicious program to bypass the copy-on-write protection and cause unexpected changes in the memory shared between processes, which can ultimately lead to memory corruption.


Furthermore, a malicious program or user can make changes to evicted pages stored on disk without informing the virtual management subsystem. This would trick the destination process into loading malicious content into memory.

That is why it is crucial that the copied memory is protected against later modification by the source process. Without such protection, the source process might be able to exploit double-reads in the destination process, the Project Zero researcher explained.
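The double-read the advisory refers to is a time-of-check-to-time-of-use problem: the destination process validates a value in the transferred memory, the memory then changes (because the source process can still write to it, or because an evicted page is reloaded from a file that was modified on disk), and the destination uses the changed value. The following C program is added here as an illustration of that bug class and its usual userland mitigation; it is not code from the advisory, from Project Zero or from Apple. The message layout, the function names, the 16-byte limit and the mutator callback that stands in for the memory changing between reads are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Message layout as the receiving (destination) process sees it in the
 * transferred buffer. Constructed for this example; it is not XNU's
 * mach message format. */
struct msg {
    uint32_t len;       /* bytes of body the sender claims are valid */
    uint8_t  body[128];
};

/* Stand-in for "the memory changed underneath the reader": the source
 * process writing after the transfer, or a page that was evicted and
 * reloaded from a modified backing file. Called between the two reads
 * so the race is deterministic instead of timing-dependent. */
typedef void (*mutator_fn)(struct msg *m);

/* Vulnerable pattern: len is read once to check it and read again to use
 * it, both times from memory the other party can still change.
 * Returns bytes copied, or -1 if the check rejected the message.
 * For this demo `out` must hold sizeof shared->body bytes so that a copy
 * past `outlen` stays observable without undefined behaviour. */
int copy_body_double_read(struct msg *shared, uint8_t *out,
                          size_t outlen, mutator_fn mutate)
{
    if (shared->len > outlen || shared->len > sizeof shared->body)
        return -1;                      /* first read: the check */
    if (mutate)
        mutate(shared);                 /* contents change between reads */
    size_t n = shared->len;             /* second read: the use */
    memcpy(out, shared->body, n);       /* n may now exceed outlen */
    return (int)n;
}

/* Hardened pattern: snapshot the whole message into memory only this
 * process owns, then check and use the private copy. Later changes to
 * the shared pages cannot influence the decision. */
int copy_body_snapshot(struct msg *shared, uint8_t *out,
                       size_t outlen, mutator_fn mutate)
{
    struct msg local;
    memcpy(&local, shared, sizeof local);   /* the one and only read */
    if (mutate)
        mutate(shared);                     /* too late to matter */
    if (local.len > outlen || local.len > sizeof local.body)
        return -1;
    memcpy(out, local.body, local.len);
    return (int)local.len;
}

/* Mutator used below: once the check has passed, claim a larger body. */
void grow_len(struct msg *m)
{
    m->len = 100;
}

/* Builds the constructed sample message: 8 valid bytes of 0xAA. */
void make_sample(struct msg *m)
{
    memset(m, 0, sizeof *m);
    m->len = 8;
    memset(m->body, 0xAA, sizeof m->body);
}

/* Runs one path on a fresh sample with a 16-byte limit; returns the
 * number of bytes that path ended up copying, or -1 if it rejected. */
int run_case(int hardened, int with_mutation)
{
    struct msg m;
    uint8_t out[sizeof m.body];
    mutator_fn mut = with_mutation ? grow_len : NULL;
    make_sample(&m);
    return hardened ? copy_body_snapshot(&m, out, 16, mut)
                    : copy_body_double_read(&m, out, 16, mut);
}

int main(void)
{
    printf("double read, memory mutated: copied %d bytes against a limit of 16\n",
           run_case(0, 1));
    printf("snapshot,    memory mutated: copied %d bytes (the checked value)\n",
           run_case(1, 1));
    return 0;
}
```

With the mutation in play, the double-read path copies 100 bytes past a 16-byte limit it had just checked, while the snapshot path copies the 8 bytes it validated. The kernel-side fix for the XNU issue (keeping the source from altering pages after the transfer) is Apple's to make; the snapshot discipline is what a receiving program can do on its own side when it treats transferred memory as untrusted.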

This bypass is not the only vulnerability discovered by Jann Horn. The researcher also unearthed a similar copy-on-write behavior bypass, tracked as CVE-2019-6208, which abuses a different macOS function.

Horn got in touch with Apple to notify the company about the discovered issues in November last year.

Apple acknowledged the findings privately. It should be noted that Apple patched CVE-2019-6208 in an update released in January. However, the first severe bypass remains unpatched, so the researcher made it public after the 90-day deadline expired.

Apple is currently working on a patch together with Google Project Zero.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
