A high-severity security vulnerability in macOS was recently disclosed to the public. Apple did not ship a fix within Google Project Zero's 90-day disclosure deadline, so Jann Horn, the Project Zero researcher who found it, published the details together with proof-of-concept code.
The vulnerability resides in the macOS XNU kernel and is described as a “copy-on-write behavior bypass via mount of user-owned filesystem image”.
High-Severity Bypass Vulnerability in macOS
According to the official advisory, “XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process”.
Crucially, this copy-on-write behaviour applies not only to anonymous memory but also to file mappings. Once the destination process has started reading the transferred memory, memory pressure can cause the pages that hold it to be evicted from the page cache.
When the evicted pages are needed again, they are reloaded from the backing filesystem. If an attacker can modify the on-disk file without the virtual memory subsystem being informed, the reloaded pages no longer match what was originally transferred, which the advisory describes as a security bug. That is exactly the situation the advisory's title refers to: macOS lets ordinary users mount filesystem images, and a mounted image that the user owns and modifies directly gives the source process a way to alter file-backed pages behind the kernel's back.
In other words, a malicious program can defeat the copy-on-write protection on memory shared between processes: the destination process reads one value while validating the data and a different, attacker-chosen value when it later uses it. Such double-reads are a classic path to memory corruption, which is why, as the Project Zero researcher explained, it is crucial that the copied memory is protected against later modification by the source process.
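The double-read pattern the advisory warns about, shown as an added example in portable C; this is not code from the Project Zero report or from XNU. The race is simulated with a callback (grow_len) that stands in for the sender altering file-backed pages between the receiver's two reads, and the message layout, buffer sizes and function names are constructed for illustration. The output buffer is backed by an oversized arena so the overrun in the vulnerable receiver shows up as a byte count rather than a crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Backing store for the receiver's output buffer. It is deliberately larger
 * than OUT_CAP so that an overrun in the vulnerable receiver is observable
 * (as a byte count) instead of crashing the demo. */
#define ARENA_SIZE 256
/* The capacity the receiver believes it is copying into. */
#define OUT_CAP 16

/* Constructed message layout: a length chosen by the sender, then payload. */
struct msg {
    uint32_t len;
    uint8_t  payload[ARENA_SIZE];
};

/* Hook standing in for the sender changing the shared pages after the
 * receiver has already looked at them (in the real bug: file-backed CoW
 * pages evicted and reloaded from a sender-controlled disk image). */
typedef void (*race_fn)(volatile struct msg *shared);

/* Vulnerable receiver: validates shared->len, then re-reads shared->len
 * when copying. Returns the number of bytes actually copied. */
size_t recv_double_read(volatile struct msg *shared, race_fn race,
                        uint8_t *out, size_t out_cap)
{
    if (shared->len > out_cap)      /* read #1: the bounds check */
        return 0;
    if (race)
        race(shared);               /* the window the attacker races */
    size_t n = shared->len;         /* read #2: may no longer be <= out_cap */
    for (size_t i = 0; i < n; i++)  /* copies past out_cap if n grew */
        out[i] = shared->payload[i];
    return n;
}

/* Hardened receiver: copies the length into private memory exactly once
 * and derives every later decision from that private copy. */
size_t recv_single_read(volatile struct msg *shared, race_fn race,
                        uint8_t *out, size_t out_cap)
{
    uint32_t len = shared->len;     /* the only read of the shared length */
    if (len > out_cap)
        return 0;
    if (race)
        race(shared);               /* same window, but len cannot change */
    for (size_t i = 0; i < len; i++)
        out[i] = shared->payload[i];
    return len;
}

/* Attacker action (constructed): after validation, claim a larger payload. */
static void grow_len(volatile struct msg *shared)
{
    shared->len = 64;               /* still inside ARENA_SIZE for the demo */
}

/* Runs one receiver against the attacker and returns how many bytes it
 * copied into a buffer that is supposed to hold OUT_CAP bytes. */
size_t bytes_copied(int hardened)
{
    static struct msg shared;
    static uint8_t arena[ARENA_SIZE];

    shared.len = 8;                 /* passes the OUT_CAP check */
    memset(shared.payload, 0x41, sizeof shared.payload);

    return hardened
        ? recv_single_read(&shared, grow_len, arena, OUT_CAP)
        : recv_double_read(&shared, grow_len, arena, OUT_CAP);
}

int main(void)
{
    printf("double-read receiver copied %zu bytes into a %d-byte buffer\n",
           bytes_copied(0), OUT_CAP);
    printf("single-read receiver copied %zu bytes into a %d-byte buffer\n",
           bytes_copied(1), OUT_CAP);
    return 0;
}
```

The hardened receiver is not a fix for the kernel bug itself; a userland process has no way to tell whether the pages behind an out-of-line descriptor are still stable, which is why the guarantee has to come from the virtual memory subsystem. It does show the habit that limits the damage when that guarantee fails: read each attacker-controlled field once, validate the private copy, and never consult the shared memory for that value again.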
This is not the only copy-on-write bypass Horn found in XNU. A similar one, tracked as CVE-2019-6208, reaches the same outcome through a different kernel code path (partial-page truncation of a file rather than a mounted image).
Horn reported both issues to Apple in November 2018.
Apple acknowledged the findings privately and fixed CVE-2019-6208 in an update released in January 2019. The mount-based bypass, however, remained unpatched, so the researcher published it once the 90-day deadline expired.
Apple is currently working on a patch together with Google Project Zero.