How can we help?
“SIP is a security technology in macOS that restricts a root user from performing operations that may compromise system integrity.”
This vulnerability is “increasing attack vectors” – “a path or method” that can be misused and exploited.
This means an attacker can obtain access to a computer much more easily.
Containment, Mitigations & Remediations
SIP locks down the system from root by leveraging the Apple sandbox to protect the entire platform. Internally, it is controlled by NVRAM variables.
These variables cannot be modified in “non-recovery mode.”
So, the only legal way “to disable SIP is by booting into recovery mode and turning SIP off. Turning SIP on or off is done using the built-in csrutil tool, which can also display the SIP status”.
“This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.”
Apple announced that they resolved the problem with further restraints – part of security updates implemented on October 26, 2021.
Indicators of Compromise
“An inherited permissions issue was addressed with additional restrictions. This issue is fixed in macOS Monterey 12.0.1, Security Update 2021-007 Catalina, macOS Big Sur 11.6.1. A malicious application may be able to modify protected parts of the file system.”
T1014 – Rootkit