New Year. New Exploits.
While we were all celebrating the 2018 New Year, an extremely well-researched macOS zero-day vulnerability was published, starting the clock for both black hats looking to weaponize the exploit and Apple racing to ship a formal security patch for its users.
Although the write-up appeared on New Year's Eve, seemingly in haste, the vulnerability itself was researched with what had to be weeks of diligent investigative work. The detail in the publisher's report not only gives black hats and Apple's security engineers a very complete picture of the exploitation, but will surely provide a foundation for discovering additional vulnerabilities. The bug lives in the kernel, so a successful exploit gives direct access to kernel space. It is a local privilege escalation: the exploit has to be run by a user who is already logged in to the machine (an SSH session is enough, and no admin or root privileges are needed). This means that any local user can effectively bypass the permission model, escalate to root, and own the machine.
How To Protect Yourself
There is very little we can do until an official patch becomes available. In the meantime, we advise that end users immediately hard power off their computer if an unexpected logoff occurs. On High Sierra this exploit requires the end user's session to be terminated before it can run, so users should treat an unrequested logoff as a warning sign.
Addigy also highly recommends that macOS Gatekeeper is enabled, which provides a level of protection against unsigned downloaded software being installed or run. Note that Gatekeeper only assesses downloaded (quarantined) applications; it does not stop an already logged-in user from running a binary they built locally, so it narrows the attack surface rather than closing it. We also highly recommend keeping the standard security enforcement of locking down SSH (Remote Login) and Remote Desktop access to the users and hosts that actually need them.
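A quick way to verify the two controls recommended above on a fleet is a small audit script. The one below is an added example written for this post, not Addigy tooling or code from the vulnerability write-up. It assumes macOS's `spctl --status` prints "assessments enabled" or "assessments disabled", that `systemsetup -getremotelogin` (run as root) prints "Remote Login: On" or "Remote Login: Off", and that an active Remote Management session shows up as an `ARDAgent` process; the constructed outputs used for the dry run are labelled as such.

```shell
#!/bin/sh
# Added example, not code from the Addigy post or the vulnerability write-up.
# Audits the controls recommended above on a macOS host: Gatekeeper enabled,
# Remote Login (SSH) off, Remote Management agent not running.
# Assumptions: `spctl --status` prints "assessments enabled|disabled",
# `systemsetup -getremotelogin` prints "Remote Login: On|Off" (needs root),
# and Remote Management runs as a process named ARDAgent.

# Returns 0 when Gatekeeper assessments are enabled, judged from spctl output.
gatekeeper_enabled() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when Remote Login (sshd) is off, judged from systemsetup output.
remote_login_off() {
    case "$1" in
        *"Remote Login: Off"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Evaluates captured command output so the logic can be exercised offline.
# Prints one line per finding and returns the number of findings, so a
# return of 0 means both controls are in the recommended state.
audit_from_outputs() {
    gk_out=$1
    rl_out=$2
    findings=0
    if ! gatekeeper_enabled "$gk_out"; then
        echo "FINDING: Gatekeeper disabled (fix: sudo spctl --master-enable)"
        findings=$((findings + 1))
    fi
    if ! remote_login_off "$rl_out"; then
        echo "FINDING: Remote Login (SSH) on (fix: sudo systemsetup -setremotelogin off, or limit Remote Login to specific users under System Preferences > Sharing)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Live audit for a real Mac; gathers the outputs and adds the ARDAgent check.
run_audit() {
    gk=$(spctl --status 2>&1)
    rl=$(systemsetup -getremotelogin 2>&1)
    audit_from_outputs "$gk" "$rl"
    rc=$?
    if pgrep -x ARDAgent >/dev/null 2>&1; then
        echo "FINDING: Remote Management (ARDAgent) running (fix: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop)"
        rc=$((rc + 1))
    fi
    return "$rc"
}

# Constructed sample outputs (not captured from a real host) for a dry run.
SAMPLE_GK_BAD="assessments disabled"
SAMPLE_RL_BAD="Remote Login: On"

# Only touch the live system when asked to and when the macOS tools exist.
if [ "${1:-}" = "--run" ] && command -v spctl >/dev/null 2>&1; then
    run_audit
fi
```

Run it as `sudo sh audit.sh --run` on a Mac; a non-zero exit status is the number of findings, which makes it easy to drop into a fleet-wide check. Without `--run` it only defines the functions, so the parsing logic can be tested anywhere with the constructed samples.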
So Now What?
While we certainly did not intend (or expect) to start the year off like this, we wanted to be sure our partner community was aware of this newly published vulnerability. Addigy will continue to monitor this exploit diligently and will provide updates as information becomes available from Apple or the community. In the meantime, we encourage you to take the preventative measures available to protect your macOS users. If we can be of any assistance, or if you have additional information on this issue, please contact us through one of our many available channels.
Keep I.T. Real,
The Addigy Team (λ)