A severe security vulnerability, tracked as CVE-2024-27822, has been disclosed in macOS; it could allow an attacker to gain unauthorized root access. The flaw has raised serious concern in the security community, particularly since a Proof-of-Concept (PoC) exploit was published. Security researcher Mykola Grymalyuk discovered the issue, which affects Apple's Installer.app and PackageKit.framework. Successful exploitation could have severe consequences, including data theft, system manipulation, and the installation of malicious software.
The root cause of CVE-2024-27822 is described as a flaw in the macOS kernel that fails to properly validate certain user input. Specifically, installation scripts embedded in PKG (package) files execute as root but within the invoking user's environment; scripts with a #!/bin/zsh shebang therefore load that user's .zshenv on startup. An attacker who injects a malicious payload into the .zshenv file can thus have arbitrary commands executed with root privileges. Because the affected components ship with every macOS installation, the vulnerability poses a broad threat to macOS users, making it urgent to address and patch.
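The mechanism above (root installer scripts interpreted by zsh picking up the user's .zshenv) can be audited from the defender's side. The following script is an added example, not code from the original article or from Apple: it walks the Scripts directories of an expanded package and flags any installer script whose shebang is zsh and that does not disable startup files with `-f`/`--no-rcs`, since those are the scripts that would source ~/.zshenv when run as root. The `make_sample_pkg` helper and its three scripts are constructed here so the check runs offline; on a real Mac you would expand the package with `pkgutil --expand` first and point `audit_pkg_scripts` at the result.

```shell
#!/bin/sh
# Added example (not from the original article): audit the installation scripts
# of an expanded macOS .pkg for zsh shebangs. Installer scripts run as root under
# /bin/zsh read the invoking user's ~/.zshenv, which is the behaviour described
# for CVE-2024-27822; this check lists the scripts that would do so.
#
# On a real Mac, expand the package first (not run here):
#   pkgutil --expand /path/to/package.pkg "$HOME/expanded_pkg"
#   audit_pkg_scripts "$HOME/expanded_pkg"

# audit_pkg_scripts DIR
# Prints one line per file under any Scripts/ directory whose first line is a
# zsh shebang without -f/--no-rcs (zsh started with --no-rcs skips ~/.zshenv).
audit_pkg_scripts() {
    find "$1" -path '*/Scripts/*' -type f 2>/dev/null | sort |
    while IFS= read -r script; do
        shebang=$(head -n 1 "$script")
        case "$shebang" in
            '#!/bin/zsh'*|'#!/usr/bin/env zsh'*)
                case "$shebang" in
                    *' -f'*|*' --no-rcs'*) ;;          # startup files disabled: ~/.zshenv not read
                    *) printf 'sources ~/.zshenv as root: %s\n' "$script" ;;
                esac ;;
        esac
    done
}

# count_zsh_scripts DIR: number of scripts flagged by audit_pkg_scripts.
count_zsh_scripts() {
    audit_pkg_scripts "$1" | wc -l | tr -d ' \t'
}

# make_sample_pkg: build a constructed package layout (hypothetical app.pkg)
# with one script in each category, and print the temporary directory path.
make_sample_pkg() {
    root=$(mktemp -d 2>/dev/null || mktemp -d -t pkgaudit)
    mkdir -p "$root/app.pkg/Scripts"
    # Flagged: plain zsh shebang, would read the invoking user's ~/.zshenv as root.
    printf '#!/bin/zsh\necho "postinstall step"\n' > "$root/app.pkg/Scripts/postinstall"
    # Not flagged: /bin/sh does not read ~/.zshenv.
    printf '#!/bin/sh\necho "preinstall step"\n' > "$root/app.pkg/Scripts/preinstall"
    # Not flagged: zsh with startup files disabled.
    printf '#!/bin/zsh -f\necho "helper step"\n' > "$root/app.pkg/Scripts/helper"
    printf '%s\n' "$root"
}

SAMPLE=$(make_sample_pkg)
audit_pkg_scripts "$SAMPLE"      # expected: only .../app.pkg/Scripts/postinstall is listed
rm -rf "$SAMPLE"
```

The check is deliberately conservative: it only inspects the shebang line, so a script that starts as `#!/bin/sh` and later calls `zsh` explicitly is not caught. Treat a hit as a reason to inspect the script (and to confirm the host is on a patched macOS build) rather than as proof of compromise.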
Given the severity of the vulnerability, prompt action is essential. Security experts recommend updating to a macOS release that resolves the issue: macOS 14.5 Beta 2 and newer, macOS 13.6.7 and newer, or macOS 12.7.5 and newer. In addition, users should restrict user privileges, monitor systems for unusual activity, and regularly back up important data. Apple has acknowledged the vulnerability and is actively working on a patch. Users are urged to remain vigilant, stay informed about updates, and apply the patch as soon as it becomes available to reduce the risk of exploitation.