Advisory Overview
Apple has deprecated support for Network Kernel Extensions (NKEs), the services that supported local firewalls on previous Mac systems. This change has allowed macOS Big Sur and roughly 50 applications in Apple’s app suite to bypass security controls such as firewalls and VPNs and route their traffic straight to the internet, unmonitored.
Technical detail and additional information
What is the threat?
With the release of Apple’s new macOS ‘Big Sur’, concerns have been raised about vulnerabilities involving about 50 Apple apps in its suite. Specifically, these apps are allowed to bypass the firewalls and VPNs that are built in to the framework, leaving the applications open to exploitation. This exploit is feasible because the Big Sur OS does not offer a mechanism to filter or monitor network traffic at an application level, and data can be exfiltrated easily since there is nothing to block unwanted traffic.
Why is this noteworthy?
Apple has built the latest version of macOS and various applications to bypass any built-in firewall or VPN service, as well as third-party services that relied on Apple’s support of NKEs. These vulnerabilities are present in roughly 50 Apple-developed applications as well as the OS: traffic from these apps is not monitored by any network traffic monitoring service or VPN and is instead routed straight to the internet.
What is the exposure or risk?
These vulnerabilities can be exploited to exfiltrate sensitive or personal data stored within an affected application or device, giving threat actors an opportunity to very easily circumvent any firewalls or other security features that are in place. An attacker who exploits this vulnerability would have an easy way to drop malicious files on a device or exfiltrate data without any restriction.
What are the recommendations?
The current recommended mitigations for these vulnerabilities are:
- Delay upgrading to macOS Big Sur until new versions are released with stricter security controls.
- Ensure that the environment utilizes a strong defense in depth model of security. This does not fix the vulnerabilities; however, it lowers the risk of malicious actors or traffic gaining access to the device in the first place.
- Utilize security services that do not rely on Apple’s NKEs. Instead, utilize a service that is built around the macOS Packet Filter service or configure the Packet Filter service yourself.
- Note: Third-party VPN vendors that utilize the Packet Filter service to secure connections do not secure the device 100% out of the box. Connections that are established before the VPN tunnel is built will continue outside of the tunnel. We recommend using a VPN service that offers a feature preventing connections from being established or continuing outside of the tunnel.
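For teams that configure the Packet Filter service themselves, the following is an added example of a fail-closed ("kill switch") ruleset; it is not taken from Apple or from any VPN vendor. The interface names, the VPN server address and port, and the file path are assumptions and placeholders that must be replaced with the values from your environment.

```conf
# /etc/pf.killswitch.conf  (hypothetical path; added example, not vendor code)
#
# Assumed values, replace with your own:
vpn_if     = "utun2"          # tunnel interface created by the VPN client (assumed)
phys_if    = "en0"            # physical Wi-Fi/Ethernet interface (assumed)
vpn_server = "203.0.113.10"   # VPN gateway, documentation-range placeholder
vpn_port   = "1194"           # VPN transport port (assumed, UDP)

# Options: silently drop blocked packets, do not filter loopback.
set block-policy drop
set skip on lo0

# Default deny in both directions. With no address family given,
# this covers IPv4 and IPv6.
block all

# The only traffic allowed on the physical interface:
#   1. the encrypted tunnel itself, to the VPN gateway only
#   2. DHCP, so the interface can obtain and renew a lease
pass out quick on $phys_if proto udp from any to $vpn_server port $vpn_port keep state
pass out quick on $phys_if proto udp from any port 68 to any port 67 keep state

# Everything else must travel inside the tunnel.
pass quick on $vpn_if all

# Loading and verifying (run as root):
#   pfctl -nf /etc/pf.killswitch.conf   # syntax check only, loads nothing
#   pfctl -f  /etc/pf.killswitch.conf   # load the ruleset
#   pfctl -e                            # enable pf if it is not already enabled
#   pfctl -F states                     # flush existing state entries so flows
#                                       # opened under the previous ruleset are
#                                       # re-evaluated against these rules
#   pfctl -s rules                      # confirm the active rules
```

Loading this file with `pfctl -f` replaces the active main ruleset, so merge it with any existing rules rather than loading it blindly. DNS is not allowed on the physical interface here, so name resolution only works once the tunnel is up; the VPN gateway is therefore given by IP address.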
References:
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2020/11/apple-lets-some-of-its-big-sur-macos.html
- https://threatpost.com/some-apple-apps-on-macos-big-sur-bypass-content-filters-vpns/161295/
- https://arstechnica.com/gadgets/2020/11/apple-lets-some-big-sur-network-traffic-bypass-firewalls/
- https://protonvpn.com/blog/big-sur-exclusion-list/
If you have any questions, please contact our Security Operations Center.