Source: cve-assign@fb.com
An issue was discovered in osquery. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious unsigned code will execute. This issue affects osquery prior to v3.2.7
Osquery, a popular endpoint visibility tool, is vulnerable to a code-signing bypass. A malicious Universal/fat binary can be crafted to trick osquery into executing unsigned code, potentially allowing attackers to gain unauthorized access and control of affected systems. This vulnerability impacts systems running osquery versions prior to 3.2.7.
Step 1: Payload Creation: The attacker crafts a Universal/fat binary. This binary contains at least two architectures: one that is legitimately signed (e.g., by Apple) and one that contains malicious, unsigned code.
Step 2: Binary Delivery: The attacker delivers the crafted Universal/fat binary to the target system. This could be achieved through various means, such as social engineering, exploiting other vulnerabilities, or supply-chain attacks.
Step 3: Osquery Execution: The victim's system executes the crafted binary, likely through osquery's normal operation or a related process.
Step 4: Code-Signing Bypass: Osquery's code-signing verification process is triggered. Due to the vulnerability, the verification process incorrectly reports the entire binary as signed, even though the malicious code is unsigned.
Step 5: Malicious Code Execution: The unsigned malicious code within the Universal/fat binary is executed, granting the attacker control over the system.
The vulnerability stems from an incomplete inspection of Universal/fat binaries. Osquery's code-signing verification logic fails to fully validate all architectures within the binary. Attackers can embed malicious, unsigned code within a Universal/fat binary alongside a legitimate, signed architecture. The verification process, due to a flaw in its parsing or validation, may incorrectly report the entire binary as signed, allowing the unsigned code to execute. The root cause is likely a logic error in how osquery handles the different architectures within a fat binary, potentially skipping or misinterpreting the signature checks for certain architectures. This could involve a flaw in the parsing of the binary's header or an inadequate check of the signature's validity across all contained architectures. The vulnerability allows for the execution of arbitrary code, leading to a complete compromise of the affected system.
While no specific APTs are definitively linked to this CVE, the nature of the vulnerability makes it attractive to various threat actors. Any actor seeking to maintain persistence or escalate privileges on macOS systems could leverage this. The vulnerability is not listed on the CISA KEV.
Monitor for unusual processes or network connections originating from osquery or related processes.
Analyze osquery logs for suspicious activity, such as unexpected code execution or errors related to code signing.
Examine file system activity for the creation or modification of Universal/fat binaries, especially those originating from untrusted sources.
Implement file integrity monitoring to detect changes to critical osquery binaries.
Use endpoint detection and response (EDR) tools to identify and block malicious code execution attempts.
Review system logs for code-signing errors or warnings related to osquery.
Upgrade osquery to version 3.2.7 or later.
Implement a robust code-signing verification process that thoroughly validates all architectures within Universal/fat binaries.
Regularly update osquery and other software to patch known vulnerabilities.
Enforce strict access controls to prevent unauthorized modification of osquery binaries.
Implement a defense-in-depth strategy that includes multiple layers of security, such as intrusion detection systems (IDS) and endpoint protection platforms (EPP).
Use a security information and event management (SIEM) system to collect and analyze security logs for suspicious activity.