Apple Pushes MacOS Feature That Sanctions Applications to Bypass Firewall Security

Apple has removed a controversial feature from macOS that allowed its own applications to bypass VPNs, content filters, and third-party firewalls. The feature was implemented as a list named ContentFilterExclusionList containing about 50 Apple applications, including Maps, FaceTime, HomeKit, iCloud, Music, the App Store, and Apple's software update services.

Network Extension Framework

These services are routed through the Network Extension Framework, which is responsible for managing the firewall protections.

This all started in October with the release of macOS Big Sur, which raised concerns among security researchers, who warned that the feature could be modified and misused by attackers.

An attacker could exfiltrate crucial data by tunnelling it through a trusted application, thereby bypassing the security firewalls. After many reports and bug filings from developers, it became clear that security was being compromised.

After the news became public, Apple began filtering all network traffic, including that of its own applications. The update follows Apple's 2019 support note on Network Kernel Extensions, which was issued to resolve the issue.

In that update, Apple explains system extensions and which type of network filter should be used; the details are covered in the following section.

Apple Network Kernel Extension Update


System extensions, introduced in macOS Catalina (10.15), permit software to run as network extensions and as endpoint security solutions, extending the capabilities of macOS without kernel-level access.

In the update, Apple lists the supported extension types and states that they improve security and reliability and enable user-friendly distribution methods. Apple also says that if software uses deprecated KPIs, developers need to find out which components are available as stand-alone system extensions.

Apple also shares the list of deprecated KPIs for macOS 10.15 and 10.15.4.

KAUTH

Apple recommends using EndpointSecurity instead of the following deprecated KPIs:

  • kauth_unlisten_scope
  • kauth_listen_scope

Network Filter

Developers should use NetworkExtension as an alternative to the following KPIs:

  • ipf_inject_input
  • ipf_addv4
  • ipf_addv6
  • ipf_inject_output
  • ipf_remove
  • sflt_attach
  • sflt_detach
  • sflt_register
  • sflt_unregister
  • sock_accept
  • sock_bind
  • sock_close
  • sock_connect
  • sock_getpeername
  • sock_getsockname
  • sock_getsockopt
  • sock_gettype
  • sock_inject_data_in
  • sock_inject_data_out
  • sock_ioctl
  • sock_isconnected
  • sock_isnonblocking
  • sock_listen
  • sock_receive
  • sock_receivembuf
  • sock_send
  • sock_sendmbuf
  • sock_setpriv
  • sock_setsockopt
  • sock_shutdown
  • sock_socket
  • sockopt_copyin
  • sockopt_copyout
  • sockopt_direction
  • sockopt_level
  • sockopt_name
  • sockopt_valsize

IOHID and IOUSB Family

IOUSBFamily KPIs are deprecated and their headers are removed from the SDK after macOS EI is released. All clients therefore have to move to IOUSBHostFamily or use USBDriverKit in its place. All IOHIDFamily KPIs are likewise deprecated, so developers should use HIDDriverKit.

USB Networking, USB Serial, and USB Vendor Specific IPC

Developers have to use USBDriverKit or NetworkingDriverKit instead of the IONetworkingFamily KPIs, and USBSerialDriverKit or SerialDriverKit in place of IOSerialFamily, because these KPIs are deprecated.

At the End

Security researchers also pointed out that Apple's applications were excluded from NEFilterDataProvider, the network content filter API that lets installed applications such as LuLu and Little Snitch monitor and manage traffic alongside VPNs and firewalls. One researcher also demonstrated how a malicious application could easily evade the firewall and send data to an attacker-controlled server, using basic Python code that routed its traffic through an Apple-exempted application.
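A defender's first question on a Big Sur host is whether the exclusion list is still present. The following added audit script (not from the article or from Apple) reads the ContentFilterExclusionList key from the NetworkExtension framework's Info.plist; the file path and the sample bundle identifiers are assumptions made for this example, and the embedded plist is a constructed stand-in so the check runs offline.

```python
import os
import plistlib
from typing import List

# Assumed location of the framework plist on macOS Big Sur (assumption for this example).
NE_INFO_PLIST = ("/System/Library/Frameworks/NetworkExtension.framework"
                 "/Versions/A/Resources/Info.plist")
EXCLUSION_KEY = "ContentFilterExclusionList"

# Constructed sample plist; the bundle identifiers are illustrative, not Apple's real list.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.apple.NetworkExtension</string>
  <key>ContentFilterExclusionList</key>
  <array>
    <string>com.apple.example.maps</string>
    <string>com.apple.example.facetime</string>
  </array>
</dict>
</plist>
"""


def exclusion_list(plist_bytes: bytes) -> List[str]:
    """Return the bundle identifiers exempted from NEFilterDataProvider content filters."""
    info = plistlib.loads(plist_bytes)
    return [e for e in info.get(EXCLUSION_KEY, []) if isinstance(e, str)]


def audit(plist_bytes: bytes) -> dict:
    """Summarise whether third-party filters and firewalls can see all traffic."""
    excluded = exclusion_list(plist_bytes)
    return {
        "exclusion_list_present": bool(excluded),
        "excluded_count": len(excluded),
        "excluded": sorted(excluded),
        # An empty list means Apple's own apps are no longer exempt from content filters.
        "filters_see_all_traffic": not excluded,
    }


def audit_host(path: str = NE_INFO_PLIST) -> dict:
    """Audit the live framework plist when it exists, otherwise the constructed sample."""
    if os.path.exists(path):
        with open(path, "rb") as fh:
            return audit(fh.read())
    return audit(SAMPLE_PLIST)


if __name__ == "__main__":
    print(audit_host())
```

On a patched system the key is absent or empty, so `filters_see_all_traffic` is `True`; any non-empty list means the exemption is still in place.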
