ClearanceKit Endpoint Security System Extension Policy Bypass Vulnerability

Vulnerability

A vulnerability exists in the ClearanceKit opfilter Endpoint Security system extension on macOS, specifically in versions prior to 4.2. This vulnerability allows local processes to bypass file access policies enforced by the application. The issue arises because the extension only intercepted 'AUTH_OPEN' events, leaving seven other file operation event types unmonitored. As a result, processes could manipulate protected files without triggering any denials, effectively circumventing the intended access controls.

Impact

Exploitation of this vulnerability allows local processes to exfiltrate data protected by active File Access Authorization (FAA) rules, such as Safari cookies and credentials, Signal message databases, and Discord local states. It also enables the destruction of protected files through unlinking or truncating, and the enumeration of protected directories, which leaks metadata even though file contents remain blocked. Both managed and user-defined rules are affected, and the global allowlist and process ancestry checks are not applied to the exploited event types.

Reproduction

The vulnerability can be reproduced by creating a local process that interacts with the file system in a way that exploits the unmonitored event types. This can be done by hard-linking or copying protected files to an unprotected location, then accessing them, which bypasses the FAA policies. Alternatively, the vulnerability can be demonstrated by unlinking or truncating protected files, or by enumerating protected directories using the 'readdir' operation, all of which can be done without triggering any denials due to the lack of interception for these event types.

Remediation

Users should upgrade to ClearanceKit version 4.2 or later, which includes the necessary patches. After upgrading, the opfilter system extension should be reactivated via the ClearanceKit Setup Update option.
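The root cause is incomplete event subscription, so one regression check for authors of Endpoint Security extensions is to scan the extension source for the AUTH event constants it references and flag file operations with no AUTH coverage. The following is an added example, not ClearanceKit code: the operation-to-event mapping and the sample sources are assumptions constructed for illustration, and the advisory does not list the seven missing event types.

```python
import re

# Endpoint Security AUTH events for the file operations the advisory names.
# This mapping is an assumption made for the example; the advisory does not
# list the seven event types that were missing.
REQUIRED = {
    "open": {"ES_EVENT_TYPE_AUTH_OPEN"},
    "hard-link": {"ES_EVENT_TYPE_AUTH_LINK"},
    "copy": {"ES_EVENT_TYPE_AUTH_CLONE", "ES_EVENT_TYPE_AUTH_COPYFILE"},
    "unlink": {"ES_EVENT_TYPE_AUTH_UNLINK"},
    "truncate": {"ES_EVENT_TYPE_AUTH_TRUNCATE"},
    "readdir": {"ES_EVENT_TYPE_AUTH_READDIR"},
}

EVENT_RE = re.compile(r"\bES_EVENT_TYPE_(AUTH|NOTIFY)_[A-Z0-9_]+\b")
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def subscribed_events(source):
    """Return ES event constants referenced in source, ignoring comments."""
    code = COMMENT_RE.sub("", source)
    return {m.group(0) for m in EVENT_RE.finditer(code)}

def coverage_gaps(source):
    """Map each operation to the AUTH events it needs but the source lacks.

    A NOTIFY subscription does not count: it observes but cannot deny.
    Limitation: any reference in the file counts, not only es_subscribe args.
    """
    have = subscribed_events(source)
    return {op: sorted(need - have) for op, need in REQUIRED.items() if need - have}

# Constructed sample sources (hypothetical, not taken from ClearanceKit).
OPEN_ONLY = """
es_event_type_t events[] = {
    ES_EVENT_TYPE_AUTH_OPEN,
    // ES_EVENT_TYPE_AUTH_UNLINK,   (commented out: must not count)
    ES_EVENT_TYPE_NOTIFY_UNLINK,
};
es_subscribe(client, events, sizeof(events) / sizeof(events[0]));
"""
ALL_EVENTS = sorted(set().union(*REQUIRED.values()))
FULL = "es_event_type_t events[] = {" + ", ".join(ALL_EVENTS) + "};"

if __name__ == "__main__":
    for name, src in (("open-only", OPEN_ONLY), ("full", FULL)):
        print(name, coverage_gaps(src) or "no gaps")
```
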

Added: Mar 26, 2026, 8:42 PM
Updated: Mar 26, 2026, 8:42 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 4.3
remediation: 0.0
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.