ClearanceKit Endpoint Security System Extension Suspension Vulnerability on macOS

Vulnerability

A vulnerability exists in ClearanceKit versions prior to 5.0.6, specifically within the 'opfilter' Endpoint Security system extension. This extension can be suspended or terminated by any process with root privileges, effectively disabling ClearanceKit's file-access policy enforcement. During the suspension, all AUTH Endpoint Security events are allowed by default, creating a window where unauthorized file-access operations can occur. This vulnerability could be exploited to bypass ClearanceKit's protections, allowing access to files that would normally be restricted or enabling the execution of blocked binaries.

Impact

Exploitation of this vulnerability allows a root process to suspend the 'opfilter' system extension, causing ClearanceKit to temporarily ignore file-access policies. This could lead to unauthorized file access or execution of restricted binaries. Additionally, this vulnerability could be used in conjunction with other local privilege escalation techniques that require a brief period without policy enforcement.

Remediation

Users can update to ClearanceKit version 5.0.6 or later, where this vulnerability has been fixed. Instructions for updating can be found in the ClearanceKit repository on GitHub.
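
The following is an added example, not code from ClearanceKit or from this advisory: a spot check that reports whether the 'opfilter' process is running, stopped or absent, and whether the installed version predates 5.0.6. It assumes the extension's executable path contains the string "opfilter" and that the operator supplies the installed version; the function names and the sample ps lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: spot check for the condition described in this advisory.
# Assumption: the extension's executable path contains the string "opfilter".
FIXED_VERSION="5.0.6"   # first fixed release, from the advisory

# version_lt A B: succeeds when dotted version A is lower than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# opfilter_state: reads `ps -axo pid=,stat=,comm=` output on stdin and prints
# running, suspended (STAT begins with T, i.e. stopped) or missing.
opfilter_state() {
    awk '
        index($0, "opfilter") == 0 { next }
        { seen = 1; if ($2 ~ /^T/) stopped = 1 }
        END {
            if (!seen) print "missing"
            else if (stopped) print "suspended"
            else print "running"
        }'
}

# assess VERSION: reads ps output on stdin; VERSION is the installed
# ClearanceKit version, supplied by the operator.
assess() {
    state=$(opfilter_state)
    if version_lt "$1" "$FIXED_VERSION"; then build="vulnerable"; else build="fixed"; fi
    echo "extension=$state build=$build"
}

# Constructed ps output (not captured from a real host).
SAMPLE_RUNNING='  312 Ss   /Library/SystemExtensions/EXAMPLE/MacOS/example.opfilter
  401 S    /usr/sbin/cfprefsd'
SAMPLE_SUSPENDED='  312 Ts   /Library/SystemExtensions/EXAMPLE/MacOS/example.opfilter
  401 S    /usr/sbin/cfprefsd'

# Live use on a Mac: ps -axo pid=,stat=,comm= | assess 5.0.5
```

A poll like this only sees the process state at the moment ps runs, so a brief suspension between polls goes unnoticed; updating to 5.0.6 or later remains the fix.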

Added: Apr 21, 2026, 7:47 PM
Updated: Apr 21, 2026, 7:47 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 4.2
exploitability: 2.8
remediation: 0.0
relevance: 6.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.