Secure Kernel Extension Loading SKEL Bypass

A new security feature added in MacOS High Sierra (10.13) named "Secure Kernel Extension Loading" (SKEL) can be bypassed to allow the loading of malicious kernel extensions.

Threat ID:: CC-1640
Category:: Exploit
Threat Severity:: Low
Threat Vector:
Published:: 14 September 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A new security feature added in MacOS High Sierra (10.13) named "Secure Kernel Extension Loading" (SKEL) can be bypassed to allow the loading of malicious kernel extensions.

Affected platforms

The following platforms are known to be affected:

macOS High Sierra

Apple's MacOS - High Sierra (10.13)

Threat details

Documented in Apple’s Technical Note TN2459, Secure Kernel Extension Loading, is “a new feature that requires user approval before loading new third-party kernel extensions.”

A single implementation flaw in SKEL may allow it to be fully bypassed.

Exploiting the implementation vulnerability in SKEL allows the loading of a new unapproved KEXT (Kernal Extention File), fully programmatically, without any user interaction.

Full technical details of the exploit have yet to be published.

Remediation steps

Type	Step
	Monitor for updates from Apple, and apply patches as necessary.

Last edited: 17 February 2020 11:38 am