Seems Macs with Apple M1’s are not Immune to vulnerabilities after all

by

New PACMAN hardware attack targets Macs with Apple M1 CPUs

A new hardware attack targeting Pointer Authentication in Apple M1 CPUs with speculative execution enables attackers to gain arbitrary code execution on Mac systems.

Pointer Authentication is a security feature that adds a cryptographic signature, known as pointer authentication code (PAC), to pointers that allow the operating system to detect and block unexpected changes that would otherwise lead to data leaks or system compromise.

Discovered by researchers at MIT’s Computer Science & Artificial Intelligence Laboratory (CSAIL), this new class of attack would allow threat actors with physical access to Macs with Apple M1 CPUs to access the underlying filesystem.

To do that, the attackers first need to find a memory bug affecting software on the targeted Mac that would be blocked by PAC and that can be escalated into a more severe security issue after bypassing PAC defenses.

“PACMAN takes an existing software bug (memory read/ write) and turns it into a more serious exploitation primitive (a pointer authentication bypass), which may lead to arbitrary code execution. In order to do this, we need to learn what the PAC value is for a particular victim pointer,” the researchers explained.

“PACMAN does this by creating what we call a PAC Oracle, which is the ability to tell if a given PAC matches a specified pointer. The PAC Oracle must never crash if an incorrect guess is supplied. We then brute force all possible PAC values using the PAC Oracle.”

While Apple can’t patch the hardware to block attacks using this exploitation technique, the good news is that end-users don’t need to be worried as long as they keep their software up to date and free of bugs that could be exploited to gain code execution using PACMAN.

“PACMAN is an exploitation technique- on its own it cannot compromise your system. While the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be,” the researchers added.

While this attack would typically lead to a kernel panic, crashing the entire system, PACMAN ensures that no system crashes occur and leaves no traces in logs.

Read Full Article Here: New PACMAN hardware attack targets Macs with Apple M1 CPUs

Source: BleepingComputers