15 votes

Proof of Concept: Bypassing Firewalls on Big Sur via NEXT exceptions

@patrick wardle:
In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.) 🧐Q: Could this be (ab)used by malware to also bypass such firewalls? 🤔A: Apparently yes, and trivially so 😬😱😭 pic.twitter.com/CCNcnGPFIB

4 comments

  1. tindall

    I want to point out something slightly buried in this thread: in addition to this being totally obvious as a possibility, Apple was actually warned this would be a security risk. This is no longer about trusting Apple, which you might, or your upstream ISP, which you shouldn't, but also many application authors and other parties. This ain't good.

    5 votes
  2. onyxleopard

    I’m having trouble understanding this tweet. Wardle had to resort to communicating via screenshots because Twitter is a terrible platform for communicating technical information. Rather than writing a blog post we have to parse some screen shots and a video that depict what looks to me like a POC that bypasses Little Snitch and LuLu on Big Sur. Little Snitch and Lulu are a couple of 3rd party software firewalls for macOS, the latter of which Wardle develops himself.

    Is Wardle a credible authority on macOS security? Unquestionably.

    Is Wardle an effective communicator? In this instance at least, communicating his message to a general audience (including myself), no. Screenshots and videos attached to Twitter posts are a terrible modality for communication (and I wish Tildes, as a community, would avoid posting such links). I really don’t like to attack the messenger instead of the message, but I absolutely loathe this modality for communication.

    Do I have the domain knowledge to understand the full ramifications of Wardle’s POC? No.

    I went looking for a cogent analysis of Wardle’s work on the web (hoping to find something, you know, written in prose, indexed by a search engine, like on Wardle’s blog because Wardle himself did not offer one). This was the best I could find. I still am left not fully understanding what the situation is. (I wish someone would have linked this piece instead of the OP, at least.)

    In the wider context of this whole backlash against Apple’s Big Sur roll-out there have been myriad accusations thrown around. People have decried Gatekeeper and app notarization, for one, security technologies that Apple added to macOS back in 2012 in Mountain Lion, 8 years before Big Sur. And more recently there has been the issue of outbound OCSP checks that were reported about macOS Catalina (Big Sur’s predecessor) back in May 2020, which blew up when Apple’s OCSP responder service fell down right around the time of Big Sur’s general availability release. I can’t help but see the backlash as the same old Apple critics looking for any and every little chink in the armor to stir controversy. Should Apple be open to critical scrutiny? I think so. Should the attitude of Apple critics be adjusted? I think so, too.

    I am grateful for @deimos who has posted several cogent, levelheaded, pieces such as (note that these are primarily textual, not relying on screenshots or videos as their primary modality):

    Apple, in an unprecedented move, as far as I’m aware—I’ve been following Apple for a while, but I may have missed something—has made a direct response to all of this. The end of that response is super important!

    These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
    In addition, over the next year we will introduce several changes to our security checks:
    A new encrypted protocol for Developer ID certificate revocation checks
    Strong protections against server failure
    A new preference for users to opt out of these security protections

    So, for those who were critical of Apple for logging IPs with OCSP checks, Apple was (but is no longer) doing that. That was really dumb of them to begin with, but at least they’ve stopped. And it’s nice to see Apple is committing to encrypting these checks in the future.

    But, Wardle’s latest revelation is not about any of that stuff above (despite the narrative from alarmists confusing every potential security or privacy concern related to Apple products). No, this issue is about Apple changing the API that 3rd party VPNs or firewalls can interact with in macOS’s networking stack. Again, I’m not an expert on this, but from what I can tell, it seems that the deprecation of Network Kernel Extensions in favor of new NEFilterDataProviders and NEAppProxyProviders mean that they can no longer block Apple’s apps that are bundled with the system (such as Maps and the Mac App Store). How does Wardle’s POC work? What would have to fail in Apple’s security models for Wardle’s POC to be problematic in the real world? None of that is clear to me. If it’s clear to someone else, please comment.

    At the end of all this, I’m left not fully understanding the situation (which, to be fair, is a complex situation). While I do think Wardle is an expert, he is not an impartial source on this matter because he authors an app that is directly affected by Apple’s changes; he has skin in the game with Lulu. That doesn’t necessarily taint Wardle on this topic. But, what I’d really love is for a macOS security expert to weigh in on this and unpack Wardle’s findings. If anyone has such a resource, I’d love to read it, and I hope you elevate the discourse on Tildes around this whole topic by posting a link to it here.

    5 votes
    1. onyxleopard

      Upon further review, I’m now thinking maybe I am grokking what Wardle is putting down. If someone else can refute me, please chime in.

      What I think Wardle is trying to communicate is that if you relied on a 3rd party firewall, such as Little Snitch or Lulu, in Big Sur, you no longer can do so to protect against other 3rd party software (including malware), nor block Apple’s core apps. If you trusted Little Snitch, a proprietary software, to protect you from other proprietary software (that you installed and ran), on Apple’s proprietary platform, then this may be upsetting to you. For someone like myself, who didn’t have this reliance, nothing has changed for me. I already had to deal with AdGuard’s hiccups over the summer as they adapted to Apple’s new Big Sur APIs during the beta.

      4 votes
  3. seizethegoddamngap

    I don't have anything else to add to this except you've gotta be fucking kidding me.

    4 votes