Privilege escalation flaws discovered in the IntelHD5000 kernel extension of Apple OSX 10.13

• The bugs are tracked as CVE-2018-4456 and CVE-2018-4421 and exist in the kernel extension.
• The flaws could allow attackers to gain escalated privileges on targeted devices.

Researchers from Cisco Talos have discovered critical vulnerabilities in the IntelHD5000 kernel extension of Apple OSX 10.13. The flaws could allow attackers to gain escalated privileges on targeted devices.

The bugs are tracked as CVE-2018-4456 and CVE-2018-4421 and exist in the kernel extension when dealing with the graphics resources inside of macOS High Sierra.

Commenting on the specification of the flaws, Tyler Bohan of Cisco Talso said, “A library inserted into the VLC media application can cause an out-of-bounds access inside of the KEXT leading to a use after free and invalid memory access in the context of the kernel. This can be used for privilege escalation.”

The two vulnerabilities are slightly different from each other - depending on the values that can be replaced and the values they can be replaced with.

“The issue itself arises in the IntelAccelerator user client type 6, IGAccelSharedUserClient. The kernel extension is responsible for resource delegation in regards to graphics processing. The data stored and returned here gets passed through into the GPU for rendering and processing. There are multiple methods for allocating and deleting resources as well as creating shared memory with userspace,” said Bohan.

Exploitation of vulnerabilities would require for a library to be inserted into the VLC media application. This would cause an out-of-bounds access inside of the KEXT (Kernel Extension).

“Apple kernel extension shows that it uses a restricted subset language and a unique way of communication between userspace and the kernel known as IOKit,” Bohan added.

Apart from these two vulnerabilities, the researchers also claim to have discovered a third issue but no CVE number has been assigned yet.

The issues in question are found affecting Apple OSX 10.13.4 running on MacBookPro11.4. Given the potential risks associated with the vulnerabilities, Bohan advises the users to patch their systems with a security update that was released in early December 2018.