Get Free Information Around Information Security &
The Latest News in Cybersecurity Right to Your Inbox

SentinelOne Releases Open Source Tool to Help Enterprises Protect from the Latest macOS Code-Signing Vulnerability

By Matan Mates -

What Happened?

It was published on June 12th that security firm Okta unveiled a code signing vulnerability in macOS that revolves around validation of universal/FAT binaries. An attack exploiting this vulnerability may give an attacker the ability to make an improperly or weakly signed binary look like a signed binary with a valid certificate chain whose root is an Apple root certificate. These consequences are implied by the title that was given to the research: “I can be Apple, and so can you”.

Is SentinelOne Vulnerable?

SentinelOne confirms we are not vulnerable to this evasion. We have closely examined the details of this vulnerability. We have extensively verified that trust validations performed by the agent are not affected or fooled in any manner by this vulnerability. This takeaway is applicable for all supported agent versions. 

We would also like to thank Okta for providing us in advance the details of the vulnerability and disclosing their findings responsibly.

Are other vendors vulnerable?

Yes, it’s believed that multiple other vendors are affected including other security firms such as Carbon Black (CVE-2018-10407), F-Secure (CVE-2018-10403) VirusTotal (CVE-2018-10408), Little Snitch (CVE-2018-10470), Facebook’s OSQuery forensic tool (CVE-2018-6336) and Google Santa and molcodesignchecker tools (CVE-2018-6336). For a full, comprehensive and up to date list please visit Okta’s blog post. Updates have already been released by multiple vendors before the disclosure by Okta.

How can I check if a binary uses this evasion technique?

SentinelOne has released an open-source tool called are-you-really-signed which allows you to detect if a signed binary uses this evasion technique.

You can also easily integrate this tool with existing distribution solutions in your organization such as JAMF. The tool reports consistent and well-documented return values. Please refer to the documentation for more information.

Stay safe!

What's New

eBook

90 Days: A CISO’s Journey to Impact

We have partnered with some of the most successful CISOs to create a blueprint for success

Report

SentinelOne H1 2018 Enterprise Risk Index

Our research team closely monitors all SentinelOne endpoints for insights

Live Demo

Endpoint Protection Platform Free Demo

Interested in seeing us in action? Request a free demo and we will follow up soon