The new macOS Big Sur changed a lot of things and introduced new mechanisms. One of the biggest changes was deprecating kernel extensions, which, among other things, provided a comprehensive way to filter network traffic. Firewall developers used to build their products on top of Network Kernel Extensions. On Big Sur, firewalls have to be built with the Network Extension framework instead. Unfortunately, as it turned out, Apple created an allowlist of its own apps that legitimately bypass any filter you set up with your firewall. That list can be found in the:

I have to say that I usually support Apple’s security enhancements. I like the ideas behind TCC, Notarization, and even the deprecation of kernel extensions. However, limiting the traffic that can be filtered is something that I absolutely don’t appreciate.

Patrick Wardle’s bypass

As Patrick showed in the tweet below, this allowlisting mechanism can be abused: a malicious application can bypass any rule you apply in your firewall. That’s sad.

My bypass

I also took a look at the ContentFilterExclusionList and discovered yet another bypass. See the demo below.

I have already reported this issue to Apple. I always encourage people to follow the responsible disclosure process whenever possible. I will release the details once Apple fixes the problem. I hope that after all the ContentFilterExclusionList bypasses, Apple will decide to remove the allowlist and let us filter any traffic we want.

Worth reading: