Darwin Nuke Vulnerability Details in OS X, iOS Disclosed

2015-04-13T10:03:42
ID THREATPOST:8C079BD660C932FC39CF6CBDCA529E33
Type threatpost
Reporter Michael Mimoso
Modified 2015-04-13T14:03:42

Description

Since Apple released a monster batch of patches for OS X and iOS last week, details on a number of the vulnerabilities that were addressed have been made public.

The latest concerns a kernel vulnerability in the Darwin operating system, an open-source OS developed and used by Apple in its desktop and mobile platforms.

The so-called Darwin Nuke bug, CVE-2015-1102, allows attackers to remotely crash Apple devices. Researchers at Kaspersky Lab who reported the flaw to Apple said numerous conditions must be in place in order to exploit the vulnerability, but cautioned that it’s not completely out of the reach of today’s hackers.

“At first glance it is not obvious how this bug could be exploited effectively. However, a true professional can easily use it to break down a user’s device or even interrupt the work of a corporate network,” wrote researchers Anton Ivanov, Andrey Khudayakov, Maxim Zhuravlev and Andrey Rubin.

According to Apple and Kaspersky Lab, both OS X 10.10 and iOS 8 improperly process IP packets of a certain size and invalid IP options. One malformed packet, the researchers said, can cause a system or device to crash.

“Usually this kind of incorrect packet would be dropped by routers or firewalls but we discovered several combinations of incorrect IP options that can pass through the Internet routers,” says the Kaspersky Lab report, which also singled out certain 64-bit processors and iOS 8 devices as affected, including iPhone 5s and later, iPad Air and later, and iPad mini 2 and later.

Under certain conditions—which the Kaspersky Lab researchers identified in their report as a 60-byte IP header, an IP payload of at least 65 bytes and errors in the IP options such as the size or class of an option—Darwin engages its panic function and the affected system shuts down in emergency mode. Apple’s documentation describes a kernel panic in OS X or iOS as an unrecoverable system error detected by the kernel.

“This happens because the internal kernel structures have been changed and the new buffer size is insufficient to store a newly-generated ICMP packet,” the researchers wrote.
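As an added illustration, and not code from the article or from the Kaspersky Lab report, the following Python validates an IPv4 header's options the way a router or firewall would before forwarding a packet, and separately flags packets that fit the profile described above (60-byte header, at least 65 payload bytes, malformed options). The two sample packets are constructed inline for the check, with the header checksum left at zero.

```python
import struct

SINGLE_BYTE_OPTIONS = {0, 1}  # End of Option List and No Operation carry no length byte

def parse_ipv4_options(packet: bytes) -> list:
    """Return a list of problems in the IPv4 header/options; empty means well-formed."""
    if len(packet) < 20:
        return ["truncated: fewer than 20 bytes"]
    ver_ihl, _tos, total_len = struct.unpack("!BBH", packet[:4])
    if ver_ihl >> 4 != 4:
        return ["not IPv4"]
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, 20..60
    if ihl < 20 or ihl > len(packet) or total_len < ihl:
        return ["bad header length ihl=%d total_len=%d" % (ihl, total_len)]
    problems, opts, i = [], packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List terminates parsing
            break
        if kind in SINGLE_BYTE_OPTIONS:
            i += 1
            continue
        # every other option carries a length byte covering kind + length + data
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            problems.append("option %d has missing or illegal length" % kind)
            break
        length = opts[i + 1]
        if i + length > len(opts):  # option claims more bytes than the header holds
            problems.append("option %d length %d overruns header" % (kind, length))
            break
        i += length
    return problems

def matches_darwin_nuke_profile(packet: bytes) -> bool:
    """Flag the shape the article describes: 60-byte header, >=65 payload bytes, bad options."""
    if len(packet) < 20:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return ihl == 60 and total_len - ihl >= 65 and bool(parse_ipv4_options(packet))

def build_sample(ihl_words: int, options: bytes, payload: bytes) -> bytes:
    """Constructed sample packet for testing (checksum left zero); not captured traffic."""
    total_len = ihl_words * 4 + len(payload)
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total_len, 0, 0, 64, 1, 0,
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + options + payload

GOOD_PACKET = build_sample(5, b"", b"A" * 65)  # 20-byte header, no options
BAD_PACKET = build_sample(15, bytes([7, 50]) + bytes(38), b"A" * 65)  # option overruns 40-byte area
```

A filter that drops any packet for which `parse_ipv4_options` returns problems never has to reason about the specific profile, which is why the researchers expected routers to stop most malformed variants.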

Apple last Wednesday patched the vulnerability in the release of OS X Yosemite 10.10.3 and iOS 8.3. In all, Apple patched 80 vulnerabilities in Yosemite, including remote code execution bugs in a dozen different OS X components. Apple’s iOS patches addressed three dozen code execution and privilege escalation vulnerabilities.

Almost immediately, details on several of the vulnerabilities began to be disclosed, including one from Yahoo on a remote code execution flaw in the nVidia graphics driver that ships natively in OS X, and another from Sandstorm.io describing a separate kernel vulnerability in OS X that could allow an attacker to crash the OS via a number of apps, including Google Chrome and Node.js.