Apple Bug Allows Code Execution on iPhone, iPad, iPod

2020-09-17T20:23:17
ID THREATPOST:C77266C8580E5BF9E670C329E08A3B29
Type threatpost
Reporter Tom Spring
Modified 2020-09-17T20:23:17

Description

Apple has updated its iOS and iPadOS operating systems, which addressed a wide range of flaws in its iPhone, iPad and iPod devices. The most severe of these could allow an adversary to exploit a privilege-escalation vulnerability against any of the devices and ultimately gain arbitrary code-execution.

The bugs were made public Wednesday as part of Apple’s release its iOS 14 and iPadOS 14 security changelogs. In total, Apple addressed 11 bugs in products and components, including AppleAVD, Apple Keyboard, WebKit and Siri. A list of CVEs can be found below.

Apple does not rate its security bugs, but a cursory review of CVE descriptions indicate a wide range of concerning vulnerabilities that were patched. The Siri bug for instance allows a person with physical access to an iPhone to view notification contents from the lockscreen. Another bug was tied to maliciously crafted 3D Pixar files, called Universal Scene Description (USD), which could allow an adversary to execute arbitrary code on specific-model iOS devices.

High-Severity Privilege-Escalation Bug: CVE-2020-9992

According to researchers at IBM’s X-Force, one of the most significant bugs patched by Apple is a privilege-escalation vulnerability impacting Apple iOS and iPadOS (up to 13.7). Tracked as CVE-2020-9992, the vulnerability could be exploited if a target were tricked into opening a specially crafted file.

“An attacker could exploit this vulnerability to execute arbitrary code on a paired device during a debug session over the network,” according a security bulletin outlining the vulnerability.

Apple traced the bug to an unidentified integrated drive electronics (IDE) component, which are the interfaces used to pass data from a device’s motherboard (or circuit board) to the device’s storage component.

“This issue was addressed by encrypting communications over the network to devices running iOS 14, iPadOS 14, tvOS 14 and watchOS 7,” Apple wrote in its security update page, published Wednesday.

Researchers Dany Lisiansky and Nikias Bassen are credited for discovering the bug. In its security bulletin, Apple also thanked Brandon Azad of Google Project Zero for his assistance. Both Apple and the researchers declined to reveal additional details tied to the bug at this time.

An X-Force vulnerability report rated the bug as high-severity and revealed more specifics tied to CVE-2020-9992. Researchers there suggested that the flaw is tied to Apple’s developer toolset called Xcode. Apple describes Xcode as “a complete developer toolset for creating apps for Mac, iPhone, iPad, Apple Watch and Apple TV.”

“Apple Xcode could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an error in the IDE Device Support component. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on a paired device during a debug session over the network.” researchers at X-Force wrote.

They said the bug affects Apple Xcode 11.7. That component, researchers said, is in Apple’s macOS Mojave 10.15.4, 10.15.5 and 10.15.6 (Mojave was introduced September 2018 and was announced Worldwide Developers Conference in June of the same year). Interestingly, X-Force said the attack is not complicated and that an attacker with “low” privileges could easily exploit the bug.

Apple’s Wednesday release of Xcode 12.0 mitigates the vulnerability, according to the company.

Other Patches

Additional information on Apple security fixes released Thursday include:

AppleAVD/CVE-2020-9958

Affecting: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. Impact: An application may be able to cause unexpected system termination or write kernel memory. Description: An out-of-bounds write issue was addressed with improved bounds checking.

Cedit: Mohamed Ghannam (@_simo36)

Assets/CVE-2020-9979

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. Impact: An attacker may be able to misuse a trusted relationship to download malicious content. Description: A trust issue was addressed by removing a legacy API.

Credit: CodeColorist of Ant-Financial LightYear Labs

Icons/CVE-2020-9773

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. Impact: A malicious application may be able to identify what other applications a user has installed. Description: The issue was addressed with improved handling of icon caches.

Credit: Chilik Tamir of Zimperium zLabs

IOSurfaceAccelerator/CVE-2020-9964

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. Impact: A local user may be able to read kernel memory. Description: A memory-initialization issue was addressed with improved memory handling.

Credit: Mohamed Ghannam (@_simo36), Tommy Muir (@Muirey03)

Keyboard/CVE-2020-9976

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. Impact: A malicious application may be able to leak sensitive user information. Description: A logic issue was addressed with improved state management.

Credit: Rias A. Sherzad of JAIDE GmbH in Hamburg, Germany

Model I/O/CVE-2020-9973

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution. Description: An out-of-bounds read was addressed with improved bounds checking.

Credit: Aleksandar Nikolic of Cisco Talos

Phone/CVE-2020-9946

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. Impact: The screen lock may not engage after the specified time period. Description: This issue was addressed with improved checks.

Credit: Daniel Larsson of iolight AB

Sandbox/CVE-2020-9968

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. Impact: A malicious application may be able to access restricted files. Description: A logic issue was addressed with improved restrictions.

Credit: Adam Chester(@xpn) of TrustedSec

Siri/CVE-2020-9959

Available for: iPhone 6S and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. Impact: A person with physical access to an iOS device may be able to view notification contents from the lockscreen. Description: A lockscreen issue allowed access to messages on a locked device. This issue was addressed with improved state management.

Credit: Five anonymous researchers, Andrew Goldberg at The University of Texas at Austin, McCombs School of Business, Meli̇h Kerem Güneş of Li̇v College, Sinan Gulguler

WebKit/CVE-2020-9952

Available for: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later. Impact: Processing maliciously crafted web content may lead to a cross-site scripting attack. Description: An input-validation issue was addressed with improved input validation.

Credit: Ryan Pickren (ryanpickren.com)