1

Get in touch with us

Address

2733 Lancaster Rd, Suite 220
Ottawa, Ontario,
K1B 0A9

Office hours

Workdays at
9:00am – 6:00pm
Call us
+1 866 657 7620
+1 613 526 4945

Let’s get connected

Get in Touch

News

Multiple Zero-Day Vulnerabilities in iOS Mail App Exploited in the Wild

Patches for a pair of critical iOS vulnerabilities are currently in beta, as users are strongly encouraged to disable accounts in their Mail app until the fixes are generally available.

Update 4/24/2020: The Background section has been updated to include follow-ups from Apple and ZecOps.

Background

On April 20, researchers at ZecOps published a blog post about their discovery of multiple zero-day vulnerabilities in the iOS Mail app. According to the researchers, the vulnerabilities were discovered during a digital forensics and incident response (DFIR) investigation. The DFIR led the researchers to discover the flaws had been exploited in the wild against a variety of targets, including employees at a Fortune 500 company in North America, a Japanese carrier executive, a VIP from Germany, managed security service providers in Saudi Arabia and Israel, and a European journalist.

The vulnerabilities have reportedly existed within iOS going as far back as iOS 6, which was released in September 2012. However, the researchers say they identified these vulnerabilities being exploited in the wild as early as January 2018 against iOS 11.2.2.

Apple has followed up ZecOps disclosures stating “based on the information provided, [we] have concluded these issues do not pose an immediate risk to our users.” Apple also noted that these vulnerabilities alone “are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”

ZecOps has in turn responded to Apple’s statements saying that “there were triggers in-the-wild for this vulnerability on a few organizations” and they plan to “release more information and POCs [proofs of concept] once a patch is available.”

Analysis

The researchers at ZecOps identified two specific vulnerabilities being exploited in the wild, both of which did not have a CVE identifier assigned to them at the time of publication. We expect the CVE identifiers to be available once Apple releases iOS 13.4.5 to the general public.

The first vulnerability is an out-of-bounds write flaw, while the second vulnerability is a heap overflow flaw. Both flaws originate from the implementation of the MFMutableData interface in the Multipurpose Internet Mail Extensions (MIME) framework in iOS. These vulnerabilities exist because MFMutableData does not handle errors from the ftruncate()system call.

Additionally, researchers believe the attackers unintentionally discovered the first vulnerability while trying to exploit the second one.

For the full set of technical analyses, please read the ZecOps blog.

An attacker could exploit these vulnerabilities by sending a specially crafted email to their victim. Most notable about these vulnerabilities is that on iOS 13, the heap overflow vulnerability can be triggered without interaction (zero-click), while on iOS 12, the vulnerability requires the victim to click the email. However, if the attacker has control of the mail server the user is connected to, they could achieve zero-click exploitation on iOS 12 devices. The out-of-bounds write requires the implementation of an additional vulnerability that allows the calling of an arbitrary selector in order to trigger remotely.

Successful exploitation of these vulnerabilities would only grant an attacker the capability to perform actions in the context of the Mail app, such as leaking, modifying or deleting emails. To gain full control over the device, researchers say that an attacker would need to incorporate a kernel vulnerability into the exploit chain. ZecOps suspects attackers had a kernel vulnerability in these attacks, but they’ve not yet identified one during their investigation.

Proof of concept

While a proof-of-concept (PoC) for this vulnerability was not publicly available on GitHub or Exploit-DB, the ZecOps blog provides enough information that can be used to craft a PoC.

Solution

Apple has released fixes for these vulnerabilities as part of iOS 13.4.5 beta 2, which was released on April 15. We anticipate Apple will release iOS 13.4.5 into general availability in the coming weeks. Until then, users seeking to patch these flaws immediately can participate in the Apple Beta Software Program. However, for production devices, utilizing beta software is not recommended, as it can lead to the loss of data integrity and create device instability.

As an interim solution for these vulnerabilities, users can disable their accounts connected to Apple’s iOS Mail app and switch to an alternative application, such as Microsoft Outlook for iOS and iPadOS or Google’s Gmail for iOS and iPadOS.

Identifying affected systems

Tenable products offer integration with mobile device management (MDM) solutions to identify mobile devices missing vendor updates. Once a patch is available, a list of our MDM plugins to identify vulnerable devices will appear here as they’re released.

Source: Tenable