Patches for a pair of critical iOS vulnerabilities are currently in beta, and users are strongly encouraged to disable the accounts in their Mail app until the fixes are generally available.
Update 4/24/2020: The Background section has been updated to include follow-ups from Apple and ZecOps.
On April 20, researchers at ZecOps published a blog post about their discovery of multiple zero-day vulnerabilities in the iOS Mail app. According to the researchers, the vulnerabilities were discovered during a digital forensics and incident response (DFIR) investigation. The DFIR led the researchers to discover the flaws had been exploited in the wild against a variety of targets, including employees at a Fortune 500 company in North America, a Japanese carrier executive, a VIP from Germany, managed security service providers in Saudi Arabia and Israel, and a European journalist.
The vulnerabilities have reportedly existed within iOS going as far back as iOS 6, which was released in September 2012. However, the researchers say they identified these vulnerabilities being exploited in the wild as early as January 2018 against iOS 11.2.2.
Apple has followed up on ZecOps' disclosure, stating that “based on the information provided, [we] have concluded these issues do not pose an immediate risk to our users.” Apple also noted that these vulnerabilities alone “are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”
ZecOps has in turn responded to Apple’s statements saying that “there were triggers in-the-wild for this vulnerability on a few organizations” and they plan to “release more information and POCs [proofs of concept] once a patch is available.”
The researchers at ZecOps identified two specific vulnerabilities being exploited in the wild, neither of which had a CVE identifier assigned at the time of publication. We expect CVE identifiers to be available once Apple releases iOS 13.4.5 to the general public.
The first vulnerability is an out-of-bounds write flaw, while the second vulnerability is a heap overflow flaw. Both flaws originate in the implementation of the MFMutableData interface in the Multipurpose Internet Mail Extensions (MIME) framework in iOS. These vulnerabilities exist because MFMutableData does not handle errors from the ftruncate() system call: if the call fails and the error goes unchecked, the code continues as though the backing buffer had been resized, and subsequent writes can land outside the memory that was actually allocated.
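The failure mode described above, as an added example written for this page (it is illustrative C, not Apple's MFMutableData code, and does not reproduce the Mail app's exact logic). The `file_buf_t` type, the `file_buf_grow_unchecked` and `file_buf_grow_checked` functions, and the use of a negative length to force `ftruncate()` to fail are all assumptions made for the demonstration; the point is the gap between what the code believes the buffer holds and what the kernel actually allocated once the return value is ignored.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical growable buffer backed by an (unlinked) temporary file.
 * `capacity` is what the buffer code *believes* the backing file holds and
 * is the number later used to size writes into it.
 */
typedef struct {
    int fd;
    off_t capacity;
} file_buf_t;

/* Create a buffer over a fresh temporary file. Returns 0 on success. */
int file_buf_open(file_buf_t *b) {
    char path[] = "/tmp/filebuf-XXXXXX";   /* constructed sample path */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                           /* file lives only as long as fd */
    b->fd = fd;
    b->capacity = 0;
    return 0;
}

/* Size of the backing file as the kernel sees it, or -1 on error. */
off_t file_buf_real_size(const file_buf_t *b) {
    struct stat st;
    if (fstat(b->fd, &st) != 0)
        return -1;
    return st.st_size;
}

/*
 * VULNERABLE pattern: the ftruncate() return value is discarded, so
 * `capacity` is bumped even when the file was never grown. Any later write
 * that trusts `capacity` (a memcpy into a mapping sized from it, or a loop
 * bounded by it) runs past the memory that really exists.
 */
int file_buf_grow_unchecked(file_buf_t *b, off_t new_cap) {
    ftruncate(b->fd, new_cap);              /* BUG: result ignored */
    b->capacity = new_cap;
    return 0;                               /* always reports success */
}

/*
 * HARDENED pattern: fail closed. Propagate an ftruncate() error without
 * touching the bookkeeping, then confirm with fstat() that the file really
 * has the size the caller is about to trust.
 */
int file_buf_grow_checked(file_buf_t *b, off_t new_cap) {
    if (ftruncate(b->fd, new_cap) != 0)
        return -1;                          /* errno set by ftruncate() */
    if (file_buf_real_size(b) != new_cap) {
        errno = EIO;
        return -1;
    }
    b->capacity = new_cap;
    return 0;
}

/* 1 when bookkeeping and reality disagree, i.e. the state a later write would
 * turn into an out-of-bounds access; 0 when they match. */
int file_buf_diverged(const file_buf_t *b) {
    return file_buf_real_size(b) != b->capacity;
}

int main(void) {
    file_buf_t a, c;
    if (file_buf_open(&a) != 0 || file_buf_open(&c) != 0) {
        perror("mkstemp");
        return 1;
    }
    /* A negative length is one input ftruncate() is required to reject with
     * EINVAL; it stands in for whatever makes the call fail in practice. */
    file_buf_grow_unchecked(&a, 4096);
    file_buf_grow_unchecked(&a, -4096);
    printf("unchecked: believed %lld, real %lld, diverged=%d\n",
           (long long)a.capacity, (long long)file_buf_real_size(&a),
           file_buf_diverged(&a));

    file_buf_grow_checked(&c, 4096);
    int rc = file_buf_grow_checked(&c, -4096);
    printf("checked: grow returned %d (%s), believed %lld, real %lld, diverged=%d\n",
           rc, strerror(errno), (long long)c.capacity,
           (long long)file_buf_real_size(&c), file_buf_diverged(&c));
    close(a.fd);
    close(c.fd);
    return 0;
}
```

The unchecked variant never returns an error, so its caller has no way to learn that the file is still 4096 bytes while `capacity` says otherwise; the checked variant leaves `capacity` untouched on failure and makes the caller handle the error before any write is sized from it. Note that the attacker's leverage here is only the length passed in, which in a mail client comes from message content.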
Additionally, researchers believe the attackers unintentionally discovered the first vulnerability while trying to exploit the second one.
For the full set of technical analyses, please read the ZecOps blog.
An attacker could exploit these vulnerabilities by sending a specially crafted email to their victim. Most notable is that on iOS 13, the heap overflow can be triggered without user interaction (zero-click), while on iOS 12 it requires the victim to open the email in the Mail app. However, if the attacker controls the mail server the device connects to, they can achieve zero-click exploitation on iOS 12 as well. The out-of-bounds write can only be triggered remotely when chained with an additional vulnerability that allows an arbitrary selector to be called.
Successful exploitation of these vulnerabilities would only grant an attacker the capability to perform actions in the context of the Mail app, such as leaking, modifying or deleting emails. To gain full control over the device, researchers say that an attacker would need to incorporate a kernel vulnerability into the exploit chain. ZecOps suspects attackers had a kernel vulnerability in these attacks, but they’ve not yet identified one during their investigation.
Proof of concept
While a proof-of-concept (PoC) for these vulnerabilities was not publicly available on GitHub or Exploit-DB at the time of writing, the ZecOps blog provides enough detail to craft one.
Apple has released fixes for these vulnerabilities as part of iOS 13.4.5 beta 2, which was released on April 15. We anticipate Apple will release iOS 13.4.5 to general availability in the coming weeks. Until then, users seeking to patch these flaws immediately can participate in the Apple Beta Software Program. However, running beta software on production devices is not recommended, as it can lead to data loss and device instability.
As an interim solution for these vulnerabilities, users can disable their accounts connected to Apple’s iOS Mail app and switch to an alternative application, such as Microsoft Outlook for iOS and iPadOS or Google’s Gmail for iOS and iPadOS.
Identifying affected systems
Tenable products offer integration with mobile device management (MDM) solutions to identify mobile devices missing vendor updates. Once a patch is available, a list of our MDM plugins to identify vulnerable devices will appear here as they’re released.