Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CVE-2020-9818, CVE-2020-9819: Multiple Zero-Day Vulnerabilities in iOS Mail App Exploited in the Wild

Patches for a pair of critical iOS vulnerabilities that were reportedly exploited in the wild are now generally available. Users are strongly encouraged to upgrade to the latest version of iOS and iPadOS.

Update 5/26/2020: The Title, Analysis and Solution sections have been updated to reflect the availability of CVE identifiers for both vulnerabilities as well as the versions of iOS/iPad OS that address these flaws.

Background

On April 20, researchers at ZecOps published a blog post about their discovery of multiple zero-day vulnerabilities in the iOS Mail app. According to the researchers, the vulnerabilities were discovered during a digital forensics and incident response (DFIR) investigation. The DFIR led the researchers to discover the flaws had been exploited in the wild against a variety of targets, including employees at a Fortune 500 company in North America, a Japanese carrier executive, a VIP from Germany, managed security service providers in Saudi Arabia and Israel, and a European journalist.

The vulnerabilities have reportedly existed within iOS going as far back as iOS 6, which was released in September 2012. However, the researchers say they identified these vulnerabilities being exploited in the wild as early as January 2018 against iOS 11.2.2.

Apple has followed up ZecOps disclosures stating "based on the information provided, [we] have concluded these issues do not pose an immediate risk to our users." Apple also noted that these vulnerabilities alone "are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers."

ZecOps has in turn responded to Apple's statements saying that "there were triggers in-the-wild for this vulnerability on a few organizations" and they plan to "release more information and POCs [proofs of concept] once a patch is available."

Analysis

The researchers at ZecOps identified two specific vulnerabilities being exploited in the wild.

CVE-2020-9818 is an out-of-bounds write flaw, while CVE-2020-9819 is a heap overflow flaw. Both flaws originate from the implementation of the MFMutableData interface in the Multipurpose Internet Mail Extensions (MIME) framework in iOS. These vulnerabilities exist because MFMutableData does not handle errors from the ftruncate() system call.

Additionally, researchers believe the attackers unintentionally discovered the first vulnerability while trying to exploit the second one.

For the full set of technical analyses, please read the ZecOps blog.

An attacker could exploit these vulnerabilities by sending a specially crafted email to their victim. Most notable about these vulnerabilities is that on iOS 13, the heap overflow vulnerability can be triggered without interaction (zero-click), while on iOS 12, the vulnerability requires the victim to click the email. However, if the attacker has control of the mail server the user is connected to, they could achieve zero-click exploitation on iOS 12 devices. The out-of-bounds write requires the implementation of an additional vulnerability that allows the calling of an arbitrary selector in order to trigger remotely.

Successful exploitation of these vulnerabilities would only grant an attacker the capability to perform actions in the context of the Mail app, such as leaking, modifying or deleting emails. To gain full control over the device, researchers say that an attacker would need to incorporate a kernel vulnerability into the exploit chain. ZecOps suspects attackers had a kernel vulnerability in these attacks, but they’ve not yet identified one during their investigation.

Proof of concept

While a proof-of-concept (PoC) for this vulnerability was not publicly available on GitHub or Exploit-DB, the ZecOps blog provides enough information that can be used to craft a PoC.

Solution

On May 20, Apple released fixes for these vulnerabilities as part of iOS 13.5 and iPadOS 13.5 and iOS 12.4.7 for older Apple devices. This blog previously noted that Apple added fixes for these vulnerabilities in iOS 13.4.5 beta 2, which was released on April 15. Users seeking to patch these flaws should upgrade to the latest version of iOS/iPad OS.

Identifying affected systems

Tenable products offer integration with mobile device management (MDM) solutions to identify mobile devices missing vendor updates. Once a patch is available, a list of our MDM plugins to identify vulnerable devices will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Get FREE Advanced Support

with purchase of Nessus Professional

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.