Patch Now: Apple Zero-Day Exploits Bypass Kernel Security
A pair of critical bugs could open the door to complete system compromise, including access to location information, iPhone camera and mic, and messages. Rootkitted attackers could theoretically perform lateral movement to corporate networks, too.
March 6, 2024
Apple has released emergency security updates to fix two critical iOS zero-day vulnerabilities that cyberattackers are actively using to compromise iPhone users at the kernel level.
According to Apple's security bulletin released March 5, the memory-corruption bugs both allow threat actors with arbitrary kernel read and write capabilities to bypass kernel memory protections:
CVE-2024-23225: Found in the iOS Kernel
CVE-2024-23296: Found in the RTKit component
While Apple, true to form, declined to offer additional details, Krishna Vishnubhotla, vice president of product strategy at mobile security provider Zimperium, explains that flaws like these present exacerbated risk to individuals and organizations.
"The kernel on any platform is crucial because it manages all operating system operations and hardware interactions," he explains. "A vulnerability in it that allows arbitrary access can enable attackers to bypass security mechanisms, potentially leading to a complete system compromise, data breaches, and malware introduction."
And not only that, but kernel memory-protection bypasses are a special plum for Apple-focused cyberattackers.
"Apple has strong protections to prevent apps from accessing data and functionality of other apps or the system," says John Bambenek, president at Bambenek Consulting. "Bypassing kernel protections essentially lets an attacker rootkit the phone so they can access everything such as the GPS, camera and mic, and messages sent and received in cleartext (i.e., Signal)."
Apple Bugs: Not Just for Nation-State Rootkitting
The number of exploited zero-days for Apple so far stands at three: In January, the tech giant patched an actively exploited zero-day bug in the Safari WebKit browser engine (CVE-2024-23222), a type confusion error.
It's unclear who's doing the exploiting in this case, but iOS users have become top targets for spyware in recent months. Last year, Kaspersky researchers uncovered discovered a series of Apple zero-day flaws (CVE-2023-46690, CVE-2023-32434, CVE-2023-32439) connected to Operation Triangulation, a sophisticated, likely state-sponsored cyber-espionage campaign that deployed TriangleDB spying implants on iOS devices at a variety of government and corporate targets. And nation-states are well-known for using zero-days to drop the NSO Group's Pegasus spyware on iOS devices — including in a recent campaign against Jordanian civil society.
However, John Gallagher, vice president of Viakoo Labs at Viakoo, says the nature of the attackers could be more mundane — and more dangerous to everyday organizations.
"iOS zero-day vulnerabilities are not just for state-sponsored spyware attacks, such as Pegasus," he says, adding that being able to bypass kernel memory protections while having read and write privileges is "as serious as it gets." He notes, "Any threat actor aiming for stealth will want to leverage zero-day exploits, especially in highly used devices, such as smartphones, or high-impact systems, such as IoT devices and applications."
Apple users should update to the following versions to patch the vulnerabilities with improved input validation: iOS 17.4, iPadOS 17.4, iOS 16.76, and iPad 16.7.6.
About the Author
You May Also Like