Other official information and services: www.belgium.be

Warning: Two zero-day RCE vulnerabilities in Apple iOS, iPadOS, WatchOS and macOS

Reference:

Advisory #2023-105

Version:

1.0

Affected software:

Apple iOS, iPadOS, WatchOS and macOS

Type:

RCE

CVE/CVSS:

CVE-2023-41064/NA

CVE-2023-41061/NA

Date:

08/09/2023

Sources

https://support.apple.com/en-us/HT213905

https://support.apple.com/en-us/HT213906

https://support.apple.com/en-us/HT201222

Risks

Apple released a security update for two critical zero-day vulnerabilities in Apple iOS, iPadOS, WatchOS and macOS that are actively exploited in the wild.

Successful exploitation of CVE-2023-41064 and CVE-2023-41061 could allow for unauthorized code execution. This is accomplished by sending a maliciously crafted attachment or image to the users device.

The attack does not require any user interaction and can be executed remotely. The impact to confidentiality, integrity and availability is high.

Important to note is that these vulnerabilities are actively exploited in the wild. One of the observed exploitations weaponized CVE-2023-41064 and CVE-2023-41061 as part of a zero-click iMessage exploit chain named BLASTPASS to deploy Pegasus on fully-patched iPhones running iOS 16.6.

Description

CVE-2023-41064 is a buffer overflow vulnerability in the ImageIO package that can be exploited by sending a malicious image allowing arbitrary Remote Code Execution in the context of the user.

CVE-2023-41061 is a validation issue in the Wallet package that can be exploited by sending a malicious crafted attachment allowing arbitrary Remote Code Execution in the context of the user.

These two vulnerabilities have been weaponized as part of an exploit chain called BLASTPASS that has been used to deliver Pegasus spyware. This exploit involves sending PassKit attachments containing malicious images from an attacker iMessage account to the target iMessage account. This exploit does not require any user interaction and is labeled as zeroclick.

Affected products

iOS prior to version 16.6.1 and iPadOS prior to version 16.6.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
macOS prior to version 13.5.2
watchOS prior to version 9.6.2 - Apple Watch Series 4 and later.

Recommended Actions

Update

Update to iOS 16.6.1 and iPadOS 16.6.1
Update to macOS 13.5.2
Update to watchOS 9.6.2

Mitigate/workaround

No specific mitigations or workaround provided by Apple.

Monitor/Detect

The CCB recommends organizations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

When applying patches to systems that have been vulnerable to an authentication bypass, a proactive threat assessment should be performed to verify the device was not accessed from an unknown IP or location.

References

https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero...

https://thehackernews.com/2023/09/apple-rushes-to-patch-zero-day-flaws.h...