As if the Log4Shell hellscape wasn’t already driving everybody starkers, it’s time to update iOS 15.2 and a crop of other Apple iGadgets, lest your iPhone get taken over by a malicious app that executes arbitrary code with kernel privileges.
“If log4j wasn’t enough, iOS 15.2 is out and it is wild,” tweeted Zuk Avraham, CEO at ZecOps, which markets a tool for mobile device log analysis. “Many remote and local vulnerabilities. If you care about your iPhone/iPad security you should update soon.”
iOS 15.2 is out and it is wild. Many remote and local security issues. If you care about your iPhone/iPad security you should update soon.
— Zuk (@ihackbanme) December 14, 2021
Apple’s security updates cover multiple vulnerabilities, including a remote jailbreak exploit chain and a number of critical issues in the kernel and Safari web browser that were first disclosed two months ago at the International Cyber Security Contest Tianfu Cup in China. That’s where the shiniest new iPhone – the iPhone 13 Pro running the most recent and fully patched version of iOS 15.0.2 – was clobbered in record time, twice.
One hack was performed live, on stage, using a remote code execution (RCE) exploit of the mobile Safari web browser. It was unleashed by a team from Kunlun Lab and succeeded in a few eyeblinks: 15 seconds, to be precise.
Tracked as CVE-2021-30955, the issue that was picked apart by Kunlun Lab could have enabled a malicious application to execute arbitrary code with kernel privileges. Apple said it was a race condition that was addressed with “improved state handling.”
“The kernel bug CVE-2021-30955 is the one we tried [to] use to build our remote jailbreak chain but failed to complete on time,” Kunlun Lab’s chief executive, @mj0011sec, said in a tweet. It also affects MacOS, according to @mj0011sec, who’s also the former CTO of Qihoo 360.
Where Kunlun Lab failed, Team Pangu succeeded, managing to remotely jailbreak the iPhone 13 Pro at the Tianfu Cup, marking the first time that the iPhone 13 Pro was publicly jailbroken at a cybersecurity event. The accomplishment netted the team $330,000 in cash rewards.
Here’s the full list of Apple’s security updates from Monday:
- macOS Monterey 12.1
- macOS Big Sur 11.6.2
- Security Update 2021-008 Catalina
- iOS 15.2 and iPadOS 15.2
- tvOS 15.2
- watchOS 8.3
More Fixed Bugs
Besides the remote jailbreak exploit flaw that toppled the iPhone 13 at the Tianfu Cup – CVE-2021-30955, the discovery of which was credited to Zweig of Kunlun Lab – Apple patched a total of five flaws in Kernel and four in IOMobileFrameBuffer, a kernel extension for managing the screen framebuffer, which is a portion of RAM that contains a bitmap that drives a video display.
Here are the relevant updates:
- CVE-2021-30927 and CVE-2021-30980: A use after free issue that could allow a malicious application to run arbitrary code with kernel privileges.
- CVE-2021-30937: A memory corruption vulnerability that could allow a malicious application to run arbitrary code with kernel privileges.
- CVE-2021-30949: A memory corruption issue that could allow a malicious application to run arbitrary code with kernel privileges.
- CVE-2021-30993: A buffer overflow issue that could allow an attacker in a privileged network position to execute arbitrary code.
- CVE-2021-30983: A buffer overflow issue that could allow an application to run arbitrary code with kernel privileges.
- CVE-2021-30985: An out-of-bounds write issue that could allow a malicious application to run arbitrary code with kernel privileges.
- CVE-2021-30991: An out-of-bounds read issue that could allow a malicious application to run arbitrary code with kernel privileges.
- CVE-2021-30996: A race condition that could allow a malicious application to run arbitrary code with kernel privileges.
Nothing Quite Like Aged Cheese, Wine and Software
Miclain Keffeler, application security consultant at application security provider nVisium, told Threatpost on Tuesday that those “wild,” now-patched iOS 15.2 flaws “highlight why the security industry recommends staying on the N-1 or even the N-2 latest version of software patches.”
He noted that security practitioners “often look at new versions of libraries and operating systems as the latest and greatest, but that often comes at the price of unknown and new attack vectors.”
As such, we need to let time – and security testers – dictate the right cadence to run updates, he continued. “The particular CVEs – which have now been patched – affected very core services, meaning that short of taking your iOS or Mac device off of the internet, the only prevention is our weakest security protection: humans.
This string of vulnerabilities “only strengthens the security team’s resolve that security is everyone’s job,” he continued. “Users need to practice good web hygiene as they go about their days by only downloading apps which are trusted, as well as browsing websites that they know are reputable and safe.”
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.