CVE-2020-9818, CVE-2020-9819: Multiple Zero-Day Vulnerabilities in iOS Mail App Exploited in the Wild

Patches for a pair of critical iOS vulnerabilities that were reportedly exploited in the wild are now generally available. Users are strongly encouraged to upgrade to the latest version of iOS and iPadOS.

Update 5/26/2020: The Title, Analysis and Solution sections have been updated to reflect the availability of CVE identifiers for both vulnerabilities as well as the versions of iOS/iPad OS that address these flaws.

Background

On April 20, researchers at ZecOps published a blog post about their discovery of multiple zero-day vulnerabilities in the iOS Mail app. According to the researchers, the vulnerabilities were discovered during a digital forensics and incident response (DFIR) investigation. The DFIR led the researchers to discover the flaws had been exploited in the wild against a variety of targets, including employees at a Fortune 500 company in North America, a Japanese carrier executive, a VIP from Germany, managed security service providers in Saudi Arabia and Israel, and a European journalist.

The vulnerabilities have reportedly existed within iOS going as far back as iOS 6, which was released in September 2012. However, the researchers say they identified these vulnerabilities being exploited in the wild as early as January 2018 against iOS 11.2.2.

Apple has followed up ZecOps disclosures stating "based on the information provided, [we] have concluded these issues do not pose an immediate risk to our users." Apple also noted that these vulnerabilities alone "are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers."

ZecOps has in turn responded to Apple's statements saying that "there were triggers in-the-wild for this vulnerability on a few organizations" and they plan to "release more information and POCs [proofs of concept] once a patch is available."

Analysis

The researchers at ZecOps identified two specific vulnerabilities being exploited in the wild.

CVE-2020-9818 is an out-of-bounds write flaw, while CVE-2020-9819 is a heap overflow flaw. Both flaws originate from the implementation of the MFMutableData interface in the Multipurpose Internet Mail Extensions (MIME) framework in iOS. These vulnerabilities exist because MFMutableData does not handle errors from the ftruncate() system call.

Additionally, researchers believe the attackers unintentionally discovered the first vulnerability while trying to exploit the second one.

For the full set of technical analyses, please read the ZecOps blog.

An attacker could exploit these vulnerabilities by sending a specially crafted email to their victim. Most notable about these vulnerabilities is that on iOS 13, the heap overflow vulnerability can be triggered without interaction (zero-click), while on iOS 12, the vulnerability requires the victim to click the email. However, if the attacker has control of the mail server the user is connected to, they could achieve zero-click exploitation on iOS 12 devices. The out-of-bounds write requires the implementation of an additional vulnerability that allows the calling of an arbitrary selector in order to trigger remotely.

Successful exploitation of these vulnerabilities would only grant an attacker the capability to perform actions in the context of the Mail app, such as leaking, modifying or deleting emails. To gain full control over the device, researchers say that an attacker would need to incorporate a kernel vulnerability into the exploit chain. ZecOps suspects attackers had a kernel vulnerability in these attacks, but they’ve not yet identified one during their investigation.

Proof of concept

While a proof-of-concept (PoC) for this vulnerability was not publicly available on GitHub or Exploit-DB, the ZecOps blog provides enough information that can be used to craft a PoC.

Solution

On May 20, Apple released fixes for these vulnerabilities as part of iOS 13.5 and iPadOS 13.5 and iOS 12.4.7 for older Apple devices. This blog previously noted that Apple added fixes for these vulnerabilities in iOS 13.4.5 beta 2, which was released on April 15. Users seeking to patch these flaws should upgrade to the latest version of iOS/iPad OS.

Identifying affected systems

Tenable products offer integration with mobile device management (MDM) solutions to identify mobile devices missing vendor updates. Once a patch is available, a list of our MDM plugins to identify vulnerable devices will appear here as they’re released.

Get more information

• ZecOps Blog Post on Two iOS Zero-Day Vulnerabilities Exploited in the Wild
• Apple iOS 13.5 and iPadOS 13.5 Security Content

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.