Apple fixes zero-day vulnerabilities used to covertly deliver spyware (CVE-2023-32435)
Apple has released patches for three zero-day vulnerabilities (CVE-2023-32434, CVE-2023-32435, CVE-2023-32439) exploited in the wild.
The first two have been reported by Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko and Boris Larin following their discovery of the iOS spyware implant they dubbed TriangleDB, and the third one by an anonymous researcher.
The vulnerabilities (CVE-2023-32434, CVE-2023-32435, CVE-2023-32439)
CVE-2023-32439 is a type confusion issue in the WebKit browser engine that could be triggered by the vulnerable device processing maliciously crafted web content, and may lead to arbitrary code execution. “Apple is aware of a report that this issue may have been actively exploited,” the company said, but offered no additional details about the attack.
CVE-2023-32434 is an integer overflow vulnerability affecting the kernel, that allows an app to execute arbitrary code with kernel privileges. CVE-2023-32435 is a memory corruption issue in WebKit that could lead to code execution.
Referencing Kaspersky’s findings, Apple says that those last two vulnerabilities “may have been actively exploited against versions of iOS released before iOS 15.7.”
The spyware implant
At the beginning of June, Kaspersky security researchers revealed that some of their corporate iOS devices have been saddled with previously unknown spyware.
The infection happened via iMessage – the victims receive a message with an attachment containing an exploit, which triggers a vulnerability that allows code execution, and the exploit downloads additional malware from a C2 server. Finally, the initial message and the exploit in the attachment is deleted.
The victim does not need to open the iMessage for the infection to happen.
“The oldest traces of infection that we discovered happened in 2019. As of the time of writing in June 2023, the attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7,” they added.
On Wednesday, they shared more details about the spyware.
“The implant […] is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability [i.e., CVE-2023-32435]. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers.”
The implant is capable of manipulating and exfiltrating files, terminating processes, retrieve keychain entries of the infected device, pinpointing the device’s location, and running additional modules.
“While analyzing TriangleDB, we found that the class CRConfig (used to store the implant’s configuration) has a method named populateWithFieldsMacOSOnly. This method is not called anywhere in the iOS implant; however, its existence means that macOS devices can also be targeted with a similar implant,” they pointed out.
Update your devices!
The latest Apple updates bring:
- iOS and iPadOS to versions 16.5.1 and 15.7.7
- macOS to versions 13.4.1, 12.6.7, and 11.7.8
- Safari to version 16.5.1
- watchOS to versions 9.5.2 and 8.8.1
Users should upgrade their devices as soon as possible.
It is unlikely that TriangleDB has been widely deployed, but if you suspect that you are among those that may have been targeted, you can use the triangle_check tool provided by Kaspersky to test the backup of your mobile device for evidence of compromise.