- Detailed analysis of the changes in iOS 16.4.1 indicates that this may not be Apple's first attempt at resolving exploits in this area of iOS
- Correlating Jamf's findings with research from Citizen Lab and Microsoft suggests that this fix may address zero-click exploits used by QuaDream going back to iOS 14
Research led by Yuan Shen and Nir Avraham.
On April 7, Apple released iOS 16.4.1, which includes a fix for two vulnerabilities that Apple believes may have been actively exploited in the wild. The first vulnerability is related to IOSurfaceAccelerator, identified by CVE-2023-28206. The second vulnerability is related to WebKit, identified by CVE-2023-28205.
According to Apple, the IOSurfaceAccelerator vulnerability is an out-of-bounds write issue that was resolved through improved input validation. Jamf Threat Labs conducted an analysis of the IOSurfaceAccelerator vulnerability. This post includes the technical details from our investigation of CVE-2023-28206.
Our research identified six functions (highlighted in the screenshot below) that we believe have been altered as part of the security fixes in iOS 16.4.1.
Three of these functions gained a size check, and the remaining three underwent offset changes. We believe these changes are directly related to CVE-2023-28206.
As part of our investigation, we have confirmed that ZecOps zero-day detections identify exploitation of this vulnerability, and we will alert impacted customers should it be triggered. Our team has not observed this exploit in the wild.
Our investigation also revealed connections to QuaDream's one-click browser exploit, which matches the WebKit vulnerability and a kernel vulnerability patched in iOS 16.4.1. According to the Citizen Lab blog, QuaDream's spyware targeted iOS 14 devices.
Our analysis of iOS 14.4 and iOS 14.5 shows that Apple introduced two size checks to IosaColorManagerMSR8::getHDRStats_gatedContext to prevent an out-of-bounds write.
On April 9, two days after the release of iOS 16.4.1, LinusHenze published a PoC for CVE-2023-28206 that triggers an out-of-bounds memmove in IosaColorManagerMSR8::getHDRStats_gatedContext. The PoC runs successfully on iOS 16.4, which shows that the patches Apple applied in iOS 14.5 did not completely resolve the
Our analysis of iOS 16.4.1 further shows that Apple reinforced IosaColorManagerMSR8::getHDRStats_gatedContext with an additional size check. This suggests that Apple strengthened the initial patch, and we can confirm that LinusHenze's PoC fails to execute on iOS 16.4.1.
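The two-stage fix described above (size checks added in iOS 14.5, a further size check added in iOS 16.4.1) is a familiar pattern: a copy whose offset and length come from the caller gets checked field by field, and the range as a whole is still allowed to run past the end of the destination. The example below is an added illustration of that bug class written for this post; it is not Apple's code, and the struct, buffer size and function names are hypothetical. It places an unchecked memmove next to a partial check that can still be bypassed, and next to a complete, overflow-safe check, and shows why the complete check is written as `count > size - offset` rather than `offset + count > size`, which can wrap in 32-bit arithmetic.

```c
/* Added illustration of the bug class only: an out-of-bounds memmove caused by
 * an incompletely validated caller-supplied size. This is NOT Apple's code; the
 * struct, buffer size and function names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATS_ENTRIES 64u /* hypothetical fixed-size stats buffer (entries) */

typedef struct {
    uint32_t offset; /* caller-controlled: first entry to write */
    uint32_t count;  /* caller-controlled: number of entries to copy */
} stats_request_t;

/* Unchecked copy: whatever the caller asks for is moved. With offset=60 and
 * count=10 this writes entries 60..69 of a 64-entry buffer. Never call it
 * with such a request; it is here only as the "before" form. */
void copy_stats_unchecked(uint32_t *dst, const uint32_t *src,
                          const stats_request_t *req) {
    memmove(dst + req->offset, src, (size_t)req->count * sizeof(uint32_t));
}

/* Partial validation: offset and count are each compared with the buffer
 * size on their own. The offset=60, count=10 request passes both tests. */
bool stats_request_ok_partial(const stats_request_t *req) {
    if (req->offset >= STATS_ENTRIES) return false;
    if (req->count > STATS_ENTRIES) return false;
    return true;
}

/* Complete validation: the whole range [offset, offset + count) must fit.
 * Testing count against the remaining space (rather than offset + count
 * against the size) cannot wrap around in 32-bit arithmetic. */
bool stats_request_ok_full(const stats_request_t *req) {
    if (req->offset >= STATS_ENTRIES) return false;
    if (req->count > STATS_ENTRIES - req->offset) return false;
    return true;
}

/* Hardened copy: rejects the request (-1) unless the full check passes,
 * otherwise copies and returns the number of entries moved. */
int copy_stats_checked(uint32_t *dst, const uint32_t *src,
                       const stats_request_t *req) {
    if (!stats_request_ok_full(req)) return -1;
    memmove(dst + req->offset, src, (size_t)req->count * sizeof(uint32_t));
    return (int)req->count;
}

/* Last entry index the request would touch, computed in 64 bits so the
 * diagnostic itself cannot overflow. */
uint64_t stats_request_last_index(const stats_request_t *req) {
    if (req->count == 0) return req->offset;
    return (uint64_t)req->offset + req->count - 1;
}

/* Exercises the checks against three constructed requests; returns true when
 * they behave as described in the comments above. */
bool run_demo(void) {
    stats_request_t overflow = { 60, 10 };         /* passes partial, fails full */
    stats_request_t wrap     = { 1, 0xFFFFFFFFu }; /* offset+count wraps to 0  */
    stats_request_t good     = { 60, 4 };          /* exactly fills the buffer */
    uint32_t dst[STATS_ENTRIES] = { 0 };
    uint32_t src[4] = { 1, 2, 3, 4 };

    if (!stats_request_ok_partial(&overflow)) return false;
    if (stats_request_ok_full(&overflow)) return false;
    if (stats_request_last_index(&overflow) != 69) return false;
    if (stats_request_ok_full(&wrap)) return false;
    if (copy_stats_checked(dst, src, &good) != 4 || dst[63] != 4) return false;
    if (copy_stats_checked(dst, src, &overflow) != -1) return false;
    return true;
}

int main(void) {
    bool ok = run_demo();
    printf("checks behave as expected: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

When diffing a patched kernel function for this class of bug, the question to ask is not whether a size check exists but whether every term that feeds the copy length and the destination pointer is covered by one, and whether the comparison itself can overflow.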
The release of iOS 16.4.1 is Apple’s latest attempt to patch kernel vulnerabilities that we believe have been exploited since iOS 14.4. As always, it is essential to update to the latest version of Apple's software as soon as possible to ensure that your device is protected against these vulnerabilities.