Kevin Backhouse, a security researcher at Semmle, has disclosed multiple vulnerabilities in XNU, the kernel shared by Apple's operating systems. Because macOS, iOS and Apple's other platforms run the same kernel, a single XNU bug can reach every kind of Apple device, and Backhouse demonstrated one such flaw crashing macOS and iOS hosts in exactly the same way. Apple has already fixed these XNU kernel vulnerabilities in iOS 12 and in macOS updates.
Critical Bug Crashing Numerous Apple Devices
Backhouse found a critical bug, tracked as CVE-2018-4407, that crashes an affected Apple device as soon as it is triggered. It is a heap buffer overflow in the XNU kernel's networking code, and since that code is common to macOS and iOS, the bug affects MacBooks, iPhones and iPads alike.
Backhouse published a proof of concept and explained that the flaw lies in the kernel's ICMP packet-handling code:
“To trigger the vulnerability, an attacker merely needs to send a malicious IP packet to the IP address of the target device. No user interaction is required. The attacker only needs to be connected to the same network as the target device.”
He also shared a video demonstrating the exploit.
Triggering the bug crashes the kernel, so the target panics and reboots. Because one crafted packet from the local network is enough and no user interaction is needed, the flaw is remotely triggerable, and according to the researcher a heap overflow of this kind could potentially be turned into remote execution of arbitrary code as well.
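To make the bug class concrete, here is an added C illustration; it is neither XNU's code nor Backhouse's proof of concept. The page identifies the flaw only as a heap overflow in ICMP packet handling, so the model below picks one plausible shape of that class: an ICMP error builder that quotes the offending IP packet (its header plus the first bytes of payload) into a fixed-size reply buffer. The buffer size, struct layout, function names and the two constructed packets are assumptions made for the demo. The vulnerable builder bounds the copy only by fields the sender wrote into the packet (the IHL nibble and the total-length field); the fixed builder also bounds it by the bytes actually received and by the buffer's capacity.

```c
/*
 * Added illustration of the bug class behind CVE-2018-4407.  This is a
 * constructed model, NOT XNU's icmp_error(): buffer size, layout and
 * function names are assumptions made for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MIN_HDR_LEN  20   /* IPv4 header without options */
#define ICMP_HDR_LEN     8   /* type, code, checksum, unused */
#define QUOTE_PAYLOAD    8   /* payload bytes quoted after the IP header */
#define REPLY_CAPACITY  48   /* assumed reply buffer: fits 8 + 20 + 8 with room to spare */
#define NEIGHBOUR_LEN  128   /* bytes standing in for adjacent heap memory */

/* One flat allocation: the reply buffer followed by "neighbouring memory"
 * that we can inspect afterwards to see whether the builder ran past it. */
struct icmp_reply {
    uint8_t mem[REPLY_CAPACITY + NEIGHBOUR_LEN];
};

void reply_init(struct icmp_reply *r)
{
    memset(r->mem, 0, REPLY_CAPACITY);
    memset(r->mem + REPLY_CAPACITY, 0xA5, NEIGHBOUR_LEN);
}

int reply_neighbour_intact(const struct icmp_reply *r)
{
    for (size_t i = REPLY_CAPACITY; i < sizeof r->mem; i++)
        if (r->mem[i] != 0xA5)
            return 0;
    return 1;
}

/* Header length from the IHL nibble (20..60 bytes) and the declared total length. */
static size_t ip_hdr_len(const uint8_t *pkt)   { return (size_t)(pkt[0] & 0x0f) * 4; }
static size_t ip_total_len(const uint8_t *pkt) { return ((size_t)pkt[2] << 8) | pkt[3]; }

/* VULNERABLE: the quote length is bounded only by fields the sender wrote
 * into the packet, never by REPLY_CAPACITY; pkt_len is not even consulted. */
size_t build_icmp_error_vuln(const uint8_t *pkt, size_t pkt_len, struct icmp_reply *r)
{
    (void)pkt_len;
    size_t quote = ip_hdr_len(pkt) + QUOTE_PAYLOAD;
    if (quote > ip_total_len(pkt))
        quote = ip_total_len(pkt);
    r->mem[0] = 3;                        /* type 3: destination unreachable */
    r->mem[1] = 3;                        /* code 3: port unreachable */
    memset(r->mem + 2, 0, ICMP_HDR_LEN - 2);
    memcpy(r->mem + ICMP_HDR_LEN, pkt, quote);   /* runs past the buffer once quote > 40 */
    return ICMP_HDR_LEN + quote;
}

/* FIXED: same logic plus the missing bounds (received length and buffer
 * capacity) and a sanity check on the IHL nibble.  Returns -1 if malformed. */
long build_icmp_error_safe(const uint8_t *pkt, size_t pkt_len, struct icmp_reply *r)
{
    if (pkt_len < IP_MIN_HDR_LEN)
        return -1;
    size_t hdr = ip_hdr_len(pkt);
    if (hdr < IP_MIN_HDR_LEN || hdr > pkt_len)
        return -1;                        /* IHL claims more header than was received */
    size_t quote = hdr + QUOTE_PAYLOAD;
    if (quote > ip_total_len(pkt)) quote = ip_total_len(pkt);
    if (quote > pkt_len)           quote = pkt_len;            /* never read past the packet */
    if (quote > REPLY_CAPACITY - ICMP_HDR_LEN)
        quote = REPLY_CAPACITY - ICMP_HDR_LEN;                 /* never write past the buffer */
    r->mem[0] = 3;
    r->mem[1] = 3;
    memset(r->mem + 2, 0, ICMP_HDR_LEN - 2);
    memcpy(r->mem + ICMP_HDR_LEN, pkt, quote);
    return (long)(ICMP_HDR_LEN + quote);
}

/* Constructed sample packets, not captured traffic.  Hostile: IHL=15 (a 60-byte
 * header, the maximum) and total length 80.  Benign: IHL=5, total length 40. */
size_t make_packet(uint8_t *buf, size_t cap, int hostile)
{
    size_t len = hostile ? 80 : 40;
    if (cap < len) return 0;
    memset(buf, hostile ? 0x41 : 0x42, len);
    buf[0] = hostile ? 0x4f : 0x45;       /* version 4 + IHL */
    buf[2] = 0; buf[3] = (uint8_t)len;    /* total length, network order */
    buf[9] = 17;                          /* UDP: a closed port is the usual port-unreachable trigger */
    return len;
}

/* Harness helpers: run one packet through a builder and report what happened. */
int vuln_clobbers_neighbour(int hostile)
{
    uint8_t pkt[80]; struct icmp_reply r;
    size_t n = make_packet(pkt, sizeof pkt, hostile);
    reply_init(&r);
    build_icmp_error_vuln(pkt, n, &r);
    return !reply_neighbour_intact(&r);
}

long safe_bytes_written(int hostile, int *neighbour_intact)
{
    uint8_t pkt[80]; struct icmp_reply r;
    size_t n = make_packet(pkt, sizeof pkt, hostile);
    reply_init(&r);
    long w = build_icmp_error_safe(pkt, n, &r);
    if (neighbour_intact) *neighbour_intact = reply_neighbour_intact(&r);
    return w;
}

int main(void)
{
    int intact;
    printf("benign  packet, vulnerable builder: neighbour clobbered=%d\n", vuln_clobbers_neighbour(0));
    printf("hostile packet, vulnerable builder: neighbour clobbered=%d\n", vuln_clobbers_neighbour(1));
    long w = safe_bytes_written(1, &intact);
    printf("hostile packet, fixed builder: wrote %ld bytes, neighbour intact=%d\n", w, intact);
    return 0;
}
```

The point of the model is the asymmetry: the hostile packet is only 80 bytes and looks like an ordinary UDP datagram to a closed port, yet the vulnerable builder copies 68 bytes into a 48-byte buffer because every bound it applies comes from the packet itself. In a real kernel that neighbouring memory is whatever the allocator placed next to the mbuf, which is why the page's flaw manifests as a panic and why a heap overflow like it is a candidate for code execution rather than only a crash.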
More XNU Kernel Vulnerabilities
Besides CVE-2018-4407, Backhouse found five further buffer overflows in the XNU kernel, this time in the client-side Network File System (NFS) implementation: CVE-2018-4259, CVE-2018-4286, CVE-2018-4287, CVE-2018-4288 and CVE-2018-4291. As the Semmle advisory describes them,
“The vulnerabilities allow an attacker to mount a maliciously-crafted NFS volume to gain kernel-level privileges. This privilege level is higher than a normal administrator user account. Among other things, it allows an attacker to read, write, and delete arbitrary files on disk and in memory, install new applications, or wipe and reset the device to factory settings. No special permissions are required in macOS to mount an NFS share, so the vulnerabilities can be exploited by any user, including the built-in guest account, which does not require a password.”
The researcher also published a proof of concept for these vulnerabilities together with a video demonstrating the exploit.
Apple Has Patched The Flaws
The ICMP packet-handling flaw (CVE-2018-4407) affects devices running iOS 11 and earlier, macOS High Sierra up to 10.13.6, and macOS Sierra up to 10.12.6. Apple fixed it in the September 2018 releases of iOS 12 and macOS Mojave 10.14.
The NFS vulnerabilities affect macOS 10.13.5 and earlier. Apple fixed them in the macOS 10.13.6 update in July 2018, but held back the details until November.
Update to iOS 12 or later and to macOS 10.14 (or at least 10.13.6 for the NFS flaws) to protect your Apple devices from these XNU kernel vulnerabilities. Bear in mind that the ICMP bug needs nothing more than a packet from the same network and no action from the user, so an unpatched device on shared Wi-Fi can be crashed by anyone else on that network.