Researchers revealed two zero-day security vulnerabilities affecting Apple’s stock Mail app on iOS devices.
Researchers are reporting two Apple iOS zero-day security vulnerabilities affecting its Mail app on iPhones and iPads. Impacted are iOS 6 and iOS 13.4.1. Apple patched both vulnerabilities in iOS 13.4.5 beta, released last week. A final release of iOS 13.4.5 is expected soon.
Both vulnerabilities are believed to have been actively exploited by an “advanced threat operator” since 2018.
Both bugs are remotely exploitable by attackers who simply send an email to victims’ default iOS Mail application on their iPhone or iPad
“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13,” wrote researchers.
“Exploitation of these flaws would allow an attacker to leak, modify or delete emails within the Mail application. However, the researchers note that combining these flaws with an unpatched kernel vulnerability would provide an attacker with full device access, though that information has not been identified as of yet,” wrote Satnam Narang, principal research engineer with Tenable in a statement.
The first vulnerability is out-of-bounds (OOB) write vulnerability. Researchers said affected library is “/System/Library/PrivateFrameworks/MIME.framework/MIME” with the vulnerable function “[MFMutableData appendBytes:length:]”
“The implementation of MFMutableData in the MIME library lacks error checking for system call ftruncate() which leads to the Out-Of-Bounds write. We also found a way to trigger the OOB-Write without waiting for the failure of the system call ftruncate,” researchers said.
The second flaw, a heap-overflow, can also be triggered remotely.
“Both the OOB Write bug, and the Heap-Overflow bug, occurred due to the same problem: not handling the return value of the system calls correctly,” researchers wrote. “The remote bug can be triggered while processing the downloaded email, in such scenario, the email won’t get fully downloaded to the device as a result.”
Researchers said both bugs have been exploited in the wild, however researchers believe “the first vulnerability (OOB Write) was triggered accidentally, and the main goal was to trigger the second vulnerability (Remote Heap Overflow).”
In simple terms, researchers said the attack occurs when an attacker sends a specially crafted email that, when received on an iOS device’s Mail app, guzzled so much memory it created conditions ripe for a heap overflow attack.
“The vulnerability does not necessarily require a large email – a regular email which is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion including RTF, multi-part, and other methods,” researchers wrote.
The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device, researchers said.
“While Apple has issued fixes for these flaws in the beta version of iOS 13.4.5, devices are still vulnerable until the final version of iOS 13.4.5 is readily available to all iOS device owners. In the interim, the only mitigation for these flaws is to disable any email accounts that are connected to the iOS Mail application, and use an alternative application, such as Microsoft Outlook or Google’s GMail,” Narang wrote.
Researchers said they first identified suspicious behavior associated with the vulnerabilities in Feb. 19, 2020. After working closely with an impacted customer of theirs, on March 23 the identified the first out-of-bounds (OOB) write vulnerability. On March 31, researchers identified the second bug, a remote heap overflow vulnerability. The same day it shared its research with Apple. Over April 15 and 16, Apple began making a patch available to mitigate the security flaws in its publicly available beta software. On April 22, researchers publicly disclosed their findings.