Researchers find new bug ‘class’ in Apple devices

Researchers at Trellix have uncovered what they claim to be an entirely new class of privilege escalation vulnerability in Apple devices stemming from the infamous ForcedEntry exploit used by disgraced Israeli spyware manufacturer NSO Group to let its government customers target activists, journalists and political opponents.

The existence of ForcedEntry – CVE-2021-30860 – was disclosed in September 2021 by The Citizen Lab, an interdisciplinary laboratory based at the University of Toronto’s Munk School of Global Affairs and Public Policy in Canada, which was the first to expose NSO’s malfeasance earlier that summer.

But now, Trellix says its Advanced Research Centre vulnerability team has discovered a group of bugs in iOS and macOS that bypass the strengthened code-signing mitigations put in place by Apple to stop the exploitation of ForcedEntry.

Left unaddressed, these vulnerabilities – which range from medium to high severity carrying CVSS scores from 5.1 to 7.1, could allow a threat actor to access sensitive information on a target device, including but not limited to the victim’s messages, location data, call history and photos.

In Trellix’s disclosure notice, senior vulnerability researcher Austin Emmitt said the new bugs involve the NSPredicate tool used by developers to filter code, around which Apple tightened restrictions in the wake of the ForcedEntry fracas by introducing a protocol called NSPredicateVisitor.

“These mitigations used [a] large deny list to prevent the use of certain classes and methods that could clearly jeopardise security,” explained Emmitt.

“However, we discovered that these new mitigations could be bypassed. By using methods that had not been restricted, it was possible to empty these lists, enabling all the same methods that had been available before. This bypass was assigned CVE-2023-23530 by Apple.

“Even more significantly, we discovered that nearly every implementation of NSPredicateVisitor could be bypassed. This bypass was assigned CVE-2023-23531. These two techniques opened a huge range of potential vulnerabilities that we are still exploring.”

So far, the team has found multiple vulnerabilities within the new class of bugs, the first and most significant of which exists in a process designed to catalogue data about behaviour on Apple devices. If an attacker has achieved code execution capability in a process with the right entitlements, they could then use NSPredicate to execute code with the process’s full privilege, gaining access to the victim’s data.

Emmitt and his team also found other issues that could enable attackers with appropriate privileges to install arbitrary applications on a victim’s device, access and read sensitive information, and even wipe a victim’s device. Ultimately, all of the new bugs carry a similar level of impact to ForcedEntry.

Emmitt said the vulnerabilities constituted a “significant breach” of the macOS and iOS security models, which rely on individual applications having fine-grain access to the subset of resources needed, and querying services with more privileges to get anything else.

“Services that accept NSPredicate arguments and check them with insufficient NSPredicateVisitors allow malicious applications and exploit code to defeat process isolation and directly access far more resources than should be allowed. These issues were addressed with macOS 13.2 and iOS 16.3. We would like to thank Apple for working quickly with Trellix to fix these issues,” he wrote.