Apple fixes actively exploited FORCEDENTRY zero-day flaws

Apple released security patches to fix two zero-day vulnerabilities in iOS and macOS that are actively exploited in attacks in the wild.

Apple rolled out security patches to fix a couple of zero-day flaws in iOS and macOS (CVE-2021-30860, CVE-2021-30858), the IT giant also warns its customers that these issues are actively exploited in attacks in the wild, come of which were reported by researchers from Citizen Lab.

In August, researchers from Citizen Lab spotted a zero-click iMessage exploit that was used to deploy NSO Group’s Pegasus spyware on Bahraini activists’ devices.

The iPhones of nine activists, including members of the Bahrain Center for Human Rights, Waad, Al Wefaq, were infected with Pegasus spyware as part of a surveillance operation likely orchestrated by a threat actor tracked as LULU and attributed with high confidence to the government of Bahrain.

“We identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. Some of the activists were hacked using two zero-click iMessage exploits: the 2020 KISMET exploit and a 2021 exploit that we call FORCEDENTRY.” reads the analysis published by citizen Lab.

“Phone logs indicated that the “responsible process” for the spyware was amfid, the Apple mobile file integrity daemon. We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day.With the consent of targets, we shared these crash logs and some additional phone logs relating o KISMET and FORCEDENTRY with Apple, Inc., which confirmed they were investigating.”

Threat actors leveraged two zero-click iMessage exploits to infect the iPhones with spyware, respectively known as 2020 KISMET exploit and a new exploit dubbed FORCEDENTRY.

Citizen Lab researchers discovered that the FORCEDENTRY exploit is able to bypass the “BlastDoor” sandbox introduced eight months ago in iOS to block iMessage zero-click exploits.

The first issue, tracked as CVE-2021-30860, is an integer overflow that was reported by Citizen Lab, The flaw was addressed by improving input validation.

“CoreGraphics: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory published by Apple. “An integer overflow was addressed with improved input validation.“

The second flaw, tracked as CVE-2021-30858, is an use after free issue that was reported by an anonymous researcher.

“WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” continues the advisory.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

[adrotate banner=”5″]

[adrotate banner=”13″]