[CDP-development] TLP:GREEN (Zero-Day Alert Notification) MS-ISAC 2024-051 Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Tue May 14 07:46:40 PDT 2024


Good morning,

The SOC Services team is reporting on the vulnerability: MS-ISAC 2024-051 Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution.  Due to its high visibility, the known presence of the affected software in the state environment, and active exploitation, we are providing this in-depth information:

History: On May 13, 2024, Apple released updates to patch their iOS, iPadOS, and macOS operating systems addressing one vulnerability of note: a memory corruption bug leading to arbitrary code execution, which allows an attacker who already has arbitrary kernel read and write capability to bypass kernel memory protections. The vulnerability impacts RealtimeKit (RTKit), the operating system component responsible for executing and managing processes with elevated timing requirements. Apple's advisory also mentioned a fix for a bug in the Foundation framework, which provides protocols and functions for developing software. CVE-2024-23296 was assigned on March 5, 2024, was last modified on March 18, 2024, and carries a CVSSv3 rating of 7.8 (High).

The following products are affected:

  *   Versions of iOS prior to 17.5 (iPhone XS and later)
  *   Versions of iOS prior to 16.7.8 (iPhone 8, iPhone 8 Plus, iPhone X)
  *   Versions of iPadOS prior to 17.5 (iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later)
  *   Versions of iPadOS prior to 16.7.8 (iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation)

  *   Versions of macOS Sonoma prior to 14.5
  *   Versions of macOS Ventura prior to 13.6.7
  *   Versions of macOS Monterey prior to 12.7.5

Patches are available from Apple to fix the vulnerabilities.  The fixed versions are:

  *   iOS 17.5
  *   iOS 16.7.6
  *   iPadOS 17.5
  *   iPadOS 16.7.6
  *   macOS Sonoma 14.5
  *   macOS Ventura 13.6.7
  *   macOS Monterey 12.7.5
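To apply the version thresholds above to a device inventory, here is an added Python example (not code from the advisory, MS-ISAC, or Apple). It takes its minimum fixed builds from the affected-versions list and the titles of Apple's security articles, assumes that devices on a major branch the advisory does not list need manual review, and runs over a constructed inventory.

```python
# Added example, not part of the advisory: check whether an Apple OS version
# has reached the fixed release for MS-ISAC 2024-051, by release branch.

# Minimum fixed version per product and major-version branch, taken from the
# advisory's affected-version list and Apple's security article titles.
FIXED_VERSIONS = {
    "iOS":    {17: (17, 5, 0), 16: (16, 7, 8)},
    "iPadOS": {17: (17, 5, 0), 16: (16, 7, 8)},
    "macOS":  {14: (14, 5, 0), 13: (13, 6, 7), 12: (12, 7, 5)},
}

def parse_version(text: str) -> tuple:
    """Turn '17.4.1' or '14.5' into a numeric 3-tuple; comparing raw strings
    would wrongly rank '16.7.10' below '16.7.8'."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])

def assess(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'review'. Assumption (ours): a device
    on a branch the advisory does not list (e.g. macOS 11) gets 'review',
    since the advisory names no fixed build for it."""
    branches = FIXED_VERSIONS.get(product)
    if branches is None:
        raise ValueError(f"unknown product: {product}")
    v = parse_version(version)
    fixed = branches.get(v[0])
    if fixed is None:
        return "review"
    return "patched" if v >= fixed else "vulnerable"

def triage(inventory):
    """Map inventory rows of (device name, product, version) to a status so the
    'vulnerable' rows can be pushed for update and 'review' rows escalated."""
    return {name: assess(product, ver) for name, product, ver in inventory}

# Constructed sample inventory export, not real device data.
SAMPLE_INVENTORY = [
    ("iphone-01", "iOS", "17.4.1"),
    ("iphone-02", "iOS", "16.7.7"),
    ("ipad-01", "iPadOS", "16.7.10"),
    ("mac-01", "macOS", "13.6.6"),
    ("mac-02", "macOS", "12.7.5"),
    ("mac-03", "macOS", "11.7.10"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```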

Further information is available from Apple as published in their Security Release Articles:

  *   Security Release Content of iOS 17.5 and iPadOS 17.5 - https://support.apple.com/en-us/HT214101
  *   Security Release Content of iOS 16.7.8 and iPadOS 16.7.8 - https://support.apple.com/en-us/HT214100
  *   Security Release Content of macOS Sonoma 14.5 - https://support.apple.com/en-us/HT214106
  *   Security Release Content of macOS Ventura 13.6.7 - https://support.apple.com/en-us/HT214107
  *   Security Release Content of macOS Monterey 12.7.5 - https://support.apple.com/en-us/HT214105

Intelligence: As of May 13, 2024, Apple is aware that CVE-2024-23296 has been exploited in the wild.  It is very likely that the exploit will continue to be leveraged by threat actors over the coming months.

Workarounds:  There are no workarounds at this time.

How it works:  There is no public information about how the vulnerabilities are exploited at this time.

Post-Exploit: Apple has not released much detail about the exploits at this time, but has acknowledged that an attacker with arbitrary kernel read/write capability may be able to bypass kernel memory protections.

No known indicators of compromise have been publicly shared at this time.

As of May 13, 2024, the following vulnerability plugins have been released and are currently in Tenable Security Center:

  Plugin   Title                                                     Severity   Link
  191557   Apple iOS < 16.7.6 Vulnerability (HT214082)               High       https://www.tenable.com/plugins/nessus/191557
  191558   Apple iOS < 17.4 Multiple Vulnerabilities (HT214081)      High       https://www.tenable.com/plugins/nessus/191558
  196911   Apple iOS < 16.7.8 Vulnerability (HT214100)               High       https://www.tenable.com/plugins/nessus/196911
  196931   macOS 13.x < 13.6.7 Multiple Vulnerabilities (HT214107)   High       https://www.tenable.com/plugins/nessus/196931

Additional Resources: The Intune team has provided the attached documents, which can be tailored to your needs. They answer frequently asked questions about iOS updates from the perspective of both technicians and users, and describe the update process.

Recommended Actions:

  *   Verify the host has not been compromised before applying patches.
  *   Ensure mobile devices are charged to at least 50% and are plugged into a charger before applying the updates.
  *   Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  *   Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  *   Apply the Principle of Least Privilege to all systems and services.


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that equitably serve Oregonians."
