Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS)
Apple today released patches for all of its operating systems. The updates address 46 different vulnerabilities. Many of the vulnerabilities affect more than one operating system. None of the vulnerabilities are labeled as being already exploited.
Updates released: iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, watchOS 11.2, tvOS 18.2, visionOS 2.2. The last column gives the number of these eight updates that contain the fix for each CVE.

| CVE | Impact | Component | Updates with fix (of 8) |
|---|---|---|---|
| CVE-2023-32395 | An app may be able to modify protected parts of the file system. | Perl | 1 |
| CVE-2024-44201 | Processing a maliciously crafted file may lead to a denial of service. | libarchive | 3 |
| CVE-2024-44220 | Parsing a maliciously crafted video file may lead to unexpected system termination. | AppleGraphicsControl | 2 |
| CVE-2024-44224 | A malicious app may be able to gain root privileges. | StorageKit | 3 |
| CVE-2024-44225 | An app may be able to gain elevated privileges. | libxpc | 7 |
| CVE-2024-44243 | An app may be able to modify protected parts of the file system. | StorageKit | 1 |
| CVE-2024-44245 | An app may be able to cause unexpected system termination or corrupt kernel memory. | Kernel | 5 |
| CVE-2024-44246 | On a device with Private Relay enabled, adding a website to the Safari Reading List may reveal the originating IP address to the website. | Safari | 3 |
| CVE-2024-44248 | A user with screen sharing access may be able to view another user's screen. | Screen Sharing Server | 2 |
| CVE-2024-44291 | A malicious app may be able to gain root privileges. | Foundation | 3 |
| CVE-2024-44300 | An app may be able to access protected user data. | Crash Reporter | 3 |
| CVE-2024-54465 | An app may be able to elevate privileges. | LaunchServices | 1 |
| CVE-2024-54466 | An encrypted volume may be accessed by a different user without prompting for the password. | DiskArbitration | 3 |
| CVE-2024-54476 | An app may be able to access user-sensitive data. | PackageKit | 3 |
| CVE-2024-54477 | An app may be able to access user-sensitive data. | Apple Software Restore | 3 |
| CVE-2024-54479 | Processing maliciously crafted web content may lead to an unexpected process crash. | WebKit | 1 |
| CVE-2024-54484 | An app may be able to access user-sensitive data. | MediaRemote | 1 |
| CVE-2024-54485 | An attacker with physical access to an iOS device may be able to view notification content from the lock screen. | VoiceOver | 2 |
| CVE-2024-54486 | Processing a maliciously crafted font may result in the disclosure of process memory. | FontParser | 8 |
| CVE-2024-54489 | Running a mount command may unexpectedly execute arbitrary code. | Disk Utility | 3 |
| CVE-2024-54490 | A local attacker may gain access to a user's Keychain items. | AppleMobileFileIntegrity | 1 |
| CVE-2024-54491 | A malicious application may be able to determine a user's current location. | Logging | 1 |
| CVE-2024-54492 | An attacker in a privileged network position may be able to alter network traffic. | Passwords | 4 |
| CVE-2024-54493 | Privacy indicators for microphone access may be attributed incorrectly. | Shortcuts | 1 |
| CVE-2024-54494 | An attacker may be able to create a read-only memory mapping that can be written to. | Kernel | 8 |
| CVE-2024-54495 | An app may be able to modify protected parts of the file system. | Swift | 2 |
| CVE-2024-54498 | An app may be able to break out of its sandbox. | SharedFileList | 3 |
| CVE-2024-54500 | Processing a maliciously crafted image may result in disclosure of process memory. | ImageIO | 8 |
| CVE-2024-54501 | Processing a maliciously crafted file may lead to a denial of service. | SceneKit | 8 |
| CVE-2024-54502 | Processing maliciously crafted web content may lead to an unexpected process crash. | WebKit | 5 |
| CVE-2024-54503 | Muting a call while ringing may not result in mute being enabled. | Audio | 1 |
| CVE-2024-54504 | An app may be able to access user-sensitive data. | Notification Center | 1 |
| CVE-2024-54505 | Processing maliciously crafted web content may lead to memory corruption. | WebKit | 6 |
| CVE-2024-54506 | An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP firmware. | IOMobileFrameBuffer | 1 |
| CVE-2024-54508 | Processing maliciously crafted web content may lead to an unexpected process crash. | WebKit | 5 |
| CVE-2024-54510 | An app may be able to leak sensitive kernel state. | Kernel | 7 |
| CVE-2024-54513 | An app may be able to access sensitive user data. | Crash Reporter | 5 |
| CVE-2024-54514 | An app may be able to break out of its sandbox. | libxpc | 6 |
| CVE-2024-54515 | A malicious app may be able to gain root privileges. | SharedFileList | 1 |
| CVE-2024-54524 | A malicious app may be able to access arbitrary files. | SharedFileList | 1 |
| CVE-2024-54526 | A malicious app may be able to access private information. | AppleMobileFileIntegrity | 6 |
| CVE-2024-54527 | An app may be able to access sensitive user data. | AppleMobileFileIntegrity | 6 |
| CVE-2024-54528 | An app may be able to overwrite arbitrary files. | SharedFileList | 3 |
| CVE-2024-54529 | An app may be able to execute arbitrary code with kernel privileges. | Audio | 3 |
| CVE-2024-54531 | An app may be able to bypass kASLR. | Kernel | 1 |
| CVE-2024-54534 | Processing maliciously crafted web content may lead to memory corruption. | WebKit | 5 |
Vulnerability Symbiosis: vSphere's CVE-2024-38812 and CVE-2024-38813 [Guest Diary]
[This is a Guest Diary by Jean-Luc Hurier, an ISC intern as part of the SANS.edu BACS program]
Background
In April 2020, at the height of the global pandemic, virtualization was in high demand. vSphere 7.0 was released during that time, and it shipped with two then-unknown vulnerabilities, a match made in heaven for threat actors. It wasn't until June 2024 that China's TZL security researchers revealed CVE-2024-38812 and CVE-2024-38813 at China's 2024 Matrix Cup, a hacking contest. Both vulnerabilities were published and patched in September 2024; however, one of those patches (CVE-2024-38812) required a hotfix just a month later.
Findings
This is a topic of conversation because I noticed an intermittent pattern of reconnaissance of possible vSphere-related web traffic over the course of the last 3.5 months.
On the surface, this looks like any other automated scan: they cover a lot of ground, probing for openings, vulnerabilities, etc. The URI /sdk stands out because it is a known endpoint for the vSphere SOAP API. This could be a coincidence, but what I did notice is a slight uptick in scanning for that endpoint starting 9/18/2024. This is notable because CVE-2024-38812 and CVE-2024-38813 became public on 9/17/2024.
This activity spanned 22 not-so-reputable IPs from providers based in the USA, Germany, and Spain, most of which are associated with DigitalOcean. For /sdk, since the POST request content-length was short and the body was text/plain, the assumption is that the activity is merely checking for the existence of vSphere. The same can be said for /webui, which can be tied to vSphere's legacy web client and indicates an interest in older endpoints (and older vulnerabilities). The rare /ui/authentication GET requests also indicate probing rather than actual exploitation attempts. The IPs didn't solely scan for vSphere endpoints; they also targeted other exposed management interfaces, web portals, configuration files, and source-code repositories. Analysis of other vSphere endpoints did not yield any other indicators.
An interesting artifact of note is the use of a User-Agent string related to Odin, an "AI"-powered scanner that catalogs internet assets.
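The triage described above (vCenter endpoints /sdk, /webui and /ui/authentication, short text/plain POST bodies treated as existence checks, the disclosure date as a comparison point, a scanner User-Agent, and what else the same IPs touched) can be turned into a small log-hunting script. The following is an added example and not code from the diary or from ISC. It assumes a combined access-log format with one extra trailing field holding the request body length (for example nginx's $content_length), assumes the Odin scanner carries "Odin" somewhere in its User-Agent (the diary does not quote the exact string), and uses a 200-byte body threshold and a constructed sample log with documentation-range IP addresses; none of those values come from the diary.

```python
"""Hunt access logs for vCenter endpoint reconnaissance (added example)."""
import json
import re
from collections import Counter, defaultdict
from datetime import date, datetime

# vCenter-related paths called out in the diary.
VSPHERE_PATHS = ("/sdk", "/webui", "/ui/authentication")

# Assumption: the Odin scanner identifies itself with "Odin" in the User-Agent.
SCANNER_UA_MARKERS = ("odin",)

# Public disclosure date of CVE-2024-38812 / CVE-2024-38813.
DISCLOSURE = date(2024, 9, 17)

# A POST body at or above this size is no longer a bare "does /sdk exist?"
# check and deserves a closer look. The threshold is an assumption.
LARGE_BODY_BYTES = 200

# Combined log format plus a trailing request-body-length field (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)" '
    r'(?P<body_len>\d+|-)$'
)

# Constructed sample log; IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Sep/2024:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0
192.0.2.10 - - [10/Sep/2024:03:14:09 +0000] "POST /sdk HTTP/1.1" 404 153 "-" "Mozilla/5.0" 41
198.51.100.7 - - [18/Sep/2024:11:02:51 +0000] "POST /sdk HTTP/1.1" 404 153 "-" "Odin-Scanner/1.0" 38
198.51.100.7 - - [18/Sep/2024:11:02:52 +0000] "GET /webui HTTP/1.1" 404 153 "-" "Odin-Scanner/1.0" 0
198.51.100.7 - - [18/Sep/2024:11:02:53 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Odin-Scanner/1.0" 0
203.0.113.25 - - [19/Sep/2024:22:40:00 +0000] "GET /ui/authentication HTTP/1.1" 404 153 "-" "python-requests/2.31" 0
203.0.113.25 - - [19/Sep/2024:22:40:01 +0000] "POST /sdk HTTP/1.1" 404 153 "-" "python-requests/2.31" 37
203.0.113.25 - - [19/Sep/2024:22:40:02 +0000] "POST /sdk HTTP/1.1" 404 153 "-" "python-requests/2.31" 4096
"""


def parse_line(line):
    """Parse one log line into a dict; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["body_len"] = 0 if rec["body_len"] == "-" else int(rec["body_len"])
    return rec


def is_vsphere_path(path):
    """True for the vCenter endpoints themselves or anything beneath them."""
    return any(path == p or path.startswith(p + "/") for p in VSPHERE_PATHS)


def classify(rec):
    """Existence check (short or no body) vs. a POST carrying a real payload."""
    if rec["method"] == "POST" and rec["body_len"] >= LARGE_BODY_BYTES:
        return "large-body-post"
    return "existence-check"


def summarize(log_text):
    """Aggregate vCenter endpoint hits by day, source IP, scanner UA and body size."""
    by_day, ips, scanner_ips = Counter(), set(), set()
    other_paths, large = defaultdict(set), []
    before = on_or_after = 0
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    for rec in records:
        if not is_vsphere_path(rec["path"]):
            continue
        ips.add(rec["ip"])
        day = rec["when"].date()
        by_day[day.isoformat()] += 1
        if day >= DISCLOSURE:
            on_or_after += 1
        else:
            before += 1
        if any(mk in rec["ua"].lower() for mk in SCANNER_UA_MARKERS):
            scanner_ips.add(rec["ip"])
        if classify(rec) == "large-body-post":
            large.append((rec["ip"], rec["path"], rec["body_len"]))
    # What else did the probing IPs request? (config files, repos, portals)
    for rec in records:
        if rec["ip"] in ips and not is_vsphere_path(rec["path"]):
            other_paths[rec["ip"]].add(rec["path"])
    return {
        "vsphere_hits": sum(by_day.values()),
        "distinct_ips": sorted(ips),
        "by_day": dict(by_day),
        "before_disclosure": before,
        "on_or_after_disclosure": on_or_after,
        "scanner_ua_ips": sorted(scanner_ips),
        "large_body_posts": large,
        "other_paths_by_ip": {ip: sorted(p) for ip, p in other_paths.items()},
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

On the constructed sample, the summary separates the single pre-disclosure hit from the five on or after it, attributes the Odin User-Agent to one IP, records that the same IP also requested /.git/config, and singles out the one /sdk POST whose body is far larger than a bare existence check, which is the request a defender would pull for full inspection. Feed it a real log by replacing SAMPLE_LOG with the file contents.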
While there is no public proof of concept, this activity piqued my interest, especially as it relates to a very recent post (11/18/2024) by Broadcom stating, "Updated advisory to note that VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812 and CVE-2024-38813" [2].
Theory
My theory is that the vulnerabilities hinge on the Platform Services Controller (PSC) introduced in v7.0 of the vCenter Server appliance [8]. With the introduction of the PSC as an integrated service, backend processes such as authentication, token management, and inter-component communication began relying heavily on the DCERPC protocol. In a hypothetical break-in using CVE-2024-38812/13, an attacker could target either /ui/authentication (authentication workflows) or /sdk (SOAP API requests) to exploit these vulnerabilities. By sending a specially crafted request to either endpoint, CVE-2024-38812 (heap overflow) could be triggered in DCERPC, granting unauthorized RCE within the PSC environment. Once initial access is achieved, the attacker could exploit CVE-2024-38813 (memory corruption) through escalated API calls to /sdk, allowing privilege escalation and persistence. This chain would enable complete compromise of the vSphere environment, leveraging the PSC's central role in v7.0+ systems. A game of hypotheticals.
Even though there is technically no public POC, the heap overflow behind this activity is well documented by SonicWall's Capture Labs Threat Research Team [3]. There have been some POCs for sale on GitHub since October. While mere reconnaissance isn't enough to single out vulnerability-specific probing, it does give us some insight into the threat landscape.
Simply put, CVE-2024-38812 provides initial access via a heap-overflow vulnerability in VMware vCenter Server that enables unauthenticated remote code execution. CVE-2024-38813, a privilege escalation flaw, allows attackers to expand their control and maintain persistence. Together, these vulnerabilities create a "vulnerability symbiosis".
Conclusion
Interestingly, the source IPs were organizationally tied to the likes of DigitalOcean, OVH SAS, and NextGenWebs, DigitalOcean being a popular choice in the recent past with regard to Volt Typhoon [6]. I cannot say for certain whether this is coincidence, since it is somewhat popular among threat actors. What is apparent is that attacker interest in mapping publicly accessible vSphere endpoints is steadily on the rise. While this is a relatively "new" disclosure, research into these vulnerabilities has also led me down the path of what-ifs. After all, the vulnerable versions were vCenter Server 7.0 (released April 2020) and vCenter Server 8.0 (released October 2022) ... only a 4.5-year-old vulnerability. In addition, as stated earlier, this unknown vulnerability duo was originally disclosed by Chinese security researchers in June 2024. In the game of nation states, you know what that means [6].
What now? Patch vCenter to the latest available versions, await a working POC to document artifacts, hunt for suspicious behavior, and create new detections to match. Just like Log4J, attackers will continue to find new ways to outmaneuver patching and detections. Continue to monitor and defend. Happy hunting.
References
[1] https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-vmware-vcenter-server-now-exploited-in-attacks/
[2] https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968
[3] https://www.sonicwall.com/blog/vmware-vcenter-server-cve-2024-38812-dcerpc-vulnerability
[4] https://www.bleepingcomputer.com/news/security/vmware-fixes-bad-patch-for-critical-vcenter-server-rce-flaw/
[5] https://www.securityweek.com/vmware-struggles-to-fix-flaw-exploited-at-chinese-hacking-contest/
[6] https://www.scworld.com/analysis/stats-say-chinese-researchers-are-not-deterred-by-chinas-vulnerability-law
[7] https://www.wired.com/story/china-vulnerability-disclosure-law/
[8] https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vcenter.configuration.doc/GUID-135F2607-DA51-47A5-BB7A-56AD141113D4.html
[9] https://www.sans.edu/cyber-security-programs/bachelors-degree/
-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu