{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-061.pdf"
    },
    "title": "Zero-Click Vulnerabilities in Apple Operating Systems",
    "serial_number": "2023-061",
    "publish_date": "08-09-2023 10:08:31",
    "description": "In an article published on September 7, 2023, Citizen Lab uncovered an actively exploited zero-click vulnerability used to deliver NSO Group's Pegasus spyware to an employee of a Washington DC-based civil society organisation. This exploit, named \"BLASTPASS\", could compromise iPhones running the latest iOS version without user interaction. The exploit involved \"PassKit\" attachments containing malicious images sent from an attacker iMessage account to the victim.<br>\nCitizen Lab promptly reported their findings to Apple, who issued two CVEs related to this exploit chain (CVE-2023-41064 and CVE-2023-41061). These vulnerabilities have now been patched in iOS, iPadOS, watchOS and macOS.<br>\n",
    "url_title": "2023-061",
    "content_markdown": "---\ntitle: 'Zero-Click Vulnerabilities in\u00a0Apple\u00a0Operating\u00a0Systems' \nversion: '1.0'\nnumber: '2023-061'\noriginal_date: 'September 7, 2023'\ndate: 'September 8, 2023'\n---\n\n_History:_\n\n* _08/09/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nIn an article published on September 7, 2023, _Citizen Lab_ uncovered an actively exploited zero-click vulnerability used to deliver NSO Group's **Pegasus** spyware to an employee of a Washington DC-based civil society organisation [1]. This exploit, named `BLASTPASS`, could compromise iPhones running the latest iOS version without user interaction. The exploit involved `PassKit` attachments containing malicious images sent from an attacker iMessage account to the victim.\n\n_Citizen Lab_ promptly reported their findings to Apple, who issued two CVEs related to this exploit chain (CVE-2023-41064 and CVE-2023-41061). These vulnerabilities have now been patched in iOS, iPadOS, watchOS and macOS.\n\n# Technical Details\n\n## CVE-2023-41064 \n\nA buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited [2].\n\n## CVE-2023-41061 \n\nA validation issue was addressed with improved logic. This issue is fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. A maliciously crafted attachment may result in arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited [3].\n\n# Affected Products\n\nmacOS Ventura, watchOS, iOS and iPadOS devices.\n\n# Recommendations\n\nCERT-EU strongly recommends updating Apple devices.\n\nUsers who may face increased risk because of who they are or what they do could enable `Lockdown Mode` [4].\n\n# References\n\n[1] <https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/>\n\n[2] <https://nvd.nist.gov/vuln/detail/CVE-2023-41064>\n\n[3] <https://nvd.nist.gov/vuln/detail/CVE-2023-41061>\n\n[4] <https://support.apple.com/en-ca/HT212650>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>08/09/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>In an article published on September 7, 2023, <em>Citizen Lab</em> uncovered an actively exploited zero-click vulnerability used to deliver NSO Group's <strong>Pegasus</strong> spyware to an employee of a Washington DC-based civil society organisation [1]. This exploit, named <code>BLASTPASS</code>, could compromise iPhones running the latest iOS version without user interaction. The exploit involved <code>PassKit</code> attachments containing malicious images sent from an attacker iMessage account to the victim.</p><p><em>Citizen Lab</em> promptly reported their findings to Apple, who issued two CVEs related to this exploit chain (CVE-2023-41064 and CVE-2023-41061). These vulnerabilities have now been patched in iOS, iPadOS, watchOS and macOS.</p><h2 id=\"technical-details\">Technical Details</h2><h3 id=\"cve-2023-41064\">CVE-2023-41064</h3><p>A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited [2].</p><h3 id=\"cve-2023-41061\">CVE-2023-41061</h3><p>A validation issue was addressed with improved logic. This issue is fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. A maliciously crafted attachment may result in arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited [3].</p><h2 id=\"affected-products\">Affected Products</h2><p>macOS Ventura, watchOS, iOS and iPadOS devices.</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends updating Apple devices.</p><p>Users who may face increased risk because of who they are or what they do could enable <code>Lockdown Mode</code> [4].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/\">https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2023-41064\">https://nvd.nist.gov/vuln/detail/CVE-2023-41064</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2023-41061\">https://nvd.nist.gov/vuln/detail/CVE-2023-41061</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.apple.com/en-ca/HT212650\">https://support.apple.com/en-ca/HT212650</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}