Blog: Fortigate CVE-2023-27997 (XORtigate) in the eyes of the owl
Jailbreak of iOS 13.5 and risks for companies
Published on
Update 03/06/2020: Apple has released version 13.5.1 of iOScorrecting the kernel vulnerability cited in this blog post and referenced as CVE-2020-9859 https://support.apple.com/en-us/HT211214.
Apple has released version 13.5 of its iOS operating system: https://support.apple.com/en-us/HT210393
This new version, sometimes referred to as a "COVID-19 special", incorporates the Exposure Notification API allowing applications to track people who have been close to you.
All the details are not yet published, but it mainly includes:
-The patch for a security flaw that allowed an app to break out of the iOS sandbox and thus access data other than authorized https://siguza.github.io/psychicpaper/ ;
The patch for the famous vulnerabilities in the Mail application, which allowed to compromise an iPhone or iPad by sending a simple email (see "Security Critical vulnerabilities in the Apple iOS Mail application" (note that iOS 12.4.7 recently released, also fixes these vulnerabilities)
For still supported devices, I strongly recommend installing this 13.5 update.
For older devices, Apple has "generously" released a patch on its 12 branch with iOS 12.4.7. So I also recommend you to install this version for iPhone 5s, 6, 6 Plus, iPad Air, mini 2, mini 3 and iPod touch of 6th generation: https://support.apple.com/fr-fr/HT209084#1247
Jailbreak
The unc0ver group had announced to wait for the release of iOS 13.5 to publish the new version of its jailbreak tool.
Apple has released iOS 13.5, unc0ver has released version 5.0.0 of its jailbreak tool, followed quickly by a stable version 5.0.1, fixing some problems: https://github.com/pwn20wndstuff/Undecimus/releases and https://www.unc0ver.dev/
This tool allows you to jailbreak (unlock) all Apple devices running on iOS versions 11 to 13.5 ie:
- iPhone 11, 11 Pro, 11 Pro Max, XR, XS, XS Max, 8, 8 Plus, 7, 7 Plus, 6S, 6S Plus, SE, 6, 6 plus
- iPad Pro 2018, 1st generation, 2nd generation, 10.5 inch
- iPad 7th, 6th and 5th generation
- iPad Mini 4, Air 2, Air 3 This jailbreak relies on the checkm8 vulnerability already mentioned earlier but also on a kernel vulnerability discovered by pwn20wnd (https://twitter.com/pwn20wnd) allowing to specifically unlock iOS 13.5.
As the jailbreak tool has been released, it didn't take long for others to analyze it and extract the core vulnerability. This is the case of the Russian company ElcomSoft, which has already communicated on the integration of the vulnerability in its tools:
The jailbreak tool requires physical access to the terminal and to have the code to unlock it, but this still presents a risk with respect to Apple equipment in business and for individuals, let's not forget them 😉. There is also a way to jailbreak iOS 13.5 without going through a computer and therefore without physical access in the sense of "plugging a cable", using the kinds of alternative application stores, allowing to add internal application stores, mainly for businesses (enterprise store).
It is necessary to install in the trusted profiles of its iPhone or iPad as :
- zJailbreak
- Xabsi
- Cokernutx https://www.cokernutx.com/ All the details are here: https://yalujailbreak.net/jailbreak-ios-135-without-computer/
This technique requires an unlocked iPhone or iPad (or with the code) and with access to the Internet (or a WiFi relaying an Internet access) but it is not "zero click" as could be the chain of vulnerabilities Mail and a core.
Note that the jailbreak method using Cydia Impactor does not really work since fall 2019 because Apple has changed the operation of the signatures of applications, no longer allowing to have a free account and therefore requiring a paid developer account: https://twitter.com/saurik/status/1196888477830221824
Risks for companies
It is important to specify that we will only talk here about known vulnerabilities and whose exploitation codes are public or almost. Unknown vulnerabilities, there are lots of them, so much so that some vulnerability buying and reselling programs have temporarily stopped the purchase of iOS vulnerabilities (to be taken with hindsight as it is also an announcement effect):
iPhones and iPads that are not up to date (of security patches) are vulnerable mainly to two known vulnerabilities: the one on Mail and this new kernel vulnerability. The risks are numerous and the main one is the remote compromise of the device, or with a physical access, leading to the leakage of sensitive data (passing, incidentally, by a takeover of the device, the injection of a backdoor...).
Can't wait for the iOS 13.5.1 release 😉.
Ambiance at Apple right now:
