Vulnerability in iOS 12 allows attackers to retrieve files from Apple devices without user interaction

Published: 01/08/2019

Reference:
Advisory #2019-019

Version:
1.0

Affected software:
iOS 12 (>12.4)

Type:
Remote data exfiltration

CVE/CVSS:
unrated

Risks

Remote data exfiltration without user interaction.

Description

The issue is caused by the _NSDataFileBackedFuture class, which can be deserialized even if secure encoding is enabled. This leads to two major problems:

- Arbitrary access to local files is allowed if the code deserializing the buffer shares memory with it.

- An NSData object can be created whose length does not match the length of its byte array, leading to remote reads (and potentially write operations).

These actions could lead, for example, to the SMS database or binary files (like images) being exfiltrated without user interaction.
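
As an added illustration (not part of the CERT.be advisory and not Apple's code), the following Python check inspects a serialized keyed archive before it reaches a decoder and reports the class names it declares, flagging `_NSDataFileBackedFuture`. It assumes the NSKeyedArchiver property-list layout (`$archiver`, `$objects`, `$classname`, `$classes`); the allow-list, function names and sample archives are constructed for this example.

```python
import plistlib

# Hypothetical allow-list: the classes this consumer expects in its archives.
ALLOWED_CLASSES = {"NSDictionary", "NSString", "NSData", "NSObject"}
# Class named in the advisory; reported separately from other surprises.
FLAGGED_CLASSES = {"_NSDataFileBackedFuture"}


def archive_class_names(blob: bytes) -> set:
    """Return every class name declared in a keyed archive, without decoding objects."""
    root = plistlib.loads(blob)  # plain plist parse; no Objective-C objects are built
    if not isinstance(root, dict) or root.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver archive")
    objects = root.get("$objects")
    if not isinstance(objects, list):
        raise ValueError("archive has no $objects table")
    names = set()
    for obj in objects:
        # Class records are dicts holding $classname plus the $classes superclass chain.
        if isinstance(obj, dict) and "$classname" in obj:
            chain = obj.get("$classes")
            candidates = [obj["$classname"]] + (chain if isinstance(chain, list) else [])
            names.update(c for c in candidates if isinstance(c, str))
    return names


def check_archive(blob: bytes) -> dict:
    """Classify the archive's declared classes against the allow-list."""
    names = archive_class_names(blob)
    return {
        "flagged": sorted(names & FLAGGED_CLASSES),
        "unexpected": sorted(names - ALLOWED_CLASSES - FLAGGED_CLASSES),
        "ok": names <= ALLOWED_CLASSES,
    }


def build_sample(classname: str, chain: list) -> bytes:
    """Constructed sample: a minimal keyed archive declaring one class."""
    return plistlib.dumps({
        "$archiver": "NSKeyedArchiver",
        "$version": 100000,
        "$top": {"root": plistlib.UID(1)},
        "$objects": ["$null", {"$class": plistlib.UID(2)},
                     {"$classname": classname, "$classes": chain}],
    }, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    print(check_archive(build_sample("NSData", ["NSData", "NSObject"])))
    print(check_archive(build_sample(
        "_NSDataFileBackedFuture", ["_NSDataFileBackedFuture", "NSData", "NSObject"])))
```

Such a check only reports what an archive declares; the fix remains the iOS update recommended below.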

Recommended Actions

CERT.be recommends that all users of Apple iOS devices upgrade their devices to the latest version of iOS today.

Remark: Only iPhone models 5s and later, iPad Air (and later iPad models), and iPod Touch 6th generation and later are able to run iOS 12. This vulnerability only exists in iOS 12.

References

https://support.apple.com/en-us/HT210346