Apple has released an emergency update for iOS to repair a vulnerability in the kernel that allows an attacker to escape the iOS sandbox and run arbitrary code with kernel privileges.
The flaw is not a new one. In fact, this is the second time that Apple has fixed it. Originally patched in iOS 12 in 2018, the vulnerability (CVE-2020-9859) was later reintroduced. The original bug was used in the jailbreak community for some time, and the second iteration of it was as well, having been included in a new version of the unc0ver jailbreak tool. On May 23, unc0ver 5.0 was released, making use of the latest version of the vulnerability, allowing people to jailbreak devices running iOS versions 11.0 through 13.5. Version 13.5.1 of iOS, released Monday, fixes the vulnerability.
Researchers at Synacktiv discovered the original vulnerability, which is a race condition in the kernel that can lead to a use-after-free bug and had been in the Xnu kernel in iOS for many years at that point.
“This vulnerability is located in the lio_listio syscall and is triggerable by a race condition. It can effectively be used to free a kernel object twice, leading to a potential Use After Free. The vulnerability itself has been introduced sometime between xnu-1228 and xnu-1456 so about 9 years ago and should be exploitable on most iOS multi-core devices until iOS 11.4.1 (included), and MacOS until 10.14. Internally we named this vulnerability LightSpeed, in reference to the tricky race condition to win,” Luca Moro of Synacktiv wrote in an explanation of the bug in 2018.
“Because the listio_lio syscall is reachable from any sandbox and given the (potentially) interesting primitives offered by the vulnerability, LightSpeed might be used to jailbreak iOS 11.4.1.”
"the risk for this vulnerability to be used by malicious actors is relatively low."
The newer iteration of the vulnerability is essentially identical to the older one, and the same proof-of-concept code that Synacktiv released in 2018 works against it. Moro said in a post last week that the flaw fixed in iOS 13.5.1 likely was already well known in the research and attacker communities, but is not simple to exploit.
“The good news is that this vulnerability cannot be exploited from the WebKit renderer process since its sandbox has been considerably tightened since iOS 13 with the introduction of syscall whitelist,” Moro said.
“This means that the risk for this vulnerability to be used by malicious actors is relatively low. An attacker would first have to compromise a vulnerable service or application in order to exploit this vulnerability.”