On April 20nd, 2020, ZecOps announced the discovery of two zero-day vulnerabilities affecting iOS devices including iPhone and iPad . Both vulnerabilities have existed since September 2012 and have been exploited in the wild since at least January of 2018. If exploited, the pair of vulnerabilities allow remote threat actors to leak, modify, or delete emails in the Apple Mail App. Apple has released a beta version for iOS that fixes the issues, but this is currently only available for members of the Apple Developer Program.
Until a security update is widely released, organizations are recommended to disable the use of Apple mail on corporate devices.
What we’re doing about it
- eSentire security teams are monitoring the situation for new information.
What you should do about it
- If you are a member of Apple's Apple Developer Program, after performing a business impact review, update to iOS 13.4.5 beta.
- Consider disabling the Apple Mail application .
- Apply Apple iOS updates once they become available.
The discovered vulnerabilities are classified as an out-of-bounds write vulnerability and a heap-overflow vulnerability allowing for remote code execution (RCE) in the context of the Apple Mail app.
It should be noted that all iOS versions from iOS6 - iOS 13.4.1 are confirmed vulnerable. Versions prior to 6 may be vulnerable but have not been tested at this time.
In an attack scenario, a threat actor would send specially crafted email to a victim’s mailbox. The email appears to be blank to the victim. If the user is running iOS 13, no user interaction is required for compromise. If the user is running iOS 12 or earlier, the user would have to open the email for compromise to occur. From the user perspective, their device may run slower than expected, but no other notable disruptions occur.