Overview
On November 5th, 2020, Apple patched three iOS zero-day vulnerabilities that were being exploited in the wild and that affect Apple devices such as iPhone, iPad, and iPod.
Ben Hawkes from Google Project Zero discovered these flaws, which affect several variants of Apple devices.
CVE-2020-27930 (RCE) – An RCE in the FontParser library, triggered by memory corruption while accessing a maliciously crafted font.
CVE-2020-27950 (memory leak) – Allows a malicious application to execute arbitrary code with kernel privileges due to a memory initialization issue.
CVE-2020-27932 (kernel privilege escalation) – Allows a malicious application to execute arbitrary code with kernel privileges due to a type-confusion issue.
Affected Apple devices
- iPhone 6s and later
- iPod Touch 7th generation
- iPad Air 2 and later
- iPad Mini 4 and later
- Macs running macOS Catalina versions prior to macOS Catalina 10.15.7
- iPads running iPadOS versions prior to iOS 14.2
- Apple Watches running watchOS versions prior to watchOS 7.1, watchOS 6.2.9, watchOS 5.3.9
- Apple TVs running tvOS versions prior to tvOS 14.2
Mitigation
Apple has released iOS and iPadOS 14.2, the latest version, as the fix for these zero-day vulnerabilities. The same security bugs have been fixed in iPadOS 14.2 and watchOS 5.3.8, 6.2.9, and 7.1, and the fixes have also been backported to older-generation iPhones via iOS 12.4.9.
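The fixed releases named above can be checked against a device inventory. The following Python example is added here and is not Qualys or Apple code; it covers only iOS and iPadOS, uses a constructed inventory with hypothetical device names, and assumes that a release branch with no fix listed above (for example iOS 13.x) has to move to the newest fixed release.

```python
import re

# Fixed releases as stated in the advisory above (iOS and iPadOS only),
# keyed by major-version branch.
FIXED = {
    "ios": {12: "12.4.9", 14: "14.2"},
    "ipados": {14: "14.2"},
}

def parse_version(text):
    """Turn '14.1' or '12.4.8' into a 3-tuple of ints; None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, version_text):
    """Return (status, fixed release to install or None)."""
    branches = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if branches is None or version is None:
        return ("unknown", None)
    fix = branches.get(version[0])
    if fix is not None:  # branch has its own fixed release
        return ("patched", None) if version >= parse_version(fix) else ("vulnerable", fix)
    newest = branches[max(branches)]
    if version > parse_version(newest):
        return ("patched", None)  # assumption: later releases keep the fix
    return ("unfixed-branch", newest)  # assumption: e.g. iOS 13.x must move up

def triage(inventory):
    """Return (name, status, target release) for each device not confirmed patched."""
    rows = [(name, *classify(plat, ver)) for name, plat, ver in inventory]
    return [r for r in rows if r[1] != "patched"]

# Constructed sample inventory (hypothetical device names).
SAMPLE = [
    ("iphone-6s-lab", "iOS", "12.4.8"),
    ("iphone-11-ceo", "iOS", "14.2"),
    ("iphone-xr-dev", "iOS", "13.7"),
    ("ipad-air2-kiosk", "iPadOS", "14.1"),
    ("ipad-mini4-pos", "iPadOS", "14.2.1"),
    ("iphone-unknown", "iOS", "14.x"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Devices reported as "unknown" carry a platform or version string the check cannot interpret and need a manual look rather than being counted as patched.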
Qualys Detection
Qualys customers can scan their network with QIDs 610295 and 610296 to detect vulnerable assets. Kindly continue to follow Qualys Threat Protection for more coverage on these vulnerabilities.