Apple Wireless Direct Link (AWDL) Denial of Service vulnerability(CVE-2020-3843)

Posted by Author Dhiren Vaghela on Posted on

Overview

Apple Wireless Direct Link (AWDL), the wireless protocol that ensures uninterrupted communications among various Apple devices globally, was recently infected by, a trivial bug resulting into buffer overflow via kernel memory corruption in wi-fi driver of AWDL.

Ian Beer, a google project zero researcher detailed out this vulnerability was exploitable on various iPhones and other iOS devices until May 2020.

Description

The vulnerability seems to be zero exploit as no input was needed from the victim’s end. It allows attackers to take full control of vulnerable devices as well as access to emails, pictures and maybe even watching through iPhone’s camera.

Beer declares, “today’s iPhones, iPads, Macs and Watches use a protocol called Apple Wireless Direct Link (AWDL) to create mesh networks for features like AirDrop (so one can easily beam photos and files to other iOS devices) and Sidecar (to quickly turn an iPad into a secondary screen).”

Taking advantage of this loophole in AWDL, he used a setup that included Raspberry Pi, iPhone and two different Wi-Fi adaptors to achieve arbitrary kernel memory read and write remotely, leveraging it to inject shellcode payloads into the kernel memory via a victim process.

After six months of research into building a POC, Beer has come up with a video presentation for CVE-2020-3843.

In defense, Apple suggests that an attacker would have needed to be within Wi-Fi range for it to work.

Affected Versions:

  • macOS Mojave prior to 10.14.6
  • macOS High Sierra prior to 10.13.6
  • macOS Catalina prior to 10.15.2
  • iPhone 6s and prior
  • iPad Air 2 and prior
  • iPad mini 4 and prior
  • iPod touch prior to 7th generation
  • watchOS prior to 5.3.7

Mitigation:

Apple has released a patch for this vulnerability, and an appropriate version can be downloaded from one of the following links:

Qualys Detection:

Qualys customers can detect vulnerable instances/assets with QID(s) 372361, 610262 and 610071. Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities. 

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1982

https://support.apple.com/en-us/HT210919

https://support.apple.com/en-us/HT211176

https://support.apple.com/en-us/HT210918

https://owlink.org/wiki/

https://www.theverge.com/2020/12/1/21877603/apple-iphone-remote-hack-awdl-google-project-zero

https://thehackernews.com/2020/12/google-hacker-details-zero-click.html

Leave a Reply

Your email address will not be published. Required fields are marked *