CoreTrust Root Certificate Validation Vulnerability

CVE-2022-26766, discovered by Linus Henze, allows arbitrary entitlements to be granted to an application.

It is mentioned in the iOS 15.5 security content:


 * Security
 * Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
 * Impact: A malicious app may be able to bypass signature validation
 * Description: A certificate parsing issue was addressed with improved checks.
 * CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

Specifically, CoreTrust was found to improperly validate whether the root certificate of the Mach-O's certificate chain matched the expected Apple root. As a result, an app signed with a self-signed root certificate could not only be successfully sideloaded and executed, but could also gain further privileges by using sensitive entitlements whose use would otherwise be restricted.
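As an added illustration (not code from CoreTrust, Apple, or TrollStore), the following Go program contrasts the flawed check with the corrected one: both validate every signature in the chain, but only the corrected variant compares the chain's root against a pinned trust anchor. The certificate names, the keys and the "Placeholder Trusted Root" are all constructed here and stand in for Apple's real root.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent (self-signed when parent is nil); keys are constructed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // error handling elided
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsTo reports whether chain[0] validates, through the rest of chain, up to anchor.
func chainsTo(chain []*x509.Certificate, anchor *x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
// weakVerify models the flaw: the chain's own last cert is the anchor, so any self-signed root passes.
func weakVerify(c []*x509.Certificate) bool { return chainsTo(c, c[len(c)-1]) }
// pinnedVerify is the corrected check: the chain must end in the pinned trusted root.
func pinnedVerify(c []*x509.Certificate, root *x509.Certificate) bool { return chainsTo(c, root) }

// Demo returns weak and pinned results for a rogue-root chain, and the pinned result for a legit chain.
func Demo() (rogueWeak, roguePinned, legitPinned bool) {
	trusted, trustedKey := mkCert("Placeholder Trusted Root", true, nil, nil) // stands in for Apple's root
	rogueRoot, rogueKey := mkCert("Rogue Self-Signed Root", true, nil, nil)
	rogueLeaf, _ := mkCert("Sideloaded App", false, rogueRoot, rogueKey)
	legitLeaf, _ := mkCert("Legit App", false, trusted, trustedKey)
	rogue, legit := []*x509.Certificate{rogueLeaf, rogueRoot}, []*x509.Certificate{legitLeaf, trusted}
	return weakVerify(rogue), pinnedVerify(rogue, trusted), pinnedVerify(legit, trusted)
}
```

The weak check accepts the rogue chain because every signature is valid and the chain ends in a self-signed certificate; the pinned check rejects it while still accepting the chain issued under the trusted root.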

It was fixed in iOS 15.5, but re-introduced in the iOS 15.6 betas and fixed again in the iOS 15.6 RC. Because it is a regression, iOS 12 and 13 are not vulnerable; versions prior to iOS 12 did not include CoreTrust at all.

This vulnerability is used by TrollStore.