
CoreTrust Multiple Signer Validation Vulnerability

From The Apple Wiki
Vulnerability in CoreTrust
Software: iOS
Vulnerable in: 14.0 - 16.6.1, 17.0
Fixed in: 16.7, 17.0.1
Disclosed: 21 September 2023 (2023-09-21)
Discovered by: Citizen Lab and Google TAG
CVE: CVE-2023-41991
Apple KB: 106369

CVE-2023-41991, discovered by Citizen Lab and Google Threat Analysis Group (TAG) as part of an in-the-wild 0-day exploit chain, bypasses code signing and allows an attacker to use arbitrary entitlements and gain root privileges.

It is mentioned in the iOS 17.0.1 and iOS 16.7 security contents:

Security
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later
Impact: A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
Description: A certificate parsing issue was addressed.
CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Specifically, CoreTrust was found to improperly validate CMS blobs that had multiple signers. When a CMS blob includes a signature taken from an App Store binary alongside a second, fake signer, CoreTrust returns the CodeDirectory hashes from the fake signer to AMFI, but uses the App Store signer to decide whether or not the binary is an App Store binary.
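The following is an added model of that validation flaw, not CoreTrust's or AMFI's actual code: a validator that takes the trust class from one SignerInfo and the CodeDirectory hash from another, beside a fail-closed variant that binds both outputs to the same verified signer (the hardening shown is an assumption about a sound design, not Apple's actual fix). Issuer names, hashes and the chain-verification flag are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder for the issuer that marks an App Store signature.
APP_STORE_ISSUER = "Apple iPhone OS Application Signing (placeholder)"


@dataclass(frozen=True)
class SignerInfo:
    issuer: str          # issuer name from the signer's certificate (constructed)
    cd_hash: bytes       # CodeDirectory hash this signer's signature actually covers
    chain_verified: bool # whether its certificate chain validated (constructed flag)


@dataclass(frozen=True)
class Verdict:
    is_app_store: bool        # the trust decision handed to AMFI
    cd_hash: Optional[bytes]  # the CodeDirectory hash handed to AMFI


def vulnerable_evaluate(signers: List[SignerInfo]) -> Verdict:
    """Flawed pattern: trust class from *any* verified App Store signer,
    hash from the first signer in the blob. The two may disagree."""
    if not signers:
        return Verdict(False, None)
    is_app_store = any(s.chain_verified and s.issuer == APP_STORE_ISSUER
                       for s in signers)
    return Verdict(is_app_store, signers[0].cd_hash)


def hardened_evaluate(signers: List[SignerInfo]) -> Verdict:
    """Fail closed: exactly one signer, its chain must verify, and both the
    trust class and the hash come from that same signer."""
    if len(signers) != 1 or not signers[0].chain_verified:
        return Verdict(False, None)
    s = signers[0]
    return Verdict(s.issuer == APP_STORE_ISSUER, s.cd_hash)


def demo() -> tuple:
    # Constructed blob: a fake signer covering the real binary's hash, plus a
    # genuine App Store SignerInfo copied from some other binary.
    fake = SignerInfo("Constructed Fake Issuer", b"\x11" * 20, False)
    store = SignerInfo(APP_STORE_ISSUER, b"\x22" * 20, True)
    return vulnerable_evaluate([fake, store]), hardened_evaluate([fake, store])
```

In the flawed path the verdict is "App Store" while the hash belongs to the untrusted signer; the hardened path rejects the ambiguous blob outright.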

While an in-depth analysis of the entire exploit chain was promised by Google TAG, it never materialised. The only public exploit for this bug is the one used in TrollStore 2.0 and above, written by Alfie.

It is unknown whether iOS 12 and 13 are vulnerable to this bug. However, since CoreTrust works differently on these versions, it wouldn't be exploitable.

External Links