| Vulnerability in XNU | |
|---|---|
| Vulnerable in | |
| Disclosed | 28 December 2023 |
| Discovered by | Kaspersky |
| CVE | CVE-2023-38606 |
| Apple KB | |
dmaFail is a vulnerability fixed in iOS 16.6. It was discovered and disclosed by Kaspersky after a cyber-attack on their own employees. While investigating that attack, they captured an entire chain of 0-day vulnerabilities, most of which were detailed in their talk at 37c3.

Through the use of undocumented cache debug registers, an attacker could issue memory writes to any address, including PPL-protected memory. The writes land in the cache rather than in the backing memory, at least at first. The vulnerability also allows writes to KTRR-protected memory, but when the cache line is eventually written back, the AMCC rejects the write because the address lies within the read-only kernel code region.

dmaFail was properly fixed in iOS 16.6. On A15 and A16 devices, however, an extra register required by the exploit had already been made unusable in iOS 16.5.1, so the vulnerability is unexploitable on iOS 16.5.1 for those devices.