An XNU kernel vulnerability leaves users of older macOS and iOS versions open to remote code execution attacks.
The details: Researchers at code security company LGTM found a heap buffer overflow vulnerability in Apple’s XNU operating system kernel that allows remote code execution on certain Mac and iOS devices by an attacker on the same Wi-Fi network.
XNU is the operating system kernel underlying both iOS and macOS, which makes iPhones, iPads and Macs all vulnerable, except where the vulnerability has been patched by recent Apple updates (see below). XNU was first developed by Steve Jobs’ NeXT and became the kernel for Mac computers after Apple bought the company in the mid-1990s, bringing Jobs back to Apple.
The vulnerability is triggered when a malicious IP packet is sent to the IP address of the target device. The notable aspect of the vulnerability is that no user interaction is required; all that needs to happen is for the target device to be on the same Wi-Fi network as the attacker.
LGTM notes the below operating system versions are vulnerable to the attack:
- All devices on iOS 11 and earlier
- Macs running OS X El Capitan and earlier
The vulnerability has been patched for macOS High Sierra (in Apple security update 2018-002) and macOS Sierra (in security update 2018-005).
The most current versions of Apple’s operating systems are iOS 12 and macOS Mojave (10.14).
Why it matters: For many years Apple claimed that Macs were more secure than Windows computers by default. This was a bit of a smokescreen by Apple, in that there were so few Mac computers in the world compared to Windows that many attackers focused all of their attention on Microsoft’s operating system, leaving little malware in the wild to affect Macs.
As Apple has grown to mammoth proportions in recent years, Macs and iOS devices have become more of a target, and zero-day exploits such as the one discovered by LGTM have become more valuable. Apple has done well to quickly patch the vulnerability in its latest updates, but anybody using an older Mac or an older version of iOS is still potentially vulnerable.
The vulnerability also reiterates two very important points: don’t use public Wi-Fi networks, and keep your devices up to date.
The hacker perspective:
Randori director of offensive security Evan “Syn” Anderson says,
"Everything should start with an assumption of breach. While designing secure systems, everything needs to start with the assumption that an attacker is on your network and knows about something you don’t. This is not the first time a buffer overflow has been found in a kernel and frankly will not be the last. If your organization defines secure as 'all the vulnerabilities are patched' there is a huge hole in your security posture and you might want to assume the bad guys most likely know how to take advantage of it."