{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/941987#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nSome Apple devices are vulnerable to arbitrary code execution at the Boot ROM level (called \"SecureROM\" by Apple) by exploiting a use-after-free vulnerability. Successful exploitation results in the ability to execute arbitrary code on the device. <a href=\"https://github.com/axi0mX/ipwndfu/blob/master/checkm8.py\">checkm8</a> is a public exploit for this vulnerability.\r\n\r\n### Description\r\n<a href=\"https://github.com/axi0mX/ipwndfu\">A vulnerability in the SecureROM</a> of some Apple devices can be exploited by an unauthenticated local attacker to execute arbitrary code upon booting those devices. SecureROM, which is located within the processor, contains the first code executed by the processor upon booting the device.  Because SecureROM is read-only, it cannot be patched with a firmware update.\r\n\r\nApple devices that implement processing chips A5 through A11 are vulnerable.  This corresponds to iPhone models 4S through X; additionally, certain models of iPad, Apple Watch, iPod Touch, and Apple TV are vulnerable. See the <a href=\"https://blog.malwarebytes.com/mac/2019/09/new-ios-exploit-checkm8-allows-permanent-compromise-of-iphones/\">Malwarebytes blog entry</a> for a full list of affected devices.  Further details about the vulnerability are available in <a href=\"https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/\">Ars Technica's interview with the vulnerability's discoverer</a>.\r\n\r\n### Impact\r\nThis vulnerability allows arbitrary code to be executed on the device.  Exploiting the vulnerability requires physical access to the device: the device must be plugged into a computer upon booting, and it must be put into Device Firmware Update (DFU) mode.  The exploit is not persistent; rebooting the device overrides any changes to the device's software that were made during an exploited session on the device. Additionally, unless an attacker has access to the device's unlock PIN or fingerprint, an attacker cannot gain access to information protected by Apple's Secure Enclave or Touch ID features.\r\n\r\n### Solution\r\nThe CERT/CC is currently unaware of a practical solution to this problem.  Because the vulnerability exists in the read-only Boot ROM level, replacing the device with one that does not contain a vulnerable processing chip is the only solution that guarantees immunity to the vulnerability.\r\n\r\nGenerally speaking, [physical access](https://www.kb.cert.org/vuls/id/789985) to a computer system can be used to bypass software-based access control mechanisms.\r\n\r\n### Acknowledgements\r\naxi0mX developed the checkm8 exploit for this vulnerability.\r\n\r\nThis document was written by Eric Hatleback, Will Dormann, and Art Manion.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/941987"},{"url":"https://github.com/axi0mX/ipwndfu","summary":"https://github.com/axi0mX/ipwndfu"},{"url":"https://github.com/axi0mX/ipwndfu/blob/master/checkm8.py","summary":"https://github.com/axi0mX/ipwndfu/blob/master/checkm8.py"},{"url":"https://twitter.com/i/web/status/1177542201670168576","summary":"https://twitter.com/i/web/status/1177542201670168576"},{"url":"https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/","summary":"https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/"},{"url":"https://www.apple.com/business/docs/site/iOS_Security_Guide.pdf","summary":"https://www.apple.com/business/docs/site/iOS_Security_Guide.pdf"},{"url":"https://blog.malwarebytes.com/mac/2019/09/new-ios-exploit-checkm8-allows-permanent-compromise-of-iphones/","summary":"https://blog.malwarebytes.com/mac/2019/09/new-ios-exploit-checkm8-allows-permanent-compromise-of-iphones/"},{"url":"https://www.kb.cert.org/vuls/id/789985","summary":"https://www.kb.cert.org/vuls/id/789985"}],"title":"Apple devices vulnerable to arbitrary code execution in SecureROM","tracking":{"current_release_date":"2020-10-08T15:30:01+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#941987","initial_release_date":"2019-09-27 00:00:00+00:00","revision_history":[{"date":"2020-10-08T15:30:01+00:00","number":"1.20201008153001.45","summary":"Released on 2020-10-08T15:30:01+00:00"}],"status":"final","version":"1.20201008153001.45"}},"vulnerabilities":[{"title":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.","notes":[{"category":"summary","text":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided."}],"cve":"CVE-2019-8900","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#941987"}],"product_status":{"known_affected":["CSAFPID-dda72726-39e7-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Apple","product":{"name":"Apple Products","product_id":"CSAFPID-dda72726-39e7-11f1-8422-122e2785dc9f"}}]}}