The recent bug named CVE-2021-30800 is no more DoS. Now it is proved to be a real Remote code execution.
I know that many users don't like applying and installing updates. I should say it is a really bad practice, especially in a business environment. But even there, a lot of iOS users postpone accepting new versions of an operating system together with the newest patches for vulnerabilities.
Now we have a great example of why it is critical.
📑 Table of Contents
What is RCE for CVE-2021-30800, and where it comes from?
Older devices: e.g., iPhone 5s are still on iOS 12.X, which is not vulnerable to the 0-click vulnerability.
If you with one of the older versions of an iOS-based device, then you are much likely not affected by the bug.
For everybody else, original research on the ZecOps blog mentioned that discovered bug (should has name CVE-2021-30800) is leading to Remote Code Execution and thus is a highly critical vulnerability for all users.
Upon connecting to a specially crafted wireless access point, the malicious code can be injected and executed with the highest privileges on that device, performing anything malicious actors wants.
Even though the malicious SSID will most likely have a very suspicious name on it is own, it couldn't be excluded that even “trustfully” named access points couldn’t be masqueraded.
This case was assigned to CVE-2021-30800. But it seems to be still under investigation, because there is no data on it in CVE database and it is only has status reserved.
Original vulnerability is much harmless.
The initial bug was discovered by security researcher Carl Schou, who experienced issues when connecting to his personal WiFi hotspot named with SSID named “%p%s%s%s%s%n”.
Based on this finding, another researcher Chi Chou was replicating the issue, but his conclusion was not so critical.
For the exploitability, it doesn't echo, and the rest of the parameters don't seem to be controllable. Thus I don't think this case is exploitable.
It took about a month to escalate the issue and prove the case is much more than just render the device non-responsive with a need for settings reset.
How to proceed and protect yourself?
There are basically only a few recommendations everybody should adhere to, which are allowing drastically reduce threat landscape:
- Apply and install updates and patches from the vendor as soon as possible. While it is difficult to prove those for supply chain attack, it is a rather low probability of that happened, compared to the risk of malicious actions from other actors.
- Check and secure your WiFi network periodically. If you can notice any suspicious signs of duplicated SSID names of your network or frequent drops from your WLAN network, it is better to investigate those cases better.
- Disable auto connection to open WAP permanently. It is very easy to establish a new open WAP with the purpose of catching opportunistic victims and sniffing on their traffic while they are using malicious access points to get the Internet.
- Use mobile network with preference to 4G or 5G to access the Internet. It doesn't mean that mobile networks are 100% safe, but it is much more difficult to break in modern mobile stacks if it is not 2G or 3G.
- Use a reliable VPN whenever connected to the Internet. It is a fundamental recommendation not only for public places and networks but generally for accessing the global net.
Stay tuned and watch around!
