Today, Apple announced a series of critical remote code execution vulnerabilities in Apple’s XNU operating system kernel. XNU is the kernel of macOS, iOS, and other Apple operating systems, which run on more than 1.3 billion devices globally. The vulnerabilities are in XNU’s networking code and its client-side NFS implementation. They were discovered by Kevin Backhouse from the Security Research Team here at Semmle, using our variant-analysis engine to search for vulnerability patterns in source code.

The vulnerabilities may allow malicious attackers on the same network to take control of any vulnerable Apple device. A remote attacker could run arbitrary code, extract data, crash the devices, or reset them to factory settings. Apple fixed the vulnerabilities in macOS Sierra, High Sierra and Mojave and iOS 12. Organizations and individual users of Apple devices are urgently advised to upgrade their operating systems to the latest available version.

Severity and mitigation

Kevin discovered two types of vulnerabilities in the XNU kernel.

CMP packet-handling vulnerability

The first is a heap buffer-overflow vulnerability in the ICMP packet-handling module of the XNU kernel’s networking code (CVE-2018-4407).

This vulnerability may let an attacker execute arbitrary code or extract data from a device by sending a malicious IP packet across the network. An attacker could also overwrite the heap with garbage, crashing the device and forcing a reboot.

The vulnerable ICMP code is shared across many Apple devices; so far we have established that MacBooks, iPhones, and iPads are vulnerable. The following video demonstrates an exploit for the vulnerability:

Because the vulnerability can be easily exploited, and is remotely triggerable without any user interaction, the vulnerability could be automated as a denial-of-service attack, continually crashing all vulnerable devices on a network, which could effectively shut down an organization.

The ICMP vulnerability is a heap buffer overflow in the kernel, and it is remotely triggerable without any user interaction. An attacker can target any Apple device on the same network; no need for special permissions or specialist hardware. That’s about as bad as it gets for kernel vulnerabilities. Apart from upgrading, there’s very little users can do to protect themselves. Kevin Backhouse Semmle Security Researcher

The vulnerability affects any device running iOS 11 or macOS Sierra or High Sierra. It was fixed in iOS 12, which Apple released on September 17, 2018, and in macOS Mojave, released on September 24, 2018, as well as macOS Sierra and High Sierra as of today. As of October 29, 2018, Apple indicates that only 60% of all iOS devices were running the patched iOS 12, and we therefore strongly advise users to upgrade.

NFS client vulnerabilities

The second type of vulnerability is in the client-side Network File System (NFS) implementation of the XNU kernel. Kevin found five independent, potentially exploitable vulnerabilities (CVE-2018-4259, CVE-2018-4286, CVE-2018-4287, CVE-2018-4288, and CVE-2018-4291). After he discovered one vulnerability he performed variant analysis using Semmle QL to find the other attack vectors in the NFS code.

The NFS protocol allows users to access files on a network as if it was local storage. NFS is widely used by enterprises and in network-attached storage (NAS) devices for home use. The vulnerabilities allow an attacker to mount a maliciously-crafted NFS volume to gain kernel-level privileges. This privilege level is higher than a normal administrator user account. Among other things, it allows an attacker to read, write, and delete arbitrary files on disk and in memory, install new applications, or wipe and reset the device to factory settings. No special permissions are required in macOS to mount an NFS share, so the vulnerabilities can be exploited by any user, including the built-in guest account, which does not require a password.

The vulnerabilities affect Macs running macOS version 10.13.5 and earlier. The vulnerability was fixed in macOS 10.13.6, released on July 9, 2018. We strongly advise users to upgrade.

XNU: The kernel at the core of every Apple device

All modern Apple operating systems share the same kernel, which runs at the core of macOS, iOS, tvOS, audioOS and watchOS. For this reason low level features such as networking, memory and file system features are shared across Macbooks, iPhones and Apple Watches. This means that a single vulnerability may impact hundreds of millions of devices, and impact millions of consumers.

Part of the code for Apple’s kernel is released as open source, allowing developers to better understand the kernel architecture and create applications that are optimized for the underlying technology of Apple devices. The open nature of the kernel code also allows the security research community to help strengthen Apple’s software.

Serious vulnerabilities in widely-used software, like Apple's XNU kernel, affect each and every one of us. It's crucial for the security community to collaborate and share their research to protect us all. Pavel Avgustinov VP of Platform Engineering at Semmle

About the discovery

The vulnerabilities were discovered by Kevin Backhouse. As part of his work for the Semmle Security Research Team, Kevin uses Semmle QL to write queries that search for vulnerability patterns in source code. Once those vulnerabilities have been verified as genuine, Semmle’s variant-analysis engine can then find other occurrences of the same vulnerability across a codebase or an entire software portfolio. In the case of the NFS vulnerabilities, once Kevin had found one vulnerability, QL variant analysis allowed him to quickly find others.

For an in-depth explanation of how Kevin discovered the vulnerabilities in XNU using Semmle QL, see his blog posts about the ICMP packet handling vulnerability and the NFS client vulnerabilities.

Disclosure timelines

The vulnerabilities were discovered and reported in two groups. Below are the respective timelines:

ICMP packet handling vulnerability

August 9, 2018: Privately disclosed to Apple. Proof-of-concept exploit included.

Privately disclosed to Apple. Proof-of-concept exploit included. August 9: Report acknowledged by Apple’s product security team.

Report acknowledged by Apple’s product security team. August 22: Apple confirms that the issue is fixed in the betas of macOS Mojave and iOS 12.

Apple confirms that the issue is fixed in the betas of macOS Mojave and iOS 12. September 17: Apple releases iOS 12. Semmle confirmed the vulnerability was patched.

Apple releases iOS 12. Semmle confirmed the vulnerability was patched. September 24: Apple releases macOS Mojave. Semmle confirmed the vulnerability was patched.

Apple releases macOS Mojave. Semmle confirmed the vulnerability was patched. October 30: Apple releases security updates and discloses the vulnerability.

NFS client vulnerabilities

May 21, 2018: Privately disclosed to Apple. Proof-of-concept exploit included.

Privately disclosed to Apple. Proof-of-concept exploit included. May 22: Report acknowledged by Apple’s product security team

Report acknowledged by Apple’s product security team July 9: Apple releases macOS version 10.13.6. Semmle confirmed the vulnerabilities were patched.

Apple releases macOS version 10.13.6. Semmle confirmed the vulnerabilities were patched. October 30: Apple releases security updates and discloses the vulnerabilies.

Coordinated disclosure

Semmle takes coordinated disclosure very seriously. In accordance with our standard practice, the Security Research Team has collaborated with Apple to ensure an effective patch is made available as quickly as possible. For more information about our security team, the research they do, and our disclosure policy, visit semmle.com/security.

How Semmle keeps your code safe

At Semmle we believe security knowledge should be a shared resource, and the only way to prevent attacks is by bringing together the community of security researchers across the world to share our collective expertise. Semmle’s Security Research Team collaborates with open source teams and enterprises to continually discover and disclose vulnerabilities in popular open source components.

Semmle’s flagship product, LGTM detects security vulnerabilities and other critical bugs in codebases and software portfolios. LGTM is powered by Semmle’s QL technology, a variant analysis engine that allows developers to write queries for deep semantic code search. Both LGTM and QL are free to use for open source projects at LGTM.com.

At the time of this disclosure, LGTM.com is continuously analyzing every commit of more than 100,000 open source projects. Project teams from organizations including NASA and Google rely on LGTM.com, while closed source codebases within these organizations are analyzed by Semmle’s enterprise product range.

About Semmle

Semmle secures the software that runs the world, with analytics that developers love and CIOs trust. Software engineering and security teams at Credit Suisse, Dell, Google, Microsoft, NASA and Nasdaq depend on the Semmle analytics platform to create more reliable and trustworthy code without slowing down. Headquartered in San Francisco, Semmle is a privately held company funded by Accel, with additional offices in Copenhagen, New York City, Oxford, Seattle and Valencia.

Contact information

If you would like to speak to us about this vulnerability, please contact us at security@semmle.com, or reach out on Twitter: @Semmle