September 12, 2023

BlastPass - iOS 16.6 and 15.7.8


Lookout Coverage and Recommendation for Admins

Lookout offers multiple levels of protection against BlastPass. With the vulnerabilities fixed in iOS and iPadOS 16.6.1, Lookout strongly recommends that all users install the latest security patch. In addition, Lookout recommends setting the Out of Date OS policy to a minimum of 16.6.1 for both iPhones and iPads.

Further, exploited devices are detected by Lookout’s device compromise detection. We recommend reviewing the default surveillanceware and device policies (such as Root/Jailbreak and unencrypted device) so that all access is removed when a compromise is detected. Furthermore, phishing and content protection guards against the C2 servers likely utilised to complete the attack.

CISA guidelines mandate government organizations to update to the patched versions by Oct 02, 2023.

Overview

Apple released two security updates, 16.6.1 and 15.7.9, for iOS and iPadOS. 16.6.1 contains two important security fixes, which address the vulnerabilities exploited by the BlastPass exploit chain. The fix is critical for all iPhone and iPad users because the exploit chain can be launched and executed remotely without any user interaction. Older devices can be updated to 15.7.9 to receive these fixes. The two vulnerabilities are tracked as CVE-2023-41064 and CVE-2023-41061. Researchers have reported finding devices actively exploited in the wild, where “the exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim”.
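The recommendation above (a minimum-version policy of 16.6.1, with 15.7.9 as the fix for devices that stay on iOS/iPadOS 15) is easy to get wrong with plain string comparison. The following is an added example, not Lookout's own code or product policy: it checks a constructed device inventory against both fix versions using numeric version tuples. It assumes that any build at or above 16.6.1 (including later major versions) carries the fix and that majors below 15 have no fix available.

```python
# Added example (not Lookout's code): check an MDM inventory against the
# BlastPass fix versions named in the advisory, 16.6.1 and 15.7.9.
from typing import List, Tuple

FIX_16 = (16, 6, 1)  # iOS/iPadOS 16.6.1, the recommended policy floor
FIX_15 = (15, 7, 9)  # iOS/iPadOS 15.7.9, the fix for older devices


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '16.6' or '15.7.9' into a comparable 3-tuple; missing parts are 0."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {s!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(version: str) -> bool:
    """True if the build carries the fixes for CVE-2023-41064 / CVE-2023-41061.

    Assumption (not stated on the page): anything at or above 16.6.1, including
    later majors, is fixed; 15.x builds are fixed from 15.7.9 onward; majors
    below 15 are treated as unpatched because the page names no fix for them.
    """
    v = parse_version(version)
    if v[0] == 15:
        return v >= FIX_15
    return v >= FIX_16


def unpatched_devices(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return device ids whose reported OS version is below the fix for its branch."""
    return [dev for dev, ver in inventory if not is_patched(ver)]


# Constructed sample inventory: (device id, OS version reported by the MDM).
SAMPLE_INVENTORY = [
    ("iphone-01", "16.6.1"),
    ("iphone-02", "16.6"),     # below 16.6.1: update required
    ("ipad-03", "15.7.9"),
    ("ipad-04", "15.7.8"),     # below 15.7.9: update required
    ("iphone-05", "15.7.10"),  # string compare would call this < 15.7.9; tuples do not
    ("iphone-06", "17.0"),     # later major, treated as fixed (assumption)
    ("ipad-07", "14.8.1"),     # no fix named on the page: update required
]

if __name__ == "__main__":
    for dev in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{dev}: update required")
```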

Lookout Analysis

The two vulnerabilities enable attackers to send attachments and images in a message with malicious intent, leading to arbitrary code execution. As mentioned earlier, user interaction is not needed for initial access, as the file is downloaded without the user needing to open the message. The attack has been linked to NSO Group’s Pegasus, which was initially discovered by Lookout and the Citizen Lab in 2017. Since its discovery, this spyware has continued to evolve, both in delivery and in execution. The zero-click payload makes it highly sophisticated.

The two vulnerabilities being used for the attack are:

  • CVE-2023-41061 - Validation issue in Wallet; a maliciously crafted attachment may lead to arbitrary code execution (fixed in 16.6.1)
  • CVE-2023-41064 - Buffer overflow issue in the Image I/O component; processing a maliciously crafted image may lead to arbitrary code execution (fixed in both 15.7.9 and 16.6.1)

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as their preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Platform(s) Affected: iOS
Entry Type: Threat Guidances
Threat Type: Vulnerability