search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Apple devices vulnerable to arbitrary code execution in SecureROM

Vulnerability Note VU#941987

Original Release Date: 2019-12-19 | Last Revised: 2020-10-08

Overview

Some Apple devices are vulnerable to arbitrary code execution at the Boot ROM level (called "SecureROM" by Apple) by exploiting a use-after-free vulnerability. Successful exploitation results in the ability to execute arbitrary code on the device. checkm8 is a public exploit for this vulnerability.

Description

A vulnerability in the SecureROM of some Apple devices can be exploited by an unauthenticated local attacker to execute arbitrary code upon booting those devices. SecureROM, which is located within the processor, contains the first code executed by the processor upon booting the device. Because SecureROM is read-only, it cannot be patched with a firmware update.

Apple devices that implement processing chips A5 through A11 are vulnerable. This corresponds to iPhone models 4S through X; additionally, certain models of iPad, Apple Watch, iPod Touch, and Apple TV are vulnerable. See the Malwarebytes blog entry for a full list of affected devices. Further details about the vulnerability are available in Ars Technica's interview with the vulnerability's discoverer.

Impact

This vulnerability allows arbitrary code to be executed on the device. Exploiting the vulnerability requires physical access to the device: the device must be plugged in to a computer upon booting, and it must be put into Device Firmware Update (DFU) mode. The exploit is not persistent; rebooting the device overrides any changes to the device's software that were made during an exploited session on the device. Additionally, unless an attacker has access to the device's unlock PIN or fingerprint, an attacker cannot gain access to information protected by Apple's Secure Enclave or Touch ID features.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Because the vulnerability exists in the read-only Boot ROM level, replacing the device with one that does not contain a vulnerable processing chip is the only solution that guarantees immunity to the vulnerability.

Generally speaking, physical access to a computer system can be used to bypass software-based access control mechanisms.

Acknowledgements

axi0mX developed the checkm8 exploit for this vulnerability.

This document was written by Eric Hatleback, Will Dormann, and Art Manion.

Vendor Information

941987
 

Apple Affected

Notified:  2019-10-14 Updated: 2019-12-19

CVE-2019-8900 Affected

Vendor Statement

We have not received a statement from the vendor.


CVSS Metrics

Group Score Vector
Base 5.6 AV:L/AC:L/Au:N/C:P/I:C/A:N
Temporal 5.3 E:F/RL:U/RC:C
Environmental 6.8 CDP:ND/TD:H/CR:ND/IR:H/AR:ND

Other Information

CVE IDs: CVE-2019-8900
Date Public: 2019-09-27
Date First Published: 2019-12-19
Date Last Updated: 2020-10-08 15:30 UTC
Document Revision: 45

Sponsored by CISA.