CVE-2024-40815 - Bypassing Pointer Authentication in macOS, iOS, iPadOS, watchOS, and tvOS with Arbitrary Read and Write Capability

A race condition vulnerability, CVE-2024-40815, was recently discovered in macOS Ventura 13.6.8, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, and macOS Sonoma 14.6, affecting the way these systems handle pointer authentication. The vulnerability allows a malicious attacker with arbitrary read and write capabilities to bypass Pointer Authentication, which could lead to further exploitation of the affected systems.

This post will go in-depth on CVE-2024-40815, covering its root cause, potential impact, and the fix provided by Apple. We will also provide code snippets and links to original references to help you understand and mitigate the issue.

Root Cause of CVE-2024-40815

The vulnerability, CVE-2024-40815, exists in the affected operating systems due to a race condition that arises when the system does not perform sufficient validation checks on pointer authentication. This lack of validation causes a small window of opportunity for an attacker to exploit the system and bypass pointer authentication, which could allow for further exploitation.

Exploit Details

An attacker who has already gained arbitrary read and write capabilities on a target system could potentially exploit this vulnerability to bypass the Pointer Authentication feature, which is meant to prevent attackers from exploiting memory corruption vulnerabilities.

Here's a simplified code snippet illustrating how an attacker might exploit the vulnerability

void vulnerable_function() {
  uintptr_t pointer; // An authenticated pointer to an important function
 
  // The race condition window starts here
  uintptr_t attacker_pointer = manipulate_pointer(pointer); // Arbitrary read and write
  pointer = attacker_pointer; // Overwriting the authenticated pointer
  // The race condition window ends here

  important_function(pointer); // Calling the function using the overwritten pointer
}

This code snippet demonstrates the window of opportunity for an attacker to manipulate the pointer with arbitrary read and write capabilities, allowing the attacker to overwrite the authenticated pointer with their malicious one.

References

The issue was first reported by Apple in their official security update publications for each respective operating system:

- macOS Ventura 13.6.8
- iOS 17.6 and iPadOS 17.6
- watchOS 10.6
- tvOS 17.6
- macOS Sonoma 14.6

An overview of the vulnerability can also be found on the CVE website.

Fix for CVE-2024-40815

To address the race condition vulnerability, Apple released updates for each affected operating system. The fix involves implementing additional validation checks for pointer authentication, effectively closing the window of opportunity for attackers to exploit.

macOS Sonoma 14.6

To update your system, follow the steps detailed on Apple's website.

Conclusion

CVE-2024-40815 is a serious vulnerability that could lead to further system exploitation by attackers with arbitrary read and write capabilities. The vulnerability arises due to insufficient validation of pointer authentication, but has been fixed by Apple by adding additional validation checks. Make sure your systems are updated to the latest versions to avoid falling victim to this race condition vulnerability.

Timeline

Published on: 07/29/2024 23:15:13 UTC
Last modified on: 08/15/2024 16:14:17 UTC