Discover macOS and iOS Devices Vulnerable to FORCEDENTRY
Apple recently released a new version of macOS Big Sur, along with updates for its other products, including iOS for iPhones and iPads and even the Apple Watch. The patches address two actively exploited 0-day vulnerabilities, CVE-2021-30858 and CVE-2021-30860. Apple notes that “Apple is aware of a report that this issue may have been actively exploited”.
CVE-2021-30858 (WebKit) can result in arbitrary code execution when processing maliciously crafted web content. According to Apple, the issue was addressed with improved memory management.
CVE-2021-30860 (CoreGraphics) is an integer overflow vulnerability that could lead to arbitrary code execution when processing a maliciously crafted PDF document. Apple noted that this issue has been fixed using improved input validation. This vulnerability was disclosed by the University of Toronto’s Citizen Lab, which dubbed it “FORCEDENTRY”. The vulnerability has been weaponized by Israeli surveillance vendor NSO Group and allegedly used by the Bahrain government to install spyware on phones. What makes this vulnerability unique is that it blows past BlastDoor, a software security feature that Apple added to iOS 14 to prevent zero-click intrusions. In one confirmed case, an iMessage was received carrying a GIF image that was actually an Adobe PSD file (Photoshop Document). The file was designed to crash the iMessage component responsible for rendering images and install spyware, showcasing how easy it is for attackers to abuse the vulnerability.
To help you ensure all your Apple devices are up to date, the report below lists all your Apple devices along with their OS version. Thanks to the added color-coding, you can easily spot and filter the ones that have not been updated to iOS 14.8, iPadOS 14.8, or macOS Big Sur 11.6.
Apple FORCEDENTRY 0-day Query
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
Coalesce(tblMacOSInfo.SystemVersion, tblIntuneDevice.OsVersion,
tblAirWatchDevice.OsVersion) As [OS Version],
Case
When tblMacOSInfo.SystemVersion Like '%11.6%' Then 'Up to date'
When tblIntuneDevice.OsVersion Like '%14.8%' Then 'Up to date'
When tblAirWatchDevice.OsVersion Like '%14.8%' Then 'Up to date'
/* Blank only when none of the three sources reported an OS version */
When Coalesce(tblMacOSInfo.SystemVersion, tblIntuneDevice.OsVersion,
tblAirWatchDevice.OsVersion) Is Null Then ''
Else 'Out of date'
End As [Up/Out of date],
Case
When tblErrors.ErrorText Is Not Null And
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
When tblMacOSInfo.SystemVersion Like '%11.6%' Then '#d4f4be'
When tblIntuneDevice.OsVersion Like '%14.8%' Then '#d4f4be'
When tblAirWatchDevice.OsVersion Like '%14.8%' Then '#d4f4be'
Else '#ffadad'
End As backgroundcolor
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tblMacOSInfo On tblAssets.AssetID = tblMacOSInfo.AssetID
Left Join tblIntuneDevice On tblAssets.AssetID = tblIntuneDevice.AssetId
Left Join tblAirWatchDevice On tblAssets.AssetID = tblAirWatchDevice.AssetId
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Where (tblAssetCustom.Manufacturer Like '%Apple%' Or
tblAirWatchDevice.Platform Like '%Apple%') And tblState.Statename = 'Active'
Order By tblAssets.Domain,
tblAssets.AssetName
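The report's `Like '%11.6%'` and `Like '%14.8%'` checks are substring matches, so a string such as 10.11.6 passes while later releases such as 12.0.1 or 15.0 fail. The following T-SQL is an added example, not part of the original report: it compares major and minor numbers against the fixed releases named above. The sample rows are constructed, the version-string shapes are assumptions, and `Try_Cast` assumes SQL Server 2012 or later.

```sql
/* Added example. Sample rows are constructed; version-string shapes are assumed. */
With Sample (Platform, RawVersion) As (
  Select v.Platform, v.RawVersion
  From (Values
    ('macOS', 'macOS 11.6'),        -- the fixed Big Sur release
    ('macOS', 'Mac OS X 10.11.6'),  -- older release that also contains '11.6'
    ('macOS', '11.5.2'),            -- Big Sur below the fixed release
    ('macOS', '12.0.1'),            -- later release, does not contain '11.6'
    ('iOS',   '14.8'),              -- the fixed iOS release
    ('iOS',   '14.7.1'),            -- below the fixed release
    ('iOS',   '15.0'),              -- later release, does not contain '14.8'
    ('iOS',   Null)                 -- version never scanned
  ) As v (Platform, RawVersion)
),
Dotted As (
  /* Keep the run from the first digit up to the next space, e.g. '10.11.6' */
  Select s.Platform, s.RawVersion,
         Left(t.Tail, CharIndex(' ', t.Tail + ' ') - 1) As Ver
  From Sample s
  Cross Apply (Select Substring(s.RawVersion,
                 PatIndex('%[0-9]%', s.RawVersion), 50) As Tail) t
),
Parts As (
  /* Pad to three components so ParseName can index them from the right */
  Select d.Platform, d.RawVersion,
         Try_Cast(ParseName(p.Padded, 3) As int) As Major,
         Try_Cast(ParseName(p.Padded, 2) As int) As Minor
  From Dotted d
  Cross Apply (Select d.Ver + Replicate('.0',
                 2 - (Len(d.Ver) - Len(Replace(d.Ver, '.', '')))) As Padded) p
)
Select p.Platform, p.RawVersion,
       Case
         /* Unparseable or missing versions are reported, not hidden */
         When p.Major Is Null Or p.Minor Is Null Then 'Unknown'
         When p.Major > m.MinMajor
           Or (p.Major = m.MinMajor And p.Minor >= m.MinMinor) Then 'Up to date'
         Else 'Out of date'
       End As [Up/Out of date]
From Parts p
/* Minimum fixed releases from the text above: macOS 11.6, iOS/iPadOS 14.8 */
Inner Join (Values ('macOS', 11, 6), ('iOS', 14, 8))
     As m (Platform, MinMajor, MinMinor) On m.Platform = p.Platform
Order By p.Platform, p.RawVersion;
```

To use the same comparison in the report, replace the `Sample` rows with the coalesced OS version column and pick the platform from whichever source table supplied it.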