Apple Web Content Filter Bypass

Dear colleagues,

Nosebeard Labs is pleased to share its latest advisory, detailing a
bypass of Apple’s system-wide web content filter. The HTML version of
this advisory is also available at:
https://nosebeard.co/advisories/nbl-001.html

Warmest regards,
Nosebeard Labs

## Summary
Nosebeard Labs Security Advisory NBL-001
Title: Apple web content filter bypass allows unrestricted access to
blocked content (macOS/iOS/iPadOS/visionOS/watchOS)
Advisory ID: NBL-001
Date: 2024-11-15
Severity: Critical (CVSS 9.1)
Affected Product: Safari on any Apple device with Screen Time enabled
CVE ID: CVE-2024-44206

## Overview
Nosebeard Labs has identified a critical vulnerability in Apple’s
system-wide web content filter that allows a full bypass of content
restrictions. This vulnerability, which occurs specifically when Screen
Time’s content filtering settings are enabled, permits users or
attackers to access restricted websites in Safari without detection. By
exploiting a misalignment between Screen Time’s Access Control List
(ACL) and WebKit’s URI validation, a specially crafted URI can
circumvent both layers of protection.
Apple has assigned CVE-2024-44206 to this issue and issued a fix for
macOS Sonoma 14.x, iOS/iPadOS 17.x, watchOS 10.x, visionOS 1.x, Safari
17.x and up.
However, a fix is still pending for the backport channels.

## Description
This vulnerability arises when the WebKit Cocoa layer in Safari ingests
a URI without performing comprehensive validation, combined with a
failure by the Screen Time ACL filter to recognize and block the
malformed URI. The flaw allows a crafted URI to bypass all Screen Time
content filtering settings, including deny/allow lists and parental
content filters, providing unrestricted access to blocked content.
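The filter/browser mismatch described above, as an added defensive illustration that is not part of this advisory, Apple's code or Nosebeard Labs' PoC: a denylist ACL that matches on the host as it appears in the raw URI string, beside one that canonicalises the URI the way a browser resolves it before matching and fails closed on anything it cannot parse. The crafted URI itself is not disclosed on this page; `DENYLIST` and the sample URIs are constructed and only show the general class of parse mismatch.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample denylist (hypothetical host, not from the advisory).
DENYLIST = {"blocked.example"}


def naive_blocked(uri: str) -> bool:
    """ACL that compares whatever sits between '://' and the next '/'.
    It never canonicalises, so it and the browser can disagree on the host."""
    if "://" not in uri:
        return False
    host = uri.split("://", 1)[1].split("/", 1)[0]
    return host in DENYLIST


def canonical_host(uri: str) -> Optional[str]:
    """Resolve the host the way a browser would: case-fold it, drop userinfo
    and port, strip a trailing dot, IDNA-encode. None means 'unusable'."""
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname  # already lower-cased, userinfo/port removed
    if not host:
        return None
    host = host.rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def hardened_blocked(uri: str) -> bool:
    """Fail closed: block when the canonical host is on the list or when the
    URI does not parse to a usable host at all."""
    host = canonical_host(uri)
    return host is None or host in DENYLIST


# Constructed inputs: the same origin written four ways. A filter and a browser
# must agree on all of them, otherwise the filter can be side-stepped.
SAMPLES = [
    "https://blocked.example/page",
    "https://user@blocked.example/",
    "https://BLOCKED.example./",
    "https://blocked.example:443/",
]


def audit(uris=SAMPLES):
    """Return (uri, naive verdict, hardened verdict) for each input."""
    return [(u, naive_blocked(u), hardened_blocked(u)) for u in uris]
```

Running `audit()` shows the naive ACL blocking only the first form while the canonicalising one blocks all four; the lesson for any two-layer design is that the filter must parse the URI with the same rules as the renderer it protects.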

## Affected Systems
This vulnerability affects all devices on macOS, iOS, iPadOS, watchOS
and visionOS platforms with Safari and Screen Time enabled, impacting an
estimated 250 million devices globally.

## Attack Scenarios
The vulnerability can be exploited both locally and remotely:
1. Local Exploitation: Users can manipulate the address bar to manually
enter a crafted URI, bypassing Screen Time restrictions.
2. Network-Based Exploitation: Attackers can load restricted content
remotely by embedding a crafted URI within an iframe, bypassing
restrictions without requiring user interaction.

## Impact
1. Confidentiality: Unrestricted access to restricted websites
compromises the confidentiality of content filtering controls,
potentially exposing sensitive or inappropriate material.
2. Scope and Integrity: This vulnerability spans across two separate
security mechanisms (Screen Time and WebKit), representing a critical
architecture-level issue. Additionally, accessing unsecured or unlogged
resources poses potential integrity risks.

## CVSS Score
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Score: 9.1 (Critical)

## Mitigations
Upgrade to the latest iOS/iPadOS 17.x or 18.x / macOS Sonoma 14.x /
visionOS 1.x / watchOS 10.x / Safari 17.6 respectively. Users who are
unable to apply a fix can contact us for more info.

## Vendor Response
Apple has issued CVE-2024-44206 and supplied a fix within WebKit;
however, a fix remains pending for iOS/iPadOS version 16.x. We recommend
that Apple undertake further review to address the issue comprehensively.

## Timeline

Milestone:
2020-11-24 Vulnerability discovered internally at NBL

Milestone:
2021-03-08 Initial disclosure to Apple Product Security

2021-03-09 Apple Product Security recommends to open a bug report on
Feedback Assistant
2021-03-10 We opened a bug report on Feedback Assistant as advised by
Apple Product Security
2021-03-15 We follow up by adding additional info to the open bug report
on F.A.
2021-08-16 We follow up again, referring Apple Product Security to the
open ticket and stressing that the issue can also be demonstrated in
their EU Apple Stores
2021-08-24 We follow up again with Apple Product Security, referring to
the previous follow-up
2021-08-25 Rejected by Apple Security – “We do not see any actual
security implications. We recommended reporting this issue via Feedback
Assistant”
2024-03-18 NBL submits a second report 3 years later to appeal via Apple
Security Bounty Program, urging to re-evaluate, also providing PoC code
2024-03-19 Apple Security Research closes report – “We’re unable to
identify a security issue in your report” – “Screen Time is not intended
to protect a device against manipulation” – “We recommend reporting this
via Feedback Assistant”
2024-04-02 Status of Bug Report on F.A. from 2021-03-10 “Open, Similar
Reports None”
2024-04-03 We follow up again, asking Apple Security for a final
reassessment and providing a temporary workaround
2024-04-03 Apple Security recommends opening a bug report – “ST is not
intended to protect a device against manipulation” – “MDM profiles
provide configuration management but do not establish additional
security boundaries beyond what iOS and iPadOS have to offer.”
2024-05-05 Initial contact with Joanna Stern of WSJ
2024-05-06 Referring PSIRT ticket # directly to an Apple PSIRT contact
via undisclosed SOC – no response
2024-05-28 Joanna Stern/WSJ runs Apple through this
2024-05-29 Apple commits patches to Safari branch

Milestone:
2024-06-05 Wall Street Journal addresses our finding in their article “A
Bug Allowed Kids to Visit X-Rated Sites. Apple Took Three Years to Fix
It.” by Joanna Stern

2024-06-18 We follow up again with an urgent request for re-evaluation to
Apple Product Security (“Addendum”)
2024-06-27 We follow up on our follow-up: Update Request, Screen Time
Security Vulnerability Report (“Follow-Up”)
2024-07-23 Apple releases fix in iOS 17.6RC et al.
2024-07-26 Letter to Apple welcoming first fix, reiterating our
dedication to Responsible Disclosure, intended to coordinate further
disclosure process and close the affair asking them to give credit and
align to their SBP

Milestone:
2024-07-29 Apple releases fixes for macOS Sonoma 14.6, iOS/iPadOS 17.6,
watchOS 10.6, visionOS 1.3 and Safari 17.6, leaving iOS/iPadOS 16.x
still affected.

2024-07-31 Apple responds “ST is not intended to protect a device from
malicious manipulation, and bug reports on features like this are
therefore typically ineligible for credit or Apple Security Bounty
award. However, we’d like to make an exception and award you USD (…)*
as a thank you for your report. Also, we’d like to credit you on our
security advisory under the ‘Additional recognition’ section of the
page.” *We were offered the minimum possible amount.
2024-08-01 We inquire about the bounty amount asking Apple to “comment
on our proposed evaluation under the CVSS metrics, sharing with us their
transparent assessment of the vulnerability under the terms and broad
criteria of the bounty program.”
2024-08-01 Apple “appreciates our suggestions, but CVSS scores are not
something that they publish to their security advisory.”
2024-08-03 Patches merged with public WebKit branch
2024-08-19 We reach out to Apple again, “Ringing the escalation bell for
the SBP team”
2024-08-23 Apple Product Security advises a call
2024-09-10 Apple Security rejects adjustment of the bounty as “out of
scope/edge case policy” in the call, offering a $20,000 charity donation
instead. We request Apple to assign a CVE.

Milestone:
2024-10-17 Apple follows up with CVE-2024-44206 and an update to the
advisories:
https://support.apple.com/en-us/120909
https://support.apple.com/en-us/120911
https://support.apple.com/en-us/120913
https://support.apple.com/en-us/120915
https://support.apple.com/en-us/120916

2024-10-23 We follow up one more time to request a further review of the
severity and reward
2024-11-02 NBL-001 advisory draft shared with Apple
2024-11-14 Apple requests naming their charity offer among bounty payout
details, leaving out further comments on the contents of the advisory
itself.
2024-11-15 NBL-001 published

## Contact
For more information, please contact Andreas Jaegersberger or Ro
Achterberg from Nosebeard Labs at [email protected].

## Special Thanks
Much love goes out to Joanna Stern for her incredible support in making
this happen.
We also want to thank Aaron Kaplan for the tailwind throughout the
journey and Arnoud Engelfriet for the rapid legal advice.
Buongiorno to the cap’n <3