Dear colleagues,<\/p>\n
Nosebeard Labs is pleased to share its latest advisory, detailing a
bypass of Apple’s system wide web content filter. The HTML version of
this advisory is also available at:
https:\/\/nosebeard.co\/advisories\/nbl-001.html<\/p>\n
Warmest regards,
Nosebeard Labs<\/p>\n
## Summary
Nosebeard Labs Security Advisory NBL-001
Title: Apple web content filter bypass allows unrestricted access to
blocked content (macOS\/iOS\/iPadOS\/visionOS\/watchOS)
Advisory ID: NBL-001
Date: 2024-11-15
Severity: Critical (CVSS 9.1)
Affected Product: Safari on any Apple device with Screen Time enabled
CVE ID: CVE-2024-44206<\/p>\n
## Overview
Nosebeard Labs has identified a critical vulnerability in Apple\u2019s system
wide web content filter that allows a full bypass of content
restrictions. This vulnerability, which occurs specifically when Screen
Time\u2019s content filtering settings are enabled, permits users or
attackers to access restricted websites in Safari without detection. By
exploiting a misalignment between Screen Time\u2019s Access Control List
(ACL) and WebKit\u2019s URI validation, a specially crafted URI can
circumvent both layers of protection.
Apple has assigned CVE-2024-44206 to this issue and issued a fix for
macOS Sonoma 14.x, iOS\/iPadOS 17.x, watchOS 10.x, visionOS 1.x, Safari
17.x and up.
However, a fix is still pending for the backport channels.<\/p>\n
## Description
This vulnerability arises when the WebKit Cocoa layer in Safari ingests
a URI without performing comprehensive validation, combined with a
failure by the Screen Time ACL filter to recognize and block the
malformed URI. The flaw allows a crafted URI to bypass all Screen Time
content filtering settings, including deny\/allow lists and parental
content filters, providing unrestricted access to blocked content.<\/p>\n
## Affected Systems
This vulnerability affects all devices on macOS, iOS, iPadOS, watchOS
and visionOS platforms with Safari and Screen Time enabled, impacting an
estimated 250 million devices globally.<\/p>\n
## Attack Scenarios
The vulnerability can be exploited both locally and remotely:
1. Local Exploitation: Users can manipulate the address bar to manually
enter a crafted URI, bypassing Screen Time restrictions.
2. Network-Based Exploitation: Attackers can load restricted content
remotely by embedding a crafted URI within an iframe, bypassing
restrictions without requiring user interaction.<\/p>\n
## Impact
1. Confidentiality: Unrestricted access to restricted websites
compromises the confidentiality of content filtering controls,
potentially exposing sensitive or inappropriate material.
2. Scope and Integrity: This vulnerability spans across two separate
security mechanisms (Screen Time and WebKit), representing a critical
architecture-level issue. Additionally, accessing unsecured or unlogged
resources poses potential integrity risks.<\/p>\n
## CVSS Score
Vector: CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:L\/A:N
Score: 9.1 (Critical)<\/p>\n
## Mitigations
Upgrade to the latest iOS\/iPadOS 17.x or 18.x \/ macOS Sonoma 14.x \/
visionOS 1.x \/ watchOS 10.x \/ Safari 17.6 respectively. Users who are
unable to apply a fix can contact us for more info.<\/p>\n
## Vendor Response
Apple has issued CVE-2024-44206 and supplied a fix within WebKit;
however, a fix remains pending for iOS\/iPadOS version 16.x. We recommend
that Apple undertake further review to address the issue comprehensively.<\/p>\n
## Timeline
\u2013
Milestone:
2020-11-24 Vulnerability discovered internally at NBL
\u2013
Milestone:
2021-03-08 Initial disclosure to Apple Product Security
\u2013
2021-03-09 Apple Product Security recommends to open a bug report on
Feedback Assistant
2021-03-10 We opened a bug report on Feedback Assistant as advised by
Apple Product Security
2021-03-15 We follow-up by adding additional info to the open bug report
on F.A.
2021-08-16 We follow-up again referring Apple Product Security to open
ticket, stressing that the issue can be also demonstrated in their EU
Apple Stores
2021-08-24 We follow-up again to Apple Product Security, referring to
the previous follow-up
2021-08-25 Rejected by Apple Security – \u201cWe do not see any actual
security implications. We recommended reporting this issue via Feedback
Assistant\u201d
2024-03-18 NBL submits a second report 3 years later to appeal via Apple
Security Bounty Program, urging to re-evaluate, also providing PoC code
2024-03-19 Apple Security Research closes report – \u201cWe\u2019re unable to
identify a security issue in your report\u201d – \u201cScreen Time is not intended
to protect a device against manipulation\u201d – \u201cWe recommend reporting this
via Feedback Assistant\u201d
2024-04-02 Status of Bug Report on F.A. from 2021-03-10 \u201cOpen, Similar
Reports None\u201d
2024-04-03 We follow-up again asking Apple Security for a final
reassessment, providing a temporary workaround
2024-04-03 Apple Security recommends opening a bug report – \u201cST is not
intended to protect a device against manipulation\u201d – \u201cMDM profiles
provide configuration management but do not establish additional
security boundaries beyond what iOS and iPadOS have to offer.\u201d
2024-05-05 Initial contact with Joanna Stern of WSJ
2024-05-06 Referring PSIRT ticket # directly to an Apple PSIRT contact
via undisclosed SOC – no response
2024-05-28 Joanna Stern\/WSJ runs Apple through this
2024-05-29 Apple commits patches to Safari branch
\u2013
Milestone:
2024-06-05 Wall Street Journal addresses our finding in their article \u201cA
Bug Allowed Kids to Visit X-Rated Sites. Apple Took Three Years to Fix
It.\u201d by Joanna Stern
\u2013
2024-06-18 We follow-up again with Urgent request for re-evaluation to
Apple Product Security (\u201cAddendum\u201d)
2024-06-27 We follow-up on our follow-up Update Request Screen Time
Security Vulnerability Report (\u201cFollow-Up\u201d)
2024-07-23 Apple releases fix in iOS 17.6RC et al.
2024-07-26 Letter to Apple welcoming first fix, reiterating our
dedication to Responsible Disclosure, intended to coordinate further
disclosure process and close the affair asking them to give credit and
align to their SBP
\u2013
Milestone:
2024-07-29 Apple releases fixes for macOS Sonoma 14.6, iOS\/iPadOS 17.6,
watchOS 10.6, visionOS 1.3 and Safari 17.6, leaving iOS\/iPadOS 16.x
still affected.
\u2013
2024-07-31 Apple responds \u201cST is not intended to protect a device from
malicious manipulation, and bug reports on features like this are
therefore typically ineligible for credit or Apple Security Bounty
award. However, we\u2019d like to make an exception and award you USD (…)*
as a thank you for your report. Also, we\u2019d like to credit you on our
security advisory under the \u2018Additional recognition\u2019 section of the
page.\u201d *We were offered the minimum possible amount.
2024-08-01 We inquire about the bounty amount asking Apple to \u201ccomment
on our proposed evaluation under the CVSS metrics, sharing with us their
transparent assessment of the vulnerability under the terms and broad
criteria of the bounty program.\u201d
2024-08-01 Apple \u201cappreciates our suggestions, but CVSS scores are not
something that they publish to their security advisory.\u201d
2024-08-03 Patches merged with public WebKit branch
2024-08-19 We are reaching out to Apple again \u201cRinging the escalation
bell for the SBP team\u201d
2024-08-23 Apple Product Security advises a call
2024-09-10 Apple Security rejects adjustment of the bounty as \u201cout of
scope\/edge case policy\u201d in the call, offering a $20,000 charity donation
instead We request Apple to assign a CVE.
\u2013
Milestone:
2024-10-17 Apple follows-up with CVE-2024-44206 and an update to the
advisories
https:\/\/support.apple.com\/en-us\/120909
https:\/\/support.apple.com\/en-us\/120911
https:\/\/support.apple.com\/en-us\/120913
https:\/\/support.apple.com\/en-us\/120915
https:\/\/support.apple.com\/en-us\/120916
\u2013
2024-10-23 We follow-up one more time to request a further review of the
severity and reward
2024-11-02 NBL-001 advisory draft shared with Apple
2024-11-14 Apple requests naming their charity offer among bounty payout
details, leaving out further comments on the contents of the advisory
itself.
2024-11-15 NBL-001 published<\/p>\n
## Contact
For more information, please contact Andreas Jaegersberger or Ro
Achterberg from Nosebeard Labs at labs@nosebeard.co.<\/p>\n
## Special Thanks
Much love goes out to Joanna Stern for her incredible support in making
this happen.
We also want to thank Aaron Kaplan for the tailwind throughout the
journey and Arnoud Engelfriet for the rapid legal advice.
Buongiorno to the cap\u2019n <3<\/p>\n","protected":false},"excerpt":{"rendered":"
Dear colleagues, Nosebeard Labs is pleased to share its latest advisory, detailing a bypass of Apple’s system wide web content filter. The HTML version of this advisory is also available at:https:\/\/nosebeard.co\/advisories\/nbl-001.html Warmest regards,Nosebeard Labs ## SummaryNosebeard Labs Security Advisory NBL-001Title: Apple web content filter bypass allows unrestricted access to blocked content (macOS\/iOS\/iPadOS\/visionOS\/watchOS)Advisory ID: NBL-001Date: 2024-11-15Severity: …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-60455","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60455","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=60455"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60455\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=60455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=60455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=60455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}