{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/security-framework/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Security Framework"],"_cs_severities":["medium"],"_cs_tags":["security-framework","crash","uninitialized-pointer","macos"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eA vulnerability exists within Apple\u0026rsquo;s Security framework that can lead to application crashes. The issue stems from an uninitialized pointer, \u003ccode\u003eCFErrorRef *error\u003c/code\u003e, within the \u003ccode\u003eSecCDSAKeyCopyPublicKey\u003c/code\u003e function. This function is part of the Swift framework responsible for handling cryptographic operations, specifically dealing with certificate authorities and key generation. When an error occurs during the execution of \u003ccode\u003eSecCDSAKeyCopyPublicKey\u003c/code\u003e, a catch block is invoked. This catch block then calls the \u003ccode\u003eSecError\u003c/code\u003e function with the uninitialized \u003ccode\u003eCFErrorRef\u003c/code\u003e pointer. The \u003ccode\u003eSecError\u003c/code\u003e function attempts to dereference this uninitialized pointer, resulting in an attempt to access an invalid memory address and triggering an \u003ccode\u003eEXC_BAD_ACCESS\u003c/code\u003e exception, ultimately crashing the application. This vulnerability was discovered during the development of a security utility named \u0026ldquo;Do Not Disturb (DND)\u0026rdquo;.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eApplication invokes the \u003ccode\u003eSecCDSAKeyCopyPublicKey\u003c/code\u003e function within Apple\u0026rsquo;s Security framework.\u003c/li\u003e\n\u003cli\u003eAn error occurs during the execution of \u003ccode\u003eSecCDSAKeyCopyPublicKey\u003c/code\u003e, triggering a \u003ccode\u003eMacOSError\u003c/code\u003e, \u003ccode\u003eCommonError\u003c/code\u003e, \u003ccode\u003estd::bad_alloc\u003c/code\u003e, or other exception.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eBEGIN_SECKEYAPI\u003c/code\u003e and \u003ccode\u003eEND_SECKEYAPI\u003c/code\u003e macros wrap the function in a try/catch block.\u003c/li\u003e\n\u003cli\u003eThe catch block is executed due to the error.\u003c/li\u003e\n\u003cli\u003eWithin the catch block, the \u003ccode\u003eSecError\u003c/code\u003e function is called.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSecError\u003c/code\u003e function receives an uninitialized \u003ccode\u003eCFErrorRef *error\u003c/code\u003e pointer because it was declared but not assigned a valid memory address within \u003ccode\u003eSecCDSAKeyCopyPublicKey\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSecError\u003c/code\u003e attempts to dereference the invalid \u003ccode\u003eCFErrorRef *error\u003c/code\u003e pointer.\u003c/li\u003e\n\u003cli\u003eThis dereference operation results in an \u003ccode\u003eEXC_BAD_ACCESS\u003c/code\u003e exception, causing the application to crash.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability leads to application crashes on macOS. While the source does not specify the number of victims or sectors targeted, any application utilizing the vulnerable \u003ccode\u003eSecCDSAKeyCopyPublicKey\u003c/code\u003e function within Apple\u0026rsquo;s Security framework is susceptible to this crash. A successful exploitation of this vulnerability results in a denial-of-service condition for the affected application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for crash reports indicating \u003ccode\u003eEXC_BAD_ACCESS\u003c/code\u003e exceptions originating within the \u003ccode\u003eSecError\u003c/code\u003e function of Apple\u0026rsquo;s Security framework, specifically when called from \u003ccode\u003eSecCDSAKeyCopyPublicKey\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eExamine the logs for exceptions or errors occurring within cryptographic functions that may trigger the described crash within \u003ccode\u003eSecCDSAKeyCopyPublicKey\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Security Framework Crashes due to Uninitialized Pointer\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement runtime monitoring to detect attempts to call \u003ccode\u003eSecError\u003c/code\u003e with invalid \u003ccode\u003eCFErrorRef\u003c/code\u003e pointers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-apple-security-framework-crash/","summary":"A crash was identified in Apple's Security framework due to an uninitialized pointer in the SecError function, leading to the dereference of an invalid memory address.","title":"Apple Security Framework Crash due to Uninitialized Pointer","url":"https://feed.craftedsignal.io/briefs/2024-01-apple-security-framework-crash/"}],"language":"en","title":"CraftedSignal Threat Feed — Security-Framework","version":"https://jsonfeed.org/version/1.1"}