Critical Vulnerability Identified in Apple's Web Content Filter
Quick take - Nosebeard Labs has issued a critical advisory on a vulnerability in Apple’s web content filter that lets Safari users on devices with Screen Time enabled bypass content restrictions. The advisory rates the issue CVSS 9.1 and recommends upgrading to the latest software versions to mitigate the risk.
Fast Facts
- Nosebeard Labs issued a critical advisory (NBL-001) on November 15, 2024, regarding a vulnerability in Apple’s web content filter affecting Safari with Screen Time enabled, classified with a CVSS score of 9.1.
- The vulnerability (CVE-2024-44206) allows users to bypass content restrictions, impacting approximately 250 million devices across macOS, iOS, iPadOS, watchOS, and visionOS.
- The root cause is a misalignment between Screen Time’s Access Control List and WebKit’s URI validation, enabling exploitation through crafted URIs.
- Apple has released fixes for recent versions of its operating systems and Safari, but a fix for iOS/iPadOS 16.x is still pending.
- Users are advised to upgrade to the latest versions to mitigate risks, and Nosebeard Labs encourages those unable to do so to seek assistance.
Critical Advisory on Apple Web Content Filter Vulnerability
Nosebeard Labs has issued a critical advisory concerning a significant vulnerability in Apple’s web content filter. This vulnerability specifically affects Safari on devices with Screen Time enabled.
Advisory Details
The advisory is titled “Apple web content filter bypass allows unrestricted access to blocked content.” It is cataloged under Advisory ID NBL-001 and dated November 15, 2024. The vulnerability is classified as critical, with a CVSS score of 9.1. It allows users and potential attackers to bypass content restrictions set by the Screen Time feature. The issue has been assigned the CVE ID CVE-2024-44206.
The root cause is a misalignment between Screen Time’s Access Control List (ACL) and WebKit’s URI validation: the filter and the browser engine do not agree on how a given URI is interpreted, so a specially crafted URI passes the ACL check yet loads in WebKit, circumventing both layers of protection. The advisory estimates that approximately 250 million devices worldwide are affected, covering macOS, iOS, iPadOS, watchOS, and visionOS devices that use Safari with Screen Time enabled.
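The advisory does not publish the crafted URI, so the block below does not reproduce the Apple bug. It is an added illustration of the general failure class the root-cause sentence describes: an access-control filter that extracts the host with naive string slicing, and a consumer that uses a real URL parser, reach different answers for the same string. The blocklist, the `naive_host` shortcut, and every sample URL are constructed for the demonstration and are assumptions, not material from Nosebeard Labs or Apple.

```python
"""ACL / URL-parser mismatch, illustrated (added example, not from the advisory).

Two components look at the same URL string:
  * the filter, which slices the host out with string operations;
  * the consumer, which runs a real URL parser and canonicalises the host.
When they disagree, the filter can allow a URL that actually resolves to a
blocked host. The URLs below are constructed to trigger that disagreement.
"""
from urllib.parse import urlsplit

# Constructed blocklist for the demonstration (assumption, not from the page).
BLOCKLIST = {"blocked.example"}


def naive_host(url: str) -> str:
    """Filter-side extraction: everything between '://' and the next '/'.

    This shortcut ignores userinfo, ports, case and trailing dots, so it
    drifts away from what a standards-conforming parser will resolve.
    """
    rest = url.split("://", 1)[1] if "://" in url else url
    return rest.split("/", 1)[0]


def naive_is_blocked(url: str) -> bool:
    return naive_host(url) in BLOCKLIST


def canonical_host(url: str) -> str:
    """Consumer-side view: parse, drop userinfo and port, lowercase, strip a trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def canonical_is_blocked(url: str) -> bool:
    return canonical_host(url) in BLOCKLIST


def bypasses(url: str) -> bool:
    """True when the filter allows a URL whose canonical host is on the blocklist."""
    return canonical_is_blocked(url) and not naive_is_blocked(url)


# Constructed sample URLs: each makes the naive slice yield a string that is
# not literally in the blocklist while the parsed host still is.
SAMPLES = [
    "http://blocked.example/",        # plain form: both sides agree, blocked
    "http://user@blocked.example/",   # userinfo in the authority component
    "HTTP://BLOCKED.EXAMPLE./path",   # uppercase host with trailing dot
    "http://blocked.example:8080/",   # explicit port
    "http://allowed.example/",        # plain form: both sides agree, allowed
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:32} filter_blocks={naive_is_blocked(u)!s:5} "
              f"parser_blocks={canonical_is_blocked(u)!s:5} bypass={bypasses(u)}")
```

The remedy for this class of bug is structural rather than a longer blocklist: the policy check must run on the same canonical form the consumer will act on, ideally by calling the consumer's own parser, so there is no second interpretation for an attacker to target.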
Attack Vectors and Implications
Two primary attack vectors have been identified:
- Local exploitation: the user manually enters a crafted URI in Safari.
- Network-based exploitation: a web page embeds the crafted URI within an iframe, so the blocked content loads without the user typing anything.
The implications are severe. Confidentiality is compromised because websites that Screen Time should block become reachable, and there is a lesser integrity risk from reaching resources that are neither secured nor logged. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N.
Mitigation and Acknowledgment
To mitigate the risks, users are strongly advised to upgrade to the latest versions of iOS/iPadOS, macOS, visionOS, watchOS, and Safari. For those unable to apply the fix, Nosebeard Labs encourages reaching out for further assistance.
Apple has acknowledged the vulnerability and has released a fix for macOS Sonoma 14.x, iOS/iPadOS 17.x, watchOS 10.x, visionOS 1.x, and Safari 17.x and later. However, a fix for the backport channels and for iOS/iPadOS version 16.x remains pending.
The advisory includes a timeline detailing the discovery of the vulnerability, initial disclosures, follow-ups, and interactions with Apple Product Security. These interactions encompassed bug reports and requests for reassessment. Apple has offered a charitable donation in lieu of a bounty for the report of this vulnerability. Nosebeard Labs expresses gratitude to those who supported their efforts in addressing this issue.
For further details or inquiries, contact information for Nosebeard Labs is provided in the advisory.