Full Report
Kaspersky GReAT experts look into the Coruna exploit kit targeting iPhones. We discovered that the kernel exploit for CVE-2023-32434 and CVE-2023-38606 is an updated version of the Operation Triangulation exploit.
Analysis Summary
# Vulnerability: Coruna Exploit Kit (Operation Triangulation Evolution)
## CVE Details
* **CVE ID:** CVE-2023-32434, CVE-2023-38606
* **CVSS Score:** 7.8 (High) for both.
* **CWE:**
* CVE-2023-32434: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
* CVE-2023-38606: CWE-284 (Improper Access Control - specifically involving hardware registers)
## Affected Systems
* **Products:** Apple iOS, iPadOS, macOS, watchOS, and tvOS.
* **Versions:**
* iOS/iPadOS versions prior to 16.5.1
* macOS Ventura versions prior to 13.4.1
* iOS/iPadOS versions prior to 15.7.7 (older devices)
* **Configurations:** Devices using Apple A-series chips (specifically those containing certain undocumented hardware MMIO registers).
## Vulnerability Description
The "Coruna" framework utilizes a chain of two primary vulnerabilities to achieve kernel-level code execution:
1. **CVE-2023-32434:** An integer overflow in the `Kernel.framework` that allows a malicious application to execute arbitrary code with kernel privileges through memory corruption.
2. **CVE-2023-38606:** A flaw in the hardware's memory-mapped I/O (MMIO) registers. The exploit bypasses hardware-based memory protection (Page Protection Layer or PPL) by writing to undocumented registers to modify sensitive kernel memory directly.
The Coruna framework is an updated version of the "Operation Triangulation" exploit, modified to target newer versions of iOS by adapting the memory offsets and exploitation logic.
## Exploitation
* **Status:** Exploited in the wild (targeted attacks).
* **Complexity:** High (requires sophisticated knowledge of undocumented hardware features).
* **Attack Vector:** Local (typically part of a multi-stage chain initiated via a remote vector like iMessage).
## Impact
* **Confidentiality:** High (Full access to device data and memory).
* **Integrity:** High (Ability to modify kernel memory and bypass security features).
* **Availability:** High (Potential for system instability or persistent control).
## Remediation
### Patches
Apple released emergency security updates in June and July 2023 to address these flaws:
* **iOS/iPadOS 16.5.1 / 15.7.7**
* **macOS Ventura 13.4.1**
* **watchOS 9.5.2**
### Workarounds
* There are no effective software workarounds; users must update to a patched OS version.
* Enabling **Lockdown Mode** on iOS/macOS can reduce the attack surface for the initial infection vectors (like iMessage).
## Detection
* **Indicators of Compromise (IoCs):** Execution of the "Coruna" exploit framework is characterized by specific memory manipulation patterns and the use of undocumented MMIO addresses (e.g., `0x206040000`).
* **Detection Methods:**
* Kaspersky's **triangle_check** utility (for detecting traces of Operation Triangulation).
* Mvt-tool (Mobile Verification Toolkit) to scan for known malicious patterns in backups.
* Monitoring for unexpected kernel-level crashes or abnormal battery drain.
## References
* Apple Security Advisory (CVE-2023-32434): hxxps[://]support[.]apple[.]com/en-us/HT213811
* Apple Security Advisory (CVE-2023-38606): hxxps[://]support[.]apple[.]com/en-us/HT213842
* Kaspersky Securelist Analysis: hxxps[://]securelist[.]com/coruna-framework-updated-operation-triangulation-exploit/119228/