In the last fortnight, a CSS-based vulnerability was found to crash iPhones when the Safari browser would eventually exhaust the device's memory resources, leading to a kernel panic. The same proof-of-concept was found to cause temporarily freezing on Internet Explorer 11 and Microsoft Edge while Chrome appeared to be unaffected.
Unfortunately for Apple, it appears that it must now grapple with a flaw discovered in the company's Device Enrollment Program (DEP) which is used by enterprises and other organizations to manage fleets of iOS and macOS devices. DEP can be used to streamline the mobile device management (MDM) process, deploy specific apps to devices, and provision configuration settings to help simplify setup and minimize manual user intervention. However, Duo Security senior research and design engineer, James Barclay, discovered that all that was required to acquire potentially sensitive information from DEP-enrolled iOS hardware was the serial number.
According to the firm's research paper on the matter, information disclosure includes the address, email address, and support contact phone numbers of the managing organization. While an attacker may wish to target a device with a specific serial number, Duo Labs director Rich Smith indicated that coding a solution to brute-force serial number combinations was relatively easy, and said:
"While we aren't releasing the code, I'm not going to pretend to be under the impression that this is something that can't be reproduced. It would not be difficult for someone to replicate the code that we've developed."
While the retrieved data may seem relatively benign on the surface, it could potentially give rise to attacks via IT help desks by requesting password resets or having foreign iOS devices enrolled into an organization's DEP. With respect to the issue, Apple has said that it does not perceive this to be a vulnerability but has highlighted that DEP administrators should implement hardening measures, such as user authentication, to help minimize the possible attack vector.
The paper also recommended that rate-limiting be implemented in DEP API requests, as its current implementation allowed the researchers to issue requests as quickly as their session could physically manage. Unfortunately, such an approach could come at the cost of initial device setups being successful.
Despite having been advised of the issue on May 16 and providing acknowledgment on May 17, Duo Security's disclosure timeline regarding this particular issue indicates that Apple has not taken any further mitigative actions.