The Mysteries Behind ColdIntro and ColdInvite: TL;DR edition

A vulnerability that was believed to be patched back in 2022 by Apple is more mysterious than researchers initially believed it to be. The patch mitigated a vulnerability that was exploited in the wild as part of an attack chain targeting co-processors.

During the process of analyzing ColdIntro (CVE-2022-32894), we discovered another vulnerability that allows attackers to escape a co-processor and initiate memory corruption in the Application Processor (AP). This vulnerability was identified by Jamf, and credits security researcher 08tc3wbb for the discovery — named ColdInvite (CVE-2023-27930).

ColdInvite impacts iPhone users by taking advantage of a vulnerability in certain versions of iOS.

What are ColdIntro and ColdInvite?

A vulnerability that allows an attacker to exploit other vulnerabilities within the AP Kernel. Though it’s not sufficient for a full device takeover on its own, this vulnerability can be exploited to leverage the co-processor in order to obtain read/write privileges to the kernel, allowing a bad actor to get closer to realizing their ultimate goal of fully compromising the device.

Following an analysis of the historical data, we have observed signs of attacks that were targeting co-processors while an advisory released by Google Project Zero asserted a similar conclusion, with their research identifying commercial threat actors currently scoping co-processor vulnerabilities in the wild.

Apple released iOS 15.6.1 to patch CVE-2022-32894, addressing a kernel vulnerability. Our research shows that the intention of this patch was to mitigate the method used by an attacker to jump from the co-processor to the Application Processor. We’ve named this vulnerability ColdIntro: an undesirable introduction from the Display Co-Processor (DCP) to the AP Kernel. Furthermore, we continued to dig deeper and found another vulnerability that allows threat actors to similarly escape from the DCP to the AP kernel. We have named the newly patched vulnerability: ColdInvite.

Why is it so important?

It’s expected that as the modern threat landscape continues to evolve, we predict that more co-processor attacks and escape vulnerabilities will be seen in the future.

In accordance with our responsible disclosure policy, we will release the proof of concept for CVE-2023-27930 after Apple issues a patch to mitigate this threat.

Which platforms are affected?

ColdIntro: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) with iOS 15.6 (and older versions of iOS) installed.

ColdInvite: iPhone 12 (and newer models) with versions of iOS 14 through 16.3.1 installed.

How can I protect myself against this threat?

To patch this vulnerability, Apple and Jamf recommend updating affected devices to iOS 16.x.x. Jamf would like to thank the Apple Product Security team for patching the vulnerability quickly.

Customers with Jamf Pro are advised to upgrade to the latest version of iOS on their mobile fleets as soon as it is released. Customers with Jamf Protect will have affected versions of iOS flagged as highly vulnerable.