VYPR
Unrated severity · NVD Advisory · Published Aug 17, 2015 · Updated May 6, 2026

CVE-2015-3793


Description

CFPreferences in Apple iOS before 8.4.1 allows attackers to bypass the third-party app-sandbox protection mechanism and read arbitrary managed preferences via a crafted app.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An app can bypass the iOS sandbox and read arbitrary managed preferences via CFPreferences, fixed in iOS 8.4.1.

Vulnerability

A vulnerability in CFPreferences on Apple iOS prior to version 8.4.1 allows a crafted third-party app to bypass the app-sandbox protection mechanism and read arbitrary managed preferences [1]. The issue exists in the preferences subsystem, which handles reading and writing of preference domains. The affected versions are iOS 8.4 and earlier; the fix was released in iOS 8.4.1 [1].

Exploitation

An attacker would need to distribute a specially crafted app, or entice a user to run one, on a vulnerable iOS device. The app must be signed and installed normally (i.e., through the App Store or enterprise deployment). No particular user interaction beyond launching the app is required, as the exploit triggers automatically when the app makes certain CFPreferences API calls. The crafted app sends specific requests to read preference domains that are normally restricted to system processes or other apps [1].

Impact

A successful exploit results in disclosure of arbitrary managed preferences, which may include sensitive configuration or policy settings that are intended to be private to the system or other applications. The attacker gains read access to data that is protected by the third-party app-sandbox, leading to information disclosure. The privilege level achieved is that of the sandboxed app, but the sandbox bypass allows reading data outside its designated container [1].

Mitigation

The vulnerability is fixed in iOS 8.4.1, released on August 13, 2015 [1]. Users should update their devices to iOS 8.4.1 or later via Settings > General > Software Update. No workarounds are described for devices that cannot be updated. The issue is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

4
