Apple has released security advisories to address three zero-day vulnerabilities exploited in attacks against iPhones, Macs, and iPads. The vulnerabilities (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) exist in the browser engine WebKit.
Apple has mentioned in the advisory that reports suggesting the vulnerabilities (CVE-2023-32409, CVE-2023-28204, & CVE-2023-32373) may have been actively exploited.
Along with three zero-day vulnerabilities, Apple has addressed 33 other vulnerabilities affecting its multiple products.
CISA has added the three vulnerabilities (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) to its Known Exploitable Vulnerabilities Catalog and requested users to patch it before June 12th, 2023.
Description
CVE-2023-32409
This sandbox escape vulnerability could allow a remote attacker to break out of the Web Content sandbox. Apple has fixed the vulnerability with improved bounds checks.
Sandbox escape is a type of flaw that enables the execution of malicious code from a sandbox outside of the secure environment.
Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab have discovered the vulnerability.
CVE-2023-28204
This out-of-bounds read vulnerability could allow attackers to disclose sensitive information. An attacker may exploit this vulnerability by processing malicious web content. The vulnerability has been fixed with improved input validation.
Note: Apple has addressed the vulnerability in Rapid Security Response macOS 13.3.1 (a).
CVE-2023-32373
This use-after-free vulnerability allows attackers to perform arbitrary code execution. An attacker may exploit the vulnerability by processing maliciously crafted web content. Apple has fixed the vulnerability with improved memory management.
Note: Apple has addressed the vulnerability in Rapid Security Response macOS 13.3.1 (a).
CVE-2023-32369 (Migraine)
A team of security researchers at Microsoft has reported the vulnerability termed as “Migrain” to Apple. The vulnerability may allow attackers with root privileges to install “undeletable” malware, bypass System Integrity Protection (SIP), and gain access to the victim’s private data by evading Transparency, Consent, and Control (TCC) security procedures. Apple has patched the vulnerability with improved state management.
Rapid Security Response
An innovative new software release for iPhone, iPad, and Mac is called Rapid Security Responses. Apple releases significant security updates between software updates, such as upgrades to the WebKit framework stack, the Safari web browser, or other vital system libraries.
Affected Products and Versions
- Apple Safari Versions before 16.5
- Apple iOS and iPadOS versions before 16.5
- Apple macOS Ventura Versions before 13.4
- Apple macOS Big Sur versions before 11.7.7
- Apple iOS and iPadOS versions before 15.7.6
- Apple macOS Monterey versions before 12.6.6
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), and iPhone 8 and later
Mitigation
To patch the vulnerability, customers must upgrade to the latest macOS Ventura 13.4, macOS Monterey 12.6.6, macOS Big Sur 11.7.7, iOS and iPadOS 16.5, and Safari 16.5.
For more information, please visit the Apple security advisory HT213757.
Qualys Detection
Qualys customers can scan their devices with QIDs 378474, 378503, 378504, 378505, 378506, and 610479 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://support.apple.com/en-us/HT213757
https://support.apple.com/en-us/HT213758
https://support.apple.com/en-us/HT213759
https://support.apple.com/en-us/HT213760
https://support.apple.com/en-in/HT213765