Apple Patched Three Zero-days Affecting iOS, iPadOS, macOS Ventura, Safari (CVE-2023-41991, CVE-2023-41992, & CVE-2023-41993)

Apple has released emergency updates to address three zero-day vulnerabilities in multiple popular products. Tracked as CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993, the vulnerabilities may allow attackers to elevate privileges, perform arbitrary code execution, and bypass signature validation.

Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group discovered the vulnerabilities.

Apple has mentioned in their advisories that they are aware of active exploitation of the vulnerabilities in attacks against iOS.

CISA has added these vulnerabilities to its Known Exploited Vulnerabilities Catalog and recommended that users patch before October 16, 2023.

Zero-day vulnerabilities addressed by Apple this year so far:

CVE-2023-41991

CVE-2023-41991 is a certificate validation flaw in the Security framework. Successful exploitation of the vulnerability may allow a malicious app to bypass signature validation.

CVE-2023-41992

The vulnerability that exists in the Kernel framework is addressed with improved checks. The vulnerability allows a local attacker to elevate their privileges.

CVE-2023-41993

The vulnerability in the WebKit browser engine is addressed with improved checks. Successful exploitation of the vulnerability may allow an attacker to perform arbitrary code execution.

Affected Products and Versions

  • iPhone XS and later
  • iPad 5th generation and later
  • iPad 6th generation and later
  • iPad Air 3rd generation and later
  • iPad mini 5th generation and later
  • iPhone 8 and later, iPad Pro (all models)
  • iPad Pro 12.9-inch 2nd generation and later
  • Apple macOS Ventura Versions Before 13.6
  • Apple macOS Monterey Versions Before 12.7
  • iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later

Mitigation

Customers must upgrade to the latest macOS Ventura 13.6, macOS Monterey 12.7, Safari 16.6.1, iOS 16.7, iPadOS 16.7, iOS 17.0.1, and iPadOS 17.0.1 to patch the vulnerabilities.

For more information, please visit the Apple security advisories for macOS Ventura, macOS Monterey, Safari, iOS, and iPadOS.
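The fixed versions above are per release branch, so a single "minimum version" comparison misclassifies devices: iOS 17.0 is newer than 16.7 but is still unpatched. The inventory check below is an added example, not Apple or Qualys code; the product labels, function names, and sample inventory rows are assumptions, and branches the page does not list are reported as unknown.

```python
# Added example: branch-aware patch check for the fixed versions in the Mitigation section.
# Product labels and inventory rows are constructed; they are not from Apple or Qualys.

# (product, major version) -> first fixed version on that branch, per the page.
FIXED = {
    ("macos", 13): (13, 6),
    ("macos", 12): (12, 7),
    ("safari", 16): (16, 6, 1),
    ("ios", 16): (16, 7),
    ("ios", 17): (17, 0, 1),
    ("ipados", 16): (16, 7),
    ("ipados", 17): (17, 0, 1),
}


def patch_status(product, version):
    """Return 'patched', 'vulnerable', or 'unknown' for one product/version pair."""
    try:
        found = tuple(int(part) for part in version.strip().split("."))
    except ValueError:
        return "unknown"  # unparseable version string: flag for manual review
    fixed = FIXED.get((product.strip().lower(), found[0]))
    if fixed is None:
        return "unknown"  # branch not covered by the page
    # Pad to equal length so 16.7 compares equal to 16.7.0, not lower.
    width = max(len(found), len(fixed))
    found += (0,) * (width - len(found))
    fixed += (0,) * (width - len(fixed))
    return "patched" if found >= fixed else "vulnerable"


def triage(inventory):
    """Map each host to its status, keeping only hosts that are not confirmed patched."""
    results = {host: patch_status(product, version) for host, product, version in inventory}
    return {host: status for host, status in results.items() if status != "patched"}


# Constructed sample inventory: (host, product, reported version).
SAMPLE_INVENTORY = [
    ("phone-01", "iOS", "17.0"),       # newer than 16.7, but below 17.0.1
    ("phone-02", "iOS", "16.7"),
    ("tablet-01", "iPadOS", "16.6.1"),
    ("mac-01", "macOS", "13.5.2"),     # newer than 12.7, but below 13.6
    ("mac-02", "macOS", "12.7"),
    ("mac-03", "macOS", "14.0"),       # branch not listed on the page
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown need a manual check against the vendor advisories rather than being treated as patched.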

Qualys Detection

Qualys customers can scan their devices with QIDs 378874, 378875, 378877, 610509, and 610510 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://support.apple.com/en-us/HT213926
https://support.apple.com/en-us/HT213927
https://support.apple.com/en-us/HT213930
https://support.apple.com/en-us/HT213931
https://support.apple.com/en-us/HT213932
