Apple Addressed Two Zero-day Vulnerabilities Affecting iOS and iPadOS (CVE-2023-42824 & CVE-2023-5217)

Posted by Author Diksha Ojha on Posted on

Apple has released an emergency update to fix an actively exploited zero-day vulnerability. CVE-2023-42824 is a critical severity vulnerability affecting iPhones and iPads. A local attacker can exploit the vulnerability that exists in the XNU kernel to gain privileges. Apple has fixed the vulnerability with improved checks.

Apple has mentioned in their advisories that they are aware of active exploitation of the CVE-2023-42824 in attacks against iOS versions before iOS 16.6.

The second vulnerability is CVE-2023-5217, a heap buffer overflow vulnerability in the VP8 encoding of the open-source libvpx video codec library. An attacker may exploit this vulnerability to perform arbitrary code execution. Apple has fixed the vulnerability by updating to libvpx 1.13.1.

Google has also addressed CVE-2023-5217 in its Chrome browser.

CISA acknowledged active exploitation of CVE-2023-42824 by adding it to its Known Exploited Vulnerabilities Catalog and recommended users to patch before October 26, 2023.

Zero-day vulnerabilities addressed by Apple this year so far:

Affected Versions

  • iPhone XS and later
  • iPad 6th generation and later
  • iPad Air 3rd generation and later
  • iPad mini 5th generation and later
  • iPad Pro 12.9-inch 2nd generation and later
  • iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later

Mitigation

Customers must upgrade to the latest iOS 17.0.3 and iPadOS 17.0.3 to patch the vulnerabilities.

For more information, please visit the Apple security advisory.

Qualys Detection

Qualys customers can scan their devices with QID 610511 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://support.apple.com/en-us/HT213961

Leave a Reply

Your email address will not be published. Required fields are marked *