Threat actors are using CVE-2024-23222, CVE-2023-42916, and CVE-2023-42917 vulnerabilities in attacks against iOS and Macs. Apple has addressed the vulnerabilities in products such as Safari, iOS, iPadOS, macOS, watchOS, and tvOS.
Along with the zero-day vulnerability, Apple has addressed multiple vulnerabilities affecting its popular products.
CISA has added the CVE-2024-23222 to its Known Exploited Vulnerabilities Catalog, requesting users to patch it before Feb 13, 2024.
CVE-2024-23222
The type confusion flaw exists in the WebKit browser engine. An attacker may exploit the vulnerability by processing maliciously crafted web content. Successful exploitation of the vulnerability may lead to arbitrary code execution. Apple has fixed the vulnerability with improved checks.
Apple has mentioned in the advisory that they are aware of the exploitation of the vulnerability.
CVE-2023-42916
An out-of-bounds read flaw exists in the WebKit browser engine. The vulnerability can be exploited by processing web content. Successful exploitation of the vulnerability may disclose sensitive information. Apple has fixed the vulnerability with improved input validation.
Apple has mentioned in the advisory that they are aware of the exploitation of the vulnerability against versions of iOS before iOS 16.7.1.
CVE-2023-42917
The memory corruption flaw exists in the WebKit browser engine. An attacker may exploit the vulnerability by processing maliciously crafted web content. Successful exploitation of the vulnerability may lead to arbitrary code execution. Apple has fixed the vulnerability with improved locking.
Apple has mentioned in the advisory that they are aware of the exploitation of the vulnerability against versions of iOS before iOS 16.7.1.
CVE-2024-23211
The privacy issue may allow an attacker to view a user’s private browsing activity in Settings. Apple has fixed the vulnerability with improved handling of user preferences.
CVE-2024-23206
A maliciously crafted webpage can exploit an access issue to fingerprint the user. Apple has fixed the vulnerability with improved access restrictions.
CVE-2024-23213 & CVE-2024-23209
An attacker may exploit the vulnerability by processing maliciously crafted web content. Successful exploitation of the vulnerability may lead to arbitrary code execution. Apple has fixed the vulnerability with memory handling.
CVE-2024-23212
On successful exploitation, an app may execute arbitrary code with kernel privileges. Apple has fixed the vulnerability with improved memory handling.
CVE-2024-23218
An attacker may exploit the vulnerability to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without having the private key. Apple has fixed the vulnerability with improvements to constant-time computation in cryptographic functions.
CVE-2024-23224
Successful exploitation of the vulnerability may allow an app to access sensitive user data. Apple has fixed the vulnerability with improved checks.
CVE-2024-23208
Successful exploitation of the vulnerability may allow an app to execute arbitrary code with kernel privileges. Apple has fixed the vulnerability with improved memory handling.
CVE-2024-23207
Successful exploitation of the vulnerability may allow an app to access sensitive user data. Apple has fixed the vulnerability with improved redaction of sensitive information.
CVE-2024-23223
Successful exploitation of the vulnerability may allow an app to access sensitive user data. Apple has fixed the vulnerability with improved handling of files.
CVE-2024-23203 & CVE-2024-23204
Successful exploitation of the vulnerability may allow a shortcut to use sensitive data with specific actions without prompting the user. Apple has fixed the vulnerability with additional permissions checks.
CVE-2024-23217
Successful exploitation of the vulnerability may allow an app to bypass specific Privacy preferences. Apple has fixed the privacy vulnerability with improved handling of temporary files.
CVE-2024-23215
Successful exploitation of the vulnerability may allow an app to access sensitive user data. Apple has fixed the vulnerability with improved handling of temporary files.
CVE-2024-23210
Successful exploitation of the vulnerability may allow an app to view a user’s phone number in system logs. Apple has fixed the vulnerability with improved redaction of sensitive information.
CVE-2023-42887
Successful exploitation of the vulnerability may allow an app to read arbitrary files. Apple has fixed the vulnerability with additional sandbox restrictions.
CVE-2023-42935
Successful exploitation of the vulnerability may allow a local attacker to view the previously logged-in user’s desktop from the fast user switching screen. Apple has fixed the vulnerability with improved state management.
CVE-2023-42888
The vulnerability can be exploited by processing a maliciously crafted image, which may result in the disclosure of process memory. Apple has fixed the vulnerability with improved checks.
CVE-2023-42915, CVE-2023-38546, CVE-2023-38039, & CVE-2023-38545
Multiple vulnerabilities in Curl are addressed by updating to Curl version 8.4.0.
CVE-2023-40528
Successful exploitation of the vulnerability may allow an app to bypass Privacy preferences. Apple has fixed the vulnerability by removing the vulnerable code.
CVE-2023-42937
Successful exploitation of the vulnerability may allow an app to access sensitive user data. Apple has fixed the vulnerability with improved private data redaction for log entries.
Affected Products and Versions
- iPhone 8
- iPhone X
- iPhone 8 Plus
- iPad Pro 9.7-inch
- Safari before 17.3
- iPhone XS and later
- iPad 5th generation
- macOS Sonoma before 14.3
- iPad 6th generation and later
- macOS Ventura before 13.6.4
- macOS Monterey before 12.7.3
- iPad Air 3rd generation and later
- iPad Pro 12.9-inch 1st generation
- iPad mini 5th generation and later
- iPad Pro 12.9-inch 2nd generation and later
- iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later
Mitigation
To patch the vulnerabilities, customers must upgrade to the latest iOS 16.7.5 and iPadOS 16.7.5; Safari 17.3, macOS Monterey 12.7.3, macOS Sonoma 14.3, macOS Ventura 13.6.4, iOS 17.3, and iPadOS 17.3.
Apple has also backported fixes for CVE-2023-42916 and CVE-2023-42917. The patches for the vulnerabilities were released in December 2023 to older devices:
iOS 15.8.1 and iPadOS 15.8.1: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
For more information, please visit the Apple security advisories for macOS Ventura, macOS Monterey, macOS Sonoma, Safari, iOS, and iPadOS.
Qualys Detection
Qualys customers can scan their devices with QIDs 610538, 610539, 610540, 379300, 379299, 379298, and 379297 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://support.apple.com/kb/HT214056
https://support.apple.com/kb/HT214059
https://support.apple.com/kb/HT214061
https://support.apple.com/kb/HT214058
https://support.apple.com/kb/HT214057
https://support.apple.com/kb/HT214062