Apple Releases Patch for Zero-day Vulnerabilities Used in Attack Against iOS and macOS (CVE-2024-23222, CVE-2023-42916, & CVE-2023-42917)

Qualys Security Advisory

Threat actors are using CVE-2024-23222, CVE-2023-42916, and CVE-2023-42917 vulnerabilities in attacks against iOS and Macs. Apple has addressed the vulnerabilities in products such as Safari, iOS, iPadOS, macOS, watchOS, and tvOS.

Along with the zero-day vulnerability, Apple has addressed multiple vulnerabilities affecting its popular products.

CVE-2024-23222

The type confusion flaw exists in the WebKit browser engine. The vulnerability can be triggered when maliciously crafted web content is processed. Successful exploitation of the vulnerability may lead to arbitrary code execution. Apple has fixed the vulnerability with improved checks.

Apple has mentioned in the advisory that they are aware of the exploitation of the vulnerability.

CVE-2023-42916

An out-of-bounds read flaw exists in the WebKit browser engine. The vulnerability can be exploited by processing web content. Successful exploitation of the vulnerability may disclose sensitive information. Apple has fixed the vulnerability with improved input validation.

Apple has mentioned in the advisory that they are aware of the exploitation of the vulnerability against versions of iOS before iOS 16.7.1.

CVE-2023-42917

The memory corruption flaw exists in the WebKit browser engine. The vulnerability can be triggered when maliciously crafted web content is processed. Successful exploitation of the vulnerability may lead to arbitrary code execution. Apple has fixed the vulnerability with improved locking.

Apple has mentioned in the advisory that they are aware of the exploitation of the vulnerability against versions of iOS before iOS 16.7.1.

CVE-2024-23211

The privacy issue may allow an attacker to view a user’s private browsing activity in Settings. Apple has fixed the vulnerability with improved handling of user preferences.

CVE-2024-23206

A maliciously crafted webpage can exploit an access issue to fingerprint the user. Apple has fixed the vulnerability with improved access restrictions.

CVE-2024-23213 & CVE-2024-23209

The vulnerabilities can be triggered when maliciously crafted web content is processed. Successful exploitation of the vulnerabilities may lead to arbitrary code execution. Apple has fixed the vulnerabilities with improved memory handling.

CVE-2024-23212

On successful exploitation, an app may execute arbitrary code with kernel privileges. Apple has fixed the vulnerability with improved memory handling.

CVE-2024-23218

An attacker may exploit the vulnerability to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without having the private key. Apple has fixed the vulnerability with improvements to constant-time computation in cryptographic functions.

CVE-2024-23224

Successful exploitation of the vulnerability may allow an app to access sensitive user data. Apple has fixed the vulnerability with improved checks.

CVE-2024-23208

Successful exploitation of the vulnerability may allow an app to execute arbitrary code with kernel privileges. Apple has fixed the vulnerability with improved memory handling.

CVE-2024-23207

Successful exploitation of the vulnerability may allow an app to access sensitive user data. Apple has fixed the vulnerability with improved redaction of sensitive information.

CVE-2024-23223 

Successful exploitation of the vulnerability may allow an app to access sensitive user data. Apple has fixed the vulnerability with improved handling of files.

CVE-2024-23203 & CVE-2024-23204

Successful exploitation of the vulnerability may allow a shortcut to use sensitive data with specific actions without prompting the user. Apple has fixed the vulnerability with additional permissions checks.

CVE-2024-23217

Successful exploitation of the vulnerability may allow an app to bypass specific Privacy preferences. Apple has fixed the privacy vulnerability with improved handling of temporary files.

CVE-2024-23215

Successful exploitation of the vulnerability may allow an app to access sensitive user data. Apple has fixed the vulnerability with improved handling of temporary files.

CVE-2024-23210

Successful exploitation of the vulnerability may allow an app to view a user’s phone number in system logs. Apple has fixed the vulnerability with improved redaction of sensitive information.

CVE-2023-42887

Successful exploitation of the vulnerability may allow an app to read arbitrary files. Apple has fixed the vulnerability with additional sandbox restrictions.

CVE-2023-42935

Successful exploitation of the vulnerability may allow a local attacker to view the previously logged-in user’s desktop from the fast user switching screen. Apple has fixed the vulnerability with improved state management. 

CVE-2023-42888

The vulnerability can be exploited by processing a maliciously crafted image, which may result in the disclosure of process memory. Apple has fixed the vulnerability with improved checks.

CVE-2023-42915, CVE-2023-38546, CVE-2023-38039, & CVE-2023-38545

Multiple vulnerabilities in Curl are addressed by updating to Curl version 8.4.0.

CVE-2023-40528

Successful exploitation of the vulnerability may allow an app to bypass Privacy preferences. Apple has fixed the vulnerability by removing the vulnerable code.

CVE-2023-42937

Successful exploitation of the vulnerability may allow an app to access sensitive user data. Apple has fixed the vulnerability with improved private data redaction for log entries.

Affected Products and Versions

  • iPhone 8
  • iPhone X
  • iPhone 8 Plus
  • iPad Pro 9.7-inch
  • Safari before 17.3
  • iPhone XS and later
  • iPad 5th generation
  • macOS Sonoma before 14.3
  • iPad 6th generation and later
  • macOS Ventura before 13.6.4
  • macOS Monterey before 12.7.3
  • iPad Air 3rd generation and later
  • iPad Pro 12.9-inch 1st generation
  • iPad mini 5th generation and later
  • iPad Pro 12.9-inch 2nd generation and later
  • iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later

Mitigation

To patch the vulnerabilities, customers must upgrade to the latest Safari 17.3, macOS Monterey 12.7.3, macOS Sonoma 14.3, macOS Ventura 13.6.4, iOS 17.3, and iPadOS 17.3.

Apple has also backported fixes for CVE-2023-42916 and CVE-2023-42917. The patches for the vulnerabilities were released in December 2023 to older devices:

iOS 15.8.1 and iPadOS 15.8.1: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

For more information, please visit the Apple security advisories for macOS Ventura, macOS Monterey, macOS Sonoma, Safari, iOS, and iPadOS.
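As an added example (not part of the Qualys advisory or any Apple tooling), the fixed releases named above can be turned into a per-branch check over an asset inventory. The hostnames, the inventory layout and the `unlisted` status are assumptions made for illustration; branches for which this page names no fixed release are reported as `unlisted` rather than guessed.

```python
# Added example. Fixed-release floors copied from the Mitigation section.
# Key: (product, major branch); a branch of None applies to every version.
FIXED = {
    ("safari", None): (17, 3, 0),   # page: "Safari before 17.3" is affected
    ("macos", 12): (12, 7, 3),
    ("macos", 13): (13, 6, 4),
    ("macos", 14): (14, 3, 0),
    ("ios", 17): (17, 3, 0),
    ("ipados", 17): (17, 3, 0),
    # Backport branch: covers CVE-2023-42916 and CVE-2023-42917 only.
    ("ios", 15): (15, 8, 1),
    ("ipados", 15): (15, 8, 1),
}

def parse_version(text):
    """'13.6.4' -> (13, 6, 4); '14.3' -> (14, 3, 0). Rejects non-numeric parts."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # pad so (14, 3) compares as 14.3.0

def assess(product, version):
    """Return 'patched', 'vulnerable', or 'unlisted' when the page names no
    fixed release for that branch (review those against Apple's advisories)."""
    prod, v = product.strip().lower(), parse_version(version)
    floor = FIXED.get((prod, v[0])) or FIXED.get((prod, None))
    if floor is None:
        return "unlisted"
    return "patched" if v >= floor else "vulnerable"

def triage(inventory):
    """Map each host to its status, keeping only hosts that need attention."""
    out = {}
    for host, product, version in inventory:
        status = assess(product, version)
        if status != "patched":
            out[host] = status
    return out

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("mac-build-01", "macOS", "14.2.1"),
    ("mac-design-07", "macOS", "13.6.4"),
    ("iphone-sales-3", "iOS", "17.3"),
    ("ipad-kiosk-2", "iPadOS", "15.8"),
    ("iphone-lab-9", "iOS", "16.7.2"),
    ("mac-legacy-04", "Safari", "16.6"),
]
```

A `patched` result on the iOS/iPadOS 15 branch only speaks to the two backported CVEs, since that is all the page lists for 15.8.1.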

Qualys Detection

Qualys customers can scan their devices with QIDs 610538, 610539, 610540, 379300, 379299, 379298, and 379297 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://support.apple.com/kb/HT214056
https://support.apple.com/kb/HT214059
https://support.apple.com/kb/HT214061
https://support.apple.com/kb/HT214058
https://support.apple.com/kb/HT214057
