
Warning - Apple released a security update fixing multiple vulnerabilities in iOS, iPadOS, macOS & watchOS, which are being actively exploited in the wild!

Reference: 
Advisory #2023-73
Version: 
1.0
Affected software: 
iOS <15.7.7 & iPadOS <15.7.7
iOS <16.5.1 & iPadOS <16.5.1
watchOS <9.5.2
watchOS <8.8.1
macOS Big Sur <11.7.8
macOS Monterey <12.6.7
macOS Ventura <13.4.1
Safari <16.5.1
Type: 
Multiple vulnerability types
CVE/CVSS: 

CVE-2023-32434
Type: Integer Overflow or Wraparound (CWE-190)
CVSS: Not Assigned Yet

CVE-2023-32435
Type: Out-of-bounds Write (CWE-787)
CVSS: Not Assigned Yet

CVE-2023-32439
Type: Type Confusion (CWE-843)
CVSS: Not Assigned Yet

Sources

https://support.apple.com/en-gb/HT201222
https://nvd.nist.gov/vuln/detail/CVE-2023-32434
https://nvd.nist.gov/vuln/detail/CVE-2023-32435
https://nvd.nist.gov/vuln/detail/CVE-2023-32439

Risks

Apple fixed multiple vulnerabilities in their latest update and stated that all those patched vulnerabilities may have been actively exploited.

CVE-2023-32434 is a vulnerability in the kernel; CVE-2023-32435 and CVE-2023-32439 are vulnerabilities in WebKit. All three can lead to arbitrary code execution when successfully exploited.

Description

Currently, no CVSS score has been assigned for these vulnerabilities. Since these vulnerabilities are being actively exploited in the wild and Apple created an update only to fix these vulnerabilities, it is very likely that the CVSS score will be HIGH or CRITICAL.

Exploit code for these vulnerabilities has not yet been publicly observed.

CVE-2023-32434: Successful exploitation of this kernel vulnerability allows a local application to execute arbitrary code with kernel privileges by triggering an integer overflow, i.e. to escalate its privileges on the system.

CVE-2023-32435 & CVE-2023-32439: Successful exploitation of these WebKit vulnerabilities allows maliciously crafted web content to achieve arbitrary code execution on the device. CVE-2023-32435 does so through an out-of-bounds memory write; CVE-2023-32439 through a type confusion.

It is extremely important to perform the following recommended actions as soon as possible!

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends system administrators and users of the affected Apple products to take the following actions:

Upgrade to:

  • Safari 16.5.1
  • iOS 16.5.1 & iPadOS 16.5.1
  • iOS 15.7.7 & iPadOS 15.7.7
  • macOS Ventura 13.4.1
  • macOS Monterey 12.6.7
  • macOS Big Sur 11.7.8
  • watchOS 9.5.2
  • watchOS 8.8.1
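
To verify that a device actually runs one of the versions listed above, the installed version must be compared numerically against the minimum patched version of its branch (a plain string comparison would, for example, rank 13.10 below 13.4.1). The following POSIX shell script is an added example, not part of the advisory or of Apple's tooling: it encodes the patched versions from the list above, compares a dotted version against the right branch minimum, and returns a non-zero exit status for unpatched devices so it can be used in a fleet script or MDM check. The product names ("macos", "ios", "ipados", "watchos", "safari") and the sample versions at the bottom are assumptions made for the example; the `sw_vers` and `defaults read` calls are the standard macOS commands for reading the OS and Safari version and are only run when present.

```shell
#!/bin/sh
# Added example: check an installed Apple OS/Safari version against the
# minimum patched versions from CCB Advisory #2023-73.

# version_ge INSTALLED MINIMUM: return 0 if INSTALLED >= MINIMUM,
# comparing dotted numeric versions component by component.
# Missing components count as 0, so "13.4" < "13.4.1" and "13.4.1" == "13.4.1".
version_ge() {
    i="$1"; m="$2"
    while [ -n "$i" ] || [ -n "$m" ]; do
        ia="${i%%.*}"; ma="${m%%.*}"
        [ -z "$ia" ] && ia=0
        [ -z "$ma" ] && ma=0
        [ "$ia" -gt "$ma" ] && return 0
        [ "$ia" -lt "$ma" ] && return 1
        case "$i" in *.*) i="${i#*.}";; *) i="";; esac
        case "$m" in *.*) m="${m#*.}";; *) m="";; esac
    done
    return 0
}

# min_version PRODUCT INSTALLED: print the minimum patched version for the
# branch the installed version belongs to (values taken from the advisory).
# Versions older than any listed branch fall through to the newest branch
# minimum and are therefore reported as unpatched.
min_version() {
    case "$1" in
        ios|ipados)
            case "$2" in 15.*) echo 15.7.7;; *) echo 16.5.1;; esac ;;
        watchos)
            case "$2" in 8.*) echo 8.8.1;; *) echo 9.5.2;; esac ;;
        macos)
            case "$2" in 11.*) echo 11.7.8;; 12.*) echo 12.6.7;; *) echo 13.4.1;; esac ;;
        safari)
            echo 16.5.1 ;;
        *)
            echo "unknown product: $1" >&2; return 2 ;;
    esac
}

# check_patched PRODUCT INSTALLED: print a verdict; exit 0 if patched,
# 1 if unpatched, 2 if the product is unknown.
check_patched() {
    product="$1"; installed="$2"
    minimum="$(min_version "$product" "$installed")" || return 2
    if version_ge "$installed" "$minimum"; then
        echo "$product $installed: patched (>= $minimum)"
        return 0
    fi
    echo "$product $installed: UNPATCHED (< $minimum)"
    return 1
}

# Constructed sample inputs (assumed values, not real inventory data).
check_patched macos 13.4.1
check_patched macos 13.4
check_patched macos 12.6.7
check_patched ios 15.7.6
check_patched watchos 9.5.2
check_patched safari 16.5

# On a real Mac, read the live versions instead (these commands exist only on macOS).
if command -v sw_vers >/dev/null 2>&1; then
    check_patched macos "$(sw_vers -productVersion)"
    check_patched safari "$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString)"
fi
```

Run it as `sh check_apple_patch.sh`; in a fleet script, test the exit status of `check_patched` for the relevant product. iOS, iPadOS and watchOS versions cannot be read from a shell on the device itself and have to be fed in from MDM inventory.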

References

https://support.apple.com/kb/HT213816
https://support.apple.com/kb/HT213814
https://support.apple.com/kb/HT213811
https://support.apple.com/kb/HT213813
https://support.apple.com/kb/HT213810
https://support.apple.com/kb/HT213809
https://support.apple.com/kb/HT213812
https://support.apple.com/kb/HT213808