www.belgium.be Logo of the federal government

Warning: Critical Zero-Day Vulnerabilities Discovered in Apple Devices, Patch Immediately!

Reference: 
Advisory #2023-114
Version: 
1.0
Affected software: 
prior to iOS 16.7
prior to iOS 17.0.1
prior to iPadOS 16.7
prior to iPadOS 17.0.1
prior to watchOS 9.6.3
prior to watchOS 10.0.1
prior to macOS Ventura 13.6
prior to macOS Monterey 12.7
prior to Safari 16.6.1
CVE/CVSS: 

CVE-2023-41991 - CVSS not published yet
CVE-2023-41992 - CVSS not published yet
CVE-2023-41993 - CVSS not published yet

Sources

Risks

Apple has urgently released security updates to address three newly discovered zero-day vulnerabilities affecting a wide range of Apple products, including Safari, iPhones, iPads, Macs, and Apple Watches, potentially compromising the confidentiality, integrity, and availability of sensitive data.

These vulnerabilities pose a significant risk as they can be exploited to bypass security measures, execute arbitrary code, and escalate privileges.

Apple has not provided specific details about their exploitation in the wild. They do mention that they are aware that this issue may have been actively exploited against versions of iOS before iOS 16.7. The Citizen Lab and Google Threat Analysis Group have identified a history of zero-days being used in targeted spyware attacks related to Pegasus Spyware.

UPDATE: On October 15, 2023, a proof-of-concept (Poc) was released by the security researcher POXIS (@po6ix) available here: https://github.com/po6ix/POC-for-CVE-2023-41993

Description

Apple has identified and fixed three zero-day vulnerabilities in its software, which are actively being exploited. These vulnerabilities are identified as CVE-2023-41993 (in WebKit), CVE-2023-41991 (in the Security framework), and CVE-2023-41992 (in the Kernel Framework). They allow attackers to bypass security checks, execute malicious code, and escalate privileges on compromised devices.

Threat Actors: While specific threat actors have not been disclosed, historical data from Citizen Lab and the Google Threat Analysis Group suggests that zero-days like these have been exploited in targeted spyware attacks. High-risk individuals, such as journalists, opposition politicians, and dissidents, have been the primary targets.

Historical Context: Earlier this year, Citizen Lab and Apple reported the discovery and exploitation of other zero-day vulnerabilities (CVE-2023-41061 and CVE-2023-41064) as part of a zero-click exploit chain. These vulnerabilities were used to deliver the NSO Group's Pegasus commercial spyware onto fully patched iPhones. (Link to our advisory)

Technology Targeted: The vulnerabilities target Apple devices, including iPhones, iPads, Apple Watches and Macs running macOS Monterey and newer. This makes them particularly attractive to threat actors due to the widespread adoption of Apple products.

Impact on CIA Triad: These vulnerabilities have the potential to compromise the Confidentiality, Integrity, and Availability (CIA) triad of information security. Attackers can gain unauthorized access to sensitive data (Confidentiality), tamper with device functionality and data (Integrity), and disrupt normal device operations (Availability).

Recommended Actions

The Centre for Cybersecurity Belgium strongly recommends updating all affected Apple devices to the latest available software version. Apple has released patches for these vulnerabilities in macOS Monterey 12.7/Ventura 13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, watchOS 9.6.3/10.0.1 and Safari 16.6.1.

References