Warning - Apple released a security update fixing multiple vulnerabilities in iOS, iPadOS, macOS & watchOS, which are being actively exploited in the wild!
CVE-2023-32434
Type: Integer Overflow or Wraparound (CWE-190)
CVSS: Not Assigned Yet
CVE-2023-32435
Type: Out-of-bounds Write (CWE-787)
CVSS: Not Assigned Yet
CVE-2023-32439
Type: Type Confusion (CWE-843)
CVSS: Not Assigned Yet
Sources
https://support.apple.com/en-gb/HT201222
https://nvd.nist.gov/vuln/detail/CVE-2023-32434
https://nvd.nist.gov/vuln/detail/CVE-2023-32435
https://nvd.nist.gov/vuln/detail/CVE-2023-32439
Risks
Apple fixed multiple vulnerabilities in their latest update and stated that all those patched vulnerabilities may have been actively exploited.
CVE-2023-32434 is a vulnerability in the kernel; CVE-2023-32435 and CVE-2023-32439 are vulnerabilities in WebKit. All of these vulnerabilities could lead to arbitrary code execution when successfully exploited.
Description
Currently, no CVSS score has been assigned for these vulnerabilities. Since these vulnerabilities are being actively exploited in the wild and Apple created an update only to fix these vulnerabilities, it is very likely that the CVSS score will be HIGH or CRITICAL.
Exploit code for these vulnerabilities has not yet been publicly observed.
CVE-2023-32434: Successful exploitation of this kernel vulnerability allows a local application to execute arbitrary code with kernel privileges by triggering an integer overflow, which lets the application escalate its privileges on the system.
CVE-2023-32435 & CVE-2023-32439: Successful exploitation of these WebKit vulnerabilities allows maliciously crafted web content to achieve arbitrary code execution on the device. CVE-2023-32435 achieves this by causing an out-of-bounds memory write; CVE-2023-32439 achieves it by triggering a type confusion.
It is extremely important to perform the following recommended actions as soon as possible!
Recommended Actions
The Centre for Cyber Security Belgium strongly recommends that Windows system administrators take the following actions:
Upgrade to:
- Safari 16.5.1
- iOS 16.5.1 & iPadOS 16.5.1
- iOS 15.7.7 & iPadOS 15.7.7
- macOS Ventura 13.4.1
- macOS Monterey 12.6.7
- macOS Big Sur 11.7.8
- watchOS 9.5.2
- watchOS 8.8.1
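As an added example that is not part of this advisory, the following POSIX shell check compares a macOS version against the fixed releases listed above (Ventura 13.4.1, Monterey 12.6.7, Big Sur 11.7.8), so that a fleet of Macs can be screened for devices still awaiting the update. The function names are my own; the host check at the bottom only runs where `sw_vers` exists.

```shell
#!/bin/sh
# Added example: screen a macOS version against the fixed releases in this advisory.
# Exit status of macos_patched: 0 = at or above the fix, 1 = still vulnerable,
# 2 = major line not covered by this advisory (e.g. an older, unsupported release).

# Minimum fixed macOS release per major line, as listed in the advisory.
patched_for_line() {
    case "$1" in
        13) echo 13.4.1 ;;   # macOS Ventura
        12) echo 12.6.7 ;;   # macOS Monterey
        11) echo 11.7.8 ;;   # macOS Big Sur
        *)  return 1 ;;      # line not covered here
    esac
}

# Field N of a dotted version; appending ".0.0" pads short versions like "13.4".
vfield() { echo "$1.0.0" | cut -d. -f"$2"; }

# Returns 0 if version $1 >= version $2, comparing up to three numeric components.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(vfield "$1" "$i"); y=$(vfield "$2" "$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# macos_patched VERSION -> see exit codes above.
macos_patched() {
    major=$(vfield "$1" 1)
    want=$(patched_for_line "$major") || return 2
    version_ge "$1" "$want"
}

# Check the host itself; sw_vers exists only on macOS, elsewhere this is skipped.
if command -v sw_vers >/dev/null 2>&1; then
    v=$(sw_vers -productVersion)
    macos_patched "$v" && rc=0 || rc=$?
    case "$rc" in
        0) echo "macOS $v: at or above the fixed release" ;;
        1) echo "macOS $v: below the fixed release, update required" ;;
        *) echo "macOS $v: major line not covered by this advisory" ;;
    esac
fi
```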
References
https://support.apple.com/kb/HT213816
https://support.apple.com/kb/HT213814
https://support.apple.com/kb/HT213811
https://support.apple.com/kb/HT213813
https://support.apple.com/kb/HT213810
https://support.apple.com/kb/HT213809
https://support.apple.com/kb/HT213812
https://support.apple.com/kb/HT213808