Certificate Validation Issue in Apple iOS and macOS Products
CVE-2023-41991
Key Information:
- Vendor: Apple
- Status: Vendor
- CVE Published: 21 September 2023
Summary
A flaw in the certificate validation process has been identified that could allow a malicious application to bypass signature validation checks. This vulnerability affects iOS and iPadOS versions prior to 16.7 and macOS Ventura versions prior to 13.6. Apple has addressed this issue in the latest updates, and it is important for users to upgrade their devices to protect against potential exploitation.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
iOS and iPadOS < 16.7
macOS < 13.6
News Articles
Apple Fixes Trio of Actively Exploited Bugs
The three zero days (CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993) impact various versions of macOS, iOS, iPadOS and watchOS.
New Critical Security Warning For iPhone, iPad, Watch, Mac—Attacks Underway
Citizen Lab, alongside Google’s Threat Analysis Group, has uncovered a no-click zero-day exploit chain impacting iPhones, iPads, Apple Watch and Macs.
Apple fixes 3 zero-day vulnerabilities exploited to compromise iPhones - Help Net Security
Apple has fixed 0-day vulnerabilities (CVE-2023-41992, CVE-2023-41991, CVE-2023-41993) exploited "against versions of iOS before iOS 16.7."
References
EPSS Score
6% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🟡 Public PoC available
- 👾 Exploit known to exist
- 🦅 CISA Reported
- 📰 First article discovered by The Register
- Vulnerability published
- Vulnerability reserved