ID

VAR-202301-1723


CVE

CVE-2023-23508


TITLE

apple's  macOS  Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-004373

DESCRIPTION

The issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.7.3, macOS Ventura 13.2, macOS Monterey 12.6.3. An app may be able to bypass Privacy preferences. apple's macOS Exists in unspecified vulnerabilities.Information may be tampered with. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3 macOS Monterey 12.6.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213604. AppleMobileFileIntegrity Available for: macOS Monterey Impact: An app may be able to access user-sensitive data Description: This issue was addressed by enabling hardened runtime. CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing (wojciechregula.blog) curl Available for: macOS Monterey Impact: Multiple issues in curl Description: Multiple issues were addressed by updating to curl version 7.86.0. CVE-2022-42915 CVE-2022-42916 CVE-2022-32221 CVE-2022-35260 curl Available for: macOS Monterey Impact: Multiple issues in curl Description: Multiple issues were addressed by updating to curl version 7.85.0. CVE-2022-35252 dcerpc Available for: macOS Monterey Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution Description: A buffer overflow issue was addressed with improved memory handling. CVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco Talos DiskArbitration Available for: macOS Monterey Impact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password Description: A logic issue was addressed with improved state management. CVE-2023-23493: Oliver Norpoth (@norpoth) of KLIXX GmbH (klixx.com) DriverKit Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: A type confusion issue was addressed with improved checks. CVE-2022-32915: Tommy Muir (@Muirey03) Intel Graphics Driver Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved bounds checks. CVE-2023-23507: an anonymous researcher Kernel Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2023-23504: Adam Doupé of ASU SEFCOM Kernel Available for: macOS Monterey Impact: An app may be able to determine kernel memory layout Description: An information disclosure issue was addressed by removing the vulnerable code. CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. (@starlabs_sg) PackageKit Available for: macOS Monterey Impact: An app may be able to gain root privileges Description: A logic issue was addressed with improved state management. CVE-2023-23497: Mickey Jin (@patch1t) Screen Time Available for: macOS Monterey Impact: An app may be able to access information about a user’s contacts Description: A privacy issue was addressed with improved private data redaction for log entries. CVE-2023-23505: Wojciech Regula of SecuRing (wojciechregula.blog) Weather Available for: macOS Monterey Impact: An app may be able to bypass Privacy preferences Description: The issue was addressed with improved memory handling. CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an anonymous researcher WebKit Available for: macOS Monterey Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: The issue was addressed with improved memory handling. WebKit Bugzilla: 248268 CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park (@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung), JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE WebKit Bugzilla: 248268 CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park (@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung), JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE Windows Installer Available for: macOS Monterey Impact: An app may be able to bypass Privacy preferences Description: The issue was addressed with improved memory handling. CVE-2023-23508: Mickey Jin (@patch1t) Additional recognition Kernel We would like to acknowledge Nick Stenning of Replicate for their assistance. macOS Monterey 12.6.3 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPIl8ACgkQ4RjMIDke NxlXeg/+JwvCu4zHuDTptxkKw1gxht0hTTVJvNjgNWj2XFtnOz9kCIupGj/xPTMl P9vABQWRbpEJfCJE31FbUcxRCMcr/jm8dDb1ocx4qsGLlY5iGLQ/M1G6OLxQVajg gGaCSMjW9Zk7l7sXztKj4XcirsB3ft9tiRJwgPUE0znaT70970usFdg+q95CzODm DHVoa5VNLi0zA4178CIiq4WayAZe90cRYYQQ1+Okjhab/U/blfGgEPhA/rrdjQ85 J4NKTXyGBIWl+Ix4HpLikYpnwm/TKyYiY+MogZ6xUmFwnUgXkPCc4gYdPANQk064 KNjy90yq3Os9IBjfDpw+Pqs6I3GMZ0oNYUKWO+45/0NVp5/qjDFt5K7ZS+Xz5Py7 YrodbwaYiESzsdfLja9ILf8X7taDLHxxfHEvWcXnhcMD1XNKU6mpsb8SOLicWYzp 8maZarjhzQl3dQi4Kz3vQk0hKHTIE6/04fRdDpqhM9WXljayLLO7bsryW8u98Y/b fR3BXgfsll+QjdLDeW3nfuY+q2JsW0a2lhJZnxuRQPC+wUGDoCY7vcCbv8zkx0oo y1w8VDBdUjj7vyVSAqoZNlpgl1ebKgciVhTvrgTsyVxuOA94VzDCeI5/6RkjDAJ+ WL2Em8qc4aqXvGEwimKdNkETbyqIRcNVXWhXLVGLsmHvDViVjGQ= =BbMS -----END PGP SIGNATURE-----

Trust: 1.89

sources: NVD: CVE-2023-23508 // JVNDB: JVNDB-2023-004373 // VULHUB: VHN-451819 // PACKETSTORM: 170697 // PACKETSTORM: 170698

AFFECTED PRODUCTS

vendor:applemodel:macosscope:gteversion:12.0.0

Trust: 1.0

vendor:applemodel:macosscope:ltversion:13.2

Trust: 1.0

vendor:applemodel:macosscope:gteversion:13.0

Trust: 1.0

vendor:applemodel:macosscope:gteversion:11.0

Trust: 1.0

vendor:applemodel:macosscope:ltversion:12.6.3

Trust: 1.0

vendor:applemodel:macosscope:ltversion:11.7.3

Trust: 1.0

vendor:アップルmodel:macosscope:eqversion:13.0 that's all 13.2

Trust: 0.8

vendor:アップルmodel:macosscope:eqversion:11.0 that's all 11.7.3

Trust: 0.8

vendor:アップルmodel:macosscope:eqversion: -

Trust: 0.8

vendor:アップルmodel:macosscope:eqversion:12.0.0 that's all 12.6.3

Trust: 0.8

sources: JVNDB: JVNDB-2023-004373 // NVD: CVE-2023-23508

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-23508
value: MEDIUM

Trust: 1.0

NVD: CVE-2023-23508
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202301-1761
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2023-23508
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2023-23508
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-004373 // CNNVD: CNNVD-202301-1761 // NVD: CVE-2023-23508

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:Lack of information (CWE-noinfo) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-004373 // NVD: CVE-2023-23508

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202301-1761

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202301-1761

PATCH

title:HT213604 Apple  Security updateurl:https://support.apple.com/en-us/HT213603

Trust: 0.8

title:Apple macOS Security vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=226933

Trust: 0.6

sources: JVNDB: JVNDB-2023-004373 // CNNVD: CNNVD-202301-1761

EXTERNAL IDS

db:NVDid:CVE-2023-23508

Trust: 3.5

db:JVNDBid:JVNDB-2023-004373

Trust: 0.8

db:PACKETSTORMid:170698

Trust: 0.7

db:CNNVDid:CNNVD-202301-1761

Trust: 0.6

db:VULHUBid:VHN-451819

Trust: 0.1

db:PACKETSTORMid:170697

Trust: 0.1

sources: VULHUB: VHN-451819 // JVNDB: JVNDB-2023-004373 // PACKETSTORM: 170697 // PACKETSTORM: 170698 // CNNVD: CNNVD-202301-1761 // NVD: CVE-2023-23508

REFERENCES

url:https://support.apple.com/en-us/ht213604

Trust: 2.3

url:https://support.apple.com/en-us/ht213603

Trust: 1.7

url:https://support.apple.com/en-us/ht213605

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2023-23508

Trust: 1.0

url:https://packetstormsecurity.com/files/170698/apple-security-advisory-2023-01-23-6.html

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2023-23508/

Trust: 0.6

url:https://support.apple.com/downloads/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-35252

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2023-23497

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2023-23505

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2023-23499

Trust: 0.2

url:https://www.apple.com/support/security/pgp/

Trust: 0.2

url:https://support.apple.com/en-us/ht201222.

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2023-23507

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-42915

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32221

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-42916

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-23493

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-23504

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32915

Trust: 0.1

url:https://support.apple.com/ht213604.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-35260

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-23502

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-23518

Trust: 0.1

url:https://support.apple.com/ht213603.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-23517

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-23513

Trust: 0.1

sources: VULHUB: VHN-451819 // JVNDB: JVNDB-2023-004373 // PACKETSTORM: 170697 // PACKETSTORM: 170698 // CNNVD: CNNVD-202301-1761 // NVD: CVE-2023-23508

CREDITS

Apple

Trust: 0.2

sources: PACKETSTORM: 170697 // PACKETSTORM: 170698

SOURCES

db:VULHUBid:VHN-451819
db:JVNDBid:JVNDB-2023-004373
db:PACKETSTORMid:170697
db:PACKETSTORMid:170698
db:CNNVDid:CNNVD-202301-1761
db:NVDid:CVE-2023-23508

LAST UPDATE DATE

2024-08-14T12:37:47.546000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-451819date:2023-03-04T00:00:00
db:JVNDBid:JVNDB-2023-004373date:2023-10-30T04:14:00
db:CNNVDid:CNNVD-202301-1761date:2023-03-06T00:00:00
db:NVDid:CVE-2023-23508date:2023-07-27T04:15:13.717

SOURCES RELEASE DATE

db:VULHUBid:VHN-451819date:2023-02-27T00:00:00
db:JVNDBid:JVNDB-2023-004373date:2023-10-30T00:00:00
db:PACKETSTORMid:170697date:2023-01-24T16:41:07
db:PACKETSTORMid:170698date:2023-01-24T16:41:28
db:CNNVDid:CNNVD-202301-1761date:2023-01-23T00:00:00
db:NVDid:CVE-2023-23508date:2023-02-27T20:15:13.940