CVE-2023-32409
Published: 23 June 2023
Summary
CVE-2023-32409 is a high-severity vulnerability in Apple iPadOS; its weakness class is unspecified. Its CVSS base score is 8.6 (High).
Operationally, it is ranked in the top 46.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-32409 is a bounds-checking flaw in Apple's Web Content sandbox implementation. It affects watchOS prior to 9.5, tvOS prior to 16.5, macOS Ventura prior to 13.4, iOS and iPadOS prior to 15.7.8 and 16.5, and Safari prior to 16.5. The vulnerability was resolved by adding improved bounds checks in those releases.
A remote attacker can exploit the issue over the network with no privileges or user interaction required. Successful exploitation allows escape from the Web Content sandbox, resulting in a high integrity impact on the host system, as reflected by the CVSS 8.6 rating with changed scope.
Apple security advisories for the listed updates state that installing the patched versions of watchOS, tvOS, macOS, iOS, iPadOS, and Safari eliminates the vulnerability.
Apple has stated that it is aware of reports indicating the flaw may have been actively exploited in the wild. The associated EPSS score rose materially from a low baseline to a peak of 0.0214 on 2024-06-18 before receding to its current value of 0.0030.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-36653
Vulnerability details
The issue was addressed with improved bounds checks. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.8 and iPadOS 15.7.8, Safari 16.5, iOS 16.5 and iPadOS 16.5. A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.
- CWE(s)
- KEV Date Added: 22 May 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of vendor patches that add the missing bounds checks, eliminating the sandbox-escape flaw.
Mandates memory-protection mechanisms that enforce bounds checking and thereby block the exact flaw exploited to escape the Web Content sandbox.
Requires process isolation boundaries whose failure (via the bounds-check defect) is what enables the remote sandbox escape.