CVE-2023-32434
Published: 23 June 2023
Summary
CVE-2023-32434 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Apple macOS. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
An integer overflow vulnerability addressed through improved input validation affects multiple Apple operating systems, including iOS 15.7.7 and iPadOS 15.7.7, iOS 16.5.1 and iPadOS 16.5.1, macOS Big Sur 11.7.8, macOS Monterey 12.6.7, macOS Ventura 13.4.1, watchOS 9.5.2, and watchOS 8.8.1. The flaw carries a CVSS score of 7.8 and is tracked under CWE-190.
A local attacker with the ability to run an app on an affected device can exploit the issue to execute arbitrary code with kernel privileges. The attack requires user interaction to open a malicious application but needs no additional permissions beyond that.
Apple security advisories for the listed updates confirm that the patches resolve the integer overflow and recommend installing the fixed releases. The updates are available via the standard software update mechanisms on each platform.
Apple has stated that the vulnerability may have been actively exploited in the wild against iOS versions prior to 15.7. The associated EPSS score reached a peak of 0.6905 with a current value of 0.5238.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-36678
Vulnerability details
An integer overflow was addressed with improved input validation. This issue is fixed in watchOS 9.5.2, macOS Big Sur 11.7.8, iOS 15.7.7 and iPadOS 15.7.7, macOS Monterey 12.6.7, watchOS 8.8.1, iOS 16.5.1 and iPadOS 16.5.1, macOS Ventura 13.4.1. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
- CWE(s): CWE-190 (Integer Overflow or Wraparound)
- KEV Date Added: 23 June 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): corresponds to the improved input validation Apple applied to eliminate the integer overflow (CWE-190) before a malicious app can trigger it.
- SI-2 (Flaw Remediation): requires timely application of the vendor patches that close CVE-2023-32434 on all listed Apple platforms.
- SI-3 (Malicious Code Protection): malicious-code protection mechanisms can block or detect the untrusted app used to trigger the kernel-level exploit.