CVE-2023-32439
Published: 23 June 2023
Summary
CVE-2023-32439 is a high-severity Type Confusion (CWE-843) vulnerability in Apple Ipados. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 21.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
A type confusion vulnerability, tracked as CVE-2023-32439 and assigned CWE-843, was present in WebKit components used by Apple platforms. The flaw affected iOS 16.5 and earlier, iPadOS 16.5 and earlier, iOS 15.7.6 and earlier, iPadOS 15.7.6 and earlier, macOS Ventura 13.4 and earlier, and Safari 16.5 and earlier. It was resolved through improved type checks in the updates iOS 16.5.1, iPadOS 16.5.1, iOS 15.7.7, iPadOS 15.7.7, macOS Ventura 13.4.1, and Safari 16.5.1.
An unauthenticated remote attacker could exploit the issue by serving maliciously crafted web content that a victim processes in a vulnerable browser or app. Successful exploitation grants arbitrary code execution with the privileges of the affected process, corresponding to the CVSS 8.8 rating that reflects network attack vector, low complexity, and no required privileges.
Apple security advisories HT213811, HT213813, HT213814, and HT213816 state that users should install the listed updates to address the vulnerability. The same advisories note that Apple is aware of reports indicating the issue may have been actively exploited in the wild. The associated EPSS score has remained flat at 0.0116 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-36683
Vulnerability details
A type confusion issue was addressed with improved checks. This issue is fixed in iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, macOS Ventura 13.4.1, Safari 16.5.1. Processing maliciously crafted web content may lead to arbitrary code execution.…
more
Apple is aware of a report that this issue may have been actively exploited.
- CWE(s)
- KEV Date Added
- 23 June 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of vendor patches that remediate the WebKit type-confusion flaw before malicious web content can be processed.
Restricts or sandbox-executes mobile code (JavaScript, WebAssembly) delivered via web content, limiting exploitation of the type-confusion issue in WebKit.
Deploys malicious-code detection mechanisms that can block or alert on web-delivered payloads crafted to trigger the WebKit vulnerability.