CVE-2023-41991
Published: 21 September 2023
Summary
CVE-2023-41991 is a medium-severity Improper Certificate Validation (CWE-295) vulnerability in Apple iPadOS. Its CVSS base score is 5.5 (Medium).
Operationally, ranked in the top 11.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
A certificate validation issue tracked as CVE-2023-41991 affects Apple platforms running versions of macOS Ventura prior to 13.6 as well as iOS and iPadOS prior to 16.7. The flaw, assigned CWE-295, permits bypass of signature validation checks and carries a CVSS 3.1 score of 5.5 reflecting local access, low attack complexity, and no required privileges.
A malicious application can exploit the weakness when a user interacts with it, allowing the app to circumvent signature validation and compromise the integrity of the affected system. Apple has stated that the vulnerability may have been actively exploited in the wild against iOS versions before 16.7.
Apple security advisories direct users to install the updates released in macOS Ventura 13.6, iOS 16.7, and iPadOS 16.7, which contain the fix for the certificate validation logic. The referenced support documents (HT213927 and HT213931) list the patched builds and installation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-46450
Vulnerability details
A certificate validation issue was addressed. This issue is fixed in macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
- CWE(s): CWE-295 (Improper Certificate Validation)
- KEV Date Added: 25 September 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- CM-14 (Signed Components): Directly requires verification of digital signatures on software components, which the CVE's certificate-validation bypass circumvents.
- SI-7 (Software, Firmware, and Information Integrity): Mandates integrity verification of software and firmware using cryptographic signatures, directly blocking the signature-bypass attack described in CVE-2023-41991.
- Establishes proper issuance and validation rules for PKI certificates used in code signing, reducing the chance of flawed certificate handling that the CVE exploits.