CVE-2023-41993
Published: 21 September 2023
Summary
CVE-2023-41993 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Apple's processing of web content, fixed in macOS Sonoma 14; NVD's affected-product list also includes Fedora. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 3.8% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability tracked as CVE-2023-41993 stems from insufficient validation checks when processing web content and is fixed in macOS Sonoma 14. The flaw affects Apple platforms that handle web content; Apple states it is aware of a report that the issue may have been actively exploited against iOS versions prior to iOS 16.7. It carries a CVSS 3.1 base score of 8.8 and is associated with CWE-754.
An unauthenticated remote attacker can supply malicious web content that a user is tricked into processing, resulting in arbitrary code execution with full confidentiality, integrity, and availability impact. The attack requires user interaction but no privileges and can be delivered over the network.
Apple addressed the issue through improved checks in macOS Sonoma 14, with corresponding updates referenced in security advisories such as HT213940. Third-party vendors including Gentoo and NetApp have published related guidance pointing users to the vendor patches.
Apple has stated that it is aware of a report of in-the-wild exploitation against older iOS releases, and the associated EPSS score has reached a peak of 0.2489 with a current value of 0.2417.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-46452
Vulnerability details
The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
- CWE(s): CWE-754 (Improper Check for Unusual or Exceptional Conditions)
- KEV Date Added: 25 September 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Apple macOS releases before macOS Sonoma 14 (fixed in Sonoma 14)
- Apple iOS releases before iOS 16.7 (the versions Apple reports as targeted)
- Fedora, as listed by NVD
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of web content inputs to block the insufficient checks (CWE-754) that enable arbitrary code execution.
- SI-2 (Flaw Remediation): requires timely application of the vendor patches that add the improved validation checks fixing CVE-2023-41993.
- Malicious content filtering: provides mechanisms to detect and block malicious web content before it is processed and triggers code execution.
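The SI-2 control above, and the patch paragraph under Deeper analysis, reduce to one concrete question for a fleet: which devices are still below the fixed releases this page names (macOS Sonoma 14 and iOS 16.7)? The script below is an added example, not Apple's or NVD's code. It compares inventory records against those two baselines; the hostnames, the inventory and the `sw_vers`-style output lines are constructed for the example, and the baseline table is an assumption drawn only from the fix versions stated on this page.

```python
"""Flag devices still exposed to CVE-2023-41993 by comparing their OS
version with the fixed releases named in the advisory text on this page:
macOS Sonoma 14 and iOS 16.7. Added example; inventory data is constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: first fixed release per platform, taken from the advisory text
# quoted on this page (macOS Sonoma 14, iOS 16.7). Extend if your advisory
# sources name other platforms.
FIXED_VERSIONS: dict[str, tuple[int, ...]] = {
    "macOS": (14, 0),
    "iOS": (16, 7),
}


def parse_version(s: str) -> tuple[int, ...]:
    """'13.5.2' -> (13, 5, 2). Rejects anything that is not dotted digits,
    so a blank or garbled inventory field fails loudly instead of comparing
    as 'patched'."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in parts)


def _padded(v: tuple[int, ...], n: int) -> tuple[int, ...]:
    # Pad with zeros so '14' compares equal to '14.0' rather than below it
    # (plain tuple comparison would rank (14,) < (14, 0)).
    return v + (0,) * (n - len(v))


def is_fixed(platform: str, version: str) -> bool:
    """True when `version` is at or above the first fixed release for the
    platform; raises KeyError for a platform with no known baseline."""
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        raise KeyError(f"no fix baseline recorded for platform {platform!r}")
    v = parse_version(version)
    n = max(len(v), len(fixed))
    return _padded(v, n) >= _padded(fixed, n)


@dataclass(frozen=True)
class Device:
    hostname: str
    platform: str
    version: str


def parse_sw_vers(text: str, hostname: str) -> Device:
    """Build a Device from the output of `sw_vers` on macOS, which prints
    'ProductName:', 'ProductVersion:' and 'BuildVersion:' lines."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return Device(hostname, fields["ProductName"], fields["ProductVersion"])


def exposed_devices(inventory: list[Device]) -> list[Device]:
    """Return every device whose OS is below the fixed release."""
    return [d for d in inventory if not is_fixed(d.platform, d.version)]


# Constructed sample data (not real hosts).
SAMPLE_SW_VERS = "ProductName:\t\tmacOS\nProductVersion:\t\t13.6\nBuildVersion:\t\t22G120\n"
SAMPLE_INVENTORY = [
    parse_sw_vers(SAMPLE_SW_VERS, "mac-01"),   # 13.6: below Sonoma 14
    Device("mac-02", "macOS", "14.0"),         # first fixed release
    Device("mac-03", "macOS", "14"),           # same release, short form
    Device("phone-01", "iOS", "16.6.1"),       # below 16.7
    Device("phone-02", "iOS", "16.7"),         # first fixed release
    Device("phone-03", "iOS", "17.0"),         # newer major release
]

if __name__ == "__main__":
    for d in exposed_devices(SAMPLE_INVENTORY):
        print(f"{d.hostname}: {d.platform} {d.version} still exposed to CVE-2023-41993")
```

Feed it real inventory (an MDM export, or `sw_vers` collected over SSH) and treat any `ValueError` as a finding in its own right: a device whose version cannot be parsed has not been shown to be patched.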