CVE-2023-42917
Published: 30 November 2023
Summary
CVE-2023-42917 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple iPadOS. Its CVSS base score is 8.8 (High).
Operationally, it ranks at the 25.4th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
A memory corruption vulnerability addressed through improved locking affects the web content processing component in Apple's platforms. It impacts iOS and iPadOS prior to version 17.1.2, macOS Sonoma prior to 14.1.2, and Safari prior to 17.1.2. The flaw carries a CVSS score of 8.8 and is categorized under CWE-787, with successful exploitation resulting in arbitrary code execution when malicious web content is processed.
An attacker can trigger the issue remotely by serving specially crafted web content that a user visits in Safari or another affected browser. No authentication is required, though user interaction is needed to load the page, after which the attacker can achieve full code execution with the privileges of the browser process.
Apple's security updates for the listed versions resolve the issue, and full disclosure advisories published in December 2023 detail the affected builds and fixed releases. The vendor has stated that the vulnerability may have been exploited in the wild against iOS versions before 16.7.1. The current EPSS score remains low at 0.0009 with no indicated upward movement.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-47338
Vulnerability details
A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
- CWE(s): CWE-787
- KEV Date Added: 04 December 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- Directly requires applying the vendor patches that correct the locking deficiency in WebKit before malicious web content can trigger the out-of-bounds write.
- Enforces memory-protection mechanisms that mitigate exploitation of the out-of-bounds write (CWE-787) that leads to arbitrary code execution.
- Restricts or inspects mobile code (JavaScript, etc.) delivered as web content, limiting the attack vector used to reach the vulnerable WebKit component.