Apple Patches Everything. Releases iOS 17.1, macOS 14.1 and updates for older versions fixing exploited vulnerability
Apple released iOS, iPadOS, macOS, tvOS, watchOS, and Safari updates today. The iOS and macOS updates reach back two "generations" (to iOS 15 and macOS Monterey). This is particularly important for iOS 15, which now receives a patch for CVE-2023-32434, a kernel integer overflow that Apple says may have been actively exploited against versions of iOS released before iOS 15.7. It is also the only issue addressed in iOS 15.8 and iPadOS 15.8.
Apple does not pre-announce these updates, but this release was expected: iOS 17.1 had been anticipated yesterday to address compliance issues unrelated to security vulnerabilities.
For Apple's original announcements, see https://support.apple.com/en-us/HT201222
The nine updates released today are: iOS 17.1 and iPadOS 17.1; iOS 16.7.2 and iPadOS 16.7.2; iOS 15.8 and iPadOS 15.8; macOS Sonoma 14.1; macOS Ventura 13.6.1; macOS Monterey 12.7.1; tvOS 17.1; watchOS 10.1; Safari 17.1. The last column of the table gives how many of these nine updates include the fix. Severity ratings are ISC's, not Apple's.

| CVE | Severity | Component | Fix | Impact | Updates |
|---|---|---|---|---|---|
| CVE-2023-32434 | important, *** EXPLOITED *** | Kernel | An integer overflow was addressed with improved input validation. | An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7. | 1 (iOS 15.8 and iPadOS 15.8) |
| CVE-2023-41072 | moderate | Contacts | A privacy issue was addressed with improved private data redaction for log entries. | An app may be able to access sensitive user data. | 2 |
| CVE-2023-42857 | moderate | Contacts | A privacy issue was addressed with improved private data redaction for log entries. | An app may be able to access sensitive user data. | 2 |
| CVE-2023-40449 | important | CoreAnimation | The issue was addressed with improved memory handling. | An app may be able to cause a denial-of-service. | 5 |
| CVE-2023-40413 | important | Find My | The issue was addressed with improved handling of caches. | An app may be able to read sensitive location information. | 6 |
| CVE-2023-40416 | important | ImageIO | The issue was addressed with improved memory handling. | Processing an image may result in disclosure of process memory. | 5 |
| CVE-2023-40423 | important | IOTextEncryptionFamily | The issue was addressed with improved memory handling. | An app may be able to execute arbitrary code with kernel privileges. | 5 |
| CVE-2023-42849 | moderate | Kernel | The issue was addressed with improved memory handling. | An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations. | 6 |
| CVE-2023-40408 | moderate | Mail Drafts | An inconsistent user interface issue was addressed with improved state management. | Hide My Email may be deactivated unexpectedly. | 4 |
| CVE-2023-42846 | moderate | mDNSResponder | This issue was addressed by removing the vulnerable code. | A device may be passively tracked by its Wi-Fi MAC address. | 4 |
| CVE-2023-42847 | moderate | Passkeys | A logic issue was addressed with improved checks. | An attacker may be able to access passkeys without authentication. | 2 |
| CVE-2023-42845 | moderate | Photos | An authentication issue was addressed with improved state management. | Photos in the Hidden Photos Album may be viewed without authentication. | 2 |
| CVE-2023-42841 | important | Pro Res | The issue was addressed with improved memory handling. | An app may be able to execute arbitrary code with kernel privileges. | 4 |
| CVE-2023-41982 | moderate | Siri | This issue was addressed by restricting options offered on a locked device. | An attacker with physical access may be able to use Siri to access sensitive user data. | 4 |
| CVE-2023-41997 | moderate | Siri | This issue was addressed by restricting options offered on a locked device. | An attacker with physical access may be able to use Siri to access sensitive user data. | 4 |
| CVE-2023-41988 | moderate | Siri | This issue was addressed by restricting options offered on a locked device. | An attacker with physical access may be able to use Siri to access sensitive user data. | 3 |
| CVE-2023-40445 | moderate | Status Bar | The issue was addressed with improved UI handling. | A device may persistently fail to lock. | 1 |
| CVE-2023-41254 | moderate | Weather | A privacy issue was addressed with improved private data redaction for log entries. | An app may be able to access sensitive user data. | 5 |
| CVE-2023-40447 | critical | WebKit | The issue was addressed with improved memory handling. | Processing web content may lead to arbitrary code execution. | 6 |
| CVE-2023-41976 | critical | WebKit | A use-after-free issue was addressed with improved memory management. | Processing web content may lead to arbitrary code execution. | 6 |
| CVE-2023-42852 | critical | WebKit | A logic issue was addressed with improved checks. | Processing web content may lead to arbitrary code execution. | 6 |
| CVE-2023-41983 | moderate | WebKit Process Model | The issue was addressed with improved memory handling. | Processing web content may lead to a denial-of-service. | 4 |
| CVE-2023-41977 | moderate | Safari | The issue was addressed with improved handling of caches. | Visiting a malicious website may reveal browsing history. | 2 |
| CVE-2023-32359 | moderate | WebKit | This issue was addressed with improved redaction of sensitive information. | A user's password may be read aloud by VoiceOver. | 1 |
| CVE-2023-30774 | moderate | App Support | This issue was addressed by removing the vulnerable code. | Parsing a file may lead to an unexpected app termination or arbitrary code execution. | 1 |
| CVE-2023-40444 | important | AppSandbox | A permissions issue was addressed with additional restrictions. | An app may be able to access user-sensitive data. | 1 |
| CVE-2023-41989 | moderate | Emoji | The issue was addressed by restricting options offered on a locked device. | An attacker may be able to execute arbitrary code as root from the Lock Screen. | 1 |
| CVE-2023-42854 | important | FileProvider | This issue was addressed by removing the vulnerable code. | An app may be able to cause a denial-of-service to Endpoint Security clients. | 3 |
| CVE-2023-42844 | moderate | Foundation | This issue was addressed with improved handling of symlinks. | A website may be able to access sensitive user data when resolving symlinks. | 3 |
| CVE-2023-38403 | critical | iperf3 | The issue was addressed with improved checks. | A remote user may be able to cause unexpected app termination or arbitrary code execution. | 2 |
| CVE-2023-42850 | moderate | LaunchServices | The issue was addressed with improved permissions logic. | An app may be able to access sensitive user data. | 1 |
| CVE-2023-42861 | moderate | Login Window | A logic issue was addressed with improved state management. | An attacker with knowledge of a standard user's credentials can unlock another standard user's locked screen on the same Mac. | 1 |
| CVE-2023-40405 | important | Maps | A privacy issue was addressed with improved private data redaction for log entries. | An app may be able to read sensitive location information. | 1 |
| CVE-2023-42856 | moderate | Model I/O | The issue was addressed with improved memory handling. | Processing a file may lead to unexpected app termination or arbitrary code execution. | 3 |
| CVE-2023-40404 | important | Networking | A use-after-free issue was addressed with improved memory management. | An app may be able to execute arbitrary code with kernel privileges. | 1 |
| CVE-2023-42438 | moderate | Safari | An inconsistent user interface issue was addressed with improved state management. | Visiting a malicious website may lead to user interface spoofing. | 1 |
| CVE-2023-40421 | moderate | talagent | A permissions issue was addressed with additional restrictions. | An app may be able to access sensitive user data. | 3 |
| CVE-2023-42842 | moderate | Terminal | The issue was addressed with improved checks. | An app may be able to access sensitive user data. | 1 |
| CVE-2023-4733 | moderate | Vim | A use-after-free issue was addressed with improved memory management. | Processing malicious input may lead to code execution. | 1 |
| CVE-2023-4734 | critical | Vim | A use-after-free issue was addressed with improved memory management. | Processing malicious input may lead to code execution. | 1 |
| CVE-2023-4735 | moderate | Vim | A use-after-free issue was addressed with improved memory management. | Processing malicious input may lead to code execution. | 1 |
| CVE-2023-4736 | moderate | Vim | A use-after-free issue was addressed with improved memory management. | Processing malicious input may lead to code execution. | 1 |
| CVE-2023-4738 | moderate | Vim | A use-after-free issue was addressed with improved memory management. | Processing malicious input may lead to code execution. | 1 |
| CVE-2023-4750 | moderate | Vim | A use-after-free issue was addressed with improved memory management. | Processing malicious input may lead to code execution. | 1 |
| CVE-2023-4751 | moderate | Vim | A use-after-free issue was addressed with improved memory management. | Processing malicious input may lead to code execution. | 1 |
| CVE-2023-4752 | moderate | Vim | A use-after-free issue was addressed with improved memory management. | Processing malicious input may lead to code execution. | 1 |
| CVE-2023-4781 | moderate | Vim | A use-after-free issue was addressed with improved memory management. | Processing malicious input may lead to code execution. | 1 |
| CVE-2023-41975 | moderate | WindowServer | This issue was addressed by removing the vulnerable code. | A website may be able to access the microphone without the microphone use indicator being shown. | 3 |
| CVE-2023-41077 | moderate | Image Capture | The issue was addressed with improved checks. | An app may be able to access protected user data. | 1 |
| CVE-2023-40401 | moderate | Passkeys | The issue was addressed with additional permissions checks. | An attacker may be able to access passkeys without authentication. | 1 |
| CVE-2023-40425 | important | Sandbox | A privacy issue was addressed with improved private data redaction for log entries. | An app with root privileges may be able to access private information. | 1 |
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Sporadic scans for "server-info.action", possibly looking for Confluence Server and Data Center Vulnerability CVE-2023-22515
I noticed many scans for "/server-info.action" showing up in our "First Seen URLs" report. This URL didn't ring a bell at first, but it may be associated with CVE-2023-22515, a recent vulnerability in Confluence Server and Data Center.
Atlassian published an advisory describing this vulnerability on October 4th [1]. Atlassian classes it as broken access control: an unauthenticated attacker can re-open the instance's setup wizard and, through it, create an administrator account. Initially exploited against a small number of sites, exploit code is now widely available, and the exploit is trivial. The request that creates the admin account looks like this:

```http
POST /setup/setupadministrator.action HTTP/1.1
Host: [target host]
Accept: */*
Connection: keep-alive
X-Atlassian-Token: no-check
Content-Length: 65
Content-Type: application/x-www-form-urlencoded

username=test&fullName=test&email=test&password=test&confirm=test
```
However, this isn't the only URL involved. Rapid7 first noted, and Atlassian later confirmed, that the request above only works once the attacker has reset the instance's setup state, which the public exploit does with a request to "/server-info.action" carrying the parameter bootstrapStatusProvider.applicationConfig.setupComplete=false [2]. Seeing that parameter in your logs is a stronger indicator than the bare URL.
Today, I noticed that we saw some probes for the "server-info.action" URL in addition to the "setupadministrator.action" URL.

Please ensure that any filter you use covers both URLs (and, on an instance that is already set up, the whole /setup/ path, which has no legitimate reason to be reachable) and, even better, do not allow access to any Atlassian product from the open internet.
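To turn the two URLs above into something you can actually run against access logs, here is an added example (my own code, not from the diary, Atlassian or Rapid7). It flags both halves of the exploit chain, the "/server-info.action" request that sets setupComplete=false and the follow-up POST to "/setup/setupadministrator.action", plus any other /setup/*.action hit, and then correlates by source IP so that a host which completed both steps without being blocked is called out. The log lines are constructed for the example and use the common "combined" format; adjust LOG_RE for your proxy.

```python
"""Flag CVE-2023-22515 exploitation attempts in Confluence access logs.

Added example, not from the ISC diary, Atlassian or Rapid7. Detects the
/server-info.action request that resets the setup state (step 1 of the public
exploit) and the POST to /setup/setupadministrator.action that creates an admin
account (step 2). SAMPLE_LOG is constructed for this example.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

SERVER_INFO_RE = re.compile(r'/server-info\.action$', re.IGNORECASE)
ADMIN_RE = re.compile(r'/setup/setupadministrator\.action$', re.IGNORECASE)
SETUP_RE = re.compile(r'/setup/[^/]*\.action$', re.IGNORECASE)
# The parameter the exploit binds onto the bootstrap config. Compared in lower
# case so odd capitalisation in a probe does not slip past the rule.
RESET_PARAM = 'bootstrapstatusprovider.applicationconfig.setupcomplete'

# Constructed sample: a full exploit chain from 203.0.113.5, two blocked probes
# from 198.51.100.7, and one benign login request.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Oct/2023:14:02:11 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0 "-" "curl/8.1.2"
203.0.113.5 - - [25/Oct/2023:14:02:12 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "curl/8.1.2"
198.51.100.7 - - [25/Oct/2023:14:10:40 +0000] "GET /server-info.action HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.9 - - [25/Oct/2023:14:11:03 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Oct/2023:14:12:01 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""


def classify(line):
    """Return a finding dict for a suspicious request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    path = unquote(parts.path)
    params = {k.lower(): [v.lower() for v in vals]
              for k, vals in parse_qs(parts.query).items()}
    method = m.group('method')
    if SERVER_INFO_RE.search(path):
        # Step 1: flipping setupComplete to false re-opens the setup wizard.
        # A bare /server-info.action request is still worth noting as a probe.
        kind = 'setup_reset' if 'false' in params.get(RESET_PARAM, []) else 'server_info_probe'
    elif ADMIN_RE.search(path) and method == 'POST':
        kind = 'admin_create'   # step 2: the account-creation form
    elif SETUP_RE.search(path):
        kind = 'setup_probe'    # no /setup/*.action hit is legitimate on a configured instance
    else:
        return None
    status = int(m.group('status'))
    return {
        'ip': m.group('ip'), 'ts': m.group('ts'), 'method': method,
        'path': path, 'status': status, 'kind': kind,
        # Heuristic: 4xx/5xx means a filter or the app refused the request;
        # a 2xx/3xx on setup_reset or admin_create needs a full investigation.
        'blocked': status >= 400,
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [f for f in (classify(line) for line in lines) if f]


def full_chain_sources(findings):
    """IPs that reset the setup state AND posted the admin form, neither blocked."""
    reset = {f['ip'] for f in findings if f['kind'] == 'setup_reset' and not f['blocked']}
    created = {f['ip'] for f in findings if f['kind'] == 'admin_create' and not f['blocked']}
    return reset & created


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f['ts']} {f['ip']:<14} {f['kind']:<18} {f['method']} {f['path']} -> {f['status']}")
    for ip in sorted(full_chain_sources(hits)):
        print(f"likely compromised: {ip} completed both exploit steps; audit admin accounts now")
```

Two caveats when using this on real logs: the setupComplete parameter can also be sent in a POST body, which an access log will not show, so treat any unblocked /server-info.action hit from an unknown source as worth a look; and a 302 from setupadministrator.action is what a successful account creation returns, so do not read a redirect as "blocked". Pair the log check with a review of the Confluence admin group for accounts you did not create.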
[1] https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html
[2] https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu