Ubuntu Security Notice 6403-1 - It was discovered that libvpx did not properly handle certain malformed media files. If an application using libvpx opened a specially crafted file, a remote attacker could cause a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6403-1October 02, 2023libvpx vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in libvpx.Software Description:- libvpx: VP8 and VP9 video codecDetails:It was discovered that libvpx did not properly handle certain malformedmedia files. If an application using libvpx opened a specially craftedfile, a remote attacker could cause a denial of service, or possiblyexecute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   libvpx7                         1.12.0-1ubuntu1.2Ubuntu 22.04 LTS:   libvpx7                         1.11.0-2ubuntu2.2Ubuntu 20.04 LTS:   libvpx6                         1.8.2-1ubuntu0.2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6403-1   CVE-2023-44488, CVE-2023-5217Package Information:   https://launchpad.net/ubuntu/+source/libvpx/1.12.0-1ubuntu1.2   https://launchpad.net/ubuntu/+source/libvpx/1.11.0-2ubuntu2.2   https://launchpad.net/ubuntu/+source/libvpx/1.8.2-1ubuntu0.2

Ubuntu Security Notice USN-6403-1

Ubuntu Security Notice 6402-1 - It was discovered that LibTomMath incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code and cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6402-1  
October 02, 2023

libtommath vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

LibTomMatch could be made to execute arbitrary code or  
denial of service if it received a specially crafted input.

Software Description:  
- libtommath: multiple-precision integer library [development files]

Details:

It was discovered that LibTomMath incorrectly handled certain inputs.  
An attacker could possibly use this issue to execute arbitrary code  
and cause a denial of service (DoS).

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  libtommath1                     1.2.0-6ubuntu0.23.04.1

Ubuntu 22.04 LTS:  
  libtommath1                     1.2.0-6ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
  libtommath1                     1.2.0-3ubuntu0.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  libtommath1                     1.0.1-1ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
  libtommath0                     0.42.0-1.2ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6402-1  
  CVE-2023-36328

Package Information:  
  https://launchpad.net/ubuntu/+source/libtommath/1.2.0-6ubuntu0.23.04.1  
  https://launchpad.net/ubuntu/+source/libtommath/1.2.0-6ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/libtommath/1.2.0-3ubuntu0.1

Ubuntu Security Notice USN-6402-1

Apple Security Advisory 09-26-2023-7 - iOS 17 and iPadOS 17 addresses bypass, code execution, out of bounds read, resource exhaustion, spoofing, and use-after-free vulnerabilities.

Apple Security Advisory 09-26-2023-7

Apple Security Advisory 09-26-2023-5 - macOS Monterey 12.7 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-5 Additional information for APPLE-SA-2023-09-21-7 macOS Monterey 12.7

macOS Monterey 12.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213932.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
Entry added September 26, 2023

Apple Neural Engine  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai  
Entry added September 26, 2023

Biometric Authentication  
Available for: macOS Monterey  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-41232: Liang Wei of PixiePoint Security  
Entry added September 26, 2023

ColorSync  
Available for: macOS Monterey  
Impact: An app may be able to read arbitrary files  
Description: The issue was addressed with improved checks.  
CVE-2023-40406: JeongOhKyea of Theori  
Entry added September 26, 2023

CoreAnimation  
Available for: macOS Monterey  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic  
Entry added September 26, 2023

Disk Management  
Available for: macOS Monterey  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t) and James Hutchins  
Entry added September 26, 2023

Game Center  
Available for: macOS Monterey  
Impact: An app may be able to access contacts  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security  
Entry added September 26, 2023

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.  
Entry added September 26, 2023

Kernel  
Available for: macOS Monterey  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

libxpc  
Available for: macOS Monterey  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)  
Entry added September 26, 2023

libxpc  
Available for: macOS Monterey  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)  
Entry added September 26, 2023

libxslt  
Available for: macOS Monterey  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security  
Entry added September 26, 2023

Maps  
Available for: macOS Monterey  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)  
Entry added September 26, 2023

Sandbox  
Available for: macOS Monterey  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)  
Entry added September 26, 2023

Additional recognition

AppSandbox  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.  
Entry added September 26, 2023

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google  
Project Zero for their assistance.  
Entry added September 26, 2023

WebKit  
We would like to acknowledge Khiem Tran, and Narendra Bhati From Suma  
Soft Pvt. Ltd, Pune (India) for their assistance.  
Entry added September 26, 2023

WebRTC  
We would like to acknowledge anonymous researcher for their assistance.  
Entry added September 26, 2023

macOS Monterey 12.7 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJgACgkQX+5d1TXa  
IvqcNQ/9GQlneQRhlET+3tkaIg7g0XJE+HkDOKOR/F5oi9yAkvpg5O+jAiwKq61E  
PXvBWN6b0dhrANcRswmEDF2SWVIbPLLnkne5F6XoA18SDVxOorUYXxdsXaOIVO3J  
Zssoxhc5cFLR41m8WqnJ2MqJHhPvjKAtFjqyUXiF/ZbBqrKtnYeiho+ueG/joDbb  
lMGf2AXUQQ5Zoc7J4EPgtlrBBXIeJobcRsFrYWnvimEADfyX87w7Idf5pfbrgmbu  
xy0B4742tPztEu7SvKpZzD9CqQU7Lpm+uK4JfiZjllkibe4sYyypyVptDGQRB08S  
WJ6zPXNA5Wm2F7Fjplx9m1qPqGen2kek5dBCT09QfqFwdnjp/tiAODmdHD+PYtdI  
ANoMRQ7J2i99mm8AtKpM279sNmF5byvpAYCJypJylmy0TRspvDfWv5ekfNutZ/iG  
JnTFck0V6j+a3VAKOvyDkP0kIpbEw4Efx7r9TBqcYJq+EkxZyRNlbqZyz21d7rpN  
aQKI5Q1hCZosOZt6ndeqsymJJatMsvFFV7QUKOyFYq9+WDaj1soOgeXQKcyX2LFN  
Iq7js+tS2t+r5A8t8tZEsEKfSObgOhX3gJhA81vbkVOM0NtqFHJj/YNBI16A16rz  
GNB6OtcLdc+omv5tu9g6WGGN7GVCspY4RmmnXnAJS2YKf1lZYAA=  
=bYk1  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-5

Apple Security Advisory 09-26-2023-4 - macOS Ventura 13.6 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-4 Additional information for APPLE-SA-2023-09-21-6 macOS Ventura 13.6

macOS Ventura 13.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213931.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
Entry added September 26, 2023

Apple Neural Engine  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-41071: Mohamed GHANNAM (@_simo36)  
Entry added September 26, 2023

Apple Neural Engine  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai  
Entry added September 26, 2023

Biometric Authentication  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-41232: Liang Wei of PixiePoint Security  
Entry added September 26, 2023

ColorSync  
Available for: macOS Ventura  
Impact: An app may be able to read arbitrary files  
Description: The issue was addressed with improved checks.  
CVE-2023-40406: JeongOhKyea of Theori  
Entry added September 26, 2023

CoreAnimation  
Available for: macOS Ventura  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic  
Entry added September 26, 2023

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.  
Entry added September 26, 2023

Kernel  
Available for: macOS Ventura  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)  
Entry added September 26, 2023

Kernel  
Available for: macOS Ventura  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)  
Entry added September 26, 2023

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)  
Entry added September 26, 2023

libxslt  
Available for: macOS Ventura  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security  
Entry added September 26, 2023

Maps  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)  
Entry added September 26, 2023

Pro Res  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41063: Certik Skyfall Team  
Entry added September 26, 2023

Sandbox  
Available for: macOS Ventura  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)  
Entry added September 26, 2023

Sandbox  
Available for: macOS Ventura  
Impact: Apps that fail verification checks may still launch  
Description: The issue was addressed with improved checks.  
CVE-2023-41996: Yiğit Can YILMAZ (@yilmazcanyigit) and Mickey Jin  
(@patch1t)  
Entry added September 26, 2023

Security  
Available for: macOS Ventura  
Impact: A malicious app may be able to bypass signature  
validation. Apple is aware of a report that this issue may have been  
actively exploited against versions of iOS before iOS 16.7.  
Description: A certificate validation issue was addressed.  
CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Share Sheet  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive data logged when a user  
shares a link  
Description: A logic issue was addressed with improved checks.  
CVE-2023-41070: Kirin (@Pwnrin)  
Entry added September 26, 2023

StorageKit  
Available for: macOS Ventura  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t), James Hutchins  
Entry added September 26, 2023

Additional recognition

AppSandbox  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.  
Entry added September 26, 2023

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google  
Project Zero for their assistance.  
Entry added September 26, 2023

WebKit  
We would like to acknowledge Khiem Tran, and Narendra Bhati From Suma  
Soft Pvt. Ltd, Pune (India) for their assistance.  
Entry added September 26, 2023

WebRTC  
We would like to acknowledge anonymous researcher for their assistance.  
Entry added September 26, 2023

macOS Ventura 13.6 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJcACgkQX+5d1TXa  
Ivrutw/+Ol5wjstHEfGsIssJnU3b7HQCOvYrKn1SS6tZSVfh7AGB3wsqAn5RWSef  
bPnbHweF7/RFr87JIQcC0I/4gndXoLue4C0yr5zOS1QvH4F/WgUgoOgrJwMg0EfK  
vLWivfNuQyYPgmcmY9wQSJoaV+Rtty6v+EcefPWKMudWJ106javKmJM91TAaKYlv  
t+IRVudrG7ZElxIIMKRdwICbhx/AFpCApRIzkYj+pMLMnPyOtxg40Qa+a8bteM0q  
Yc2Q/muAfDDJfgKUPGDh6OlnGsz9ThcxwTVwy7dlC4ekGRjTReQ4iMBpw/vJhWjV  
SpheUsyNnmuPnOT79FpZN1OwWSlgogtmPdgjKhzoHBpoV9hHf1d3ZP/7kQY1E3NC  
OBIG7Jl2Yf/g3ynsL/fVW60c833d2HGGiXfF+OW4D11XF73fovh1qPUMTGHV67m+  
hnuSJEEVZBbRH0sicxCAlAT1IN3JW91wgSxGvAVQ3D83uARvqJJHPjr0GU4jbXBK  
GkZlI6/ATOT9vYRtlRL1oXKMsl9Mz+WUYGqjhtGJhxHSAz/I4nNTN/HIb0aoEOqo  
7mi86X2Etc+3jy2Y5Injqbyqre+Jybg2JiO+DggHhTBV2y02yScxhWGroO3dmJpL  
bEcR+YXsUs51E6fcUYag6CVi9Bi4F5nXHVw9Bs8TXmR/IPfO4NQ=  
=FJcW  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-4

Apple Security Advisory 09-26-2023-3 - iOS 16.7 and iPadOS 16.7 addresses bypass, code execution, and out of bounds read vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-09-26-2023-3 Additional information for APPLE-SA-2023-09-21-3 iOS 16.7 and iPadOS 16.7iOS 16.7 and iPadOS 16.7 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213927.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.App StoreAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A remote attacker may be able to break out of Web ContentsandboxDescription: The issue was addressed with improved handling ofprotocols.CVE-2023-40448: w0wboxEntry added September 26, 2023Biometric AuthenticationAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to disclose kernel memoryDescription: An out-of-bounds read was addressed with improved boundschecking.CVE-2023-41232: Liang Wei of PixiePoint SecurityEntry added September 26, 2023CoreAnimationAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to a denial-of-serviceDescription: The issue was addressed with improved memory handling.CVE-2023-40420: 이준성(Junsung Lee) of Cross RepublicEntry added September 26, 2023Game CenterAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to access contactsDescription: The issue was addressed with improved handling of caches.CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive SecurityEntry added September 26, 2023KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.Entry added September 26, 2023KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An attacker that has already achieved kernel code execution maybe able to bypass kernel memory mitigationsDescription: The issue was addressed with improved memory handling.CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)Entry added September 26, 2023KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A local attacker may be able to elevate their privileges. Appleis aware of a report that this issue may have been actively exploitedagainst versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.CVE-2023-41992: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GrouplibxpcAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to access protected user dataDescription: An authorization issue was addressed with improved statemanagement.CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab(xlab.tencent.com)Entry added September 26, 2023libxpcAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to delete files for which it does not havepermissionDescription: A permissions issue was addressed with additionalrestrictions.CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab(xlab.tencent.com)Entry added September 26, 2023libxsltAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may disclose sensitive informationDescription: The issue was addressed with improved memory handling.CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK SecurityEntry added September 26, 2023MobileStorageMounterAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A user may be able to elevate privilegesDescription: An access issue was addressed with improved accessrestrictions.CVE-2023-41068: Mickey Jin (@patch1t)Entry added September 26, 2023Pro ResAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-41063: Certik Skyfall TeamEntry added September 26, 2023SafariAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to identify what other apps a user hasinstalledDescription: The issue was addressed with improved checks.CVE-2023-35990: Adriatik Raci of Sentry CybersecurityEntry added September 26, 2023SecurityAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A malicious app may be able to bypass signaturevalidation. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: A certificate validation issue was addressed.CVE-2023-41991: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupShare SheetAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to access sensitive data logged when a usershares a linkDescription: A logic issue was addressed with improved checks.CVE-2023-41070: Kirin (@Pwnrin)Entry added September 26, 2023WebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to arbitrary codeexecution. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.WebKit Bugzilla: 261544CVE-2023-41993: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupAdditional recognitionAppSandboxWe would like to acknowledge Kirin (@Pwnrin) for their assistance.Entry added September 26, 2023libxml2We would like to acknowledge OSS-Fuzz, Ned Williamson of Google ProjectZero for their assistance.Entry added September 26, 2023KernelWe would like to acknowledge Bill Marczak of The Citizen Lab at TheUniversity of Toronto's Munk School and Maddie Stone of Google's ThreatAnalysis Group for their assistance.WebKitWe would like to acknowledge Khiem Tran, Narendra Bhati From Suma SoftPvt. Ltd, Pune (India) for their assistance.Entry added September 26, 2023WebRTCWe would like to acknowledge anonymous researcher for their assistance.Entry added September 26, 2023This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.7 and iPadOS 16.7".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJYACgkQX+5d1TXaIvpAZBAAwt2P4P00xvAkwAiuPBf8IiaotxTgIVyUWKHWteDuUPKYm/I6gI10L/a1zWf9eHpFtiEtGsJ6ggXmbyXMBjKCEUglSqadeAaikMsQjeKyPTHwba00TMqhg5H3Cl7VB8QTW6CQtW+38M2z9hAQuEbGkgdgLR+GmEV84VrAz6nD3uzv+D84M4yrcGndVuaI6oENRGK+u+pYUAjlc1Q7B7np8fME4kTEwE29RXQBTmSzaMBSPDcL6bysLbQ/5KqyeGJqapeK7VY6DWHFlidjO205Y/s6sjyMtSTgNgcMQv90YSN2RGi2xzv69Hw0KWhWbZK9Clz/sYrJf9EDXEoPh/4D/khWVbiiRTyhIcpz/BbRmxnV+Ns5Bq1RHAax4MQrIoUSBCoswbA/LRZ2vryvNAHXXbgyA6zZhPwud6XhFdyElEMV7/rj5w6KYWxTitBBwPRv7iOnJS2kKvzDVklwYbzesrNjohGygLmSP69areh25NbAHr9FViiFf2mQtGkYsIbVSL0ds1oKieZGYJlymVfc2F0bxy1OL+MvKTRZPflXFW3j1MIroK2zcrzx55YzRClZY1TIT2NxcQec3IG50+r6mOhJoS8OqVa97ID6YQ1/DixxKucL0bK0H8NvuTq81vnJjAZPY1lXpNz2UjFbyt2+rdjAsbM1UJY0VRJeuM5lfF0==4GXG-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-3

Apple Security Advisory 09-26-2023-2 - macOS Sonoma 14 addresses buffer overflow, bypass, code execution, out of bounds read, resource exhaustion, spoofing, and use-after-free vulnerabilities.

Apple Security Advisory 09-26-2023-2

Firewall and distributed denial-of-service (DDoS) attack prevention mechanisms in Cloudflare can be circumvented by exploiting gaps in cross-tenant security controls, defeating the very purpose of these safeguards, it has emerged.
"Attackers can utilize their own Cloudflare accounts to abuse the per-design trust-relationship between Cloudflare and the customers' websites, rendering the

Firewall and distributed denial-of-service (DDoS) attack prevention mechanisms in Cloudflare can be circumvented by exploiting gaps in cross-tenant security controls, defeating the very purpose of these safeguards, it has emerged.

"Attackers can utilize their own Cloudflare accounts to abuse the per-design trust-relationship between Cloudflare and the customers' websites, rendering the protection mechanism ineffective," Certitude researcher Stefan Proksch said in a report published last week.

The problem, per the Austrian consulting firm, is the result of shared infrastructure available to all tenants within Cloudflare, regardless of whether they are legitimate or otherwise, thereby making it easy for malicious actors to abuse the implicit trust associated with service and defeat the guardrails.

The first issue stems from opting for a shared Cloudflare certificate to authenticate HTTP(S) requests between the service's reverse proxies and the customer's origin server as part of a feature called Authenticated Origin Pulls.

As the name implies, Authenticated Origin Pulls ensures requests sent to the origin server to fetch content when it's not available in the cache originate from Cloudflare and not from a threat actor.

A consequence of such a setup is that an attacker with a Cloudflare account can send their malicious payload via the platform by taking advantage of the fact that all connections originating from Cloudflare are permitted, even if the tenant that's initiating the connection is nefarious.

"An attacker can set up a custom domain with Cloudflare and point the DNS A record to \[a\] victim's IP address," Proksch explained.

"The attacker then disables all protection features for that custom domain in their tenant and tunnel their attack(s) through the Cloudflare infrastructure. This approach allows attackers to bypass the protection features by the victim."

The second problem entails the abuse of allowlisting Cloudflare IP addresses – which stops the origin server from receiving traffic from individual visitor IP addresses and limits it to Cloudflare IP addresses – to transmit rogue inputs and target other users on the platform.

Following responsible disclosure on March 16, 2023, Cloudflare acknowledged the findings as informative, adding a new warning in its documentation.

"Note that the certificate Cloudflare provides for you to set up Authenticated Origin Pulls is not exclusive to your account, only guaranteeing that a request is coming from the Cloudflare network," Cloudflare now explicitly states.

"For more strict security, you should set up Authenticated Origin Pulls with your own certificate and consider other security measures for your origin."

"The 'Allowlist Cloudflare IP addresses' mechanism should be regarded as defense-in-depth, and not be the sole mechanism to protect origin servers," Proksch said. "The 'Authenticated Origin Pulls' mechanism should be configured with custom certificates rather than the Cloudflare certificate."

Certitude previously also uncovered that it's possible for attackers to leverage "dangling" DNS records to hijack subdomains belonging to over 1,000 organizations spanning governments, media outlets, political parties, and universities, and likely use them for malware distribution, disinformation campaigns, and phishing attacks.

"In most cases, the hijacking of subdomains could be effectively prevented by cloud services through domain ownership verification and not immediately releasing previously used identifiers for registration," security researcher Florian Schweitzer noted.

The disclosures arrive as Akamai revealed that adversaries are increasingly leveraging dynamically seeded domain generation algorithms (DGA) to avoid detection and complicate analysis, effectively extending the lifespan of command-and-control (C2) communication channels.

"Knowing which DGA domains will activate tomorrow allows us to proactively put these domains on our blocklists to protect end users from botnets," security researchers Connor Faulkner and Stijn Tilborghs said.

"Unfortunately, that scenario isn't possible with unpredictable seeds, such as Google Trends, temperatures, or foreign exchange rates. Even if we have the source code of the family, we are not able to correctly predict future-generated DGA domain names."

Back in August, a group of academics from the University of California, Irvine and Tsinghua University demonstrated a DNS poisoning attack called MaginotDNS that exploits flaws in the bailiwick checking algorithms to take over entire DNS zones, even including top-level domains such as .com and .net.

"The key to the discovery of MaginotDNS is the inconsistent bailiwick implementations between different DNS modes," the researchers pointed out. "The vulnerabilities do not harm the regular forwarders as they do not perform recursive domain resolutions, but for conditional DNS servers (CDNS), severe consequences can be caused."

"CDNS is a prevalent type of DNS server but not yet systematically studied. It is configured to act as recursive resolver and forwarder simultaneously, and the different server modes share the same global cache. As a result, attackers can exploit the forwarder vulnerabilities and 'cross the boundary' – attack recursive resolvers on the same server."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researcher Reveals New Techniques to Bypass Cloudflare's Firewall and DDoS Protection

Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory.

**asyncua vulnerable to denial of service via infinite loop**

Moderate severity GitHub Reviewed Published Oct 3, 2023 to the GitHub Advisory Database • Updated Oct 4, 2023

GHSA-gfvq-mxw3-mfq3: asyncua vulnerable to denial of service via infinite loop

Disclaimer: It is important to note that a previous vulnerability related to DoS attacks on asyncua servers exists.

However, the vulnerability described here is entirely different in nature. The previous vulnerability relied on

resource exhaustion by sending an unlimited number of large chunks.

This crafted message is sufficient to cause the server to enter an infinite loop,

gradually consuming more and more resources. Notably,

in comparison to CVE-2022-25304, the vulnerability discussed in this gist requires less effort to exploi

#How was the vulnerability discovered ?

During my experiments for my Ph.D., I identified this vulnerability and promptly alerted the maintainers

by creating an issue on Git, as their request.

#Reproduce:

To reproduce this vulnerability:

0/send a message with a size field set to 0.

I used an open secure channel request but others are working.

All of this is described in the issue:

The first comment made a mistake by thinking that this vulnerability is CVE-2022-25304. But if you read the complete issue

you will see that it is not.

https://github.com/FreeOpcUa/opcua-asyncio/issues/1013

Tag

#dos