By Waqas
Mandiant Investigates Zero-Day Exploitation in Citrix Vulnerability, CVE-2023-4966.
This is a post from HackRead.com Read the original post: Mandiant Tracks Four Uncategorized Groups Exploiting Citrix Vulnerability

According to Mandiant, the Citrix vulnerability which specifically impacts NetScaler ADC and Gateway appliances, has been detected in the wild since late August 2023.

Citrix, a provider of NetScaler ADC and Gateway appliances, released a security bulletin on October 10, 2023, detailing a vulnerability (CVE-2023-4966) exposing sensitive information. Mandiant, a **Google-owned** prominent cybersecurity firm, has identified instances of both zero-day exploitation and subsequent exploitation of this vulnerability following Citrix’s disclosure.

The vulnerability specifically affects NetScaler ADC and Gateway appliances and has been observed in the wild since late August 2023, continuing after the release of the security advisory by the company.

Mandiant’s investigations revealed successful exploitation incidents, allowing threat actors to take control of legitimate user sessions on these Citrix appliances, bypassing authentication measures, including passwords and multi-factor authentication.

Mandiant’s findings shed light on factors that help in identifying exploitation activities and highlight various post-exploitation techniques witnessed during their incident response investigations.

**Vulnerable Endpoints**

When Citrix released firmware updates addressing **CVE-2023-4966**, Mandiant employed similar methods as **Assetnote**, an external attack surface management firm, to identify vulnerable functions and create a proof of concept (PoC). Prior to Citrix’s publication, Mandiant was already investigating session takeovers, which they believed were the result of zero-day exploitation.

With differential firmware analysis, they pinpointed the vulnerable endpoint by crafting an HTTP GET request with an extended Host header, causing a vulnerable appliance to expose system memory contents, potentially revealing a valid NetScaler AAA session cookie.

**Investigation Challenges**

A significant challenge in investigating these vulnerable appliances lies in the absence of request logging for the vulnerable endpoint on the appliance’s web server. Mandiant recommends relying on **web application firewalls (WAF)** or similar network appliances recording HTTP/S requests directed towards these NetScaler devices to identify attempted exploitations.

**Techniques for Identifying Exploitation**

Mandiant outlined several techniques to identify potential exploitation and subsequent session hijacking. These include scrutinizing WAF logs, identifying suspicious login patterns in NetScaler logs, checking Windows Registry keys, and analyzing memory core dump files.

**Post-Exploitation Activities**

Following successful exploitation, Mandiant observed several post-exploitation tactics, such as surveillance, credential harvesting, and lateral movement through RDP. Threat actors used various tools and techniques to gain access, including **Mimikatz** for dumping process memory and deploying remote monitoring and management (RMM) tools like Atera, **AnyDesk**, and **SplashTop**.

**Victimology and Attribution**

Mandiant’s investigation spans multiple sectors, including legal, professional services, technology, and government organizations in the Americas, EMEA, and APJ regions. They are tracking four distinct uncategorized (UNC) groups involved in exploiting this vulnerability.

> _“Mandiant is currently tracking four distinct uncategorized (UNC) groups involved in exploiting this vulnerability. We have observed some lower degrees of confidence overlaps in post-exploitation stages among these UNC groups, like using the same recon commands and utilities available on Windows. The common tools observed across multiple intrusions were: csvde.exe certutil.exe local.exe nbtscan.exe.”_
> 
> Mandiant

**Timothy Morris**, Chief Security Advisor at Tanium also commented on the issue and wanted that the Netscaler exploitation is at large scale right now. “Session Hijacking” could be low risk, however, it could also be extremely high-risk, depending upon the session being hijacked,” Morris said.

“It is important that customers patch immediately and do the necessary incident response threat hunting. In other words, don’t assume that “If I patch, I’m good.” That might prevent the next exploitation attempt (i.e. repairing the broken window) but doesn’t resolve what might have already happened (i.e. who is already in the house due to the previously broken window),” added Morris.

**Remediation Efforts**

Mandiant published a **blog post** offering remediation recommendations and guidance to mitigate this vulnerability.

In conclusion, this revelation provides insights into the exploitation and post-exploitation activities resulting from the Citrix vulnerability CVE-2023-4966. Mandiant’s ongoing investigation aims to understand the intricacies of the exploit and provide comprehensive guidance for remediation.

****_Editor’s note:_****

_The article includes limited technical details about the vulnerability, exploitation techniques, and detection methods. Please note that this is a summarization of the extensive information provided in the original blog post by Mandiant._

****_RELATED ARTICLES_****

1.  Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk
2.  Cisco Catalyst SD-WAN Manager Systems Exposed to DoS Attacks
3.  JetBrains Patches TeamCity Flaw Allowing RCE and Server Hijacking
4.  iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser
5.  Mozilla Rushes to Fix Critical Vulnerability in Firefox and Thunderbird

Mandiant Tracks Four Uncategorized Groups Exploiting Citrix Vulnerability

Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.

October has been a security flaw-fest, with Apple, Microsoft, and Google issuing patches for vulnerabilities that are being used in real-life attacks. There were also multiple enterprise fixes during the month, with Cisco, VMWare, and Citrix fixing serious security bugs.

Some of the patches are more urgent than others, so read on to find out what you need to know about the updates released in October.

Apple iOS and iPad OS

October was a busy month for Apple, with the iPhone maker issuing its second set of fixes as part of iOS 17.1 at the end of the month. The two dozen security fixes in iOS 17.1 include patches for serious flaws in the Kernel at the heart of the iOS operating system and WebKit, the engine that underpins the Safari browser.

Tracked as CVE-2023-42849, the Kernel issue fixed in iOS 17.1 could allow an attacker that has already achieved code execution to bypass memory mitigations, Apple said on its support page. The three WebKit flaws—tracked as CVE-2023-40447, CVE-2023-41976, and CVE-2023-42852—could lead to arbitrary code execution.

Apple has also issued iOS and iPad OS 16.7.2, fixing the same flaws for users of older devices or those who don’t want to upgrade right away. They came alongside macOS Sonoma 14.1, macOS Ventura 13.6, macOS Monterey 12.7.1, tvOS 17.1, WatchOS 10.1, and Safari 17.1.

Earlier this month, Apple released iOS 17.0.3 and iOS 16.7.1, fixing issues being used in real-life attacks. Tracked as CVE-2023-42824, the first is a Kernel bug that could allow an attacker with access to your device to elevate their privileges.

Apple also fixed CVE-2023-5217, a buffer overflow flaw that could allow an attacker to execute code. Affecting multiple browsers and platforms, the bug has already been patched in Google’s Chrome browser.

Microsoft

Microsoft’s Patch Tuesday has seen the tech giant fix over 100 flaws, including two zero-day vulnerabilities in Microsoft WordPad and Skype for Business.

CVE-2023-36563 is an information disclosure bug in the WordPad word processing program that could expose NTLM hashes and result in NTLM relay attacks. However, it requires user interaction: The attacker must send someone a malicious file and convince them to open it, Microsoft said.

CVE-2023-41763 is an elevation of privilege vulnerability in Skype for Business. “An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address,” potentially disclosing IP addresses or port numbers, Microsoft said.

Microsoft also patched a flaw in Message Queuing tracked as CVE-2023-35349 with a CVSS critical score of 9.8, which could allow an unauthenticated attacker to remotely execute code.

October’s Patch Tuesday is a particularly urgent one, so it’s important to update as soon as you can.

Google Chrome

Google has released 20 security fixes for its Chrome browser, including one patch for a flaw rated as critical. Tracked as CVE-2023-5218, the bug is a use-after-free issue in Site Isolation. Another six fixes cover inappropriate implementation vulnerabilities marked as having medium impact, while CVE-2023-5476 is a use-after-free flaw in Blink History. Another issue, CVE-2023-5474, is a heap buffer overflow in PDF, according to Google’s blog.

A further four inappropriate implementation vulnerabilities are rated as having a low impact, with Google also fixing a low severity use-after-free bug in Cast tracked as CVE-2023-5473.

None of the flaws fixed in October have been exploited, but given how actively the browser is targeted, it makes sense to update as soon as you can.

Google Android

Google’s October Android update was a major one because it fixed 53 issues, including two vulnerabilities already being used in real-life attacks. The first is CVE-2023-4863, a heap buffer overflow bug in libwebp affecting the applications that use the library to encode and decode images in the WebP format. This vulnerability impacts many applications and could be used to install spyware, security firm Malwarebytes wrote in a blog.

There are indications that the bug “may be under limited, targeted exploitation,” Google said in an advisory.

CVE-2023-4211 is an issue in Arm components rated as having a high impact, which Google said is also being used in attacks. “A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Malwarebytes said, adding that the vulnerability affects multiple versions of Arm Mali GPU drivers. These are used in multiple Android device models, including those made by Google, Samsung, Huawei, and Xiaomi.

Another scary flaw in the System tracked as CVE-2023-40129 is rated as critical. “The \[vulnerability\] could lead to remote code execution with no additional execution privileges needed,” Google said.

The update is available for Google’s Pixel and Samsung’s Galaxy series, so if you have an Android device, check your settings ASAP.

Cisco

Software giant Cisco has released patches to fix two already exploited flaws. Tracked as CVE-2023-20198 and with an eye-watering CVSS score of 10, the first is an issue in the web user interface feature of Cisco IOS XE software. It affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled, researchers at Cisco Talos said in a blog.

“Successful exploitation of CVE-2023-20198 allows an attacker to gain privilege level 15 access to the device, which the attacker can then use to create a local user and log in with normal user access,” the researchers warned.

The attacker can use the new unauthorized local user account to exploit a second vulnerability, CVE-2023-20273, in another component of the WebUI feature. “This allows the adversary to inject commands with elevated root privileges, giving them the ability to run arbitrary commands on the device,” said Talos Intelligence, Cisco’s cybersecurity firm.

Cisco “strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses,” the firm wrote in an advisory.

VMWare

VMWare has patched two out-of-bounds write and information disclosure vulnerabilities in its vCenter Server. Tracked as CVE-2023-34048, the first is a vulnerability in the implementation of the DCERPC protocol that could lead to remote code execution. VMware has rated the flaw as critical with a CVSS base score of 9.8.

At the other end of the CVSS scale but still worth mentioning is CVE-2023-34056, a partial information disclosure bug with a score of 4.3. “A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data,” VMWare wrote in an advisory.

Citrix

Enterprise software firm Citrix has issued urgent fixes for vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Tracked as CVE-2023-4966 and with a CVSS score of 9.4, the first bug could allow an attacker to expose sensitive information.

CVE-2023-4967 is a denial of service issue with a CVSS score of 8.2. Exploits of CVE-2023-4966 on unmitigated appliances “have been observed,” Citrix said. “Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.”

SAP

SAP’s October Security Patch Day saw the release of seven new security notes, all of which were rated as having a medium impact. Tracked as CVE-2023-42474, the worst flaw is a cross-site scripting vulnerability in SAP BusinessObjects Web Intelligence with a CVSS score of 6.8.

With only nine new and updated security notes, SAP’s October Patch Day “belongs to the calmest of the last five years,” security firm Onapsis said.

While SAP’s October flaw count was much smaller than its peers’, attackers are still out there, so you should still keep up to date and get patching as soon as you can.

Apple, Google, and Microsoft Just Patched Some Spooky Security Flaws

Modern web app development relies on cloud infrastructure and containerization. These technologies scale on demand, handling millions of daily file transfers – it's almost impossible to imagine a world without them. However, they also introduce multiple attack vectors that exploit file uploads when working with public clouds, vulnerabilities in containers hosting web applications, and many other

Webinar / Web App Security

Modern web app development relies on cloud infrastructure and containerization. These technologies scale on demand, handling millions of daily file transfers – it's almost impossible to imagine a world without them. However, they also introduce multiple attack vectors that exploit file uploads when working with public clouds, vulnerabilities in containers hosting web applications, and many other persistent threats.

We surveyed organizations responsible for securing critical web applications used by healthcare, financial services, technology, and other critical infrastructure verticals to learn how they tackle the most destructive threats and summarized our findings in the OPSWAT 2023 State of Web Application Security Report. The survey report revealed that:

*   97% of organizations use or will deploy containers in their web hosting environments.
*   75% use cloud storage access solutions and want to prevent malware, secure sensitive data, and mitigate security compliance risks.
*   94% connect to other storage services and are interested in stopping malicious files from infecting your storage.
*   Yet only 2% of organizations feel confident with current security strategies.

In this webinar, join our panel of web application security experts as they expand on the insights gathered while protecting the world's most critical applications.

Our experts will also share five must-know web application security insights, including:

1.  **The leap to cloud infrastructure, how to elevate security without hindering performance.**

Platforms like Microsoft Azure, Amazon Web Services, and Google Cloud Platform are ubiquitous for hosting web applications. However, embracing public cloud hosting without implementing the requisite security measures exposes applications to data breaches.

3.  **Containerization security risks, why you need to fortify your builds.**

Despite significant advantages, containers may bring additional security risks. Malware or vulnerabilities hidden in containers hosting web applications can disrupt business, risk customer data, and lead to compliance violations.

5.  **Strategies to secure file storage while defeating persistent threats and achieving security compliance.**

You must check files for malware and sensitive data to prevent breaches and ensure compliance. Our panel will outline pitfalls and tools you can use to avoid costly and embarrassing data leaks.

7.  **Best practices to secure your software supply chain by locking down every stage of the dev lifecycle.**

Organizations must implement automated tools, services, and standards that enable teams to securely develop, secure, deploy, and operate applications.

9.  **Proven technologies to prevent file-borne and zero-day malware by disarming threats at the perimeter.**

Despite most organizations increasing their security budgets, most only use five or fewer AV engines to detect malicious files. Surprisingly, very few disarm files with potentially dangerous payloads with Content Disarm and Reconstruction (CDR) technology.

Join our panel of cybersecurity veterans Emo Gokay, Multi-Cloud Security Engineer at EY Technologies and George Prichici, VP of Products at OPSWAT, as they share insights and strategies gathered from the frontlines of securing critical infrastructure from advanced and persistent malware.

**Register now to walk away with five key web application security insights and strategies**.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Webinar: 5 Must-Know Trends Impacting AppSec

Apple Security Advisory 10-25-2023-5 - macOS Ventura 13.6.1 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-25-2023-5 macOS Ventura 13.6.1

macOS Ventura 13.6.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213985.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreAnimation  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

FileProvider  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service to Endpoint  
Security clients  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40413: Adam M.

Foundation  
Available for: macOS Ventura  
Impact: A website may be able to access sensitive user data when  
resolving symlinks  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2023-42844: Ron Masas of BreakPoint.SH

Image Capture  
Available for: macOS Ventura  
Impact: An app may be able to access protected user data  
Description: The issue was addressed with improved checks.  
CVE-2023-41077: Mickey Jin (@patch1t)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40416: JZ

IOTextEncryptionFamily  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40423: an anonymous researcher

iperf3  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2023-38403

Kernel  
Available for: macOS Ventura  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de <http://pinauten.de/>)

Model I/O  
Available for: macOS Ventura  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Passkeys  
Available for: macOS Ventura  
Impact: An attacker may be able to access passkeys without  
authentication  
Description: The issue was addressed with additional permissions checks.  
CVE-2023-40401: an anonymous researcher, weize she

Pro Res  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of  
360 Vulnerability Research Institute

talagent  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Weather  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of  
Computer Science, Romania

WindowServer  
Available for: macOS Ventura  
Impact: A website may be able to access the microphone without the  
microphone use indicator being shown  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-41975: an anonymous researcher

Additional recognition

GPU Drivers  
We would like to acknowledge an anonymous researcher for their  
assistance.

libarchive  
We would like to acknowledge Bahaa Naamneh for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

macOS Ventura 13.6.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5Y38ACgkQX+5d1TXa  
Ivp+exAAw1mhJG3ak3Vbixgq7vCy2CVcwwT1ISygYRdE0vJ2BPJVVMiNtflLuqoG  
wLazegOLQkj8VFYt4tWHC+mceX7NWq6zDeoR/lvure5DkbeFRoiyzqJimqpzLhBL  
nqzTUPvu4xrsC3u0DTTsJscEbZPx8h2WxXo/Cd1pIS2ajSDS5qklQIj+foOgPgXF  
AawOcERzVIgScIPCS3M8sIbZz63FV2CjX2OE+flr5fPSFDq0vtrOwa46pGw3hLjW  
BKhTJjhaUDneN/qsTuj+5AmqwDrCBUPltOxLDI/vjRUX+LGPmJdsPmnVL0HShNk+  
y87mbJtrXrHv6IrvcjdHfbglJVX+jjBsoGoUadM2qLNCoVK7vrfSvoFsba09Z3U+  
YK/1DCPVGq253vDfdWfoNsMUorCOP6CwmGZARMM+FErD3rUqxm3XBpZ3Jv4sLBvv  
fYyMLsn7YCBj31VzFafbliKGfduu7iijTdnfgTXEuNviTcOozeag8uNc0IW5tJKG  
bOEq6teHBXSiVQ5V84/K0hndN/DGiTXrQPJw0rjZ3V7N0olCyMdvXFGUhoDYVY5L  
WgKEpYgIJn44644Jzuj4gXEbc+sDlm+027OS2u5KrxNCtEIO2iLKTfc8dd2yJeq2  
CmMdV3N0L4smeLelGxZAtcwJc4Rdjh0Skair1iossxep+PGWAAo=kCLD  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-5

Apple Security Advisory 10-25-2023-4 - macOS Sonoma 14.1 addresses bypass, code execution, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-25-2023-4 macOS Sonoma 14.1

macOS Sonoma 14.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213984.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

App Support  
Available for: macOS Sonoma  
Impact: Parsing a file may lead to an unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-30774

AppSandbox  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40444: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Contacts  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41072: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Csaba Fitzl (@theevilbit) of Offensive Security  
CVE-2023-42857: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

CoreAnimation  
Available for: macOS Sonoma  
Impact: An app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

Emoji  
Available for: macOS Sonoma  
Impact: An attacker may be able to execute arbitrary code as root from  
the Lock Screen  
Description: The issue was addressed by restricting options offered on a  
locked device.  
CVE-2023-41989: Jewel Lambert

FileProvider  
Available for: macOS Sonoma  
Impact: An app may be able to cause a denial-of-service to Endpoint  
Security clients  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40413: Adam M.

Foundation  
Available for: macOS Sonoma  
Impact: A website may be able to access sensitive user data when  
resolving symlinks  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2023-42844: Ron Masas of BreakPoint.SH

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40416: JZ

IOTextEncryptionFamily  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40423: an anonymous researcher

iperf3  
Available for: macOS Sonoma  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2023-38403

Kernel  
Available for: macOS Sonoma  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

LaunchServices  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved permissions logic.  
CVE-2023-42850: Thijs Alkemade (@xnyhps) from Computest Sector 7, Brian  
McNulty, Zhongquan Li

Login Window  
Available for: macOS Sonoma  
Impact: An attacker with knowledge of a standard user's credentials can  
unlock another standard user's locked screen on the same Mac  
Description: A logic issue was addressed with improved state management.  
CVE-2023-42861: Jon Crain, 凯 王, Brandon Chesser & CPU IT, inc, Matthew  
McLean, Steven Maser, and Avalon IT Team of Concentrix

Mail Drafts  
Available for: macOS Sonoma  
Impact: Hide My Email may be deactivated unexpectedly  
Description: An inconsistent user interface issue was addressed with  
improved state management.  
CVE-2023-40408: Grzegorz Riegel

Maps  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-40405: Csaba Fitzl (@theevilbit) of Offensive Security

Model I/O  
Available for: macOS Sonoma  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Networking  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-40404: Certik Skyfall Team

Passkeys  
Available for: macOS Sonoma  
Impact: An attacker may be able to access passkeys without  
authentication  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42847: an anonymous researcher

Photos  
Available for: macOS Sonoma  
Impact: Photos in the Hidden Photos Album may be viewed without  
authentication  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42845: Bistrit Dahla

Pro Res  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of  
360 Vulnerability Research Institute

Safari  
Available for: macOS Sonoma  
Impact: Visiting a malicious website may reveal browsing history  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-41977: Alex Renda

Safari  
Available for: macOS Sonoma  
Impact: Visiting a malicious website may lead to user interface spoofing  
Description: An inconsistent user interface issue was addressed with  
improved state management.  
CVE-2023-42438: Rafay Baloch & Muhammad Samaak, an anonymous researcher

Siri  
Available for: macOS Sonoma  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed by restricting options offered on  
a locked device.  
CVE-2023-41982: Bistrit Dahla  
CVE-2023-41997: Bistrit Dahla  
CVE-2023-41988: Bistrit Dahla

talagent  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Terminal  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2023-42842: an anonymous researcher

Vim  
Available for: macOS Sonoma  
Impact: Processing malicious input may lead to code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-4733  
CVE-2023-4734  
CVE-2023-4735  
CVE-2023-4736  
CVE-2023-4738  
CVE-2023-4750  
CVE-2023-4751  
CVE-2023-4752  
CVE-2023-4781

Weather  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of  
Computer Science, Romania

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259836  
CVE-2023-40447: 이준성(Junsung Lee) of Cross Republic

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 259890  
CVE-2023-41976: 이준성(Junsung Lee)

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: A logic issue was addressed with improved checks.  
WebKit Bugzilla: 260173  
CVE-2023-42852: an anonymous researcher

WebKit Process Model  
Available for: macOS Sonoma  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 260757  
CVE-2023-41983: 이준성(Junsung Lee)

WindowServer  
Available for: macOS Sonoma  
Impact: A website may be able to access the microphone without the  
microphone use indicator being shown  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-41975: an anonymous researcher

Additional recognition

libarchive  
We would like to acknowledge Bahaa Naamneh for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

Login Window  
We would like to acknowledge an anonymous researcher for their  
assistance.

man  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.

Power Manager  
We would like to acknowledge Xia0o0o0o (@Nyaaaaa_ovo) of University of  
California, San Diego for their assistance.

Reminders  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

macOS Sonoma 14.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5Y1gACgkQX+5d1TXa  
Ivp59RAA2EQwY61OvHZQ0u99Wov8TAoM9popyjLrkWBvKbTH03vdZIXyeCOaqFR8  
aT5SAlRwGOv0QIp/KmRweGlLl96/YP5fhgmDxISwahJZqOuwFkcj9OTfmoENyd6w  
7YYr0BwSfFhrFEQm/OdE4TbiXp+87YiPXA0NPVeClw15bpmQ830aIY3iMJrCLcAE  
ZI6QW9Yi3ynYhor1U+24V8hCM6LgMClNCWavZMorx3D1dfcPkhfspZL1cLqrGNqz  
cCF0IJaJDqKiFG//4FQqDbMOUuP3/FMkH4vED+9krIRqe51P6XDkVeI/BgFo6wpu  
hgZVgcPxMgbeiZX7O4BAY/ygLe2pKpyvBDJKCCo4GjkypcjmFhyyul+J45yLOSA1  
+x9EzYE8OSOn4dGA+qT9aKC4Csti9idoK0KsYHN7jCLU56Y9gvIV2n+PcWVhI4RF  
gE4BD+71vPyn6+tpf27+Kt5qW1Mj3ru6Q3u0w2xobbLdpgxc66EfCn2ZLxuzSqvc  
kSgwf1yOpiMLzBMAqWxgX51qppsQA1du8G6ZNmPjdyV28GpaWNzL/qb3vivaSYkK  
b6vrLEGID7U4wFjbVfuc7v0xmZeOgUprH6eQ7PnjRdmMq0xDaW8xFs3iGc6GScvl  
ZCI4CcZSLGPrCzmyUpbD+OMFT4SDDaOGSNEXW7jOrRjgQMc6bJQ=  
=YgRC  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-4

Apple Security Advisory 10-25-2023-6 - macOS Monterey 12.7.1 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-25-2023-6 macOS Monterey 12.7.1

macOS Monterey 12.7.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213983.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreAnimation  
Available for: macOS Monterey  
Impact: An app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

FileProvider  
Available for: macOS Monterey  
Impact: An app may be able to cause a denial-of-service to Endpoint  
Security clients  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Monterey  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40413: Adam M.

Foundation  
Available for: macOS Monterey  
Impact: A website may be able to access sensitive user data when  
resolving symlinks  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2023-42844: Ron Masas of BreakPoint.SH

ImageIO  
Available for: macOS Monterey  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40416: JZ

IOTextEncryptionFamily  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40423: an anonymous researcher

Kernel  
Available for: macOS Monterey  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

Model I/O  
Available for: macOS Monterey  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Sandbox  
Available for: macOS Monterey  
Impact: An app with root privileges may be able to access private  
information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-40425: Csaba Fitzl (@theevilbit) of Offensive Security

talagent  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

WindowServer  
Available for: macOS Monterey  
Impact: A website may be able to access the microphone without the  
microphone use indicator being shown  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-41975: an anonymous researcher

Additional recognition

GPU Drivers  
We would like to acknowledge an anonymous researcher for their  
assistance.

libarchive  
We would like to acknowledge Bahaa Naamneh for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

macOS Monterey 12.7.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5Y5oACgkQX+5d1TXa  
Ivqb6BAAieI+tJLfoXDjA0sTp609OWejWuxdN1SYm8DCRu6P5Qdt3YMa8pn00HhO  
qEzCi8UdZ39itc7duw8iQa5SbMdXaMahFOV/LBCaMeYLtQbIHhMPJLe8sV3MPLgt  
keAs21DKhlAVKfxG3Y3v6aIxf2RUbv19fFC2k+cqNvieHj8S5WxMLC0LSIfekHJ2  
uewaIpTrUHxjnJkStF/e+9QquJB4FXWX6Vx3vWY6UjclO380u8lilOQ13JW8kWNU  
Hhxz/CnH4u0H92RnVOY5vOHt4bY+uh7JOj/PZNIhPAv3MrvPWzFcqQvfQPjRa5zZ  
AAcWReslUWwnEVlCkdTAyitqTsbxKaMn9h60jy03HE5ydcSjsBIGhX4TWETv9r2m  
LqMHpsvQanPJZz2zi9LsptDOtVOiDji/5EVwZd5IG4z8fauLgbJ5VGgSj9RE8q01  
FGzYSmuMY4BNf+bu2w9SexbBsVvCtAvMuedFy8Z4Gdi4nz2OauVjAXVo/AdKKeQk  
aN2PnXOmTJLigJziwCbyTUbYEy4pjL9mJwAkbYDm5fUbU5FYhrBJ+XuhIIz/MkIN  
foFk82DGzre1yORU+zPXlT0Y/khO5ZvFvQUDyG9FClrw0GrBGBMBtUriTTm46n0b  
RF2rs8ucMPOfM0fFpWZIeiulY2tekAFOLOK5j425pjjfRN2+XJw=zXmL  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-6

A logic issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1. An attacker with knowledge of a standard user's credentials can unlock another standard user's locked screen on the same Mac.

Released October 25, 2023

**App Support**

Available for: macOS Sonoma

Impact: Parsing a file may lead to an unexpected app termination or arbitrary code execution

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-30774

**AppSandbox**

Available for: macOS Sonoma

Impact: An app may be able to access user-sensitive data

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40444: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Contacts**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-41072: Wojciech Regula of SecuRing (wojciechregula.blog) and Csaba Fitzl (@theevilbit) of Offensive Security

CVE-2023-42857: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**CoreAnimation**

Available for: macOS Sonoma

Impact: An app may be able to cause a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

**Emoji**

Available for: macOS Sonoma

Impact: An attacker may be able to execute arbitrary code as root from the Lock Screen

Description: The issue was addressed by restricting options offered on a locked device.

CVE-2023-41989: Jewel Lambert

**FileProvider**

Available for: macOS Sonoma

Impact: An app may be able to cause a denial-of-service to Endpoint Security clients

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Find My**

Available for: macOS Sonoma

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40413: Adam M.

**Foundation**

Available for: macOS Sonoma

Impact: A website may be able to access sensitive user data when resolving symlinks

Description: This issue was addressed with improved handling of symlinks.

CVE-2023-42844: Ron Masas of BreakPoint.SH

**ImageIO**

Available for: macOS Sonoma

Impact: Processing an image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-40416: JZ

**IOTextEncryptionFamily**

Available for: macOS Sonoma

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40423: an anonymous researcher

**iperf3**

Available for: macOS Sonoma

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved checks.

CVE-2023-38403

**Kernel**

Available for: macOS Sonoma

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

**LaunchServices**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: The issue was addressed with improved permissions logic.

CVE-2023-42850: Thijs Alkemade (@xnyhps) from Computest Sector 7, Brian McNulty, Zhongquan Li

**Login Window**

Available for: macOS Sonoma

Impact: An attacker with knowledge of a standard user's credentials can unlock another standard user's locked screen on the same Mac

Description: A logic issue was addressed with improved state management.

CVE-2023-42861: Jon Crain, 凯 王, Brandon Chesser & CPU IT, inc, Matthew McLean, Steven Maser, and Avalon IT Team of Concentrix

**Mail Drafts**

Available for: macOS Sonoma

Impact: Hide My Email may be deactivated unexpectedly

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2023-40408: Grzegorz Riegel

**Maps**

Available for: macOS Sonoma

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-40405: Csaba Fitzl (@theevilbit) of Offensive Security

**Model I/O**

Available for: macOS Sonoma

Impact: Processing a file may lead to unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

**Networking**

Available for: macOS Sonoma

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-40404: Certik Skyfall Team

**Passkeys**

Available for: macOS Sonoma

Impact: An attacker may be able to access passkeys without authentication

Description: A logic issue was addressed with improved checks.

CVE-2023-42847: an anonymous researcher

**Photos**

Available for: macOS Sonoma

Impact: Photos in the Hidden Photos Album may be viewed without authentication

Description: An authentication issue was addressed with improved state management.

CVE-2023-42845: Bistrit Dahla

**Pro Res**

Available for: macOS Sonoma

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of 360 Vulnerability Research Institute

**Safari**

Available for: macOS Sonoma

Impact: Visiting a malicious website may reveal browsing history

Description: The issue was addressed with improved handling of caches.

CVE-2023-41977: Alex Renda

**Safari**

Available for: macOS Sonoma

Impact: Visiting a malicious website may lead to user interface spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2023-42438: Rafay Baloch & Muhammad Samaak, an anonymous researcher

**Siri**

Available for: macOS Sonoma

Impact: An attacker with physical access may be able to use Siri to access sensitive user data

Description: This issue was addressed by restricting options offered on a locked device.

CVE-2023-41982: Bistrit Dahla

CVE-2023-41997: Bistrit Dahla

CVE-2023-41988: Bistrit Dahla

**talagent**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Terminal**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: The issue was addressed with improved checks.

CVE-2023-42842: an anonymous researcher

**Vim**

Available for: macOS Sonoma

Impact: Processing malicious input may lead to code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-4733

CVE-2023-4734

CVE-2023-4735

CVE-2023-4736

CVE-2023-4738

CVE-2023-4750

CVE-2023-4751

CVE-2023-4752

CVE-2023-4781

**Weather**

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of Computer Science, Romania

**WebKit**

Available for: macOS Sonoma

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 259836  
CVE-2023-40447: 이준성(Junsung Lee) of Cross Republic

**WebKit**

Available for: macOS Sonoma

Impact: Processing web content may lead to arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 259890  
CVE-2023-41976: 이준성(Junsung Lee)

**WebKit**

Available for: macOS Sonoma

Impact: Processing web content may lead to arbitrary code execution

Description: A logic issue was addressed with improved checks.

WebKit Bugzilla: 260173  
CVE-2023-42852: an anonymous researcher

**WebKit Process Model**

Available for: macOS Sonoma

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 260757  
CVE-2023-41983: 이준성(Junsung Lee)

**WindowServer**

Available for: macOS Sonoma

Impact: A website may be able to access the microphone without the microphone use indicator being shown

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-41975: an anonymous researcher

CVE-2023-42861: About the security content of macOS Sonoma 14.1

The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. Processing a file may lead to unexpected app termination or arbitrary code execution.

Released October 25, 2023

**CoreAnimation**

Available for: macOS Monterey

Impact: An app may be able to cause a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

**FileProvider**

Available for: macOS Monterey

Impact: An app may be able to cause a denial-of-service to Endpoint Security clients

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Find My**

Available for: macOS Monterey

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40413: Adam M.

**Foundation**

Available for: macOS Monterey

Impact: A website may be able to access sensitive user data when resolving symlinks

Description: This issue was addressed with improved handling of symlinks.

CVE-2023-42844: Ron Masas of BreakPoint.SH

**ImageIO**

Available for: macOS Monterey

Impact: Processing an image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-40416: JZ

**IOTextEncryptionFamily**

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40423: an anonymous researcher

**Kernel**

Available for: macOS Monterey

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

**Model I/O**

Available for: macOS Monterey

Impact: Processing a file may lead to unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

**Sandbox**

Available for: macOS Monterey

Impact: An app with root privileges may be able to access private information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-40425: Csaba Fitzl (@theevilbit) of Offensive Security

**talagent**

Available for: macOS Monterey

Impact: An app may be able to access sensitive user data

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**WindowServer**

Available for: macOS Monterey

Impact: A website may be able to access the microphone without the microphone use indicator being shown

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-41975: an anonymous researcher

CVE-2023-42856: About the security content of macOS Monterey 12.7.1

The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.1. An app may be able to access protected user data.

Released October 25, 2023

**CoreAnimation**

Available for: macOS Ventura

Impact: An app may be able to cause a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

**FileProvider**

Available for: macOS Ventura

Impact: An app may be able to cause a denial-of-service to Endpoint Security clients

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Find My**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40413: Adam M.

**Foundation**

Available for: macOS Ventura

Impact: A website may be able to access sensitive user data when resolving symlinks

Description: This issue was addressed with improved handling of symlinks.

CVE-2023-42844: Ron Masas of BreakPoint.SH

**Image Capture**

Available for: macOS Ventura

Impact: An app may be able to access protected user data

Description: The issue was addressed with improved checks.

CVE-2023-41077: Mickey Jin (@patch1t)

**ImageIO**

Available for: macOS Ventura

Impact: Processing an image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-40416: JZ

**IOTextEncryptionFamily**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40423: an anonymous researcher

**iperf3**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved checks.

CVE-2023-38403

**Kernel**

Available for: macOS Ventura

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

**Model I/O**

Available for: macOS Ventura

Impact: Processing a file may lead to unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

**Passkeys**

Available for: macOS Ventura

Impact: An attacker may be able to access passkeys without authentication

Description: The issue was addressed with additional permissions checks.

CVE-2023-40401: an anonymous researcher, weize she

**Pro Res**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of 360 Vulnerability Research Institute

**talagent**

Available for: macOS Ventura

Impact: An app may be able to access sensitive user data

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

**Weather**

Available for: macOS Ventura

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of Computer Science, Romania

**WindowServer**

Available for: macOS Ventura

Impact: A website may be able to access the microphone without the microphone use indicator being shown

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-41975: an anonymous researcher

CVE-2023-41077: About the security content of macOS Ventura 13.6.1

A campaign targeting European governmental organizations and a think tank shows consistency from the low-profile threat group, which has ties to Belarus and Russia.

Low-profile threat group Winter Vivern has been exploiting a zero-day flaw in Roundcube Webmail servers with a malicious email campaign targeting governmental organizations and a think tank in Europe that requires only that a user view a message.

Earlier this month, researchers at ESET Research observed the group sending a specially crafted email message that loads an arbitrary JavaScript code in the context of the Roundcube user's browser window to exploit a newly discovered cross-site scripting (XSS) flaw tracked as CVE-2023-5631. The one-click exploit requires no manual interaction on the part of the user other than viewing the message in a Web browser, the researchers reported in a blog post published Oct. 25.

Roundcube is a freely available, open source webmail solution that's especially popular with small-to-midsize organizations. The flaw affects versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4, and allows for stored XSS via an HTML email message with a crafted SVG document due to the behavior of "program/lib/Roundcube/rcube\_washtml.php," according to its CVE listing. This, in turn, allows a remote attacker to load arbitrary JavaScript code.

ESET Research reported the vulnerability to the Roundcube team on Oct. 12 and received a response and patch from the company two days later on Oct. 14. On Oct. 16, Roundcube released security updates with new versions 1.6.4, 1.5.5, and 1.4.15 to address the flaw.

**Long-Term Targeting**

Winter Vivern's activity is often underreported by security researchers but the group has been active since at least December 2020 and shows sympathies with Russia and Belarus, conducting cyber espionage that serves the interest of those nations. The group typically uses malicious documents, phishing websites, and a custom PowerShell backdoor to compromise its targets and may be linked to a sophisticated Belarus-aligned group MoustachedBouncer.

The latest activity observed by ESET— which has been tracking Winter Vivern closely for about a year — is consistent with the group's typical methods, though previously they exploited flaws that already were public, notes ESET Researcher Mathieu Faou.

"Since at least 2022, they have been exploiting XSS vulnerabilities in Zimbra and Roundcube to load arbitrary JavaScript code and steal emails," he tells Dark Reading. "However, most of those vulnerabilities were known and as such they could only work on unpatched mail servers."

The fact that the group is now "burning zero-day vulnerabilities" and attacking even updated versions of widely-used webmail servers could be a harbinger of future activity, as it demonstrates a long-term interest in European governmental organizations as primary targets, Faou says.

**How the Campaign Works**

The latest campaign begins with a phishing email to targets sent from the address \[email protected\] with the subject line "Get started in your Outlook." The message purports to be from The Microsoft Accounts Team and aims to guide users with their Outlook accounts, seeming innocent enough.

However, just viewing the email sets into motion a process spurred by an SVG tag at the end of the email's HTML source code that includes a base64-encoded payload. Decoding the payload produces a JavaScript code that is executed in the browser of the victim in the context of their Roundcube session, according to ESET.

The researchers realized that the exploit was for a zero-day flaw when the JavaScript injection worked on a fully patched Roundcube instance. They found that the XSS vulnerability being exploited affected the server-side "script rcube\_washtml.php," which doesn't properly sanitize the malicious SVG document before being added to the HTML page interpreted by a Roundcube user.

The final JavaScript payload in the attack can list folders and emails in the current Roundcube account and exfiltrate email messages to Winter Vivern's command and control server by making HTTP requests to "https://recsecas\[.\]com/controlserver/saveMessage."

**Patch Now**

Users of vulnerable Roundcube instances are urged to update to the patched versions to avoid compromise. However, in the case of any future zero-day flaws discovered and subsequently exploited by Winter Vivern, this defense would not be sufficient enough, Faou notes.

Other endpoint-defense practices that can protect vulnerable systems in the event of similar zero-day exploits would be to put technology in place that automatically block the loading of JavaScript payloads and exfiltration of emails, he advises. "As such, it is also recommended to deploy an endpoint security solution on all machines."

Tag

#zero_day