Experts found a large new class of bugs ‘class’ in Apple devices

Tech giant Apple discloses three new vulnerabilities affecting its iOS, iPadOS, and macOS operating systems.

Apple updated its advisories by adding three new vulnerabilities, tracked as CVE-2023-23520, CVE-2023-23530 and CVE-2023-23531, that affect iOS, iPadOS, and macOS.

An attacker can trigger the CVE-2023-23530 flaw to execute arbitrary code out of its sandbox or with certain elevated privileges. The vulnerability resides in the Foundation framework, it was reported by Austin Emmitt from Trellix ARC.

The company addressed the issue with the release of version iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2, which improved memory handling.

“An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges.” reads the advisory. “The issue was addressed with improved memory handling.”

Emmitt also discovered a similar issue, tracked as CVE-2023-23531, in the Foundation component.

“The Trellix Advanced Research Center vulnerability team has discovered a large new class of bugs that allow bypassing code signing to execute arbitrary code in the context of several platform applications, leading to escalation of privileges and sandbox escape on both macOS and iOS.” reads the post published by Trellix. “The vulnerabilities range from medium to high severity with CVSS scores between 5.1 and 7.1.”

Trellix researchers pointed out the vulnerabilities can be used by malicious applications and exploits to gain access to sensitive information of the vulnerable devices.

The experts reported that these flaws can be exploited to bypass mitigations implemented by Apple to neutralize zero-click exploits like FORCEDENTRY. These exploits can be included in surveillance software developed by surveillance firms like the NSO Group, which relied on it to deploy their Pegasus spyware.

“The vulnerabilities above represent a significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need and querying higher privileged services to get anything else.” concludes the Trellix’s report. 

The flaws can allow attackers to access users’ messages, location data, call history, and photos.

The third vulnerability, tracked as CVE-2023-23520, is a race condition in the Crash Reporter component that can be exploited by a malicious actor to read arbitrary files as root. Apple addressed the vulnerability with additional validation.

Cees Elzinga reported the vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)