Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.1834 macOS Ventura 13.3 28 March 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: macOS Ventura Publisher: Apple Operating System: macOS Resolution: Patch/Upgrade CVE Names: CVE-2023-28200 CVE-2023-28192 CVE-2023-28190 CVE-2023-28182 CVE-2023-28181 CVE-2023-28180 CVE-2023-28178 CVE-2023-27969 CVE-2023-27968 CVE-2023-27965 CVE-2023-27963 CVE-2023-27962 CVE-2023-27961 CVE-2023-27958 CVE-2023-27957 CVE-2023-27956 CVE-2023-27955 CVE-2023-27954 CVE-2023-27953 CVE-2023-27952 CVE-2023-27951 CVE-2023-27949 CVE-2023-27946 CVE-2023-27944 CVE-2023-27943 CVE-2023-27942 CVE-2023-27941 CVE-2023-27937 CVE-2023-27936 CVE-2023-27935 CVE-2023-27934 CVE-2023-27933 CVE-2023-27932 CVE-2023-27931 CVE-2023-27929 CVE-2023-27928 CVE-2023-23543 CVE-2023-23542 CVE-2023-23538 CVE-2023-23537 CVE-2023-23535 CVE-2023-23534 CVE-2023-23533 CVE-2023-23532 CVE-2023-23527 CVE-2023-23526 CVE-2023-23525 CVE-2023-23523 CVE-2023-23514 CVE-2023-0512 CVE-2023-0433 CVE-2023-0288 CVE-2023-0054 CVE-2023-0051 CVE-2023-0049 CVE-2022-43552 CVE-2022-43551 Original Bulletin: https://support.apple.com/HT213670 Comment: CVSS (Max): 7.8* CVE-2023-23514 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * Not all CVSS available when published - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2023-03-27-3 macOS Ventura 13.3 macOS Ventura 13.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213670. AMD Available for: macOS Ventura Impact: An app may be able to cause unexpected system termination or write kernel memory Description: A buffer overflow issue was addressed with improved memory handling. CVE-2023-27968: ABC Research s.r.o. Apple Neural Engine Available for: macOS Ventura Impact: An app may be able to break out of its sandbox Description: This issue was addressed with improved checks. CVE-2023-23532: Mohamed Ghannam (@_simo36) AppleMobileFileIntegrity Available for: macOS Ventura Impact: A user may gain access to protected parts of the file system Description: The issue was addressed with improved checks. CVE-2023-23527: Mickey Jin (@patch1t) AppleMobileFileIntegrity Available for: macOS Ventura Impact: An app may be able to access user-sensitive data Description: This issue was addressed by removing the vulnerable code. CVE-2023-27931: Mickey Jin (@patch1t) Archive Utility Available for: macOS Ventura Impact: An archive may be able to bypass Gatekeeper Description: The issue was addressed with improved checks. CVE-2023-27951: Brandon Dalton of Red Canary and Csaba Fitzl (@theevilbit) of Offensive Security Calendar Available for: macOS Ventura Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information Description: Multiple validation issues were addressed with improved input sanitization. CVE-2023-27961: Riza Sabuncu - twitter.com/rizasabuncu Camera Available for: macOS Ventura Impact: A sandboxed app may be able to determine which app is currently using the camera Description: The issue was addressed with additional restrictions on the observability of app states. CVE-2023-23543: Yigit Can YILMAZ (@yilmazcanyigit) Carbon Core Available for: macOS Ventura Impact: Processing a maliciously crafted image may result in disclosure of process memory Description: The issue was addressed with improved checks. CVE-2023-23534: Mickey Jin (@patch1t) ColorSync Available for: macOS Ventura Impact: An app may be able to read arbitrary files Description: The issue was addressed with improved checks. CVE-2023-27955: JeongOhKyea CommCenter Available for: macOS Ventura Impact: An app may be able to cause unexpected system termination or write kernel memory Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2023-27936: Tingting Yin of Tsinghua University CoreCapture Available for: macOS Ventura Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2023-28181: Tingting Yin of Tsinghua University curl Available for: macOS Ventura Impact: Multiple issues in curl Description: Multiple issues were addressed by updating curl. CVE-2022-43551 CVE-2022-43552 dcerpc Available for: macOS Ventura Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: A memory initialization issue was addressed. CVE-2023-27934: Aleksandar Nikolic of Cisco Talos dcerpc Available for: macOS Ventura Impact: A user in a privileged network position may be able to cause a denial-of-service Description: A denial-of-service issue was addressed with improved memory handling. CVE-2023-28180: Aleksandar Nikolic of Cisco Talos dcerpc Available for: macOS Ventura Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: The issue was addressed with improved bounds checks. CVE-2023-27935: Aleksandar Nikolic of Cisco Talos dcerpc Available for: macOS Ventura Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory Description: The issue was addressed with improved memory handling. CVE-2023-27953: Aleksandar Nikolic of Cisco Talos CVE-2023-27958: Aleksandar Nikolic of Cisco Talos Display Available for: macOS Ventura Impact: An app may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2023-27965: Proteas of Pangu Lab FaceTime Available for: macOS Ventura Impact: An app may be able to access user-sensitive data Description: A privacy issue was addressed by moving sensitive data to a more secure location. CVE-2023-28190: Joshua Jones Find My Available for: macOS Ventura Impact: An app may be able to read sensitive location information Description: A privacy issue was addressed with improved private data redaction for log entries. CVE-2023-23537: an anonymous researcher FontParser Available for: macOS Ventura Impact: Processing a maliciously crafted image may result in disclosure of process memory Description: The issue was addressed with improved memory handling. CVE-2023-27956: Ye Zhang of Baidu Security Foundation Available for: macOS Ventura Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution Description: An integer overflow was addressed with improved input validation. CVE-2023-27937: an anonymous researcher iCloud Available for: macOS Ventura Impact: A file from an iCloud shared-by-me folder may be able to bypass Gatekeeper Description: This was addressed with additional checks by Gatekeeper on files downloaded from an iCloud shared-by-me folder. CVE-2023-23526: Jubaer Alnazi of TRS Group of Companies Identity Services Available for: macOS Ventura Impact: An app may be able to access information about a user’s contacts Description: A privacy issue was addressed with improved private data redaction for log entries. CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security ImageIO Available for: macOS Ventura Impact: Processing a maliciously crafted image may result in disclosure of process memory Description: The issue was addressed with improved memory handling. CVE-2023-23535: ryuzaki ImageIO Available for: macOS Ventura Impact: Processing a maliciously crafted image may result in disclosure of process memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab and jzhu working with Trend Micro Zero Day Initiative ImageIO Available for: macOS Ventura Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2023-27946: Mickey Jin (@patch1t) ImageIO Available for: macOS Ventura Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution Description: A buffer overflow issue was addressed with improved memory handling. CVE-2023-27957: Yigit Can YILMAZ (@yilmazcanyigit) Kernel Available for: macOS Ventura Impact: An app may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed with improved memory management. CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero CVE-2023-27969: Adam Doupé of ASU SEFCOM Kernel Available for: macOS Ventura Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2023-27933: sqrtpwn Kernel Available for: macOS Ventura Impact: An app may be able to disclose kernel memory Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation. CVE-2023-27941: Arsenii Kostromin (0x3c3e) Kernel Available for: macOS Ventura Impact: An app may be able to disclose kernel memory Description: A validation issue was addressed with improved input sanitization. CVE-2023-28200: Arsenii Kostromin (0x3c3e) LaunchServices Available for: macOS Ventura Impact: Files downloaded from the internet may not have the quarantine flag applied Description: This issue was addressed with improved checks. CVE-2023-27943: an anonymous researcher, Brandon Dalton, Milan Tenk, and Arthur Valiev LaunchServices Available for: macOS Ventura Impact: An app may be able to gain root privileges Description: This issue was addressed with improved checks. CVE-2023-23525: Mickey Jin (@patch1t) Model I/O Available for: macOS Ventura Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2023-27949: Mickey Jin (@patch1t) NetworkExtension Available for: macOS Ventura Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device Description: The issue was addressed with improved authentication. CVE-2023-28182: Zhuowei Zhang PackageKit Available for: macOS Ventura Impact: An app may be able to modify protected parts of the file system Description: A logic issue was addressed with improved checks. CVE-2023-23538: Mickey Jin (@patch1t) CVE-2023-27962: Mickey Jin (@patch1t) Photos Available for: macOS Ventura Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup Description: A logic issue was addressed with improved restrictions. CVE-2023-23523: developStorm Podcasts Available for: macOS Ventura Impact: An app may be able to access user-sensitive data Description: The issue was addressed with improved checks. CVE-2023-27942: Mickey Jin (@patch1t) Safari Available for: macOS Ventura Impact: An app may bypass Gatekeeper checks Description: A race condition was addressed with improved locking. CVE-2023-27952: Csaba Fitzl (@theevilbit) of Offensive Security Sandbox Available for: macOS Ventura Impact: An app may be able to modify protected parts of the file system Description: A logic issue was addressed with improved checks. CVE-2023-23533: Mickey Jin (@patch1t), Koh M. Nakagawa of FFRI Security, Inc., and Csaba Fitzl (@theevilbit) of Offensive Security Sandbox Available for: macOS Ventura Impact: An app may be able to bypass Privacy preferences Description: A logic issue was addressed with improved validation. CVE-2023-28178: Yigit Can YILMAZ (@yilmazcanyigit) Shortcuts Available for: macOS Ventura Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user Description: The issue was addressed with additional permissions checks. CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and Wenchao Li and Xiaolong Bai of Alibaba Group System Settings Available for: macOS Ventura Impact: An app may be able to access user-sensitive data Description: A privacy issue was addressed with improved private data redaction for log entries. CVE-2023-23542: an anonymous researcher System Settings Available for: macOS Ventura Impact: An app may be able to read sensitive location information Description: A permissions issue was addressed with improved validation. CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes) TCC Available for: macOS Ventura Impact: An app may be able to access user-sensitive data Description: This issue was addressed by removing the vulnerable code. CVE-2023-27931: Mickey Jin (@patch1t) Vim Available for: macOS Ventura Impact: Multiple issues in Vim Description: Multiple issues were addressed by updating to Vim version 9.0.1191. CVE-2023-0049 CVE-2023-0051 CVE-2023-0054 CVE-2023-0288 CVE-2023-0433 CVE-2023-0512 WebKit Available for: macOS Ventura Impact: Processing maliciously crafted web content may bypass Same Origin Policy Description: This issue was addressed with improved state management. CVE-2023-27932: an anonymous researcher WebKit Available for: macOS Ventura Impact: A website may be able to track sensitive user information Description: The issue was addressed by removing origin information. CVE-2023-27954: an anonymous researcher XPC Available for: macOS Ventura Impact: An app may be able to break out of its sandbox Description: This issue was addressed with a new entitlement. CVE-2023-27944: Mickey Jin (@patch1t) Additional recognition Activation Lock We would like to acknowledge Christian Mina for their assistance. AppleScript We would like to acknowledge Mickey Jin (@patch1t) for their assistance. CFNetwork We would like to acknowledge an anonymous researcher for their assistance. Control Center We would like to acknowledge an anonymous researcher for their assistance. CoreServices We would like to acknowledge Mickey Jin (@patch1t) for their assistance. dcerpc We would like to acknowledge Aleksandar Nikolic of Cisco Talos for their assistance. FaceTime We would like to acknowledge Sajan Karki for their assistance. file_cmds We would like to acknowledge Lukas Zronek for their assistance. Git We would like to acknowledge for their assistance. Heimdal We would like to acknowledge Evgeny Legerov of Intevydis for their assistance. ImageIO We would like to acknowledge Meysam Firouzi @R00tkitSMM for their assistance. Mail We would like to acknowledge Chen Zhang, Fabian Ising of FH Münster University of Applied Sciences, Damian Poddebniak of FH Münster University of Applied Sciences, Tobias Kappert of Münster University of Applied Sciences, Christoph Saatjohann of Münster University of Applied Sciences, Sebast, and Merlin Chlosta of CISPA Helmholtz Center for Information Security for their assistance. NSOpenPanel We would like to acknowledge Alexandre Colucci (@timacfr) for their assistance. quarantine We would like to acknowledge Koh M. Nakagawa of FFRI Security, Inc. for their assistance. Safari Downloads We would like to acknowledge Andrew Gonzalez for their assistance. WebKit We would like to acknowledge an anonymous researcher for their assistance. WebKit Web Inspector We would like to acknowledge Dohyun Lee (@l33d0hyun) and crixer (@pwning_me) of SSD Labs for their assistance. Wi-Fi We would like to acknowledge an anonymous researcher for their assistance. macOS Ventura 13.3 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ - -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHnwACgkQ4RjMIDke NxlDUw/8COhSvqsTrIJtGhMmZJ83+R9pZPGZIhY0eOZbFp+yCFBRYE9IIzv785uM LQ+2ZsBqCtsMp3ZDhYFvEvigGPnCpfnZrd/JBsPXz7O6HfSG2whOIHtSu+LAvOxk OwACJZru6PqmTh4br7QRDHt41E4fP4KZPpAdM7Wbiu6Ikg2h71kp+9CMdliVr7o1 +B1yVUqnihsB1IDs2grNhmuVGWG1bP7fgAON0zQa4HkvqU9p4XlDeohnZ2V9y+3n J8C7agCkos+7aKDrbv72sJ3T5sBe1dozca5pEYZyh0zGhxP8Q6c0zwhiatRY0hKw I6yeFPBQ94ez+qTCj2YU/9Nz0tFQja3UBJw9zyIJr5A/ZiporZCwe8HUp5n3bGAm JZlSM6aNdVjgbrGBjwpHSE2kSv3WpBe8EZhMA1iCbGIxwGWdz23L/Hrnqs7TFqzm kXV0bHIjbO6jNPhm0V+QqZbDCC88H54ovrLuojgW2L562n+vLDb4u3VE5yfAJ9Zk KZCqNPXm0kkSimjF5JExGBTDFpt92XY3cMYItxSCtSnebL+5OmbY90C2OnAjAIwJ qGiD/AEPRgcuJpfMvtydLo0eau5hptR4nqFY1oHEpbWCHfDycz0zhvZaTUHyVIv5 m1X8VhzBgXwKUzjkz7lBLl9R9pebBLU90KXLOJsF8j3bOUS6ddU= =7+Lt - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBZCJjIckNZI30y1K9AQil/xAAieJQ5MttmnsJes5pSjBM+Pn/ozy8psWz GiPUaPUh4E9BK4RhgamgrBr5O5C8rNT5WOka3B1C9Vwumq5NkL6ZV6gOV446P5mW bTAJf52CafnEN8k09bOK2S/kdyTwCIt93QDOycBnrcN3DJQH4iywjcuHx0hbzhmi V8Olfo+iq6fWo5n0b0f6QopHyEUE7xk8ECidOSsvITM9AQMgvFSa3r/bds15m2rn Qzy7XUtlNJtXGY5FVEikZBJ2OUN/4ZvbcmnhNeIjLRPrDwr3oe3gYEJ+6HOTEA6u OS377sUpIU8XeNRCD5QSFLoLeyDL5ovf4MI/SemyvrnxcGki8xoPcLWSgwsp3+EU cPMSkkjQ2CLRwGt9j1jHxX39Nu8YfV3n0bw/1Ed3bfKAvso6D9dihED5+ZG4h8Sc 17tyAHleWz9Mn/p2WRrgDb3X2g+95/U3t3c+BBonhRJSQwT6uFfBx/q+o3x9MMFw cfVAn6/t20WWtyyrXVLIuvXNBSUh37kr/ZIrQLHy3+2iUKRQIL/OOlavsR1G+Fdz i3jmurW+xag+ZF1sJ6geIpkAPVXVEJzngAg6Ksjilr8X06/VHgjrOMe1ChCVupkp t+IV9DXeQFzcvu0dpncp2y/gYLDC68plrAXwyMKIjJ81lXyjOKKInW53Va9BkYlb 8TaXu7WNrSE= =fQHw -----END PGP SIGNATURE-----