Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.1834
macOS Ventura 13.3
28 March 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: macOS Ventura
Publisher: Apple
Operating System: macOS
Resolution: Patch/Upgrade
CVE Names: CVE-2023-28200 CVE-2023-28192 CVE-2023-28190
CVE-2023-28182 CVE-2023-28181 CVE-2023-28180
CVE-2023-28178 CVE-2023-27969 CVE-2023-27968
CVE-2023-27965 CVE-2023-27963 CVE-2023-27962
CVE-2023-27961 CVE-2023-27958 CVE-2023-27957
CVE-2023-27956 CVE-2023-27955 CVE-2023-27954
CVE-2023-27953 CVE-2023-27952 CVE-2023-27951
CVE-2023-27949 CVE-2023-27946 CVE-2023-27944
CVE-2023-27943 CVE-2023-27942 CVE-2023-27941
CVE-2023-27937 CVE-2023-27936 CVE-2023-27935
CVE-2023-27934 CVE-2023-27933 CVE-2023-27932
CVE-2023-27931 CVE-2023-27929 CVE-2023-27928
CVE-2023-23543 CVE-2023-23542 CVE-2023-23538
CVE-2023-23537 CVE-2023-23535 CVE-2023-23534
CVE-2023-23533 CVE-2023-23532 CVE-2023-23527
CVE-2023-23526 CVE-2023-23525 CVE-2023-23523
CVE-2023-23514 CVE-2023-0512 CVE-2023-0433
CVE-2023-0288 CVE-2023-0054 CVE-2023-0051
CVE-2023-0049 CVE-2022-43552 CVE-2022-43551
Original Bulletin:
https://support.apple.com/HT213670
Comment: CVSS (Max): 7.8* CVE-2023-23514 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: NVD
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* Not all CVSS available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2023-03-27-3 macOS Ventura 13.3
macOS Ventura 13.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213670.
AMD
Available for: macOS Ventura
Impact: An app may be able to cause unexpected system termination or
write kernel memory
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2023-27968: ABC Research s.r.o.
Apple Neural Engine
Available for: macOS Ventura
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved checks.
CVE-2023-23532: Mohamed Ghannam (@_simo36)
AppleMobileFileIntegrity
Available for: macOS Ventura
Impact: A user may gain access to protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2023-23527: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by removing the vulnerable
code.
CVE-2023-27931: Mickey Jin (@patch1t)
Archive Utility
Available for: macOS Ventura
Impact: An archive may be able to bypass Gatekeeper
Description: The issue was addressed with improved checks.
CVE-2023-27951: Brandon Dalton of Red Canary and Csaba Fitzl
(@theevilbit) of Offensive Security
Calendar
Available for: macOS Ventura
Impact: Importing a maliciously crafted calendar invitation may
exfiltrate user information
Description: Multiple validation issues were addressed with improved
input sanitization.
CVE-2023-27961: Riza Sabuncu - twitter.com/rizasabuncu
Camera
Available for: macOS Ventura
Impact: A sandboxed app may be able to determine which app is
currently using the camera
Description: The issue was addressed with additional restrictions on
the observability of app states.
CVE-2023-23543: Yigit Can YILMAZ (@yilmazcanyigit)
Carbon Core
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may result in
disclosure of process memory
Description: The issue was addressed with improved checks.
CVE-2023-23534: Mickey Jin (@patch1t)
ColorSync
Available for: macOS Ventura
Impact: An app may be able to read arbitrary files
Description: The issue was addressed with improved checks.
CVE-2023-27955: JeongOhKyea
CommCenter
Available for: macOS Ventura
Impact: An app may be able to cause unexpected system termination or
write kernel memory
Description: An out-of-bounds write issue was addressed with improved
input validation.
CVE-2023-27936: Tingting Yin of Tsinghua University
CoreCapture
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-28181: Tingting Yin of Tsinghua University
curl
Available for: macOS Ventura
Impact: Multiple issues in curl
Description: Multiple issues were addressed by updating curl.
CVE-2022-43551
CVE-2022-43552
dcerpc
Available for: macOS Ventura
Impact: A remote user may be able to cause unexpected app termination
or arbitrary code execution
Description: A memory initialization issue was addressed.
CVE-2023-27934: Aleksandar Nikolic of Cisco Talos
dcerpc
Available for: macOS Ventura
Impact: A user in a privileged network position may be able to cause
a denial-of-service
Description: A denial-of-service issue was addressed with improved
memory handling.
CVE-2023-28180: Aleksandar Nikolic of Cisco Talos
dcerpc
Available for: macOS Ventura
Impact: A remote user may be able to cause unexpected app termination
or arbitrary code execution
Description: The issue was addressed with improved bounds checks.
CVE-2023-27935: Aleksandar Nikolic of Cisco Talos
dcerpc
Available for: macOS Ventura
Impact: A remote user may be able to cause unexpected system
termination or corrupt kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2023-27953: Aleksandar Nikolic of Cisco Talos
CVE-2023-27958: Aleksandar Nikolic of Cisco Talos
Display
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2023-27965: Proteas of Pangu Lab
FaceTime
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed by moving sensitive data
to a more secure location.
CVE-2023-28190: Joshua Jones
Find My
Available for: macOS Ventura
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-23537: an anonymous researcher
FontParser
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may result in
disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-27956: Ye Zhang of Baidu Security
Foundation
Available for: macOS Ventura
Impact: Parsing a maliciously crafted plist may lead to an unexpected
app termination or arbitrary code execution
Description: An integer overflow was addressed with improved input
validation.
CVE-2023-27937: an anonymous researcher
iCloud
Available for: macOS Ventura
Impact: A file from an iCloud shared-by-me folder may be able to
bypass Gatekeeper
Description: This was addressed with additional checks by Gatekeeper
on files downloaded from an iCloud shared-by-me folder.
CVE-2023-23526: Jubaer Alnazi of TRS Group of Companies
Identity Services
Available for: macOS Ventura
Impact: An app may be able to access information about a userÂ’s
contacts
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security
ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may result in
disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-23535: ryuzaki
ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may result in
disclosure of process memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz
Innovation Lab and jzhu working with Trend Micro Zero Day Initiative
ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted file may lead to unexpected
app termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2023-27946: Mickey Jin (@patch1t)
ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted file may lead to unexpected
app termination or arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2023-27957: Yigit Can YILMAZ (@yilmazcanyigit)
Kernel
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google
Project Zero
CVE-2023-27969: Adam Doupé of ASU SEFCOM
Kernel
Available for: macOS Ventura
Impact: An app with root privileges may be able to execute arbitrary
code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-27933: sqrtpwn
Kernel
Available for: macOS Ventura
Impact: An app may be able to disclose kernel memory
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed with improved input
validation.
CVE-2023-27941: Arsenii Kostromin (0x3c3e)
Kernel
Available for: macOS Ventura
Impact: An app may be able to disclose kernel memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2023-28200: Arsenii Kostromin (0x3c3e)
LaunchServices
Available for: macOS Ventura
Impact: Files downloaded from the internet may not have the
quarantine flag applied
Description: This issue was addressed with improved checks.
CVE-2023-27943: an anonymous researcher, Brandon Dalton, Milan Tenk,
and Arthur Valiev
LaunchServices
Available for: macOS Ventura
Impact: An app may be able to gain root privileges
Description: This issue was addressed with improved checks.
CVE-2023-23525: Mickey Jin (@patch1t)
Model I/O
Available for: macOS Ventura
Impact: Processing a maliciously crafted file may lead to unexpected
app termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2023-27949: Mickey Jin (@patch1t)
NetworkExtension
Available for: macOS Ventura
Impact: A user in a privileged network position may be able to spoof
a VPN server that is configured with EAP-only authentication on a
device
Description: The issue was addressed with improved authentication.
CVE-2023-28182: Zhuowei Zhang
PackageKit
Available for: macOS Ventura
Impact: An app may be able to modify protected parts of the file
system
Description: A logic issue was addressed with improved checks.
CVE-2023-23538: Mickey Jin (@patch1t)
CVE-2023-27962: Mickey Jin (@patch1t)
Photos
Available for: macOS Ventura
Impact: Photos belonging to the Hidden Photos Album could be viewed
without authentication through Visual Lookup
Description: A logic issue was addressed with improved restrictions.
CVE-2023-23523: developStorm
Podcasts
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: The issue was addressed with improved checks.
CVE-2023-27942: Mickey Jin (@patch1t)
Safari
Available for: macOS Ventura
Impact: An app may bypass Gatekeeper checks
Description: A race condition was addressed with improved locking.
CVE-2023-27952: Csaba Fitzl (@theevilbit) of Offensive Security
Sandbox
Available for: macOS Ventura
Impact: An app may be able to modify protected parts of the file
system
Description: A logic issue was addressed with improved checks.
CVE-2023-23533: Mickey Jin (@patch1t), Koh M. Nakagawa of FFRI
Security, Inc., and Csaba Fitzl (@theevilbit) of Offensive Security
Sandbox
Available for: macOS Ventura
Impact: An app may be able to bypass Privacy preferences
Description: A logic issue was addressed with improved validation.
CVE-2023-28178: Yigit Can YILMAZ (@yilmazcanyigit)
Shortcuts
Available for: macOS Ventura
Impact: A shortcut may be able to use sensitive data with certain
actions without prompting the user
Description: The issue was addressed with additional permissions
checks.
CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and
Wenchao Li and Xiaolong Bai of Alibaba Group
System Settings
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-23542: an anonymous researcher
System Settings
Available for: macOS Ventura
Impact: An app may be able to read sensitive location information
Description: A permissions issue was addressed with improved
validation.
CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)
TCC
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by removing the vulnerable
code.
CVE-2023-27931: Mickey Jin (@patch1t)
Vim
Available for: macOS Ventura
Impact: Multiple issues in Vim
Description: Multiple issues were addressed by updating to Vim
version 9.0.1191.
CVE-2023-0049
CVE-2023-0051
CVE-2023-0054
CVE-2023-0288
CVE-2023-0433
CVE-2023-0512
WebKit
Available for: macOS Ventura
Impact: Processing maliciously crafted web content may bypass Same
Origin Policy
Description: This issue was addressed with improved state management.
CVE-2023-27932: an anonymous researcher
WebKit
Available for: macOS Ventura
Impact: A website may be able to track sensitive user information
Description: The issue was addressed by removing origin information.
CVE-2023-27954: an anonymous researcher
XPC
Available for: macOS Ventura
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with a new entitlement.
CVE-2023-27944: Mickey Jin (@patch1t)
Additional recognition
Activation Lock
We would like to acknowledge Christian Mina for their assistance.
AppleScript
We would like to acknowledge Mickey Jin (@patch1t) for their
assistance.
CFNetwork
We would like to acknowledge an anonymous researcher for their
assistance.
Control Center
We would like to acknowledge an anonymous researcher for their
assistance.
CoreServices
We would like to acknowledge Mickey Jin (@patch1t) for their
assistance.
dcerpc
We would like to acknowledge Aleksandar Nikolic of Cisco Talos for
their assistance.
FaceTime
We would like to acknowledge Sajan Karki for their assistance.
file_cmds
We would like to acknowledge Lukas Zronek for their assistance.
Git
We would like to acknowledge for their assistance.
Heimdal
We would like to acknowledge Evgeny Legerov of Intevydis for their
assistance.
ImageIO
We would like to acknowledge Meysam Firouzi @R00tkitSMM for their
assistance.
Mail
We would like to acknowledge Chen Zhang, Fabian Ising of FH Münster
University of Applied Sciences, Damian Poddebniak of FH Münster
University of Applied Sciences, Tobias Kappert of Münster University
of Applied Sciences, Christoph Saatjohann of Münster University of
Applied Sciences, Sebast, and Merlin Chlosta of CISPA Helmholtz
Center for Information Security for their assistance.
NSOpenPanel
We would like to acknowledge Alexandre Colucci (@timacfr) for their
assistance.
quarantine
We would like to acknowledge Koh M. Nakagawa of FFRI Security, Inc.
for their assistance.
Safari Downloads
We would like to acknowledge Andrew Gonzalez for their assistance.
WebKit
We would like to acknowledge an anonymous researcher for their
assistance.
WebKit Web Inspector
We would like to acknowledge Dohyun Lee (@l33d0hyun) and crixer
(@pwning_me) of SSD Labs for their assistance.
Wi-Fi
We would like to acknowledge an anonymous researcher for their
assistance.
macOS Ventura 13.3 may be obtained from the Mac App Store or Apple's
Software Downloads web site: https://support.apple.com/downloads/
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHnwACgkQ4RjMIDke
NxlDUw/8COhSvqsTrIJtGhMmZJ83+R9pZPGZIhY0eOZbFp+yCFBRYE9IIzv785uM
LQ+2ZsBqCtsMp3ZDhYFvEvigGPnCpfnZrd/JBsPXz7O6HfSG2whOIHtSu+LAvOxk
OwACJZru6PqmTh4br7QRDHt41E4fP4KZPpAdM7Wbiu6Ikg2h71kp+9CMdliVr7o1
+B1yVUqnihsB1IDs2grNhmuVGWG1bP7fgAON0zQa4HkvqU9p4XlDeohnZ2V9y+3n
J8C7agCkos+7aKDrbv72sJ3T5sBe1dozca5pEYZyh0zGhxP8Q6c0zwhiatRY0hKw
I6yeFPBQ94ez+qTCj2YU/9Nz0tFQja3UBJw9zyIJr5A/ZiporZCwe8HUp5n3bGAm
JZlSM6aNdVjgbrGBjwpHSE2kSv3WpBe8EZhMA1iCbGIxwGWdz23L/Hrnqs7TFqzm
kXV0bHIjbO6jNPhm0V+QqZbDCC88H54ovrLuojgW2L562n+vLDb4u3VE5yfAJ9Zk
KZCqNPXm0kkSimjF5JExGBTDFpt92XY3cMYItxSCtSnebL+5OmbY90C2OnAjAIwJ
qGiD/AEPRgcuJpfMvtydLo0eau5hptR4nqFY1oHEpbWCHfDycz0zhvZaTUHyVIv5
m1X8VhzBgXwKUzjkz7lBLl9R9pebBLU90KXLOJsF8j3bOUS6ddU=
=7+Lt
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZCJjIckNZI30y1K9AQil/xAAieJQ5MttmnsJes5pSjBM+Pn/ozy8psWz
GiPUaPUh4E9BK4RhgamgrBr5O5C8rNT5WOka3B1C9Vwumq5NkL6ZV6gOV446P5mW
bTAJf52CafnEN8k09bOK2S/kdyTwCIt93QDOycBnrcN3DJQH4iywjcuHx0hbzhmi
V8Olfo+iq6fWo5n0b0f6QopHyEUE7xk8ECidOSsvITM9AQMgvFSa3r/bds15m2rn
Qzy7XUtlNJtXGY5FVEikZBJ2OUN/4ZvbcmnhNeIjLRPrDwr3oe3gYEJ+6HOTEA6u
OS377sUpIU8XeNRCD5QSFLoLeyDL5ovf4MI/SemyvrnxcGki8xoPcLWSgwsp3+EU
cPMSkkjQ2CLRwGt9j1jHxX39Nu8YfV3n0bw/1Ed3bfKAvso6D9dihED5+ZG4h8Sc
17tyAHleWz9Mn/p2WRrgDb3X2g+95/U3t3c+BBonhRJSQwT6uFfBx/q+o3x9MMFw
cfVAn6/t20WWtyyrXVLIuvXNBSUh37kr/ZIrQLHy3+2iUKRQIL/OOlavsR1G+Fdz
i3jmurW+xag+ZF1sJ6geIpkAPVXVEJzngAg6Ksjilr8X06/VHgjrOMe1ChCVupkp
t+IV9DXeQFzcvu0dpncp2y/gYLDC68plrAXwyMKIjJ81lXyjOKKInW53Va9BkYlb
8TaXu7WNrSE=
=fQHw
-----END PGP SIGNATURE-----