Exploit
CVE-2024-23222

Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)

Published: Jan 22, 2024

CVSS 8.8 | EPSS 0.18% | High

Summary

A type confusion vulnerability has been identified in Apple's Safari web browser, iOS, iPadOS, macOS, tvOS, and visionOS. Processing maliciously crafted web content may lead to arbitrary code execution. The issue requires user interaction, typically visiting a misleading website or interacting with malicious web content. The vulnerability is classified as a type confusion issue and was addressed with improved checks in the affected software.

Impact

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the victim's device with the same privileges as the user running the affected software. This could potentially lead to a complete compromise of the device's data confidentiality, integrity, and availability. The vulnerability has a CVSS v3.1 base score of 8.8 (High severity), indicating a significant risk. The attack vector is network-based, requires low attack complexity, and no privileges, but does need user interaction. The impact on confidentiality, integrity, and availability is rated as high across all three categories.

Exploitation

There is no evidence that a public proof-of-concept exists. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog. Its exploitation has been reported by various sources, including forbes.com and apple.com.

Patch

Patches are available to address this vulnerability. Apple has released software updates that fix the issue in the following versions:

- tvOS 17.3
- iOS 17.3 and iPadOS 17.3
- iOS 16.7.5 and iPadOS 16.7.5
- macOS Sonoma 14.3
- macOS Ventura 13.6.4
- macOS Monterey 12.7.3
- Safari 17.3

It is crucial to update to these patched versions immediately to mitigate the risk.

Mitigation

To mitigate this vulnerability, the following actions are recommended:

1. Apply the latest software updates from Apple to all affected devices and systems immediately.
2. Implement and maintain robust web content filtering to reduce exposure to potentially malicious websites.
3. Disable unnecessary browser functionality and plugins to reduce the attack surface.
4. Educate users about the risks of visiting untrusted websites or opening web content from unknown sources.
5. Consider implementing additional security measures such as endpoint detection and response (EDR) solutions to detect and prevent potential exploitation attempts.
6. Regularly monitor for any new updates or security advisories from Apple regarding this vulnerability.
7. Implement the principle of least privilege to minimize the potential impact if exploitation occurs.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Exploitation in the Wild

Attacks in the wild have been reported by inthewild.io.

Jan 22, 2024 at 12:00 AM / inthewild.io
Vendor Advisory

Apple released a security advisory (HT214059).

Jan 22, 2024 at 10:40 AM
Vendor Advisory

Apple released a security advisory (HT214063).

Jan 22, 2024 at 10:40 AM
Vendor Advisory

Apple released a security advisory (HT214061).

Jan 22, 2024 at 10:40 AM
Vendor Advisory

Apple released a security advisory (HT214058).

Jan 22, 2024 at 10:40 AM
Vendor Advisory

Apple released a security advisory (HT214057).

Jan 22, 2024 at 10:40 AM
Vendor Advisory

Apple released a security advisory (HT214055).

Jan 22, 2024 at 10:40 AM
Vendor Advisory

Apple released a security advisory (HT214056).

Jan 22, 2024 at 3:10 PM
CVE Assignment

NVD published the first details for CVE-2024-23222

Jan 22, 2024 at 5:15 PM

Affected Systems

Apple/tvos

Proof Of Exploit

https://support.apple.com/en-us/HT214059

Patches

Apple

References

About the security content of iOS 17.3 and iPadOS 17.3 - Apple Support (NG)
Impact: An app may be able to execute arbitrary code with kernel privileges
About the security content of iOS 16.7.5 and iPadOS 16.7.5 - Apple Support
Description: The issue was addressed with improved memory handling. Description: A privacy issue was addressed with improved private data redaction for log entries.
About the security content of visionOS 1.0.2 - Apple Support
Apple ID: HT214070. Release Date: 2024-01-31. CVE-2024-23222: A type confusion issue was addressed with improved checks. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited. Affected product: WebKit. Update available for: Apple Vision Pro.

News

Red Hat Security Advisory 2024-9680-03
Red Hat Security Advisory 2024-9680-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include code execution, out of bounds read, and use-after-free vulnerabilities.
Security Affairs newsletter Round 498 by Pierluigi Paganini – INTERNATIONAL EDITION
SECURITY AFFAIRS MALWARE NEWSLETTER
Security: Multiple issues in webkit2gtk3 (Red Hat)
* webkitgtk: Processing web content may lead to arbitrary code execution
U.S. CISA adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog
Microsoft Patch Tuesday security updates for November 2024 fix two actively exploited zero-days. Ahold Delhaize experienced a cyber incident ...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
