Impact: High
TLP Rating: Clear
CVE-2023-41991 – Apple Multiple Products Improper Certificate Validation Vulnerability.
CVE-2023-41992 – Apple Multiple Products Kernel Privilege Escalation Vulnerability.
CVE-2023-41993 – Apple Multiple Products WebKit Code Execution Vulnerability.
Release Date 25th of September 2023
CERT Vanuatu (CERTVU) and the Office of the Chief Information Officer (OGCIO) provide the following advisory of the above vulnerabilities.
On 26th of September 2023, CERT Vanuatu received an advisory from its collaborating partner, the Cybersecurity and Infrastructure Security Agency (CISA), on several Apple products affected by multiple vulnerabilities.
What is it?
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks.
Technical Details
CVE-2023-41991
Impact: Critical (Medium)
A certificate validation issue was addressed. The issue is fixed in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6, watchOS 10.0.1.
A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
CVE-2023-41992
Impact: Critical (HIGH)
The issue was addressed with improved checks. The issue is fixed in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6, macOS Monterey 12.7, watchOS 10.0.1.
A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
CVE-2023-41993
Impact: Critical (HIGH)
The issue was addressed with improved checks. The issue is fixed in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, Safari 16.6.1. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
An attacker could exploit some of these vulnerabilities to take control of an affected device.
What should I do to Stay Safe?
Get the latest software updates from Apple for the vulnerable products.
- The latest version of iOS and iPadOS is 16.7.0
- The latest version of macOS is 13.6.0
- The latest version of watchOS is 9.6.3
Note that after a software update is installed for iOS, iPadOS and watchOS, the device cannot be downgraded to a previous version. Apply mitigations per vendor instructions, or discontinue use of the product if mitigations are unavailable.
Get more details on Apple security updates and release dates at the link below: https://support.apple.com/en-gb/HT201222
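The following script is an added example, not part of the CERTVU, CISA or Apple material above. It turns the fixed versions listed in this advisory into a check that an administrator can run against a device or an exported inventory, comparing dotted version numbers field by field (a plain string comparison would rank 13.10 below 13.6). The product-to-fixed-version table is the script's own assumption built from the advisory text; version branches the advisory does not name (for example macOS 14) are reported as "unknown" rather than guessed. On a Mac it reads the running version with the standard `sw_vers -productVersion` command; elsewhere it runs over a constructed sample inventory.

```shell
#!/bin/sh
# Added example (not from the CERTVU advisory): report whether an Apple OS
# version is at or above the fixed version the advisory names for that branch.

# version_ge A B: exit 0 if dotted version A >= B, comparing numeric fields.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"                              # leading field
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi     # consume it
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"                                # missing field == 0
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# fixed_version PRODUCT INSTALLED: print the advisory's fixed version for the
# installed major branch; fail if the advisory does not name that branch.
# (Assumed table, built only from the versions quoted in the advisory.)
fixed_version() {
  major="${2%%.*}"
  case "$1:$major" in
    iOS:16|iPadOS:16)   echo "16.7" ;;
    iOS:17|iPadOS:17)   echo "17.0.1" ;;
    macOS:12)           echo "12.7" ;;      # Monterey, CVE-2023-41992
    macOS:13)           echo "13.6" ;;      # Ventura
    watchOS:9)          echo "9.6.3" ;;
    watchOS:10)         echo "10.0.1" ;;
    *)                  return 1 ;;
  esac
}

# patch_status PRODUCT INSTALLED: print "patched", "vulnerable" or "unknown".
patch_status() {
  if min=$(fixed_version "$1" "$2"); then
    if version_ge "$2" "$min"; then echo "patched"; else echo "vulnerable"; fi
  else
    echo "unknown"
  fi
}

# On a Mac, check the running system. Elsewhere, run over a constructed
# sample inventory (product, version) of the kind an MDM export provides.
if [ "$(uname)" = "Darwin" ]; then
  v=$(sw_vers -productVersion)
  echo "macOS $v: $(patch_status macOS "$v")"
else
  printf '%s\n' "iOS 16.6.1" "iOS 17.0" "iPadOS 16.7" \
                "macOS 13.6.1" "macOS 14.0" "watchOS 10.0" |
  while read -r product version; do
    echo "$product $version: $(patch_status "$product" "$version")"
  done
fi
```

Two results are worth noting: iOS 17.0 is reported as vulnerable even though it is newer than 16.7, because the advisory's fix for the 17 branch is 17.0.1, and any branch the advisory does not mention is left as "unknown" so it is reviewed by hand rather than silently passed.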
References
- https://www.cisa.gov/news-events/alerts/2023/09/25/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://nvd.nist.gov/vuln/detail/CVE-2023-41991
- https://nvd.nist.gov/vuln/detail/CVE-2023-41992
- https://nvd.nist.gov/vuln/detail/CVE-2023-4199
- http://seclists.org/fulldisclosure/2023/Sep/14
- Download advisory (English): CVE-2023-41991 – Apple Multiple Products Improper Certificate Validation Vulnerability.
- Download advisory (Bislama): CVE-2023-41991 – Vulnerabiliti long ol Apple prodak
- Download advisory (French): CVE-2023-41991 - Produits Apple - Defaut de verification de certificat