Apple has released a security advisory for the latest zero-day vulnerability in its iOS system. The vulnerability was disclosed on 13th February 2023 and has been assigned CVE-2023-23529. The vulnerable component is Apple iOS.
Description of Vulnerability
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when parsing web content in WebKit. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Associated CWE
CWE-843 – Access of Resource Using Incompatible Type (‘Type Confusion’)
CWE-843 is a weakness in software security that is categorized as “Access of Resource Using Incompatible Type (‘Type Confusion’)” by the Common Weakness Enumeration (CWE) standard. This weakness arises when a program attempts to access a resource using a data type that is incompatible with the actual type of the resource, which can lead to unexpected behavior, including crashes or security vulnerabilities.
Type confusion vulnerabilities are a specific type of memory safety vulnerability that occurs when a program interprets a block of memory as a data type that is different from the actual type of the memory. This can happen when a program performs an unsafe cast, for example, by converting a pointer from one data type to another without checking whether the memory being pointed to actually has the expected data type.
One common setting for type confusion vulnerabilities is the handling of JavaScript objects in web browsers. When a web page uses JavaScript, it can create objects that contain various properties and methods. These objects are typically implemented as a combination of pointers and metadata that describe the object’s structure. If an attacker can modify the metadata of an object, they may be able to cause the program to interpret the object as a different type than intended, potentially allowing the attacker to execute arbitrary code or perform other malicious actions.
Type confusion vulnerabilities can also occur in other types of programs that use dynamic memory allocation, such as programs written in C or C++. These languages provide low-level memory management capabilities, which can be used to create data structures that are vulnerable to type confusion. For example, a program might allocate a block of memory to hold one type of data, but later access the same memory as if it held a different type of data.
To prevent type confusion vulnerabilities, developers can use a variety of techniques, including safe type conversions, runtime type checking, and other forms of input validation. They can also use programming languages that provide stronger memory safety guarantees, such as Java or Rust. Finally, it is important to keep software up-to-date with the latest security patches and to follow best practices for secure software development, including code reviews and vulnerability scanning.
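The following is an added C example (constructed for this page, not WebKit or Apple code) that illustrates the C/C++ pattern and the runtime type check from the two paragraphs above: two object kinds share a header, an unchecked accessor reads one kind as the other (CWE-843), and a checked accessor verifies the type tag first. The object layout, type names and the 42.0 bit pattern are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed object model (not WebKit's): two object kinds that share a
 * common header, as a dynamic-language runtime might lay them out. */
enum kind { KIND_NUMBER = 1, KIND_STRING = 2 };
struct header     { enum kind kind; };
struct number_obj { struct header hdr; double value; };
struct string_obj { struct header hdr; uint64_t len; const char *data; };

/* Vulnerable accessor: trusts that obj is a number_obj and never checks the
 * tag. If obj is really a string_obj, the bytes of `len` sit at the same
 * offset as `value`, so caller-controlled data is read as a double (CWE-843).
 * memcpy stands in for ((struct number_obj *)obj)->value so that the
 * demonstration is well-defined C rather than a strict-aliasing violation. */
double number_value_unchecked(const void *obj) {
    double v;
    memcpy(&v, (const char *)obj + offsetof(struct number_obj, value), sizeof v);
    return v;
}

/* Hardened accessor: runtime type check before the cast. On a mismatch it
 * refuses the access and reports the failure through *ok. */
double number_value_checked(const void *obj, int *ok) {
    const struct header *h = obj;
    if (h->kind != KIND_NUMBER) { *ok = 0; return 0.0; }
    *ok = 1;
    return ((const struct number_obj *)obj)->value;
}

/* A string object whose length field holds the IEEE-754 bit pattern of 42.0
 * (constructed value), read through the unchecked accessor. Returns 42.0:
 * the length bytes were silently reinterpreted as a number. */
double confused_read(void) {
    struct string_obj s = { { KIND_STRING }, 0x4045000000000000ULL, "abc" };
    if (offsetof(struct number_obj, value) != offsetof(struct string_obj, len))
        return -1.0; /* layout differs on this platform; demo not applicable */
    return number_value_unchecked(&s);
}
```

Passing the same string object to number_value_checked yields ok == 0, which is the behaviour a runtime type check is meant to guarantee.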
CVSS Score
9.6 Critical
The CVSS score for the string “CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C” is 9.6.
This score is based on the Common Vulnerability Scoring System (CVSS) version 3.1, which is a framework used to assess the severity of security vulnerabilities. The score is determined by analyzing various attributes of the vulnerability, including the attack vector (AV), attack complexity (AC), privileges required (PR), user interaction (UI), scope (S), confidentiality impact (C), integrity impact (I), availability impact (A), exploit code maturity (E), remediation level (RL), and report confidence (RC).
In this case, the vulnerability has a base score of 9.6, indicating a high severity level, with a vector string of AV:N/AC:L/PR:N/UI:R/S:U, which means that the vulnerability can be exploited remotely without authentication, has low complexity, does not require any privileges, does not require user interaction, and impacts the availability of the affected system. The confidentiality, integrity, and availability impact metrics are all rated as high (C:H/I:H/A:H), while the exploit code maturity is rated as high (E:H), indicating that the vulnerability is being actively exploited in the wild. Finally, the remediation level is rated as “official fix not yet available” (RL:O), and the report confidence is rated as “confirmed” (RC:C).