CVE-2023-23524
published 2023-02-27


Priority: P277 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
In the wild: VulnCheck KEV, exploited in the wild
EPSS: 0.60% (44.5th percentile)
A denial-of-service issue was addressed with improved input validation. This issue is fixed in tvOS 16.3.2, iOS 16.3.1 and iPadOS 16.3.1, watchOS 9.3.1, macOS Ventura 13.2.1. Processing a maliciously crafted certificate may lead to a denial-of-service.

Affected

13 ranges
Vendor   Product                  Version range             Fixed in
apple    ios_16.3.1_and_ipados
apple    ios_and_ipados           >= unspecified < 16.3     16.3
apple    ipados                   < 16.3.1                  16.3.1
apple    iphone_os                < 16.3.1                  16.3.1
apple    macos                    < 13.2.1                  13.2.1
apple    macos                    >= unspecified < 13.2     13.2
apple    macos_ventura
apple    tvos                     < 16.3.2                  16.3.2
apple    tvos
apple    tvos                     >= unspecified < 16.3     16.3
apple    watchos                  < 9.3.1                   9.3.1
apple    watchos
apple    watchos                  >= unspecified < 9.3      9.3

Detection & IOCs (extracted from sources)

  • The denial of service is triggered by a malicious certificate chain submitted to any code path that performs X.509 certificate validation, for example a TLS server validating client certificates; building the policy tree for such a chain consumes exponential memory and CPU.
  • The root cause is exponential growth of the valid_policy_tree: a single policy P can produce multiple child nodes when several issuer policies map to P (step d.1 of RFC 5280 Section 6.1.3), so the tree size is multiplied at every level of the certificate chain.
  • The vulnerability affects X.509 policy validation on Apple platforms; fixed versions are tvOS 16.3.2, iOS 16.3.1, iPadOS 16.3.1, watchOS 9.3.1, and macOS Ventura 13.2.1. Detection should focus on unpatched versions of these platforms.
  • The exponential growth exists specifically in the RFC 5280 policy tree algorithm; implementations that have replaced the policy tree with a policy graph (as described in RFC 9618) are not vulnerable to this attack vector.
  • Alternative mitigations for implementations that cannot adopt the policy graph include: verifying signatures before policy processing, limiting certificate chain depth, limiting policy tree size, inhibiting policy mapping, or disabling policy checking entirely.
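The following is an added illustration of the growth described in the second bullet and of two of the mitigations above (a cap on policy tree size, and the RFC 9618 policy graph); it is not Apple's code and not from the sources this page quotes. It assumes a minimal model in which a certificate is only its certificatePolicies list and its policyMappings pairs (the `Cert`, `Node`, `build_policy_tree`, `policy_graph_sizes`, `fits_in_cap` and `make_chain` names are illustrative); there is no X.509 parsing, no signature checking, and the inhibit/skip counters of RFC 5280 are left out because they do not change the growth pattern. The sample chain is constructed by `make_chain` and is not a real certificate set.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ANY_POLICY = "anyPolicy"


@dataclass
class Cert:
    """Only the two extension bodies the policy tree algorithm consumes (model, not X.509)."""
    policies: Tuple[str, ...]                    # certificatePolicies OIDs
    mappings: Tuple[Tuple[str, str], ...] = ()   # (issuerDomainPolicy, subjectDomainPolicy)


@dataclass
class Node:
    valid_policy: str
    expected_policy_set: frozenset


class PolicyTreeTooLarge(Exception):
    """Raised by the capped builder instead of growing without bound."""


def _mapping_table(cert: Cert) -> Dict[str, Set[str]]:
    """issuerDomainPolicy -> set of subjectDomainPolicy values carried by this cert."""
    table: Dict[str, Set[str]] = {}
    for idp, sdp in cert.mappings:
        table.setdefault(idp, set()).add(sdp)
    return table


def build_policy_tree(chain: List[Cert], max_nodes: Optional[int] = None) -> List[int]:
    """Build the valid_policy_tree depth by depth; return the node count at each depth.

    RFC 5280 6.1.3 step d.1: each policy P asserted by certificate i gets a child under
    every depth i-1 node whose expected_policy_set contains P (or anyPolicy).
    RFC 5280 6.1.4 step b.1: mappings in certificate i then rewrite the expected_policy_set
    of the nodes just created.  max_nodes=None is the unbounded (vulnerable) behaviour;
    a cap is the "limit policy tree size" mitigation and aborts the build early.
    """
    frontier = [Node(ANY_POLICY, frozenset({ANY_POLICY}))]
    counts, total = [1], 1
    for cert in chain:
        next_frontier: List[Node] = []
        for parent in frontier:
            for p in cert.policies:
                if p in parent.expected_policy_set or ANY_POLICY in parent.expected_policy_set:
                    next_frontier.append(Node(p, frozenset({p})))
                    total += 1
                    if max_nodes is not None and total > max_nodes:
                        raise PolicyTreeTooLarge(
                            f"policy tree exceeded {max_nodes} nodes at certificate {len(counts)}")
        mapped = _mapping_table(cert)
        for node in next_frontier:          # apply the policy mappings of this certificate
            if node.valid_policy in mapped:
                node.expected_policy_set = frozenset(mapped[node.valid_policy])
        frontier = next_frontier
        counts.append(len(frontier))
    return counts


def policy_graph_sizes(chain: List[Cert]) -> List[int]:
    """Same walk with the RFC 9618 policy graph: one node per (depth, valid_policy).

    Nodes with the same valid_policy at one depth are merged, so a level can never
    hold more nodes than the certificate asserts policies; growth stays linear.
    """
    expected: Dict[str, frozenset] = {ANY_POLICY: frozenset({ANY_POLICY})}
    sizes = [1]
    for cert in chain:
        reachable: Set[str] = set().union(*expected.values())
        level = {p: frozenset({p}) for p in cert.policies
                 if p in reachable or ANY_POLICY in reachable}
        mapped = _mapping_table(cert)
        for p in level:
            if p in mapped:
                level[p] = frozenset(mapped[p])
        expected = level
        sizes.append(len(level))
    return sizes


def fits_in_cap(chain: List[Cert], max_nodes: int) -> bool:
    """True if the capped builder completes, False if it aborts on the cap."""
    try:
        build_policy_tree(chain, max_nodes)
        return True
    except PolicyTreeTooLarge:
        return False


def make_chain(n_policies: int, depth: int) -> List[Cert]:
    """Constructed worst-case chain (not real certificates): every certificate asserts
    P1..Pn and maps each Pi to every Pj, so each depth multiplies the tree by n."""
    policies = tuple(f"P{i}" for i in range(1, n_policies + 1))
    mappings = tuple((a, b) for a in policies for b in policies)
    return [Cert(policies, mappings) for _ in range(depth)]


if __name__ == "__main__":
    chain = make_chain(3, 4)
    print("tree nodes per depth :", build_policy_tree(chain))        # [1, 3, 9, 27, 81]
    print("graph nodes per depth:", policy_graph_sizes(chain))       # [1, 3, 3, 3, 3]
    print("completes under a 100-node cap:", fits_in_cap(chain, 100))  # False
```

Running the block shows the tree level sizes growing as 3^depth while the graph stays at three nodes per level for the same chain; the 100-node cap is an arbitrary value chosen for the demonstration, and a real validator would pick a limit well above what legitimate chains produce and treat hitting it as a validation failure rather than a crash.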

CVSS provenance

NVD: CVSS v3.1 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
VulnCheck: 7.5 HIGH