⚠ Actively exploited

Added to CISA KEV on 2024-01-08. Federal agencies required to patch by 2024-01-29. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2023-41990 — Apple IOS AND Ipados vulnerability

18 documents8 sources

Severity

7.8HIGHNVD

EPSS

2.7%

top 14.12%

CISA KEV

KEV

Added 2024-01-08

Due 2024-01-29

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apple IOS AND Ipados Apple Macos Apple Tvos +8 more

Timeline

PublishedSep 12

KEV addedJan 8

Latest updateJan 9

KEV dueJan 29

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

The issue was addressed with improved handling of caches. This issue is fixed in tvOS 16.3, iOS 16.3 and iPadOS 16.3, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Ventura 13.2, watchOS 9.3. Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages16 packages

▶Appleapple/macos_ventura13.2

▶Appleapple/macos_monterey12.6.8

▶CVEListV5apple/macosunspecified — 11.7+2

▶NVDapple/macos12.0.0 — 12.6.8+2

▶Appleapple/macos_big_sur11.7.9

🔴Vulnerability Details

GHSA

GHSA-pc7v-gfwg-hjx7: The issue was addressed with improved handling of caches↗2023-09-12

▶

VulnCheck

Apple Multiple Products Code Execution Vulnerability↗2023

▶

📋Vendor Advisories

CISA

Apple Multiple Products Code Execution Vulnerability↗2024-01-08

▶

Apple

CVE-2023-41990: iOS 15.7.8 and iPadOS 15.7.8↗2023-07-24

▶

Apple

CVE-2023-41990: macOS Monterey 12.6.8↗2023-07-24

▶

Apple

CVE-2023-41990: macOS Big Sur 11.7.9↗2023-07-24

▶

Apple

CVE-2023-41990: tvOS 16.3↗2023-01-24

▶

🕵️Threat Intelligence

Bleepingcomputer

CISA warns agencies of fourth flaw used in Triangulation spyware attacks↗2024-01-09

▶

Sentinelone

Protecting macOS | 7 Strategies for Enterprise Security in 2024↗2024-01-02

▶

Sentinelone

Protecting macOS | 7 Strategies for Enterprise Security in 2024↗2024-01-02

▶

Bleepingcomputer

The biggest cybersecurity and cyberattack stories of 2023↗2024-01-01

▶

Securelist

Operation Triangulation: The last (hardware) mystery↗2023-12-27

▶