CVE-2023-41991 vulnerability in Apple Products
Published on September 21, 2023
Known Exploited Vulnerability
This Apple Multiple Products Improper Certificate Validation Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Apple iOS, iPadOS, macOS, and watchOS contain an improper certificate validation vulnerability that can allow a malicious app to bypass signature validation.
The following remediation steps are recommended / required by October 16, 2023: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2023-41991 can be exploited with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.
Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.
Products Associated with CVE-2023-41991
You can be notified by stack.watch whenever vulnerabilities like CVE-2023-41991 are published in these products:
What versions are vulnerable to CVE-2023-41991?
- Apple Macos Version 13.0 Fixed in Version 13.6
- Apple iOS Version 17.0
- Apple iOS Fixed in Version 16.7
- Apple iPad OS Fixed in Version 16.7
- Apple iPad OS Version 17.0