CVE-2023-23504: Apple Just Patched 19-Year-Old Kernel Vulnerability

This professor at Arizona State University maybe sounds a little too excited in their January 23rd research announcement:

[Found a] heap underwrite vulnerability in XNU’s dlil.c (which handles network interfaces) caused by an (uint16_t) integer overflow in if.c. This can be triggered by a root user creating 65536 total network interfaces.

[…]

From what I can tell, it seems the vulnerable code was introduced in XNU 517.3.7, Mac OSX 10.3.2, released on December 17th, 2003, making it a 19-year-old bug!

[…]

Ultimately I gave up, sent what I had to Apple, and moved on to the next bug (but I did learn a lot in the process).

That’s the unmistakable voice of a pure academic.

XNU is the kernel in Apple’s laptops, phones, tablets, watches and TVs, and the company quickly rolled the trivial fix into its January 23rd release of iOS 16.3 and iPadOS 16.3; the advisory entry carries a rather important impact detail:

Kernel

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-23504

Execute arbitrary code with kernel privileges.
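To make the bug class concrete, here is an added illustration, constructed for this post and not XNU's actual dlil.c or if.c code: a 16-bit interface index counter wraps to 0 on the 65536th allocation, so a slot computed as index minus one lands one element before the table (the heap underwrite), shown beside the usual fix of counting in a wider type and refusing the allocation once the 16-bit index space is exhausted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of an interface table: index 0 is reserved, so the
 * interface with index i is stored at table[i - 1]. Interface indices are
 * 16-bit, which leaves UINT16_MAX usable slots (1..65535). */

/* Unchecked allocator: the counter itself is uint16_t, so after handing
 * out 65535 it silently wraps to 0 instead of failing. */
static uint16_t alloc_ifindex_unchecked(uint16_t *next)
{
    return (*next)++;   /* 65535 + 1 wraps to 0 in a uint16_t */
}

/* Checked allocator: count in a wider type and refuse to hand out an
 * index that does not fit in 16 bits. */
static bool alloc_ifindex_checked(uint32_t *next, uint16_t *out)
{
    if (*next > UINT16_MAX)
        return false;          /* index space exhausted: creation fails */
    *out = (uint16_t)((*next)++);
    return true;
}

/* Create n interfaces and return the table offset (index - 1) the n-th
 * one would be written to. A negative offset means a write before the
 * start of the table, i.e. a heap underwrite. */
long simulate_unchecked(unsigned n)
{
    uint16_t next = 1, idx = 0;
    for (unsigned i = 0; i < n; i++)
        idx = alloc_ifindex_unchecked(&next);
    return (long)idx - 1;
}

/* Same simulation with the checked allocator; returns -2 (a sentinel
 * chosen for this example) when the n-th creation is refused. */
long simulate_checked(unsigned n)
{
    uint32_t next = 1;
    uint16_t idx = 0;
    for (unsigned i = 0; i < n; i++)
        if (!alloc_ifindex_checked(&next, &idx))
            return -2;
    return (long)idx - 1;
}

int main(void)
{
    printf("unchecked, 65536 interfaces: offset %ld\n", simulate_unchecked(65536));
    printf("checked,   65536 interfaces: offset %ld\n", simulate_checked(65536));
    return 0;
}
```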
