Apple Security Advisory 09-26-2023-4 - macOS Ventura 13.6 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-4 Additional information for APPLE-SA-2023-09-21-6 macOS Ventura 13.6

macOS Ventura 13.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213931.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
Entry added September 26, 2023

Apple Neural Engine  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-41071: Mohamed GHANNAM (@_simo36)  
Entry added September 26, 2023

Apple Neural Engine  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai  
Entry added September 26, 2023

Biometric Authentication  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-41232: Liang Wei of PixiePoint Security  
Entry added September 26, 2023

ColorSync  
Available for: macOS Ventura  
Impact: An app may be able to read arbitrary files  
Description: The issue was addressed with improved checks.  
CVE-2023-40406: JeongOhKyea of Theori  
Entry added September 26, 2023

CoreAnimation  
Available for: macOS Ventura  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic  
Entry added September 26, 2023

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.  
Entry added September 26, 2023

Kernel  
Available for: macOS Ventura  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)  
Entry added September 26, 2023

Kernel  
Available for: macOS Ventura  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)  
Entry added September 26, 2023

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)  
Entry added September 26, 2023

libxslt  
Available for: macOS Ventura  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security  
Entry added September 26, 2023

Maps  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)  
Entry added September 26, 2023

Pro Res  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41063: Certik Skyfall Team  
Entry added September 26, 2023

Sandbox  
Available for: macOS Ventura  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)  
Entry added September 26, 2023

Sandbox  
Available for: macOS Ventura  
Impact: Apps that fail verification checks may still launch  
Description: The issue was addressed with improved checks.  
CVE-2023-41996: Yiğit Can YILMAZ (@yilmazcanyigit) and Mickey Jin  
(@patch1t)  
Entry added September 26, 2023

Security  
Available for: macOS Ventura  
Impact: A malicious app may be able to bypass signature  
validation. Apple is aware of a report that this issue may have been  
actively exploited against versions of iOS before iOS 16.7.  
Description: A certificate validation issue was addressed.  
CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Share Sheet  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive data logged when a user  
shares a link  
Description: A logic issue was addressed with improved checks.  
CVE-2023-41070: Kirin (@Pwnrin)  
Entry added September 26, 2023

StorageKit  
Available for: macOS Ventura  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t), James Hutchins  
Entry added September 26, 2023

Additional recognition

AppSandbox  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.  
Entry added September 26, 2023

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google  
Project Zero for their assistance.  
Entry added September 26, 2023

WebKit  
We would like to acknowledge Khiem Tran, and Narendra Bhati From Suma  
Soft Pvt. Ltd, Pune (India) for their assistance.  
Entry added September 26, 2023

WebRTC  
We would like to acknowledge anonymous researcher for their assistance.  
Entry added September 26, 2023

macOS Ventura 13.6 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJcACgkQX+5d1TXa  
Ivrutw/+Ol5wjstHEfGsIssJnU3b7HQCOvYrKn1SS6tZSVfh7AGB3wsqAn5RWSef  
bPnbHweF7/RFr87JIQcC0I/4gndXoLue4C0yr5zOS1QvH4F/WgUgoOgrJwMg0EfK  
vLWivfNuQyYPgmcmY9wQSJoaV+Rtty6v+EcefPWKMudWJ106javKmJM91TAaKYlv  
t+IRVudrG7ZElxIIMKRdwICbhx/AFpCApRIzkYj+pMLMnPyOtxg40Qa+a8bteM0q  
Yc2Q/muAfDDJfgKUPGDh6OlnGsz9ThcxwTVwy7dlC4ekGRjTReQ4iMBpw/vJhWjV  
SpheUsyNnmuPnOT79FpZN1OwWSlgogtmPdgjKhzoHBpoV9hHf1d3ZP/7kQY1E3NC  
OBIG7Jl2Yf/g3ynsL/fVW60c833d2HGGiXfF+OW4D11XF73fovh1qPUMTGHV67m+  
hnuSJEEVZBbRH0sicxCAlAT1IN3JW91wgSxGvAVQ3D83uARvqJJHPjr0GU4jbXBK  
GkZlI6/ATOT9vYRtlRL1oXKMsl9Mz+WUYGqjhtGJhxHSAz/I4nNTN/HIb0aoEOqo  
7mi86X2Etc+3jy2Y5Injqbyqre+Jybg2JiO+DggHhTBV2y02yScxhWGroO3dmJpL  
bEcR+YXsUs51E6fcUYag6CVi9Bi4F5nXHVw9Bs8TXmR/IPfO4NQ=  
=FJcW  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-4

Apple Security Advisory 09-26-2023-2 - macOS Sonoma 14 addresses buffer overflow, bypass, code execution, out of bounds read, resource exhaustion, spoofing, and use-after-free vulnerabilities.

Apple Security Advisory 09-26-2023-2

Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm prior to 7.14.1.

Expand Up

@@ -2521,12 +2521,12 @@ public function cleanBean()

}

  

if (isset($def\['type'\]) && ($def\['type'\] == 'html' || $def\['type'\] == 'longhtml')) {

$this\->$key = htmlentities((string) SugarCleaner::cleanHtml($this\->$key, true));

$this\->$key = purify\_html($this\->$key);

} elseif (

(strpos((string) $type, 'char') !== false || strpos((string) $type, 'text') !== false || $type == 'enum') &&

!empty($this\->$key)

) {

$this\->$key = htmlentities((string) SugarCleaner::cleanHtml($this\->$key, true));

$this\->$key = purify\_html($this\->$key);

}

}

}

Expand Down

CVE-2023-5351: SuiteCRM 7.14.1 Release · salesagility/SuiteCRM@c43eaa3

By Owais Sultan
Discover the 20 leading Amazon PPC management agencies. Expertise, results-driven strategies, and proven track records. Dive in to…
This is a post from HackRead.com Read the original post: 20 Best Amazon PPC Management Agencies

20 Best Amazon PPC Management Agencies

Firewall and distributed denial-of-service (DDoS) attack prevention mechanisms in Cloudflare can be circumvented by exploiting gaps in cross-tenant security controls, defeating the very purpose of these safeguards, it has emerged.
"Attackers can utilize their own Cloudflare accounts to abuse the per-design trust-relationship between Cloudflare and the customers' websites, rendering the

Firewall and distributed denial-of-service (DDoS) attack prevention mechanisms in Cloudflare can be circumvented by exploiting gaps in cross-tenant security controls, defeating the very purpose of these safeguards, it has emerged.

"Attackers can utilize their own Cloudflare accounts to abuse the per-design trust-relationship between Cloudflare and the customers' websites, rendering the protection mechanism ineffective," Certitude researcher Stefan Proksch said in a report published last week.

The problem, per the Austrian consulting firm, is the result of shared infrastructure available to all tenants within Cloudflare, regardless of whether they are legitimate or otherwise, thereby making it easy for malicious actors to abuse the implicit trust associated with service and defeat the guardrails.

The first issue stems from opting for a shared Cloudflare certificate to authenticate HTTP(S) requests between the service's reverse proxies and the customer's origin server as part of a feature called Authenticated Origin Pulls.

As the name implies, Authenticated Origin Pulls ensures requests sent to the origin server to fetch content when it's not available in the cache originate from Cloudflare and not from a threat actor.

A consequence of such a setup is that an attacker with a Cloudflare account can send their malicious payload via the platform by taking advantage of the fact that all connections originating from Cloudflare are permitted, even if the tenant that's initiating the connection is nefarious.

"An attacker can set up a custom domain with Cloudflare and point the DNS A record to \[a\] victim's IP address," Proksch explained.

"The attacker then disables all protection features for that custom domain in their tenant and tunnel their attack(s) through the Cloudflare infrastructure. This approach allows attackers to bypass the protection features by the victim."

The second problem entails the abuse of allowlisting Cloudflare IP addresses – which stops the origin server from receiving traffic from individual visitor IP addresses and limits it to Cloudflare IP addresses – to transmit rogue inputs and target other users on the platform.

Following responsible disclosure on March 16, 2023, Cloudflare acknowledged the findings as informative, adding a new warning in its documentation.

"Note that the certificate Cloudflare provides for you to set up Authenticated Origin Pulls is not exclusive to your account, only guaranteeing that a request is coming from the Cloudflare network," Cloudflare now explicitly states.

"For more strict security, you should set up Authenticated Origin Pulls with your own certificate and consider other security measures for your origin."

"The 'Allowlist Cloudflare IP addresses' mechanism should be regarded as defense-in-depth, and not be the sole mechanism to protect origin servers," Proksch said. "The 'Authenticated Origin Pulls' mechanism should be configured with custom certificates rather than the Cloudflare certificate."

Certitude previously also uncovered that it's possible for attackers to leverage "dangling" DNS records to hijack subdomains belonging to over 1,000 organizations spanning governments, media outlets, political parties, and universities, and likely use them for malware distribution, disinformation campaigns, and phishing attacks.

"In most cases, the hijacking of subdomains could be effectively prevented by cloud services through domain ownership verification and not immediately releasing previously used identifiers for registration," security researcher Florian Schweitzer noted.

The disclosures arrive as Akamai revealed that adversaries are increasingly leveraging dynamically seeded domain generation algorithms (DGA) to avoid detection and complicate analysis, effectively extending the lifespan of command-and-control (C2) communication channels.

"Knowing which DGA domains will activate tomorrow allows us to proactively put these domains on our blocklists to protect end users from botnets," security researchers Connor Faulkner and Stijn Tilborghs said.

"Unfortunately, that scenario isn't possible with unpredictable seeds, such as Google Trends, temperatures, or foreign exchange rates. Even if we have the source code of the family, we are not able to correctly predict future-generated DGA domain names."

Back in August, a group of academics from the University of California, Irvine and Tsinghua University demonstrated a DNS poisoning attack called MaginotDNS that exploits flaws in the bailiwick checking algorithms to take over entire DNS zones, even including top-level domains such as .com and .net.

"The key to the discovery of MaginotDNS is the inconsistent bailiwick implementations between different DNS modes," the researchers pointed out. "The vulnerabilities do not harm the regular forwarders as they do not perform recursive domain resolutions, but for conditional DNS servers (CDNS), severe consequences can be caused."

"CDNS is a prevalent type of DNS server but not yet systematically studied. It is configured to act as recursive resolver and forwarder simultaneously, and the different server modes share the same global cache. As a result, attackers can exploit the forwarder vulnerabilities and 'cross the boundary' – attack recursive resolvers on the same server."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researcher Reveals New Techniques to Bypass Cloudflare's Firewall and DDoS Protection

Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory.

**asyncua vulnerable to denial of service via infinite loop**

Moderate severity GitHub Reviewed Published Oct 3, 2023 to the GitHub Advisory Database • Updated Oct 4, 2023

GHSA-gfvq-mxw3-mfq3: asyncua vulnerable to denial of service via infinite loop

Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication.

**Note:**

This issue is a result of missing checks for services that require an active session.

**asyncua Improper Authentication vulnerability**

Moderate severity GitHub Reviewed Published Oct 3, 2023 to the GitHub Advisory Database • Updated Oct 4, 2023

GHSA-2894-qcqf-g23g: asyncua Improper Authentication vulnerability

All versions of the package static-server are vulnerable to Directory Traversal due to improper input sanitization passed via the validPath function of server.js.

**static-server Path Traversal vulnerability**

High severity GitHub Reviewed Published Oct 3, 2023 to the GitHub Advisory Database • Updated Oct 4, 2023

GHSA-v834-rhv4-65m3: static-server Path Traversal vulnerability

Disclaimer: It is important to note that a previous vulnerability related to DoS attacks on asyncua servers exists.

However, the vulnerability described here is entirely different in nature. The previous vulnerability relied on

resource exhaustion by sending an unlimited number of large chunks.

This crafted message is sufficient to cause the server to enter an infinite loop,

gradually consuming more and more resources. Notably,

in comparison to CVE-2022-25304, the vulnerability discussed in this gist requires less effort to exploi

#How was the vulnerability discovered ?

During my experiments for my Ph.D., I identified this vulnerability and promptly alerted the maintainers

by creating an issue on Git, as their request.

#Reproduce:

To reproduce this vulnerability:

0/send a message with a size field set to 0.

I used an open secure channel request but others are working.

All of this is described in the issue:

The first comment made a mistake by thinking that this vulnerability is CVE-2022-25304. But if you read the complete issue

you will see that it is not.

https://github.com/FreeOpcUa/opcua-asyncio/issues/1013

CVE-2023-26151: DoS asyncua Server

static-server is a local HTTP file server, or as is it describes itself:

    A simple http server to serve static resource files from a local directory.
    

Observation:

*   It has 40,055 weekly downloads to the time of this advisory
*   It was last published 5 years ago
*   The source code repository on GitHub is archived

Resources:

*   Project's GitHub source code: https://github.com/nbluis/static-server
*   Project's npm package: https://www.npmjs.com/package/static-server

**Background on exploitation**

The static-server npm package is joining paths from users to the root directory and assert for the path accessed being relative to that of the root directory, however this last case is where this is implemented in a vulnerable way:

(Starting with line 140-142\](https://github.com/nbluis/static-server/blob/master/server.js#LL140C1-L143C1) in server.js, just joins the paths:

    var uri \= req.path \= decodeURIComponent(url.parse(req.url).pathname);
    var filename \= path.join(server.rootPath, uri);

and then a code in a utility function at Lines 218 of server.js attempts to jail it to the specific root directory:

function validPath(rootPath, file) {
  var resolvedPath \= path.resolve(rootPath, file);

  // only if we are still in the rootPath of the static site
  return resolvedPath.indexOf(rootPath) \=== 0;
}

However, it is a flawed assertion.

This vulnerability should probably be classified as a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

**Proof of Concept exploit**

1.  Install the latest version of static-server: npm install static-server@2.2.1
2.  Make sure you have a public/ directory with files in it
3.  Make sure you have a public-isprivate directory with files in it
4.  Make sure you have a private/ directory with files in it

All directories above should share the same relative parent, meaning the directory structure should look as follows:

    .
    ├── private
    │   └── index.html
    ├── public
    │   └── index.html
    └── public-isprivate
        └── index.html
    

Then, run a server powered by static-server as follows:

var StaticServer \= require('static-server');
var server \= new StaticServer({
  rootPath: 'public',            // required, the root of the server file tree
  name: 'my-http-server',   // optional, will set "X-Powered-by" HTTP header
  port: 3000,               // optional, defaults to a random port
  host: '0.0.0.0',       // optional, defaults to any interface
  cors: '\*',                 // optional, defaults to undefined
  followSymlink: true,      // optional, defaults to a 404 error
  templates: {
    index: 'foo.html',      // optional, defaults to 'index.html'
    notFound: '404.html'    // optional, defaults to undefined
  }
});
 
server.start(function () {
  console.log('Server listening to', server.port);
});

(or you can simply just run it as an executable from the public/ directory we created)

which sets the public root directory to the public/ directory that we previously created:

The server should run within the local folder where all private/, public/, and public-isprivate are subfolders.

Next, verify the following:

1.  curl --path-as-is "http://localhost:3000/../private/index.html" -> this request is denied, as expected with prior vulnerability fix.
2.  curl --path-as-is "http://localhost:3000/../public/index.html" -> this request is allowed, as expected with the functionality of this local http server
3.  curl --path-as-is "http://localhost:3000/../public-isprivate/index.html" -> this request SHOULD BE DENIED because it is outside the public/ folder, but it is actually allowed.

Case (3) shouldn't happen, but it does, due to an improper fix in the library's source code.

**Author**

Liran Tal

Tag

#git