By Waqas
Malicious code disguised as Dependabot contributions hits hundreds of GitHub repositories.
This is a post from HackRead.com Read the original post: Malware Concealed as Dependabot Contributions Strikes GitHub Projects

According to the application security provider Checkmarx, cybercriminals concealed malicious code, masquerading as Dependabot, within GitHub repositories as part of a supply chain attack.

Cybersecurity experts have uncovered a series of malicious code injections camouflaged as legitimate Dependabot contributions across hundreds of GitHub repositories. These incidents, which occurred in July 2023, have raised concerns about the security of personal access tokens (PATs) on GitHub and the growing sophistication of threat actors in supply chain attacks.

****What is Dependabot in GitHub?****

Dependabot is a GitHub-native tool for automating dependency updates in software projects hosted on GitHub. It helps developers keep their projects up to date by automatically monitoring the project’s dependencies (such as libraries and packages) for security vulnerabilities and outdated versions.

When Dependabot detects that an update is available or a security vulnerability has been patched, it generates pull requests with the necessary updates. This simplifies the process of maintaining dependencies and ensures that projects stay secure and up to date with the latest software components.

****The Deceptive Attack****

During the first half of July, threat actors targeted a wide range of GitHub repositories, affecting both public and private projects. The victims primarily consisted of Indonesian user accounts, making it a significant and potentially widespread issue. The attackers utilized a clever technique to mimic Dependabot’s commit messages, deceiving developers into believing these were authentic contributions.

The falsified commit messages often bore the name “dependabot,” effectively camouflaging their activities and evading suspicion. Within these repositories, experts discovered two distinct groups of code alterations, strongly suggesting automated script usage by the attackers.

****Malicious Payload and Tactics****

According to a blog post from Guy Nachshon of Checkmarx, the attackers introduced a new GitHub Action file named “hook.yml” into the repositories, creating a new workflow that triggered during code pushes. This action siphoned GitHub secrets and variables, sending them to a suspicious URL, (sendwagateway.pro/webhook). This maneuver was executed with every push event, compounding the potential damage.

Additionally, the malicious actors tampered with existing project files bearing the “.js” extension. An obfuscated line of code was appended to these files, designed to create a new script tag upon execution in a browser environment. This new code aimed to load an external script from (sendwagatewaypro/client.js?cache=ignore), with the sinister purpose of intercepting web-based password forms and transmitting user credentials to the same exfiltration endpoint.

Screenshot of a malicious commit (Checkmarx)

****Uncovering the Attack Vector****

Initially, it remained unclear how the attackers gained access to the targeted accounts, given GitHub’s strengthened mandatory two-factor authentication (2FA) measures. To shed light on the situation, experts contacted some of the victims and discovered that the attackers had exploited compromised PATs (Personal Access Tokens).

These tokens, stored locally on developers’ machines, facilitate Git operations without requiring 2FA. Attackers seemingly extracted these tokens quietly from the victims’ development environments, potentially through a malicious open-source package that had infiltrated their systems.

****Automated Scale of the Attack****

Analyzing the scale of the attack indicated a high level of automation in the threat actor’s approach. The efficiency and sophistication of the attack underscored the need for increased vigilance among developers and software maintainers.

****Lessons Learned and Moving Forward****

This incident serves as a reminder of the importance of code source verification, even from trusted platforms like GitHub. It highlights that even well-established platforms can fall victim to such attacks, emphasizing the need for continuous online vigilance.

To enhance security, developers are urged to consider adopting GitHub’s fine-grained personal access tokens, reducing the risk associated with compromised tokens. However, it’s worth noting that access log activity for personal access tokens is currently visible only for enterprise accounts, leaving non-enterprise users less informed about potential breaches.

The attackers’ Tactics, Techniques, and Procedures (TTPs) demonstrate a growing sophistication in supply chain attacks. Their use of fake commits, credential theft, and Dependabot impersonation highlights the evolving threat landscape.

****RELATED ARTICLES****

1.  New backdoor malware hits Slack and Github platforms
2.  Hackers use GitHub bot to steal $1,200 in ETH within 100 seconds
3.  Hackers can spoof commit metadata to create false GitHub repositories

Malware Concealed as Dependabot Contributions Strikes GitHub Projects

Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser.

Wednesday, September 27, 2023 12:09

Cisco Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser.

Attackers could exploit these vulnerabilities to carry out a variety of attacks, in some cases gaining the ability to execute remote code on the targeted machine.

Four of the vulnerabilities included in today’s Vulnerability Roundup that affect the Accusoft ImageGear development toolkit have a CVSS severity score of 9.8 out of a possible 10.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Use-after-free vulnerability in Google Chrome web browser**

TALOS-2023-1751 (CVE-2023-3421) is a use-after-free vulnerability that affects the Google Chrome web browser. An attacker could exploit this vulnerability by tricking the target into visiting a specially crafted HTML web page.

The vulnerability arises when an adversary manipulates a specific function in Chrome to cause an out-of-bounds heap memory access, which could lead to a heap use-after-free or heap overflow.

**Multiple vulnerabilities in Accusoft ImageGear**

Talos researchers recently discovered eight vulnerabilities in Accusoft ImageGear, a document-imaging developer toolkit that allows users to convert, edit and create images.

Three of the vulnerabilities — TALOS-2023-1802 (CVE-2023-32653), TALOS-2023-1830 (CVE-2023-39453) and TALOS-2023-1760 (CVE-2023-35002) are heap-based buffer overflow vulnerabilities that could allow an attacker to execute arbitrary code on the targeted machine. Another issue, TALOS-2023-1836 (CVE-2023-40163), also has a critical severity score of 9.8 out of 10, but in this case, a specially crafted file could lead to memory corruption.

TALOS-2023-1729 (CVE-2023-23567) can also lead to arbitrary code execution, though this vulnerability is considered less severe. An attacker could also exploit this vulnerability by supplying the target with a malformed file.

There are three other vulnerabilities Talos discovered in this software that could cause a heap-based buffer overflow condition or memory corruption if the attacker sends a specially crafted file to the target.

*   TALOS-2023-1750 (CVE-2023-32284)
*   TALOS-2023-1742 (CVE-2023-28393)
*   TALOS-2023-1749 (CVE-2023-32614)

Hancom Office is one of the most popular software packages in South Korea, offering word processing and other services similar to Microsoft Office 365.

Talos discovered a use-after-free vulnerability in HWord, the package’s word processing software. TALOS-2023-1759 (CVE-2023-32541) can be manipulated in a way that will eventually allow the attacker to execute arbitrary code if they trick the target into opening a specially crafted, malicious .doc file.

10 new vulnerabilities disclosed by Talos, including use-after-free issue in Google Chrome

A Cross-site scripting (XSS) vulnerability in /panel/configuration/financial/ of Subrion v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into several fields: 'Minimum deposit', 'Maximum deposit' and/or 'Maximum balance'.

**Subrion CMS XSS in /panel/configuration/financial/**

Moderate severity GitHub Reviewed Published Sep 27, 2023 to the GitHub Advisory Database • Updated Sep 27, 2023

GHSA-q832-2275-rfqh: Subrion CMS XSS in /panel/configuration/financial/

A Cross-site scripting (XSS) vulnerability in /panel/languages/ of Subrion v4.2.1 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into 'Title' parameter.

**Subrion CMS Cross-site Scripting vulnerability in /panel/languages**

Moderate severity GitHub Reviewed Published Sep 27, 2023 to the GitHub Advisory Database • Updated Sep 29, 2023

GHSA-4w2j-wj9q-6wpx: Subrion CMS Cross-site Scripting vulnerability in /panel/languages

Ubuntu Security Notice 6396-1 - It was discovered that some AMD x86-64 processors with SMT enabled could speculatively execute instructions using a return address from a sibling thread. A local attacker could possibly use this to expose sensitive information. Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain to sensitive information.

    ==========================================================================Ubuntu Security Notice USN-6396-1September 26, 2023linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp,linux-gcp-4.15, linux-hwe, linux-oracle vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe: Linux hardware enablement (HWE) kernel- linux-oracle: Linux kernel for Oracle Cloud systemsDetails:It was discovered that some AMD x86-64 processors with SMT enabled couldspeculatively execute instructions using a return address from a siblingthread. A local attacker could possibly use this to expose sensitiveinformation. (CVE-2022-27672)Daniel Moghimi discovered that some Intel(R) Processors did not properlyclear microarchitectural state after speculative execution of variousinstructions. A local unprivileged user could use this to obtain tosensitive information. (CVE-2022-40982)Yang Lan discovered that the GFS2 file system implementation in the Linuxkernel could attempt to dereference a null pointer in some situations. Anattacker could use this to construct a malicious GFS2 image that, whenmounted and operated on, could cause a denial of service (system crash).(CVE-2023-3212)It was discovered that the NFC implementation in the Linux kernel containeda use-after-free vulnerability when performing peer-to-peer communicationin certain conditions. A privileged attacker could use this to cause adenial of service (system crash) or possibly expose sensitive information(kernel memory). (CVE-2023-3863)It was discovered that the bluetooth subsystem in the Linux kernel did notproperly handle L2CAP socket release, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-40283)It was discovered that some network classifier implementations in the Linuxkernel contained use-after-free vulnerabilities. A local attacker could usethis to cause a denial of service (system crash) or possibly executearbitrary code. (CVE-2023-4128)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS (Available with Ubuntu Pro):   linux-image-4.15.0-1155-gcp     4.15.0-1155.172   linux-image-4.15.0-1161-aws     4.15.0-1161.174   linux-image-4.15.0-1170-azure   4.15.0-1170.185   linux-image-4.15.0-218-generic  4.15.0-218.229   linux-image-4.15.0-218-lowlatency  4.15.0-218.229   linux-image-aws-lts-18.04       4.15.0.1161.159   linux-image-azure-lts-18.04     4.15.0.1170.138   linux-image-gcp-lts-18.04       4.15.0.1155.169   linux-image-generic             4.15.0.218.202   linux-image-lowlatency          4.15.0.218.202   linux-image-virtual             4.15.0.218.202Ubuntu 16.04 LTS (Available with Ubuntu Pro):   linux-image-4.15.0-1124-oracle  4.15.0-1124.135~16.04.1   linux-image-4.15.0-1155-gcp     4.15.0-1155.172~16.04.1   linux-image-4.15.0-1161-aws     4.15.0-1161.174~16.04.1   linux-image-4.15.0-1170-azure   4.15.0-1170.185~16.04.1   linux-image-4.15.0-218-generic  4.15.0-218.229~16.04.1   linux-image-4.15.0-218-lowlatency  4.15.0-218.229~16.04.1   linux-image-aws-hwe             4.15.0.1161.144   linux-image-azure               4.15.0.1170.154   linux-image-gcp                 4.15.0.1155.145   linux-image-generic-hwe-16.04   4.15.0.218.2   linux-image-gke                 4.15.0.1155.145   linux-image-lowlatency-hwe-16.04  4.15.0.218.2   linux-image-oem                 4.15.0.218.2   linux-image-oracle              4.15.0.1124.105   linux-image-virtual-hwe-16.04   4.15.0.218.2After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6396-1   CVE-2022-27672, CVE-2022-40982, CVE-2023-3212, CVE-2023-3863,   CVE-2023-40283, CVE-2023-4128

Ubuntu Security Notice USN-6396-1

This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in Safari 17. An attacker with JavaScript execution may be able to execute arbitrary code.

Released September 26, 2023

**Safari**

Available for: macOS Monterey and macOS Ventura

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A window management issue was addressed with improved state management.

CVE-2023-40417: Narendra Bhati From Suma Soft Pvt. Ltd, Pune (India)

**WebKit**

Available for: macOS Monterey and macOS Ventura

Impact: An attacker with JavaScript execution may be able to execute arbitrary code

Description: This issue was addressed with improved iframe sandbox enforcement.

WebKit Bugzilla: 251276  
CVE-2023-40451: an anonymous researcher

**WebKit**

Available for: macOS Monterey and macOS Ventura

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

**WebKit**

Available for: macOS Monterey and macOS Ventura

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37)

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 261544  
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

CVE-2023-40451: About the security content of Safari 17

A permissions issue was addressed with improved redaction of sensitive information. This issue is fixed in tvOS 17, iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to read sensitive location information.

CVE-2023-40384: About the security content of iOS 17 and iPadOS 17

The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6. Apps that fail verification checks may still launch.

Released September 21, 2023

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40412: Mohamed GHANNAM (@\_simo36)

CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security

Entry added September 26, 2023

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-41071: Mohamed GHANNAM (@\_simo36)

Entry added September 26, 2023

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

Entry added September 26, 2023

**Biometric Authentication**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-41232: Liang Wei of PixiePoint Security

Entry added September 26, 2023

**ColorSync**

Available for: macOS Ventura

Impact: An app may be able to read arbitrary files

Description: The issue was addressed with improved checks.

CVE-2023-40406: JeongOhKyea of Theori

Entry added September 26, 2023

**CoreAnimation**

Available for: macOS Ventura

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

Entry added September 26, 2023

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Entry added September 26, 2023

**Kernel**

Available for: macOS Ventura

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

Entry added September 26, 2023

**Kernel**

Available for: macOS Ventura

Impact: A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: The issue was addressed with improved checks.

CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to access protected user data

Description: An authorization issue was addressed with improved state management.

CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

Entry added September 26, 2023

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to delete files for which it does not have permission

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

Entry added September 26, 2023

**libxslt**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved memory handling.

CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

Entry added September 26, 2023

**Maps**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing (wojciechregula.blog)

Entry added September 26, 2023

**Pro Res**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-41063: Certik Skyfall Team

Entry added September 26, 2023

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to overwrite arbitrary files

Description: The issue was addressed with improved bounds checks.

CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

Entry added September 26, 2023

**Sandbox**

Available for: macOS Ventura

Impact: Apps that fail verification checks may still launch

Description: The issue was addressed with improved checks.

CVE-2023-41996: Yiğit Can YILMAZ (@yilmazcanyigit) and Mickey Jin (@patch1t)

Entry added September 26, 2023

**Security**

Available for: macOS Ventura

Impact: A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: A certificate validation issue was addressed.

CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

**Share Sheet**

Available for: macOS Ventura

Impact: An app may be able to access sensitive data logged when a user shares a link

Description: A logic issue was addressed with improved checks.

CVE-2023-41070: Kirin (@Pwnrin)

Entry added September 26, 2023

**StorageKit**

Available for: macOS Ventura

Impact: An app may be able to read arbitrary files

Description: This issue was addressed with improved validation of symlinks.

CVE-2023-41968: Mickey Jin (@patch1t), James Hutchins

Entry added September 26, 2023

CVE-2023-41996: About the security content of macOS Ventura 13.6

Memory safety bugs present in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3.

**Mozilla Foundation Security Advisory 2023-41**

Announced

September 26, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 118

**#CVE-2023-5168: Out-of-bounds write in FilterNodeD2D1**

Reporter

sonakkbi

Impact

high

**Description**

A compromised content process could have provided malicious data to FilterNodeD2D1 resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process.

**References**

*   Bug 1846683

**#CVE-2023-5169: Out-of-bounds write in PathOps**

Reporter

sonakkbi

Impact

high

**Description**

A compromised content process could have provided malicious data in a PathRecording resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process.

**References**

*   Bug 1846685

**#CVE-2023-5170: Memory leak from a privileged process**

Reporter

sonakkbi

Impact

high

**Description**

In canvas rendering, a compromised content process could have caused a surface to change unexpectedly, leading to a memory leak of a privileged process. This memory leak could be used to effect a sandbox escape if the correct data was leaked.

**References**

*   Bug 1846686

**#CVE-2023-5171: Use-after-free in Ion Compiler**

Reporter

Lukas Bernhard

Impact

high

**Description**

During Ion compilation, a Garbage Collection could have resulted in a use-after-free condition, allowing an attacker to write two NUL bytes, and cause a potentially exploitable crash.

**References**

*   Bug 1851599

**#CVE-2023-5172: Memory Corruption in Ion Hints**

Reporter

Mozilla Fuzzing Team

Impact

high

**Description**

A hashtable in the Ion Engine could have been mutated while there was a live interior reference, leading to a potential use-after-free and exploitable crash.

**References**

*   Bug 1852218

**#CVE-2023-5173: Out-of-bounds write in HTTP Alternate Services**

Reporter

Ronald Crane

Impact

moderate

**Description**

In a non-standard configuration of Firefox, an integer overflow could have occurred based on network traffic (possibly under influence of a local unprivileged webpage), leading to an out-of-bounds write to privileged process memory.  
_This bug only affects Firefox if a non-standard preference allowing non-HTTPS Alternate Services (network.http.altsvc.oe) is enabled._

**References**

*   Bug 1823172

**#CVE-2023-5174: Double-free in process spawning on Windows**

Reporter

Ronald Crane

Impact

moderate

**Description**

If Windows failed to duplicate a handle during process creation, the sandbox code may have inadvertently freed a pointer twice, resulting in a use-after-free and a potentially exploitable crash.  
_This bug only affects Firefox on Windows when run in non-standard configurations (such as using runas). Other operating systems are unaffected._

**References**

*   Bug 1848454

**#CVE-2023-5175: Use-after-free of ImageBitmap during process shutdown**

Reporter

Yangkang of 360 ATA Team

Impact

low

**Description**

During process shutdown, it was possible that an ImageBitmap was created that would later be used after being freed from a different codepath, leading to a potentially exploitable crash.

**References**

*   Bug 1849704

**#CVE-2023-5176: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3**

Reporter

Chris Peterson, Andrew McCreight, André Bargull, Nika Layzell and the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3

CVE-2023-5176: Security Vulnerabilities fixed in Firefox 118

A permissions issue was addressed with improved validation. This issue is fixed in tvOS 17, iOS 17 and iPadOS 17, watchOS 10, macOS Sonoma 14. An app may be able to access sensitive user data.

Released September 18, 2023

**App Store**

Available for: Apple Watch Series 4 and later

Impact: A remote attacker may be able to break out of Web Content sandbox

Description: The issue was addressed with improved handling of protocols.

CVE-2023-40448: w0wbox

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40432: Mohamed GHANNAM (@\_simo36)

CVE-2023-41174: Mohamed GHANNAM (@\_simo36)

CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security

CVE-2023-40412: Mohamed GHANNAM (@\_simo36)

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-41071: Mohamed GHANNAM (@\_simo36)

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2023-40399: Mohamed GHANNAM (@\_simo36)

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

**AuthKit**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved handling of caches.

CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security

**Bluetooth**

Available for: Apple Watch Series 4 and later

Impact: An attacker in physical proximity can cause a limited out of bounds write

Description: The issue was addressed with improved checks.

CVE-2023-35984: zer0k

**bootp**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau (ZeroClicks.ai Lab)

**CFNetwork**

Available for: Apple Watch Series 4 and later

Impact: An app may fail to enforce App Transport Security

Description: The issue was addressed with improved handling of protocols.

CVE-2023-38596: Will Brattain at Trail of Bits

**CoreAnimation**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

**Dev Tools**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to gain elevated privileges

Description: This issue was addressed with improved checks.

CVE-2023-32396: Mickey Jin (@patch1t)

**Game Center**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access contacts

Description: The issue was addressed with improved handling of caches.

CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access sensitive user data

Description: A permissions issue was addressed with improved validation.

CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)

**libpcap**

Available for: Apple Watch Series 4 and later

Impact: A remote user may cause an unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2023-40400: Sei K.

**libxpc**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to delete files for which it does not have permission

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxpc**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access protected user data

Description: An authorization issue was addressed with improved state management.

CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxslt**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved memory handling.

CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

**Maps**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing (wojciechregula.blog)

**MobileStorageMounter**

Available for: Apple Watch Series 4 and later

Impact: A user may be able to elevate privileges

Description: An access issue was addressed with improved access restrictions.

CVE-2023-41068: Mickey Jin (@patch1t)

**Passcode**

Available for: Apple Watch Ultra (all models)

Impact: An Apple Watch Ultra may not lock when using the Depth app

Description: An authentication issue was addressed with improved state management.

CVE-2023-40418: serkan Gurbuz

**Photos Storage**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access edited photos saved to a temporary directory

Description: The issue was addressed with improved checks.

CVE-2023-40456: Kirin (@Pwnrin)

CVE-2023-40520: Kirin (@Pwnrin)

**Safari**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to identify what other apps a user has installed

Description: The issue was addressed with improved checks.

CVE-2023-35990: Adriatik Raci of Sentry Cybersecurity

**Safari**

Available for: Apple Watch Series 4 and later

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A window management issue was addressed with improved state management.

CVE-2023-40417: Narendra Bhati From Suma Soft Pvt. Ltd.

**Sandbox**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to overwrite arbitrary files

Description: The issue was addressed with improved bounds checks.

CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

**Share Sheet**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access sensitive data logged when a user shares a link

Description: A logic issue was addressed with improved checks.

CVE-2023-41070: Kirin (@Pwnrin)

**Simulator**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to gain elevated privileges

Description: The issue was addressed with improved checks.

CVE-2023-40419: Arsenii Kostromin (0x3c3e)

**StorageKit**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read arbitrary files

Description: This issue was addressed with improved validation of symlinks.

CVE-2023-41968: Mickey Jin (@patch1t) and James Hutchins

**TCC**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-40424: Arsenii Kostromin (0x3c3e), Joshua Jewett (@JoshJewett33), and Csaba Fitzl (@theevilbit) of Offensive Security

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 249451  
CVE-2023-39434: Francisco Alonso (@revskills), and Dohyun Lee (@l33d0hyun) of PK Security

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37)

Tag

#web