Rewterz Threat Update –China-Linked UNC3886 Stealthily Weaponized Highly-Severe VMware Zero-Day Vulnerability for 2 Years
January 23, 2024Rewterz Threat Advisory – CVE-2023-51123 – D-Link dir815 Vulnerability
January 23, 2024Rewterz Threat Update –China-Linked UNC3886 Stealthily Weaponized Highly-Severe VMware Zero-Day Vulnerability for 2 Years
January 23, 2024Rewterz Threat Advisory – CVE-2023-51123 – D-Link dir815 Vulnerability
January 23, 2024Severity
Medium
Analysis Summary
CVE-2024-23206 CVSS:6.5
Apple tvOS could allow a remote attacker to bypass security restrictions, caused by an access error in the WebKit component. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to fingerprint the user.
CVE-2024-23210 CVSS:5.5
Apple tvOS could allow a local attacker to obtain sensitive information, caused by an error in the Time Zone component. By using a specially crafted application, an attacker could exploit this vulnerability to view a user’s phone number in system logs.
CVE-2024-23215 CVSS:5.5
Apple tvOS could allow a local attacker to obtain sensitive information, caused by an error in the TCC component. By using a specially crafted application, an attacker could exploit this vulnerability to access user-sensitive data.
CVE-2024-23223 CVSS:5.5
Apple tvOS could allow a local attacker to obtain sensitive information, caused by a privacy issue in the NSSpellChecker component. By using a specially crafted application, an attacker could exploit this vulnerability to access sensitive user data.
CVE-2024-23208 CVSS:7.8
Apple tvOS could allow a local attacker to gain elevated privileges on the system, caused by an error in the Kernel component. By using a specially crafted application, an attacker could exploit this vulnerability to gain kernel privileges.
CVE-2024-23218 CVSS:5.5
Apple tvOS could allow a local attacker to obtain sensitive information, caused by a timing side-channel issue in the CoreCrypto component. By using a specially crafted application, an attacker could exploit this vulnerability to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without having the private key.
CVE-2024-23212 CVSS:7.8
Apple tvOS could allow a local attacker to gain elevated privileges on the system, caused by an error in the Apple Neural Engine component. By using a specially crafted application, an attacker could exploit this vulnerability to gain kernel privileges.
CVE-2024-23222 CVSS:8.8
Apple tvOS could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion in WebKit. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-23213 CVSS:8.8
Apple tvOS could allow a remote attacker to execute arbitrary code on the system, caused by an error in WebKit. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Impact
- Code Execution
- Security Bypass
- Privilege Escalation
- Information Disclosure
Indicators Of Compromise
CVE
- CVE-2024-23206
- CVE-2024-23210
- CVE-2024-23215
- CVE-2024-23223
- CVE-2024-23208
- CVE-2024-23218
- CVE-2024-23212
- CVE-2024-23222
- CVE-2024-23213
Affected Vendors
Apple
Affected Products
- Apple tvOS 17.2
Remediation
Refer to Apple security document for patch, upgrade or suggested workaround information.