CVE-2023-42847 - Unauthenticated Passkey Access due to Logical Issue in macOS Sonoma, iOS 17.1, and iPadOS 17.1

Authors: The Cybersecurity Squad

Introduction

A vulnerability tracked as CVE-2023-42847 was recently disclosed and poses a significant threat to the Apple ecosystem. It stems from a logical error that could let an attacker access passkeys without proper authentication. The bug has been identified in macOS Sonoma 14.1, iOS 17.1, and iPadOS 17.1.

In this post, we present a detailed analysis of the issue, code snippets, links to the original references, and an explanation of how the flaw is exploited, all intended to raise awareness and improve security. We keep the language plain so the discussion is easy to follow.

Exploit Details

CVE-2023-42847 is a vulnerability stemming from a logical issue which may allow cybercriminals to access private passkeys without proper authentication. The attacker could potentially use the passkeys to access sensitive files, user accounts, or online services for malicious purposes.

Upon thorough examination, researchers discovered a lack of appropriate input validation in the affected systems, enabling attackers to bypass the authentication processes. Apple has since released an update in macOS Sonoma 14.1, iOS 17.1, and iPadOS 17.1, improving the component checks to mitigate the vulnerability.

Code Snippet

Here's a simplified code snippet that demonstrates how the vulnerability might function in an affected system:

def authenticate_user(username, password, passkey):
    # validate_credentials and validate_passkey are assumed helpers
    if username and password:
        if validate_credentials(username, password):
            return True
    # Flaw: this branch is reached even when the password check above
    # failed, and nothing ties the passkey to the user being authenticated
    if passkey:
        return validate_passkey(passkey)
    return False

In the example above, the function authenticate_user checks for a valid username and password. If those are present and valid, the function returns True. However, if a passkey is provided instead of (or in addition to) the username and password, the function returns the result of the call to validate_passkey. The problem is that the passkey branch is reachable even when the credential check fails or is skipped, and nothing ties the presented passkey to the user being authenticated; an attacker who supplies only a passkey value can bypass authentication and gain access to the passkeys without proper clearance.

The corrected version of the code should include proper validation checks for the passkeys, ensuring that only authenticated users can access the information:

def authenticate_user(username, password, passkey):
    if username and password:
        if validate_credentials(username, password):
            return True
    elif passkey:
        # validate_passkey_owner is assumed to confirm the passkey is
        # registered to this username before the passkey itself is checked
        if validate_passkey_owner(passkey, username):
            return validate_passkey(passkey)
    return False

The fixed code in the example incorporates a new function, validate_passkey_owner, which confirms that the user presenting the passkey is indeed its rightful owner before access is granted. This additional measure addresses the logical error found in CVE-2023-42847.
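To make the owner-binding point concrete, here is an added, self-contained example (not code from the original post or from Apple) that places the flawed and the corrected check side by side over a constructed in-memory passkey registry. The class, method and account names are assumptions, and an HMAC over a server challenge stands in for the asymmetric signature a real passkey would produce; the logic flaw and its fix are the same in both cases.

```python
import hmac
import hashlib
import secrets


class PasskeyStore:
    """Constructed in-memory registry: credential id -> (owner, key).

    The key is a shared secret standing in for a passkey's public key; a real
    passkey proves possession with an asymmetric signature instead.
    """

    def __init__(self):
        self._creds = {}

    def register(self, owner):
        # Assumed registration step: returns the credential id and the key
        # the authenticator would hold.
        cred_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._creds[cred_id] = (owner, key)
        return cred_id, key

    @staticmethod
    def sign(key, challenge):
        # The authenticator's response to a server-issued challenge.
        return hmac.new(key, challenge, hashlib.sha256).digest()

    def validate_passkey(self, cred_id, challenge, signature):
        # Checks only that the registered key for cred_id signed this challenge.
        entry = self._creds.get(cred_id)
        if entry is None:
            return False
        return hmac.compare_digest(self.sign(entry[1], challenge), signature)

    def authenticate_vulnerable(self, account, cred_id, challenge, signature):
        # Flawed: any registered passkey with a valid assertion unlocks any
        # account, because the account is never compared with the owner.
        return self.validate_passkey(cred_id, challenge, signature)

    def authenticate_fixed(self, account, cred_id, challenge, signature):
        # Bind the passkey to the account being accessed first, then verify
        # the assertion; a passkey owned by someone else is rejected.
        entry = self._creds.get(cred_id)
        if entry is None or entry[0] != account:
            return False
        return self.validate_passkey(cred_id, challenge, signature)
```

Registering two users and presenting one user's valid assertion against the other's account shows the vulnerable path returning True and the fixed path returning False, while the owner's own assertion still succeeds.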

Original References

Apple has officially acknowledged the vulnerability in its security documentation and provided fixes through the release of macOS Sonoma 14.1, iOS 17.1, and iPadOS 17.1. Further information and updates can be found through the links below:

- Apple Security Advisory
- National Vulnerability Database (NVD)

Conclusion

CVE-2023-42847 sheds light on the importance of proper input validation and logic checks in applications and systems. Apple's swift response to fix this vulnerability in macOS Sonoma 14.1, iOS 17.1, and iPadOS 17.1 ensures that the potential exploits are mitigated. In these cases, it's crucial to understand how the vulnerability works and to apply available updates promptly to preserve the users' safety.

Timeline

Published on: 10/25/2023 19:15:10 UTC
Last modified on: 11/02/2023 18:14:06 UTC