Unrated severity · NVD Advisory · Published May 8, 2023 · Updated Jan 29, 2025

CVE-2023-23494

Description

A buffer overflow in Apple iOS and iPadOS could let a privileged network attacker cause denial-of-service; fixed in version 16.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2023-23494 is a buffer overflow vulnerability in Apple iOS and iPadOS, addressed with improved bounds checking in iOS 16.4 and iPadOS 16.4 [1]. The issue affects iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later [1]. The specific affected component is not disclosed in the available references, but the vulnerability is reachable when an attacker has a privileged network position.

Exploitation

An attacker in a privileged network position, such as on the same network segment or capable of intercepting network traffic, can exploit this buffer overflow without authentication or user interaction. The exact sequence of steps is not detailed in the available references; the overflow is triggered over the network and can be exploited to cause a denial-of-service.

Impact

Successful exploitation allows the attacker to cause a denial-of-service, disrupting the device's normal operation. The impact is limited to availability; no information disclosure or code execution is indicated in the references.

Mitigation

The vulnerability is fixed in iOS 16.4 and iPadOS 16.4, released on March 27, 2023 [1]. Users of the device models listed in the advisory should update to the latest version. No workarounds are provided by the vendor.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
