VYPR
Unrated severity · NVD Advisory · Published Jun 23, 2023 · Updated Feb 13, 2025

CVE-2023-32404

Description

A privacy bypass in Apple's entitlement system allowed apps to circumvent Privacy preferences; fixed in iOS 16.5, iPadOS 16.5, watchOS 9.5, and macOS Ventura 13.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2023-32404 is a privacy bypass vulnerability in Apple's entitlement system. An app may be able to bypass Privacy preferences, potentially accessing data or features that the user has restricted. The issue affects iOS and iPadOS prior to 16.5, watchOS prior to 9.5, and macOS Ventura prior to 13.4 [1][2][4]. The vulnerability was addressed with improved entitlements.

Exploitation

An attacker would need to have a malicious app installed on the affected device. No additional privileges or user interaction beyond installing the app are required. The app can then exploit the entitlement flaw to bypass the user's Privacy preferences, gaining access to protected data or system features without explicit consent.

Impact

Successful exploitation allows the malicious app to bypass Privacy preferences, leading to unauthorized disclosure of sensitive user information or access to restricted system capabilities. The compromise occurs at the app level, but it circumvents user-configured privacy controls, potentially exposing contacts, location, photos, or other private data.

Mitigation

Apple fixed this issue in iOS 16.5, iPadOS 16.5, watchOS 9.5, and macOS Ventura 13.4, all released on May 18, 2023 [1][2][4]. Users should update their devices to the latest available versions. No workarounds are documented, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

4
