CVE-2023-42836

Vulnerability

A logic issue in the handling of network volumes mounted in the home directory on affected Apple devices allows an attacker to access those volumes. The issue exists in iOS 17.0 and earlier, iPadOS 17.0 and earlier, macOS Sonoma 14.0 and earlier, macOS Ventura 13.6.2 and earlier, and macOS Monterey 12.7.1 and earlier. The fix is included in iOS 17.1, iPadOS 17.1, macOS Sonoma 14.1, macOS Ventura 13.6.3, and macOS Monterey 12.7.2 [1][2][3][4].

Exploitation

An attacker with local access to the device or the ability to run code (e.g., via a malicious app) could exploit the logic issue to access network volumes that are mounted in the user's home directory. No specific user interaction beyond mounting the volume is required; the attacker can leverage the flawed checks to bypass intended restrictions.

Impact

Successful exploitation allows the attacker to read, modify, or delete data on connected network volumes mounted in the home directory, leading to unauthorized access to sensitive user data. The attacker gains the same level of access as the user to those volumes.

Mitigation

Apple has addressed the issue in iOS 17.1 and iPadOS 17.1 (released October 25, 2023), macOS Sonoma 14.1 (released October 25, 2023), macOS Ventura 13.6.3 (released December 11, 2023), and macOS Monterey 12.7.2 (released December 11, 2023) [1][2][3][4]. Users should update to the latest available versions. No workarounds are documented.