CVE-2023-42878

Vulnerability

A privacy issue exists in the logging subsystems of Apple watchOS (before 10.1), macOS Sonoma (before 14.1), iOS (before 17.1), and iPadOS (before 17.1) [1][2][3]. The vulnerability stems from insufficient private data redaction in log entries, potentially allowing an app to read sensitive user data that was inadvertently written to system logs [1][2][3]. No specific configuration or user interaction is required to reach the affected code path beyond the app having access to system log entries.

Exploitation

An attacker would need to deploy a malicious app on a vulnerable device, as the app simply needs the ability to read system logs, a common permission granted to many iOS and macOS applications [1][2][3]. No additional network position or authentication beyond normal app installation is required. The attacker does not need to trigger a specific sequence of user actions; the vulnerability is present whenever system logging occurs with insufficient redaction.

Impact

A successful exploit allows the app to access sensitive user data that was logged without proper redaction [1][2][3]. This constitutes a confidentiality breach, as the attacker could obtain private information such as credentials, personal details, or other sensitive data depending on what the systems logged. No code execution or privilege escalation is described in the references; the impact is limited to information disclosure.

Mitigation

Apple addressed the issue with improved private data redaction for log entries in watchOS 10.1, macOS Sonoma 14.1, iOS 17.1, and iPadOS 17.1, released October 25, 2023 [1][2][3]. Users should update their devices to the latest available OS versions via the Software Update mechanism. No workarounds or KEV listing are mentioned in the available references. For devices that cannot update, no mitigation is provided.