VYPR
Low severity · 3.3 · NVD Advisory · Published Apr 24, 2024 · Updated Apr 2, 2026

CVE-2024-23228

Description

CVE-2024-23228: Locked Notes content could be unexpectedly unlocked due to a state management issue in versions before iOS 17.3 and iPadOS 17.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Description

CVE-2024-23228 is a security issue in the Notes app on iOS and iPadOS, where locked notes could be unexpectedly unlocked. Apple addressed the issue through improved state management in iOS 17.3 and iPadOS 17.3 [1][2]. The root cause appears to be a flaw in how the operating system handles the lock state of notes, potentially allowing a bypass of the intended encryption or access controls on locked content.

Exploitation and Impact

The vulnerability has a CVSS v3 base score of 3.3, indicating low severity. The attack vector is local, requiring physical access to an unlocked device or the ability to trigger the lock state failure under specific conditions. No authentication is needed beyond the device being in an unlocked state. An attacker could view the content of notes that the user intended to keep locked, leading to a loss of confidentiality of sensitive information stored in Notes [2].

Mitigation

Apple released the fix for this vulnerability in iOS 17.3 and iPadOS 17.3 on January 22, 2024 [1]. Users are advised to update their devices to the latest operating system version to protect against this issue. There is no indication of this vulnerability being exploited in the wild, and no workaround is available aside from updating.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • Apple Inc./Ipados (2 versions)
    • cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* (range: <17.3)
    • (no CPE) (range: <17.3)
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
    Range: <17.3
  • Apple Inc./iOS (llm-fuzzy)
    Range: <17.3

Patches

0

No patches discovered yet.

References

3
