VYPR
Low severity · 3.3 · NVD Advisory · Published Mar 8, 2024 · Updated Apr 2, 2026

CVE-2024-23292

Description

CVE-2024-23292 is a privacy issue in Apple iOS, iPadOS, and macOS where an app could access information about a user's contacts. It is fixed in iOS 17.4, iPadOS 17.4, and macOS Sonoma 14.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2024-23292 is a privacy issue in Apple's iOS, iPadOS, and macOS Sonoma, fixed in iOS and iPadOS 17.4 and macOS Sonoma 14.4. According to Apple's advisories, the issue was addressed with improved data protection, preventing an app from accessing information about a user's contacts [1][2]. The root cause involves insufficient redaction of private data in log entries, which could leak contact information to a malicious application.

Exploitation

An attacker would need to have a malicious app installed on the user's device to exploit this vulnerability. No special system privileges or network position are required beyond the ability to run code on the device. The vulnerability can be triggered without user interaction beyond the initial installation of the malicious app [1][2].

Impact

If successfully exploited, a malicious app could access sensitive information about the user's contacts, potentially including names, phone numbers, and email addresses. This could lead to privacy breaches and unauthorized data collection, though the impact is limited to contact data and does not provide broader system compromise [1][2].

Mitigation

Apple has released patches in iOS 17.4, iPadOS 17.4, and macOS Sonoma 14.4. Users should update their devices to these versions to mitigate the vulnerability. There are no known workarounds, and the issue does not appear on the CISA Known Exploited Vulnerabilities (KEV) list as of publication.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 6

References: 7
