Request a Demo
Rewterz
Rewterz Threat Update –China-Linked UNC3886 Stealthily Weaponized Highly-Severe VMware Zero-Day Vulnerability for 2 Years
January 23, 2024
Rewterz
Rewterz Threat Advisory – CVE-2023-51123 – D-Link dir815 Vulnerability
January 23, 2024

Rewterz Threat Advisory – Multiple Apple tvOS Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-23206 CVSS:6.5

Apple tvOS could allow a remote attacker to bypass security restrictions, caused by an access error in the WebKit component. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to fingerprint the user.

CVE-2024-23210 CVSS:5.5

Apple tvOS could allow a local attacker to obtain sensitive information, caused by an error in the Time Zone component. By using a specially crafted application, an attacker could exploit this vulnerability to view a user’s phone number in system logs.

CVE-2024-23215 CVSS:5.5

Apple tvOS could allow a local attacker to obtain sensitive information, caused by an error in the TCC component. By using a specially crafted application, an attacker could exploit this vulnerability to access user-sensitive data.

CVE-2024-23223 CVSS:5.5

Apple tvOS could allow a local attacker to obtain sensitive information, caused by a privacy issue in the NSSpellChecker component. By using a specially crafted application, an attacker could exploit this vulnerability to access sensitive user data.

CVE-2024-23208 CVSS:7.8

Apple tvOS could allow a local attacker to gain elevated privileges on the system, caused by an error in the Kernel component. By using a specially crafted application, an attacker could exploit this vulnerability to gain kernel privileges.

CVE-2024-23218 CVSS:5.5

Apple tvOS could allow a local attacker to obtain sensitive information, caused by a timing side-channel issue in the CoreCrypto component. By using a specially crafted application, an attacker could exploit this vulnerability to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without having the private key.

CVE-2024-23212 CVSS:7.8

Apple tvOS could allow a local attacker to gain elevated privileges on the system, caused by an error in the Apple Neural Engine component. By using a specially crafted application, an attacker could exploit this vulnerability to gain kernel privileges.

CVE-2024-23222 CVSS:8.8

Apple tvOS could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion in WebKit. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2024-23213 CVSS:8.8

Apple tvOS could allow a remote attacker to execute arbitrary code on the system, caused by an error in WebKit. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Impact

  • Code Execution
  • Security Bypass
  • Privilege Escalation
  • Information Disclosure

Indicators Of Compromise

CVE

  • CVE-2024-23206
  • CVE-2024-23210
  • CVE-2024-23215
  • CVE-2024-23223
  • CVE-2024-23208
  • CVE-2024-23218
  • CVE-2024-23212
  • CVE-2024-23222
  • CVE-2024-23213

Affected Vendors

Apple

Affected Products

  • Apple tvOS 17.2

Remediation

Refer to Apple security document for patch, upgrade or suggested workaround information.

Apple Security Document