CVE-2023-23520 - Race Condition Letting Users Read Any File as Root on Apple Devices

Security flaws in operating systems always catch the eyes of both defenders and attackers, especially when the stakes are high — like reading any file as root. CVE-2023-23520 is a notable one found in Apple’s macOS Ventura, iOS, and iPadOS. Here’s everything you need to know, in clear, simple language.

What is CVE-2023-23520?

CVE-2023-23520 is a race condition vulnerability found in Apple’s CoreServices component. A race condition is a bug that happens when software tries to perform two or more operations at the same time, but the order in which those operations happen can cause unexpected behavior.

In the case of this CVE, the bug meant that a local attacker (someone who can run code on your device) could trick the system into letting them read files that should only be accessible to the most powerful user — root.

What Does That Mean?

*Imagine you have a locked safe (your important files) and only the house owner (root) has the key. With this bug, an outsider could slip in and read whatever’s inside without needing the key!*

How Was it Fixed?

Apple fixed this issue by adding better validation — simply put, the system now double-checks that whoever is trying to access files really has permission. The fix shipped in:

The Race Condition Explained

In programming, files can be opened by one process and used by another if timing is just right (or wrong, in this case). This bug allowed normal users to “hijack” file handles during a tiny time window, leading the system to give out root-only files to people who aren’t root.

Here’s a rough idea (not a real weaponized code, but it shows the flaw)

// Step 1: Request access to a temp file
int fd = open("/tmp/my_temp_file", O_RDWR | O_CREAT, 060);

// Step 2: Before system checks permissions, swap the file!
rename("/tmp/my_temp_file", "/private/var/root/.ssh/id_rsa");

// Step 3: Try to read the file via the file descriptor you already got
char buffer[1024];
pread(fd, buffer, sizeof(buffer), ); // Might now read ROOT's private key!

If the system doesn’t validate access after rename, you might get to read sensitive info.

Real World Impact

- Any user could read sensitive files like password hashes, SSH keys, or any other data intended only for root or the system.
- Useful as a step in greater attacks — could help attackers escalate their privileges or steal sensitive information.

Apple’s official note summarizes this

> *“A race condition was addressed with additional validation. A user may be able to read arbitrary files as root.”*  
> — Apple Security Updates

Apple Security Update (January 2023):

https://support.apple.com/en-us/HT213604

MITRE CVE Database:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23520

Apple’s own CVE note:

https://support.apple.com/HT213635

Project Zero on race conditions (for deep dive):

https://googleprojectzero.blogspot.com/202/09/goodbye-to-race-conditions-in-ios.html

Conclusion

CVE-2023-23520 is a reminder that even the best secure systems can have dangerous bugs. Apple patched it fast, but it could have let ordinary users see files only root should ever see. If you haven’t updated already, now’s the time.

Timeline

Published on: 02/27/2023 20:15:00 UTC
Last modified on: 03/08/2023 16:40:00 UTC