CVE CyberSecurity Database News

CVE-2023-37285 - How a Simple Out-of-Bounds Bug Could Give Apps Kernel Privileges on Apple Devices

Poster -

In the ever-evolving landscape of cybersecurity, even the smallest mistakes can open the door to devastating attacks. One such example is CVE-2023-37285, an out-of-bounds read vulnerability in Apple’s popular operating systems—including iOS, iPadOS, and macOS. This bug was quietly patched in mid-2023, but under the hood, it could have allowed malicious apps to execute code, not just as you—but as the almighty kernel.

Let’s break down what happened, how it could be used by attackers, and what Apple did to close this hole.

What is CVE-2023-37285?

CVE-2023-37285 is an _out-of-bounds read_ vulnerability. Without getting overly technical, this means some piece of code in the operating system would read data outside the allowed memory region. It was like someone reading past the end of a book, picking up random scraps of paper—except those scraps might be your passwords, system data, or even instructions telling the computer to do something dangerous.

According to Apple (source), "An app may be able to execute arbitrary code with kernel privileges."

How Does an Out-of-Bounds Read Lead to Code Execution?

Let’s get practical. Most out-of-bounds bugs just cause a crash. But in kernel code (which manages your device’s core functions), a clever attacker can use this kind of bug to not only read random memory, but also to fool the system into running their own code.

Here’s a simplified example in C, similar to the dangerous code prior to Apple’s fix

// Imagine 'input' is user-controlled and 'buffer' is a sensitive kernel data structure
void vulnerable_function(int index, char *input) {
    char buffer[10];
    // No check to see if 'index' is too big or small!
    char value = buffer[index];
    // ...do something with value
}

An attacker could provide a negative or too-large index, causing the read to go outside buffer—and if the value read is used improperly, maybe even to take control over code flow.

The Real-World Impact

- Kernel privileges are everything on your device. Anyone who gains them can bypass all protections, install rootkits, steal files, spy on you, or brick your device.

Exploit Details

While Apple keeps exact details and proof-of-concept code private, security analysts often reconstruct exploits based on patch differences and informal reports.

A possible exploitation path

1. An attacker crafts a malicious app, which calls the vulnerable kernel function with an out-of-bounds index.
2. The app triggers the kernel to read arbitrary memory. With trial and error (and maybe paired with another bug or info leak), the attacker probes the system’s memory layout.
3. Using controlled memory allocations (like filling memory with their own data), the attacker arranges for the kernel to read attacker-supplied code/data on an out-of-bounds read.

Pseudocode of a simulated attack

// Userland: Filling up kernel memory with a controlled pattern
for (int i = ; i < NUM_ALLOCATIONS; i++) {
    allocate_controlled_buffer();
}
// Userland: Trigger kernel oob-read, landing on controlled data
trigger_oob_read(crafted_index);

Through this, an attacker could potentially execute their own code in the kernel context—making it impossible for antivirus or standard system protection to detect or remove their payload.

What Did Apple Fix?

Apple’s solution was simple but effective: improved bounds checking. Before allowing an app-controlled index to access critical kernel structures, the code now checks to make sure the index is within the expected range.

Simplified fix

void safe_function(int index, char *input) {
    char buffer[10];
    if (index <  || index >= 10) {
        // Prevent out-of-bounds access
        return;
    }
    char value = buffer[index];
    // ...do something with value
}

Update NOW.

Go to Settings > General > Software Update and install the latest version. If your device can't get updates past iOS 15 or macOS Big Sur, apply the patch versions above.

Learn about security updates and CVEs from

- Apple security updates
  - National Vulnerability Database - CVE-2023-37285

Final Thoughts

Out-of-bounds bugs seem simple, but in the world of system security, they can be devastating, especially when present in the kernel. CVE-2023-37285 serves as a reminder: always keep devices up to date and never underestimate the impact of a single line of code.

Apple didn’t publish a proof-of-concept or full details, but history shows these bugs are often chained with others for full device takeover. Fortunately, with coordinated disclosure and a fast patch, users who update are safe.

References

- Apple Security Update - iOS 15.7.8
- National Vulnerability Database - CVE-2023-37285
- Apple Security Updates Index


*Written exclusively for your security awareness. Share with anyone using an older iPhone, iPad, or Mac!*

Timeline

Published on: 07/28/2023 05:15:10 UTC
Last modified on: 08/03/2023 16:59:16 UTC