In late 2023, Apple patched a critical security bug, tracked as CVE-2023-42873, across nearly all its major operating systems. This vulnerability allowed a malicious app to execute arbitrary code with kernel privileges, potentially giving hackers complete control over affected devices. In this deep dive, we'll break down what CVE-2023-42873 really means, how attackers could exploit it, and why simple errors like forgetting a bounds check can have dramatic consequences even in modern, well-protected operating systems like macOS, iOS, and tvOS.

What is CVE-2023-42873?

CVE-2023-42873 is a vulnerability found in Apple’s XNU kernel—the core part of the operating system running on Macs, iPhones, iPads, Apple TV, and more.

- CVE ID: CVE-2023-42873

tvOS 17.1

- Apple Advisory: HT213981 — About the security content of macOS Sonoma 14.1, macOS Ventura 13.6.1, and macOS Monterey 12.7.1

The Technical Root: A Missing Bounds Check

At its heart, CVE-2023-42873 was caused by insufficient bounds checking in the kernel. That means the code didn't adequately verify that variable values or memory indexes were safe before accessing data.

Why does this matter?
In a kernel, missing a bounds check often means a user process can trick the kernel into reading or writing memory it shouldn’t—which can lead to taking control of the whole device.

In C, bounds checks are often done like this

// Bad: No bounds check!
kernel_buffer[index] = value;

// Good: With bounds check
if (index < BUFFER_SIZE) {
    kernel_buffer[index] = value;
}

If the check is missing or wrong, an attacker can make index any number they want—and possibly write anywhere in memory, including code or data used by the kernel itself.

Exploit Details: Arbitrary Kernel Code Execution

Apple didn’t publish full technical details, but based on the advisory and prior research, here’s how such bugs are often exploited:

App Sends Malicious Input:

- The attacker makes their app send specially crafted requests (or data) to the kernel, targeting the vulnerable code path.

Hijacking Control Flow:

- By timing and crafting their attack, the malicious input can overwrite a function pointer or another kernel variable.

Get Root, Break Out of Sandbox:

- The code now runs at the highest possible privilege level ("kernel root"), escaping Apple’s security sandboxes.
- This means the attacker can, in theory, install rootkits, steal anything on the device, or brick it entirely.

Let’s say Apple’s kernel had a vulnerable function

// Vulnerable function (simplified example)
int foo_ioctl(user_input_t *input) {
    int idx = input->user_index;
    kernel_buffer[idx] = input->value; // No check!
    return ;
}

Exploit Step

The attacker sends a request from their app, setting user_index to a negative number or a huge number:

int malicious_idx = xFFFFFFFF; // Or -1, wraps around...

user_input_t evil = {
    .user_index = malicious_idx,
    .value = x41414141
};
ioctl(dev_fd, VULN_IOCTL_CODE, &evil);

Now, kernel_buffer[xFFFFFFFF] could point anywhere! If it hits kernel data structures, the attacker can hijack execution.

The Patch: Adding a Simple Bounds Check

Apple fixed the bug with a classic programming technique: validating that inputs are within expected ranges.

Patched code

int foo_ioctl(user_input_t *input) {
    int idx = input->user_index;
    if (idx >=  && idx < KERNEL_BUFFER_SIZE) {
        kernel_buffer[idx] = input->value;
        return ;
    } else {
        return -EINVAL;
    }
}

This stops attackers from abusing the vulnerability—even if they can send wild inputs, everything out-of-bounds is refused.

Mac computers (Monterey, Ventura, Sonoma)

- All supported iPhones and iPads (iOS and iPadOS 16/17)

Apple TV boxes (tvOS 17.x)

Because this is a kernel-level bug, device protection features like sandboxing, SIP (System Integrity Protection), and app permissions would be bypassed.

How do you stay safe?

Update, update, update!
If your device is not running at least the versions Apple released in October 2023 (macOS Sonoma 14.1, iOS/iPadOS 16.7.2, etc.), you are at risk!

Go to Settings > General > Software Update and apply all available fixes.

References and Further Reading

- Apple Security Updates
- Apple’s Official Advisory
- MITRE CVE Record for CVE-2023-42873
- The XNU Kernel (Apple Open Source)

Conclusion

CVE-2023-42873 is a reminder that even in the world’s most advanced operating systems, small mistakes in bounds checking can lead to major security disasters. Always keep your Apple devices up to date, and if you’re a developer, *never* forget to check your inputs—your users’ safety depends on it.

Timeline

Published on: 02/21/2024 07:15:49 UTC
Last modified on: 08/28/2024 20:35:03 UTC