CVE-2023-42844

7.5 HIGH

📋 TL;DR

This macOS vulnerability lets a website access sensitive user data because a symbolic link is followed without adequate validation of where it points. It affects macOS Monterey, Ventura and Sonoma before the October 2023 updates; exploitation needs only that the user visit a malicious site, with no further interaction or credentials.

💻 Affected Systems

Products:
  • macOS
Versions: macOS Monterey 12.0 through 12.7, macOS Ventura 13.0 through 13.6, macOS Sonoma 14.0
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected macOS versions are vulnerable. Requires user to visit a malicious website.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious website reads files the page should never reach, such as credential stores, keys and private documents, by following a symlink out of the location it is confined to, leading to data theft or credential compromise.

🟠 Likely Case

Targeted attacks in which users are lured to a crafted page that follows a symlink to a specific sensitive file in a predictable location under the user's home directory.

🟢 If Mitigated

With the default browser process sandbox and per-user file-system permissions intact, impact is limited to files readable by the current user from the browser's context; system files owned by root remain out of reach.

🌐 Internet-Facing: HIGH - Exploitation requires only visiting a malicious website, making internet-facing systems particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal users could be targeted through phishing or compromised internal websites, but requires user interaction.
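The bug class behind this CVE is a containment check that trusts a path before its symlinks are resolved. The following shell script is an added illustration, not Apple's code and not a reproduction of the macOS bug: it builds a throwaway directory layout in which a "download" folder holds a symlink to a private key, then contrasts a naive prefix check (which the symlink defeats) with one that canonicalizes the path first. The directory names and the file contents are constructed for the demo.

```shell
#!/bin/sh
# Added illustration of the bug class (not Apple's code): a containment check
# that trusts a path before symlinks are resolved, next to one that does not.

# canonical_path PATH: resolve symlinks in the final component (bounded) and in
# the parent directory, without depending on `readlink -f`, which older macOS lacks.
canonical_path() {
    p="$1"
    n=0
    while [ -L "$p" ] && [ "$n" -lt 32 ]; do
        target=$(readlink "$p") || return 1
        case "$target" in
            /*) p="$target" ;;                      # absolute link target
            *)  p="$(dirname "$p")/$target" ;;      # relative to the link's directory
        esac
        n=$((n + 1))
    done
    dir=$(cd -P "$(dirname "$p")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename "$p")"
}

# naive_allowed ROOT PATH: string-prefix check only. A symlink placed under
# ROOT that points elsewhere passes, which is the shape of bug behind this CVE.
naive_allowed() {
    case "$2" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# safe_allowed ROOT PATH: canonicalize both sides first, then compare.
safe_allowed() {
    root=$(cd -P "$1" 2>/dev/null && pwd -P) || return 1
    real=$(canonical_path "$2") || return 1
    case "$real" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# demo: constructed layout. "container" stands in for a sandbox container and
# "home/.ssh/id_ed25519" for a file the page must never reach.
demo() {
    tmp=$(cd -P "$(mktemp -d)" && pwd -P)
    mkdir -p "$tmp/container/Downloads" "$tmp/home/.ssh"
    printf 'not a real key (constructed)\n' > "$tmp/home/.ssh/id_ed25519"
    ln -s "$tmp/home/.ssh/id_ed25519" "$tmp/container/Downloads/harmless.txt"

    f="$tmp/container/Downloads/harmless.txt"
    if naive_allowed "$tmp/container" "$f"; then naive=allowed; else naive=denied; fi
    if safe_allowed "$tmp/container" "$f"; then safe=allowed; else safe=denied; fi
    printf 'naive=%s hardened=%s resolves_to=%s\n' "$naive" "$safe" "$(canonical_path "$f")"
    rm -rf "$tmp"
}

demo
```

The naive check answers "allowed" because the string begins with the container path; the hardened check answers "denied" because the canonical path lands in another user directory. Real sandboxes must also guard against the link changing between the check and the open, which a userland path comparison alone cannot do.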

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user to visit malicious website but no authentication needed. Public disclosures include technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1

Vendor Advisory: https://support.apple.com/en-us/HT213983

Restart Required: Yes

Instructions:

1. Open System Settings > General > Software Update.
2. Install the available update.
3. Restart when prompted.

🔧 Temporary Workarounds

Disable automatic symlink resolution in browser (all platforms)

Not actionable: no shipping browser exposes a setting, and no extension can change, how the operating system resolves symbolic links. The only complete remedy is the macOS update above.

Use browser sandboxing (all platforms)

Keep the default process sandbox intact: do not disable System Integrity Protection, do not launch a browser with its sandbox relaxed, and keep browsers current so that page content stays confined to the sandboxed renderer and its container.

🧯 If You Can't Patch

  • Restrict web browsing to trusted sites only using browser extensions or network filtering
  • Implement application whitelisting to prevent unauthorized browser execution

🔍 How to Verify

Check if Vulnerable:

Check macOS version in System Settings > General > About. If version is Monterey 12.0-12.7, Ventura 13.0-13.6, or Sonoma 14.0-14.0, system is vulnerable.

Check Version:

sw_vers

Verify Fix Applied:

Verify macOS version is Monterey 12.7.1 or later, Ventura 13.6.1 or later, or Sonoma 14.1 or later.
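An added script (not from Apple) that turns the version ranges above into a repeatable check: it compares a macOS productVersion string against the first fixed release for its major line (12.7.1, 13.6.1, 14.1) and reports vulnerable, fixed, or unknown for major versions the advisory does not cover. On a Mac it reads the live version from sw_vers; elsewhere it falls back to a constructed sample value.

```shell
#!/bin/sh
# Added example, not Apple's code: classify a macOS productVersion string
# against the fixed releases named in the advisory for CVE-2023-42844.

# ver_ge A B: exit 0 if dotted version A >= B, comparing numerically per
# component and treating missing components as 0 (so 14.1 >= 14.1.0).
ver_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# fixed_for_major N: first fixed release for major line N (from the advisory);
# fails for majors the advisory does not list.
fixed_for_major() {
    case "$1" in
        12) echo 12.7.1 ;;
        13) echo 13.6.1 ;;
        14) echo 14.1 ;;
        *)  return 1 ;;
    esac
}

# cve_2023_42844_status VERSION: prints vulnerable, fixed, or unknown.
cve_2023_42844_status() {
    v="$1"
    major=${v%%.*}
    fixed=$(fixed_for_major "$major") || { echo unknown; return 0; }
    if ver_ge "$v" "$fixed"; then echo fixed; else echo vulnerable; fi
}

# Stand-alone run: live version on a Mac, otherwise a constructed sample.
if command -v sw_vers >/dev/null 2>&1; then
    cur=$(sw_vers -productVersion)
else
    cur=14.0   # constructed sample for hosts without sw_vers
fi
echo "macOS $cur: $(cve_2023_42844_status "$cur")"
```

"unknown" covers majors outside 12 to 14 (for example 11.x, which Apple no longer patched at the time, or 15.x, released after the fix); treat it as a prompt to check the advisory rather than as a clean result.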

📡 Detection & Monitoring

Log Indicators:

  • Browser-family processes (Safari, com.apple.WebKit.*, Chrome or Firefox helpers) opening credential stores such as ~/Library/Keychains, ~/Library/Cookies or ~/.ssh
  • Symlink creation in browser-writable directories such as ~/Downloads, in particular links that point outside the user's home folder or into credential stores

Network Indicators:

  • Connections to known malicious domains serving exploit code
  • Unusual outbound data transfers from browser processes

SIEM Query:

(process_name:"Safari" OR process_name:"com.apple.WebKit.WebContent" OR process_name:"com.apple.WebKit.Networking" OR process_name:"Google Chrome Helper" OR process_name:"firefox") AND (file_path:"*/Library/Keychains/*" OR file_path:"*/Library/Cookies/*" OR file_path:"*/.ssh/*")

Field names are placeholders for your SIEM's schema. The parentheses matter: without them the precedence of AND and OR differs between query languages and the original form matched almost any browser event. A file-access event never contains the strings "symlink" or "ln -s", so matching on those finds nothing; match instead on browser processes reading credential stores outside their containers, and tune against a baseline, since some browser processes legitimately read their own cookie stores.
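The indicator list above as runnable detection logic, added here and not part of the original page. The event format (one event per line, space-separated key=value fields), the process-name list and the sensitive-path list are all assumptions to adapt to your EDR's file-open telemetry; the five sample events are constructed.

```shell
#!/bin/sh
# Added detection example, not part of the original page. Input: one event per
# line, space-separated key=value fields (a constructed format; map it to your
# EDR's file-open events). Prints the events where a browser-family process
# opens a credential or key store.

flag_sensitive_browser_reads() {
    awk '
    # Left: browser-family process names. Right: paths a web page has no business
    # reaching. Both lists are assumptions to adapt; tune against a baseline,
    # since some browser processes legitimately read their own cookie stores.
    /proc=(Safari|com\.apple\.WebKit\.(Networking|WebContent)|firefox|Google Chrome)/ &&
    /path=[^ ]*\/(Library\/(Keychains|Cookies)|\.ssh|\.aws|\.gnupg)\// { print }
    '
}

# Five constructed events: two should be flagged (WebContent reading the login
# keychain, firefox reading an SSH key). The Networking process reading its own
# cache, Terminal reading the key, and Safari opening a download should not.
SAMPLE_LOG='2023-10-26T10:15:02Z proc=com.apple.WebKit.Networking pid=512 op=open path=/Users/alice/Library/Containers/com.apple.Safari/Data/Library/Caches/cache.db
2023-10-26T10:15:03Z proc=com.apple.WebKit.WebContent pid=520 op=open path=/Users/alice/Library/Keychains/login.keychain-db
2023-10-26T10:15:04Z proc=firefox pid=601 op=open path=/Users/alice/.ssh/id_ed25519
2023-10-26T10:15:05Z proc=Terminal pid=700 op=open path=/Users/alice/.ssh/id_ed25519
2023-10-26T10:15:06Z proc=Safari pid=480 op=open path=/Users/alice/Downloads/report.pdf'

# count_flagged: number of flagged events in SAMPLE_LOG.
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_sensitive_browser_reads | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | flag_sensitive_browser_reads
echo "flagged: $(count_flagged) of 5"
```

Feed real events in with `your_exporter | flag_sensitive_browser_reads` once the two regexes match your process names and the stores your users actually keep; the Terminal line shows why the process filter is essential, since the same file read by a shell is routine.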
