CVE-2023-32353: Local privilege escalation via iTunes in Windows
Information has been disclosed about a new high-criticality vulnerability that affects Apple iTunes in Windows environments. This vulnerability would allow an attacker with access to a machine as a non-privileged user to escalate privileges to local administrator.
This vulnerability is caused by incorrectly setting permissions on one of the folders created during the installation of the software:
C:\ProgramData\Apple Computer\iTunes\SC Info
This folder is writable by any user, so an unprivileged user could delete it and create a symbolic link pointing to any system folder, such as C:\Windows.
The repair function of the installation binary could then be used to force certain files to be rewritten, allowing privileges to be escalated up to SYSTEM access.
This vulnerability was discovered by the Synopsys Cybersecurity Research Center (CyRC).
iTunes is software that works as a media player, media library, mobile device management utility and iTunes Store client application. It is developed by Apple Inc.
Main characteristics
The main characteristics of the vulnerability are detailed below:
- CVE Id: CVE-2023-32353
- Publishing date: 01/05/2023
- Affected Software: Apple iTunes (Microsoft Windows)
- CVSS Score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8 High)
- Affected versions:
  - Prior to 12.12.9
Mitigation
The main solution is to update Apple iTunes to the new version available that fixes this vulnerability:
- 12.12.9
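To check a host for the conditions described above, the following PowerShell audit is an added example, not code from Apple, Synopsys or this advisory's author. It compares the installed iTunes version with 12.12.9, reports whether the SC Info folder has been replaced by a link, and lists write or delete rights held by broad non-administrative groups; the registry display name `iTunes` and the set of SIDs and rights treated as risky are assumptions.

```powershell
# Added audit example; not code from Apple, Synopsys or the advisory's author.
$Path         = 'C:\ProgramData\Apple Computer\iTunes\SC Info'  # folder named in the advisory
$FixedVersion = [version]'12.12.9'                               # fixed release per the advisory

# Well-known SIDs of broad, non-administrative principals (locale independent).
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Assumption: rights treated as risky because they allow deleting, replacing or filling the folder.
$Risky = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$Generic = 0x40000000 -bor 0x10000000  # GENERIC_WRITE | GENERIC_ALL, stored raw in some ACEs

# 1. Installed version, read from the uninstall registry keys.
#    Assumption: the desktop installer registers the DisplayName 'iTunes'.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'iTunes' -and $_.DisplayVersion } |
    ForEach-Object {
        $state = if ([version]$_.DisplayVersion -lt $FixedVersion) { 'VULNERABLE, update required' } else { 'fixed' }
        "iTunes $($_.DisplayVersion): $state"
    }

# 2. Folder state: a reparse point here means the directory was replaced by a link.
if (-not (Test-Path -LiteralPath $Path)) {
    "Folder not present: $Path"
} else {
    $item = Get-Item -LiteralPath $Path -Force
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        "ALERT: folder is a reparse point ($($item.LinkType)) -> $($item.Target)"
    }
    # 3. Allow ACEs granting risky rights to low-privileged principals.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($r in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid    = $r.IdentityReference.Value
        $rights = [int]$r.FileSystemRights
        if ($r.AccessControlType -eq 'Allow' -and $LowPrivSids.ContainsKey($sid) -and
            ($rights -band ($Risky -bor $Generic))) {
            "WEAK ACL: $($LowPrivSids[$sid]) has $($r.FileSystemRights) (inherited: $($r.IsInherited))"
        }
    }
}
```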
Apple has released a statement with official information and updates regarding this vulnerability:
As part of its emerging vulnerability service, Tarlogic proactively monitors its customers’ perimeter to report, detect and urgently notify the presence of this vulnerability, as well as other critical threats that could have a serious impact on the security of their assets.