Apple Security Framework Signature Validation Bypass
CVE-2023-41991 is a vulnerability in Apple's Security framework caused by a certificate validation issue. According to Apple, a malicious application may be able to bypass signature validation. The issue affects Apple platforms including iOS, iPadOS, macOS, and watchOS, and was fixed in releases including macOS Ventura 13.6, iOS 16.7, and iPadOS 16.7, with corresponding fixes also shipped for watchOS. Apple stated it is aware of reports that the vulnerability may have been actively exploited against versions of iOS prior to iOS 16.7. Publicly available information does not identify the exact vulnerable function or code path beyond the Security framework certificate validation logic.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a sophisticated exploit tool targeting Apple's CoreTrust code signature verification on iOS and macOS. The main entry point is `src/main.m`, which orchestrates the process of extracting the preferred Mach-O slice from a (possibly fat, multi-architecture) binary, performing ad-hoc signing, and then applying a CoreTrust bypass. The bypass is implemented in `src/coretrust_bug.c`, which manipulates the code signature superblob of the Mach-O binary by injecting a template App Store code directory, updating hashes, and generating a new signature using a bundled private key. The exploit ensures the Team ID matches between code directories and removes problematic flags to maximize compatibility. The tool is intended to be run locally on a binary file and does not interact with network endpoints. The codebase is modular, with reusable components for Mach-O and code signature manipulation, and includes a number of template blobs and cryptographic routines. The exploit is operational and can be used to allow unsigned or self-signed binaries to run on iOS devices by bypassing CoreTrust signature checks.
This repository contains a tool for bypassing Apple's CoreTrust code signature enforcement on iOS. The main entry point is `src/main.m`, which processes either a single Mach-O binary or recursively processes all binaries in an app bundle. The tool works by first performing ad-hoc signing of the target binary, then extracting the appropriate architecture slice, and finally applying a CoreTrust bypass by modifying the code signature blobs. The bypass leverages embedded CA certificates and private keys (see `src/templates/CADetails.h`) and signature templates (see `src/templates/TemplateSignatureBlob.h` and `src/templates/DERTemplate.h`). The code interacts with low-level Mach-O structures and Apple's security frameworks, and uses the third-party ChOma library for Mach-O manipulation. The exploit is operational and can be used to re-sign iOS binaries to run with forged signatures, which is useful for running unauthorized code on iOS devices, especially in a jailbroken or app repackaging context. The attack vector is local, requiring access to the target binary or bundle. The only notable fingerprintable endpoint is the use of `/tmp/XXXXXX` as a temporary file for Mach-O slice extraction.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Access to sensitive logged data related to link sharing due to logic issue (fixed with improved checks).
An Apple iOS/iPadOS security/certificate validation flaw that may allow a malicious app to bypass signature validation; Apple reports it may have been actively exploited against iOS versions prior to iOS 16.7.
A signature/certificate validation vulnerability that may allow a malicious app to bypass signature validation; Apple reports it may have been actively exploited against iOS versions prior to iOS 16.7.
A certificate validation bypass vulnerability in Apple's Security framework, used in Predator exploit chains to escalate privileges on iOS devices.