CVE-2023-41991 — Apple Multiple Products Improper Certificate Validation Vulnerability

CVE-2023-41991

Apple Security Framework: Improper Certificate Validation Lets a Malicious App Bypass Signature Validation; Stage of the Predator (Cytrox/Intellexa) Exploit Chain Patched Sep 21 2023; Discovered by Citizen Lab and Google TAG

What is Apple's Security Framework Certificate Validation?

Apple's Security framework provides cryptographic services, X.509 certificate chain evaluation and code-signature verification for iOS, iPadOS, macOS and watchOS. Code signing is a foundational platform control: before code is allowed to run, the system checks that the binary carries a signature chaining to an Apple-trusted certificate and that the certificate is valid for that purpose. An improper certificate validation flaw (CWE-295) in this path means a certificate or signature the framework should reject is accepted instead, so a malicious app can pass a check that exists to stop unauthorized code, undermining the platform's code integrity enforcement. Apple's advisory for CVE-2023-41991 describes the impact only as "A malicious app may be able to bypass signature validation"; the specific defect has not been published.

Overview

CVE-2023-41991 is an improper certificate validation vulnerability (CWE-295) in Apple's Security framework. Apple's advisory states that a malicious app may be able to bypass signature validation, and that Apple was aware of a report that the issue may have been actively exploited against versions of iOS before iOS 16.7. It was fixed in Apple's September 21, 2023 out-of-band updates (iOS and iPadOS 17.0.1, iOS and iPadOS 16.7, macOS Ventura 13.6, watchOS 10.0.1; the Affected Versions table below also lists macOS Sonoma 14.0) together with CVE-2023-41992 (kernel privilege escalation) and CVE-2023-41993 (WebKit arbitrary code execution from web content). The three bugs were found in the wild as one exploit chain delivering Cytrox/Intellexa's Predator spyware; this is a different chain from BLASTPASS, which Apple had patched two weeks earlier. CVE-2023-41991 was reported by Bill Marczak of The Citizen Lab and Maddie Stone of Google's Threat Analysis Group (TAG).

CISA added CVE-2023-41991 to the Known Exploited Vulnerabilities (KEV) catalog on September 25, 2023, four days after Apple's patch.

Affected Versions

Product              Affected           Fixed
iOS and iPadOS 17    Prior to 17.0.1    17.0.1
iOS and iPadOS 16    Prior to 16.7      16.7
macOS Sonoma         Prior to 14.0      14.0
macOS Ventura        Prior to 13.6      13.6
watchOS              Prior to 10.0.1    10.0.1

Technical Details

Apple has not published the root cause beyond "A certificate validation issue was addressed", so the exact defect is not public. In general, CWE-295 in a code-signature verification path means the verifier accepts a certificate or chain that it should reject. Typical failure patterns in this class are:

  • Insufficient checking of chain properties: an end-entity certificate accepted as an issuer (basicConstraints CA flag not enforced), path-length limits ignored, or key usage and extended key usage not checked against the purpose (here, code signing)
  • Validity-period or revocation (OCSP, CRL) checks skipped, or failing open, under specific conditions
  • Edge cases in ASN.1/DER parsing of the certificate that let a crafted structure pass
  • A logic flaw in the decision path that treats a partial or skipped verification as success
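
To make the first, second and fourth patterns concrete, here is an added Go example; it is not Apple's code and not from this page. It builds an in-memory PKI (a code-signing root, a legitimate developer certificate, a "rogue" certificate signed with the developer's non-CA key, and an expired developer certificate; every name and lifetime is made up) and runs two validators over it. signatureOnly mirrors the flaw: it checks only that each signature verifies under the next key up to the trusted root. fullVerify uses Go's crypto/x509 path validation as a stand-in for a platform verifier, enforcing basicConstraints, the validity period and the code-signing extended key usage. The flawed validator accepts the rogue and expired certificates; the full one rejects both.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates an Ed25519 code-signing certificate for cn signed by parentKey
// (self-signed when parentCert is nil). Names and lifetimes are illustrative.
func issue(cn string, isCA bool, notAfter time.Time, parentCert *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough here; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true, // basicConstraints present; CA flag = isCA
		IsCA:                  isCA,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	signerCert, signerKey := tmpl, priv
	if parentCert != nil {
		signerCert, signerKey = parentCert, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, priv
}

// signatureOnly is the flawed validator: every signature in chain must verify
// under the next certificate's key, ending at root, and nothing else is checked.
// It never reads basicConstraints (a non-CA leaf passes as an issuer) or NotAfter.
func signatureOnly(chain []*x509.Certificate, root *x509.Certificate) error {
	for i, c := range chain {
		signer := root
		if i+1 < len(chain) {
			signer = chain[i+1]
		}
		pub, ok := signer.PublicKey.(ed25519.PublicKey)
		if !ok || !ed25519.Verify(pub, c.RawTBSCertificate, c.Signature) {
			return fmt.Errorf("bad signature on %q", c.Subject.CommonName)
		}
	}
	return nil
}

// fullVerify is the correct check: crypto/x509 builds the path and enforces
// basicConstraints (only CAs may issue), validity period, code-signing EKU and name constraints.
func fullVerify(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// BuildAndCheck constructs the PKI and records which certificates each
// validator accepted, keyed "<cert>/<validator>".
func BuildAndCheck() map[string]bool {
	tomorrow := time.Now().Add(24 * time.Hour)
	root, rootKey := issue("Example Code Signing Root", true, tomorrow, nil, nil)
	good, goodKey := issue("Developer: Example Corp", false, tomorrow, root, rootKey)
	// Signed with the developer's non-CA key: valid signature, invalid chain.
	rogue, _ := issue("Malicious Installer", false, tomorrow, good, goodKey)
	expired, _ := issue("Expired Developer", false, time.Now().Add(-30*time.Minute), root, rootKey)
	return map[string]bool{
		"good/naive":    signatureOnly([]*x509.Certificate{good}, root) == nil,
		"good/full":     fullVerify(good, nil, root) == nil,
		"rogue/naive":   signatureOnly([]*x509.Certificate{rogue, good}, root) == nil,
		"rogue/full":    fullVerify(rogue, []*x509.Certificate{good}, root) == nil,
		"expired/naive": signatureOnly([]*x509.Certificate{expired}, root) == nil,
		"expired/full":  fullVerify(expired, nil, root) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", BuildAndCheck())
}
```

Run it with go run on the single file; the printed map shows rogue/naive and expired/naive as true and their /full counterparts as false. One caveat on the stand-in: Go's Verify enforces extended key usage but does not check the keyUsage bits (keyCertSign, digitalSignature), so a verifier that must honour those has to add that check itself.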

In the chain as described by Google TAG, CVE-2023-41991 sat between the WebKit remote code execution bug (CVE-2023-41993) and the kernel privilege escalation (CVE-2023-41992). TAG's write-up gives its role in the chain as a PAC (pointer authentication) bypass, while Apple's description of the bug is that a malicious app may be able to bypass signature validation. Either way, the effect is that code the platform's integrity checks should have stopped is allowed to run, which is what the chain needs between compromising the renderer and attacking the kernel.

The CVSS vector (AV:L/AC:L/PR:N/UI:R/C:N/I:H) scores the bug in isolation: a local attacker (a malicious app already on the device) with some user interaction defeats an integrity control, with no direct confidentiality or availability impact. The in-the-wild severity came from its use as one link in a remote chain, which CVSS base metrics do not capture.

Discovery

Bill Marczak (Citizen Lab) and Maddie Stone (Google TAG) found CVE-2023-41991 while analysing an iOS exploit chain used against Ahmed Eltantawy, a former Egyptian member of parliament who had announced a presidential run. Citizen Lab's report ("Predator in the Wires") and TAG's accompanying post were published on September 22, 2023, the day after Apple's patch. The chain delivered Predator, the spyware of Cytrox/Intellexa, by network injection: when the target's phone loaded a plain-HTTP website, a redirect on the network path sent it to an exploit server. This was Apple's second emergency patch cycle within two weeks: the first (September 7) fixed the BLASTPASS chain, CVE-2023-41064 (ImageIO) and CVE-2023-41061 (Wallet), which had been used to deliver NSO Group's Pegasus; the second (September 21) fixed CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993, which belong to the Predator chain, not to BLASTPASS.

Exploitation Context

CVE-2023-41991 is the middle stage of the three-bug iOS chain patched on September 21, in the order Google TAG reported it:

  • CVE-2023-41993 (WebKit): initial remote code execution in the Safari/WebKit renderer from attacker-controlled web content, reached here by network injection
  • CVE-2023-41991 (Security framework): TAG describes this stage as a PAC bypass; Apple describes the bug as a malicious app bypassing signature validation
  • CVE-2023-41992 (kernel): local privilege escalation to the kernel, after which the Predator implant is installed

The delivery required no link to be clicked: a target who browsed to any plain-HTTP site on the injected network path could be redirected to the exploit server and compromised, so the victim saw nothing that would warn them. Citizen Lab also documented link-based attempts against the same target by SMS and WhatsApp. This class of exploit chain is developed and sold by commercial surveillance vendors to government customers.

Remediation

  1. Update iPhone and iPad to iOS/iPadOS 17.0.1 or 16.7 (Settings → General → Software Update). Devices that cannot run iOS 16 have no fixed release listed on this page; treat them as unpatched until Apple's advisory says otherwise.
  2. Update macOS to Sonoma 14.0 or Ventura 13.6 (System Settings → General → Software Update).
  3. Update Apple Watch to watchOS 10.0.1 via the Watch app (General → Software Update).
  4. Turn on automatic updates: Apple ships zero-day fixes through the regular update channel, so automatic installation shortens the window between release and deployment.
  5. Enable Lockdown Mode for people at elevated risk (journalists, lawyers, activists, politicians, diplomatic staff): it removes much of the WebKit and messaging attack surface that commercial surveillance chains rely on.
  6. Check for compromise: the Mobile Verification Toolkit (MVT), maintained by Amnesty International's Security Lab, can examine an iOS backup or full filesystem dump against published indicators for Predator and Pegasus, including those Citizen Lab released with its report on this chain.
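
As an added example that is not part of the advisory, the Go program below encodes the fixed releases from this page's Affected Versions table and classifies devices from a constructed inventory (the names and versions are made up) as patched, vulnerable, or on a branch the table does not cover. It compares versions numerically and per branch, so 16.6.1 is measured against 16.7 and 17.0 against 17.0.1, and it refuses to guess for branches the table does not list, such as iOS 15 or macOS Monterey.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Fixed release per platform and major-version branch, exactly as listed in
// this page's Affected Versions table. Branches the table does not cover
// (iOS 15, macOS Monterey, ...) are reported as Unknown rather than guessed.
var fixes = map[string]string{
	"iOS/17": "17.0.1", "iPadOS/17": "17.0.1",
	"iOS/16": "16.7", "iPadOS/16": "16.7",
	"macOS/14":   "14.0", // Sonoma
	"macOS/13":   "13.6", // Ventura
	"watchOS/10": "10.0.1",
}

const (
	Unknown    = "unknown"    // branch not in the table, or unparsable version
	Vulnerable = "vulnerable" // below the fixed release for its branch
	Patched    = "patched"    // at or above the fixed release
)

// parseVersion turns "16.6.1" into [16 6 1]; anything non-numeric is an error.
func parseVersion(s string) ([]int, error) {
	var out []int
	for _, part := range strings.Split(strings.TrimSpace(s), ".") {
		n, err := strconv.Atoi(part)
		if err != nil {
			return nil, fmt.Errorf("bad version %q", s)
		}
		out = append(out, n)
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1; missing components count as zero, so
// "16.7" equals "16.7.0" and "17.0" sorts below "17.0.1".
func compareVersions(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Classify reports whether a device running platform/version is patched for
// CVE-2023-41991 and which release its branch needs.
func Classify(platform, version string) (string, string, error) {
	v, err := parseVersion(version)
	if err != nil {
		return Unknown, "", err
	}
	fixed, ok := fixes[platform+"/"+strconv.Itoa(v[0])]
	if !ok {
		return Unknown, "", nil
	}
	fv, _ := parseVersion(fixed) // table entries are well-formed
	if compareVersions(v, fv) < 0 {
		return Vulnerable, fixed, nil
	}
	return Patched, fixed, nil
}

// Constructed inventory in "name platform version" form, as an MDM export
// might provide it; the names and versions are made up.
var sampleInventory = []string{
	"ceo-iphone iOS 16.6.1",
	"counsel-ipad iPadOS 17.0.1",
	"build-mac macOS 13.5.2",
	"field-watch watchOS 10.0",
	"legacy-iphone iOS 15.7.9",
}

// Audit classifies each inventory line and returns device name -> status.
func Audit(lines []string) map[string]string {
	out := make(map[string]string)
	for _, l := range lines {
		if f := strings.Fields(l); len(f) == 3 {
			out[f[0]], _, _ = Classify(f[1], f[2])
		}
	}
	return out
}

func main() {
	fmt.Println(Audit(sampleInventory))
}
```

The platform string must match the table's spelling (iOS, iPadOS, macOS, watchOS), and a malformed version such as "17.x" is reported as an error rather than silently treated as patched; in a fleet report, both cases belong in the "needs review" bucket, not the "done" one.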

Key Details

Property              Value
CVE ID                CVE-2023-41991
Vendor / Product      Apple — Multiple Products
NVD Published         2023-09-21
NVD Last Modified     2025-11-05
CVSS 3.1 Score        5.5
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Severity              MEDIUM
CWE                   CWE-295
CISA KEV Added        2023-09-25
CISA KEV Deadline     2023-10-16
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2023-10-16. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2023-09-21  Apple releases out-of-band updates (iOS/iPadOS 17.0.1, iOS/iPadOS 16.7, macOS Ventura 13.6, watchOS 10.0.1; macOS Sonoma 14.0 also lists the fix) for CVE-2023-41991, CVE-2023-41992 (kernel LPE) and CVE-2023-41993 (WebKit RCE); CVE published
2023-09-22  Citizen Lab ("Predator in the Wires") and Google TAG publish their analyses of the Predator exploit chain in which the three bugs were used
2023-09-25  CISA adds CVE-2023-41991 to the Known Exploited Vulnerabilities catalog, four days after Apple's patch
2023-10-16  CISA BOD 22-01 remediation deadline