CVE-2023-27958: 
macOS vulnerability analysis and mitigation

CVE-2023-27958 is a vulnerability in the fixed size array marshaling code of DCERPC library as used in Apple macOS. The vulnerability was discovered by Aleksandar Nikolic of Cisco Talos and fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, and macOS Big Sur 11.7.5, released on March 27, 2023. The vulnerability affects all versions of macOS from Big Sur 11.0 through Ventura 13.3 (Apple Advisory, Cisco Talos).

The vulnerability exists in the DCERPC framework's handling of fixed size arrays. A use-after-free condition can occur when memory pointed to by IDLmp is freed without updating IDLleftinbuff, which can lead to memory corruption. The vulnerability has a CVSS v3.1 base score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is classified as CWE-416 (Use After Free) (NVD, Cisco Talos).

A remote user may be able to cause unexpected system termination or corrupt kernel memory. The vulnerability can be triggered through netlogon RPC service by making an invalid or overly-long RPC request targeting function 0x04 to /var/rpc/ncalrpc/netlogon endpoint directly or over SMB (Apple Advisory, Cisco Talos).

Apple has addressed this vulnerability with improved memory handling in macOS Ventura 13.3, macOS Monterey 12.6.4, and macOS Big Sur 11.7.5. Users should update to these or later versions to protect against this vulnerability (Apple Advisory).