CVE-2024-23218: 
macOS vulnerability analysis and mitigation

CVE-2024-23218 is a timing side-channel vulnerability discovered in Apple's CoreCrypto component that affects multiple Apple operating systems including macOS Sonoma, watchOS, tvOS, iOS, and iPadOS. The vulnerability was disclosed and patched on January 22, 2024, with fixes released in macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3 (Apple Support).

The vulnerability is a timing side-channel issue in cryptographic functions related to RSA PKCS#1 v1.5 operations. The issue was addressed by implementing improvements to constant-time computation in cryptographic functions. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

An attacker exploiting this vulnerability may be able to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without having access to the private key. This could potentially lead to unauthorized access to encrypted data (Apple Support, Apple Support).

Apple has released security updates to address this vulnerability across their affected operating systems. Users should update to macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3 or later versions. The fixes implement improved constant-time computation in cryptographic functions to prevent timing side-channel attacks (Apple Support).