#VU97576 Insufficient verification of data authenticity in visionOS - CVE-2024-40865

Cybersecurity Help s.r.o.

Published: 2024-09-19

Vulnerability identifier: #VU97576

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-40865

CWE-ID: CWE-345

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
visionOS
Operating systems & Components / Operating system

Vendor: Apple Inc.

Description

The vulnerability allows a local application to alter virtual keyboard input.

The vulnerability exists due to insufficient verification of data authenticity in Presence when handling inputs to the virtual keyboard. A local application can abuse Persona to infer data passed to virtual keyboard.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

visionOS: 1.0 - 1.2

External links
https://support.apple.com/en-us/120915

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Apple visionOS