Apple CFNetwork HSTS Bypass Vulnerability

Vulnerability

A vulnerability exists in the CFNetwork component of several Apple products, including iOS, iPadOS, macOS, watchOS, and iTunes for Windows. It allows an attacker in a privileged network position to bypass HTTP Strict Transport Security (HSTS) for certain top-level domains that are not on the HSTS preload list. The issue stems from a configuration flaw, which Apple has addressed by adding further restrictions.

Impact

Successful exploitation bypasses HSTS for the affected top-level domains, leaving connections to them open to potential man-in-the-middle attacks.

Remediation

Users should update to the latest versions of the affected Apple products to address this vulnerability. Specific update details are available on the Apple security updates page.

Added: Mar 11, 2026, 6:44 PM
Updated: Mar 11, 2026, 6:44 PM