The Cybersecurity and Infrastructure Security Agency has identified a security flaw in Apple operating systems, specifically iOS and macOS, and has included it in the agency’s Known Exploited Vulnerabilities catalog. This vulnerability could enable attackers to circumvent Pointer Authentication, leading to unauthorized read and write access to the system.
CRITICAL APPLE OPERATING SYSTEMS VULNERABILITIES EXPLOITED
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included in its Known Exploited Vulnerabilities catalog a critical vulnerability in Apple’s iOS and macOS, uncovered by Apple’s security team. This flaw, identified as CVE-2022-48618, carries a high severity rating of CVSS 7.8. Successful exploitation of this vulnerability could potentially allow attackers to bypass security measures and gain unauthorized access to sensitive information. CISA is urging all users to take immediate action to secure their devices.
Apple has provided limited information regarding CVE-2022-48618 and its ongoing exploitation in the wild. Nevertheless, the Cybersecurity and Infrastructure Security Agency has mandated that all U.S. federal agencies address this flaw by February 21, following the guidelines outlined in the binding operational directive (BOD 22-01) issued in November 2021.
CVE-2022-48618 VULNERABILITY IMPACT
Uncovered within the kernel component of Apple’s software, this vulnerability poses a risk to device integrity, as it empowers adversaries to manipulate memory functions and execute arbitrary code. Exploiting this vulnerability successfully can compromise personal data and undermine the security of critical infrastructure that relies on these technologies.
CVE-2022-48618 is actively exploited and affects a broad spectrum of devices, including iPhone 8 and later, various iPad models, Macs running macOS Ventura, Apple TV models, and Apple Watch Series 4 and later.
| Product | Affected versions |
|---|---|
| macOS Ventura | up to version 13.1 |
| watchOS | before version 9.2 |
| iOS and iPadOS | before version 16.2 |
| tvOS | before version 16.2 |
In response to the discovery, Apple swiftly released patches to address the vulnerability, incorporating enhanced security checks in the latest software updates. The updates, including iOS 16.2 and macOS Ventura 13.1, are designed to strengthen devices against potential exploits. However, the delayed disclosure of the vulnerability raises questions about the timing and transparency of security communications, an issue that extends beyond Apple to the industry more broadly.
Apple addressed a comparable kernel flaw (CVE-2022-32844, CVSS score: 6.3) in iOS 15.6 and iPadOS 15.6, released on July 20, 2022. The flaw permitted an app with arbitrary kernel read and write capability to bypass Pointer Authentication. Apple resolved that issue, which it described as a logic issue, by enhancing state management.