The Cybersecurity and Infrastructure Security Agency has identified a security flaw in Apple operating systems, particularly iOS and macOS. It has been added to the agency’s Known Exploited Vulnerabilities catalog. The vulnerability can allow attackers to bypass Pointer Authentication and gain unauthorized read and write access to the system.
Critical Apple Operating Systems Vulnerabilities Exploited
The U.S. CISA has added to the agency’s Known Exploited Vulnerabilities catalog a critical vulnerability in Apple’s iOS and macOS, discovered by Apple’s security team. The flaw has been designated CVE-2022-48618 and has a high severity rating, with a CVSS score of 7.8. Upon successful exploitation, attackers could potentially bypass security measures and gain unauthorized access to sensitive information. CISA is urging all users to take immediate action to secure their devices.
Apple has not revealed much information about CVE-2022-48618 and its active exploitation in the wild. However, the Cybersecurity and Infrastructure Security Agency has directed all U.S. federal agencies to fix this flaw by February 21, per the binding operational directive (BOD 22-01) issued in November 2021.
CVE-2022-48618 Vulnerability Impact
Discovered within the kernel component of Apple’s software, this vulnerability threatens the integrity of devices by enabling adversaries to manipulate memory functions and execute arbitrary code. Successful exploitation can compromise personal data and undermine the security of critical infrastructure that relies on these technologies.
This flaw is being actively exploited and affects a wide range of devices, including older and newer models such as iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. Additionally, it impacts Macs running macOS Ventura, Apple TV 4K, Apple TV 4K (2nd generation and later), Apple TV HD, and Apple Watch Series 4 and later. Thus, the systems affected by CVE-2022-48618 are:
| Operating system | Affected versions |
| --- | --- |
| macOS Ventura | up to version 13.1 |
| watchOS | before version 9.2 |
| iOS and iPadOS | before version 16.2 |
| tvOS | before version 16.2 |
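
For fleet triage against the table above, the version comparison can be scripted. The following is an added example, not code from CISA or Apple; the inventory records and hostnames are constructed, and it assumes macOS 13.1 counts as patched because the article names 13.1 as a fixed release.

```python
import re

# Fixed releases from the table above. macOS is listed as Ventura "up to
# version 13.1"; the page names 13.1 as a fixed release, so this sketch
# treats 13.1 as patched (assumption).
FIXED = {
    "ios": (16, 2), "ipados": (16, 2), "tvos": (16, 2),
    "watchos": (9, 2), "macos": (13, 1),
}

def parse_version(text):
    """'16.1.2' -> (16, 1, 2); None for anything not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def status(os_name, version):
    """Classify one device against the page's affected-version table."""
    key = os_name.strip().lower()
    fixed = FIXED.get(key)
    if fixed is None:
        return "unknown-os"
    found = parse_version(version)
    if found is None:
        return "unparsed"          # e.g. beta strings: review by hand
    if key == "macos" and found[0] != 13:
        return "not-listed"        # the page lists only Ventura (13.x)
    # Pad to equal length: in Python (16, 2) < (16, 2, 0), so an unpadded
    # compare would wrongly flag "16.2.0" as older than the fix.
    width = max(len(found), len(fixed))
    found += (0,) * (width - len(found))
    fixed += (0,) * (width - len(fixed))
    return "vulnerable" if found < fixed else "patched"

# Constructed sample inventory (hypothetical hostnames and versions).
INVENTORY = [
    ("iphone-ops-01", "iOS", "16.1.2"),
    ("iphone-ops-02", "iOS", "16.10"),   # newer than 16.2, not older
    ("mac-build-01", "macOS", "13.0.1"),
    ("mac-build-02", "macOS", "12.6.2"),
    ("watch-07", "watchOS", "9.2"),
]

def audit(inventory):
    """Return [(host, status)] for every record."""
    return [(host, status(os_name, ver)) for host, os_name, ver in inventory]

if __name__ == "__main__":
    for host, result in audit(INVENTORY):
        print(f"{host:15} {result}")
```

Versions are compared as integer tuples rather than strings, since a string compare would rank "16.10" below "16.2".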
Apple’s Response
In response to the discovery, Apple has promptly issued patches to rectify the vulnerability, embedding enhanced security checks within the latest software updates. These updates, which include iOS 16.2 and macOS Ventura 13.1, aim to fortify devices against potential exploits. However, the delayed disclosure of the vulnerability raises questions about the timing and transparency of security communications, though that is more of an “industry standard” than an omission specific to Apple.
Apple fixed a similar flaw in the kernel (CVE-2022-32844, CVSS score: 6.3) in iOS 15.6 and iPadOS 15.6, which were shipped on July 20, 2022. The flaw allowed an app with arbitrary kernel read and write capability to bypass Pointer Authentication. Apple described it as a logic issue and addressed it with improved state management.