CISA Warns of Active Exploitation of Critical Vulnerability in iOS, iPadOS, and macOS


Feb 01, 2024 | Newsroom | Vulnerability / Software Update


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw affecting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, tracked as CVE-2022-48618 (CVSS score: 7.8), concerns a bug in the kernel component.

"An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication," Apple said in an advisory, adding the issue "may have been exploited against versions of iOS released before iOS 15.7.1."


The iPhone maker said the problem was addressed with improved checks. It is currently not known how the vulnerability is being weaponized in real-world attacks.

Interestingly, patches for the flaw were released on December 13, 2022, with the release of iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2, although it was only publicly disclosed more than a year later, on January 9, 2024.

It is worth noting that Apple did resolve a similar flaw in the kernel (CVE-2022-32844, CVSS score: 6.3) in iOS 15.6 and iPadOS 15.6, which shipped on July 20, 2022.

"An app with arbitrary kernel read and write capability may be able to bypass Pointer Authentication," the company said at the time. "A logic issue was addressed with improved state management."


In light of the active exploitation of CVE-2022-48618, CISA is recommending that Federal Civilian Executive Branch (FCEB) agencies apply the fixes by February 21, 2024.

The development also comes as Apple expanded patches for an actively exploited security flaw in the WebKit browser engine (CVE-2024-23222, CVSS score: 8.8) to include its Apple Vision Pro headset. The fix is available in visionOS 1.0.2.
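For defenders working the KEV deadline, the practical task is to find which managed devices still sit below the fix versions named above. The script below is an added example, not code from the article, Apple, or CISA: it encodes the fix versions the article lists (iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, watchOS 9.2 for CVE-2022-48618; visionOS 1.0.2 for CVE-2024-23222) and triages a device inventory against them. The CSV layout (`device_id,platform,version`), the sample rows, and the device identifiers are constructed for illustration and correspond to no real fleet.

```python
"""Triage an Apple device inventory against the fix versions the article lists.

Added example; not code from the article, Apple or CISA. The fix versions
come from the article; the inventory format ("device_id,platform,version"
CSV) and the sample rows below are constructed for illustration.
"""
from __future__ import annotations

import csv
import io

# Minimum patched versions per platform, per CVE, as stated in the article.
# For CVE-2024-23222 the article only gives the visionOS fix version.
ADVISORIES: dict[str, dict[str, str]] = {
    "CVE-2022-48618": {
        "iOS": "16.2",
        "iPadOS": "16.2",
        "macOS": "13.1",   # macOS Ventura 13.1
        "tvOS": "16.2",
        "watchOS": "9.2",
    },
    "CVE-2024-23222": {"visionOS": "1.0.2"},
}

# CISA's remediation deadline for FCEB agencies, from the article.
KEV_DUE_DATE = "2024-02-21"


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise '16.2' / '15.7.1' to a 3-tuple so that '16.2' == '16.2.0'.

    Raises ValueError on non-numeric parts ('13.x', '16.2 beta') so that a
    malformed inventory entry is reported instead of silently passing.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def check_device(platform: str, version: str) -> dict[str, str]:
    """Return {cve: 'vulnerable' | 'patched'} for every advisory that names
    this platform; an empty dict means no advisory on the page covers it."""
    result: dict[str, str] = {}
    for cve, fixes in ADVISORIES.items():
        fixed = fixes.get(platform)
        if fixed is None:
            continue
        below = parse_version(version) < parse_version(fixed)
        result[cve] = "vulnerable" if below else "patched"
    return result


def triage(inventory_csv: str) -> list[dict[str, str]]:
    """One finding per (device, CVE), plus 'not_covered' / 'malformed' rows
    so that nothing in the inventory drops out of the report unnoticed."""
    findings: list[dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        base = {"device_id": row["device_id"], "platform": row["platform"],
                "version": row["version"]}
        try:
            statuses = check_device(row["platform"], row["version"])
        except ValueError:
            findings.append({**base, "cve": "", "status": "malformed"})
            continue
        if not statuses:
            findings.append({**base, "cve": "", "status": "not_covered"})
        for cve, status in statuses.items():
            findings.append({**base, "cve": cve, "status": status})
    return findings


def vulnerable_devices(findings: list[dict[str, str]]) -> list[str]:
    """Distinct device ids that are below a fix version for at least one CVE."""
    return sorted({f["device_id"] for f in findings if f["status"] == "vulnerable"})


# Constructed sample inventory (hypothetical devices, not real data).
# iphone-007 on 15.7.1 is flagged because the only fix version the article
# gives for CVE-2022-48618 on iOS is 16.2.
SAMPLE_INVENTORY = """device_id,platform,version
ipad-001,iPadOS,16.1.1
iphone-002,iOS,16.2
mac-003,macOS,13.0.1
mac-004,macOS,13.1
watch-005,watchOS,9.1
tv-006,tvOS,16.3
iphone-007,iOS,15.7.1
vision-008,visionOS,1.0.1
vision-009,visionOS,1.0.2
linux-010,Linux,6.1
mac-011,macOS,13.x
"""

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for f in report:
        print(f"{f['device_id']:<12}{f['platform']:<10}{f['version']:<8}"
              f"{f['cve']:<16}{f['status']}")
    print(f"\n{len(vulnerable_devices(report))} device(s) to patch before {KEV_DUE_DATE}")
```

The version comparison pads every string to three numeric components before comparing, which avoids the tuple-ordering trap where `(16, 2) < (16, 2, 0)` evaluates as true in Python. Rows whose platform appears in no advisory and rows with unparseable versions are kept in the output as `not_covered` and `malformed` rather than dropped, since a silently skipped device is the usual way a fleet check under-reports exposure.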
