The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Wednesday added a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Identified Exploited Vulnerabilities (KEV) catalog, based mostly on proof of energetic exploitation.
The vulnerability, tracked as CVE-2022-48618 (CVSS rating: 7.8), issues a bug within the kernel element.
“An attacker with arbitrary learn and write functionality could possibly bypass Pointer Authentication,” Apple stated in an advisory, including the problem “could have been exploited towards variations of iOS launched earlier than iOS 15.7.1.”
The iPhone maker stated the issue was addressed with improved checks. It is at present not identified how the vulnerability is being weaponized in real-world assaults.
Curiously, patches for the flaw have been launched on December 13, 2022 with the discharge of iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2, though it was solely publicly disclosed greater than a 12 months in a while January 9, 2024.
It is price noting that Apple did resolve an identical flaw within the kernel (CVE-2022-32844, CVSS rating: 6.3) in iOS 15.6 and iPadOS 15.6, which was shipped on July 20, 2022.
“An app with arbitrary kernel learn and write functionality could possibly bypass Pointer Authentication,” the corporate stated on the time. “A logic challenge was addressed with improved state administration.”
In gentle of the energetic exploitation of CVE-2022-48618, CISA is recommending that Federal Civilian Government Department (FCEB) businesses apply the fixes by February 21, 2024.
The event additionally comes as Apple expanded patches for an actively exploited security flaw within the WebKit browser engine (CVE-2024-23222, CVSS rating: 8.8) to incorporate its Apple Imaginative and prescient Professional headset. The repair is offered in visionOS 1.0.2.
