The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a high-severity flaw to its Known Exploited Vulnerabilities (KEV) catalog, affecting a spectrum of Apple devices, including iOS, iPadOS, macOS, tvOS, and watchOS.
CVE-2022-48618: Technical Overview
Tracked as CVE-2022-48618 with a CVSS score of 7.8, the vulnerability centers around a kernel component bug, posing a serious threat.
Apple acknowledged the gravity of the situation, stating that an attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. According to Apple’s advisory, the flaw might have been exploited in versions of iOS predating 15.7.1.
To counter this, Apple swiftly implemented enhanced checks to address the issue. However, the specifics of how the vulnerability is being exploited in real-world scenarios remain undisclosed, adding an element of mystery to the situation.
Interestingly, patches for CVE-2022-48618 were discreetly released on December 13, 2022, alongside the launch of iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2. Surprisingly, the public disclosure of this flaw only came to light more than a year later on January 9, 2024.
This incident echoes a prior resolution by Apple in July 2022 when a similar flaw (CVE-2022-32844, CVSS score: 6.3) in the kernel was addressed with the release of iOS 15.6 and iPadOS 15.6. The company clarified that “An app with arbitrary kernel read and write capability may be able to bypass Pointer Authentication,” and this was rectified through improved state management.
In response to the active exploitation of CVE-2022-48618, CISA is urgently recommending that Federal Civilian Executive Branch (FCEB) agencies apply the fixes by February 21, 2024. The sense of urgency underscores the potential risks associated with the vulnerability.
Adding to the complexity of the situation, Apple addressed an actively exploited flaw in the WebKit browser engine (CVE-2024-23222, CVSS score: 8.8), ensuring comprehensive coverage. This fix has been expanded to encompass the Apple Vision Pro headset, available in visionOS 1.0.2.