CISA warned today that a patched kernel security flaw affecting Apple iPhones, Macs, TVs, and watches is now being actively exploited in attacks.
Tracked as CVE-2022-48618 and discovered by Apple’s security researchers, the bug was only disclosed on January 9th in an update to a security advisory published in December 2022.
The company has yet to reveal if the vulnerability was also silently patched more than two years ago when the advisory was first issued.
“An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication,” the company revealed this month.
“Apple is aware of a report that this issue may have been exploited against versions of iOS released before iOS 15.7.1.”
This improper authentication security vulnerability enables attackers to bypass Pointer Authentication, a security feature designed to block attacks trying to exploit memory corruption bugs.
Apple addressed the flaw with improved checks on devices running iOS 16.2 or later, iPadOS 16.2 or later, macOS Ventura or newer, tvOS 16.2 or higher, and watchOS 9.2 or later.
The list of devices impacted by this actively exploited flaw is quite extensive and it affects both older and newer models, including:
- iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Ventura
- Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD
- and Apple Watch Series 4 and later
Federal agencies ordered to patch by February 21st
While Apple has yet to share more details on CVE-2022-48618 active exploitation in the wild, CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog.
It also ordered U.S. federal agencies to patch the bug by February 21st, as required by a binding operational directive (BOD 22-01) issued in November 2021.
Last week, Apple also released security updates to patch this year’s first zero-day bug (CVE-2024-23222) exploited in attacks, a WebKit confusion issue that attackers could exploit to gain code execution on vulnerable iPhones, Macs, and Apple TVs.
The same day, the company also backported patches to older iPhone and iPad models for two more WebKit zero-days tracked as CVE-2023-42916 and CVE-2023-42917 and patched in November for newer devices.