CISA adds three Apple zero-days to KEV catalogue

Flaws under active use in attacks

CISA adds three zero-days affecting Apple devices to KEV catalogue


The US Cybersecurity and Infrastructure Security Agency (CISA) has added three zero-day vulnerabilities, affecting iPhones, Macs and iPads, to its known exploited vulnerabilities (KEV) catalogue.

The security vulnerabilities, identified as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, were discovered within the WebKit browser engine and have all since been patched.

US Federal Civilian Executive Branch (FCEB) agencies now have a deadline of 12th June to protect their Apple devices against these vulnerabilities.

In accordance with the binding operational directive (BOD 22-01) issued in November 2021, federal agencies are obligated to identify and resolve all security vulnerabilities listed in CISA's KEV catalogue.

Although BOD 22-01 applies only to FCEB agencies, CISA advises all American enterprises to do the same.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said.

In response to the discovery of the vulnerabilities impacting WebKit, an open-source web browser engine Apple uses for its device operating systems, the company has released iOS 16.5, macOS Ventura 13.4, and iPadOS 16.5.

According to Apple, CVE-2023-32409 is a sandbox escape vulnerability that allows remote attackers to bypass Web Content sandboxes.

CVE-2023-28204 is an out-of-bounds read vulnerability that enables attackers to potentially access sensitive information.

The third vulnerability, CVE-2023-32373, is a use-after-free issue that permits arbitrary code execution on a compromised device. Attackers can achieve this by tricking targeted individuals into loading a malicious web page.

The affected devices are:

To address the zero-day vulnerabilities, Apple has patched the following software versions:

The updates include enhancements to bounds checks, input validation and memory management.
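For teams tracking the BOD 22-01 deadline, the following is an added example (not code from the article, CISA or Apple) that checks a constructed device inventory against the fixed versions named above and flags the KEV entries whose due date has passed. The record field names `cveID` and `dueDate` follow the public KEV JSON feed; the inventory and the "today" value are constructed.

```python
from datetime import date

# Fixed releases from the article: iOS 16.5, iPadOS 16.5, macOS Ventura 13.4.
FIXED_VERSIONS = {"iOS": (16, 5), "iPadOS": (16, 5), "macOS": (13, 4)}

# Constructed KEV-style entries; the due date is the 12 June 2023 deadline.
KEV_ENTRIES = [
    {"cveID": "CVE-2023-32409", "vendorProject": "Apple", "dueDate": "2023-06-12"},
    {"cveID": "CVE-2023-28204", "vendorProject": "Apple", "dueDate": "2023-06-12"},
    {"cveID": "CVE-2023-32373", "vendorProject": "Apple", "dueDate": "2023-06-12"},
]


def parse_version(text):
    """Turn '16.4.1' into (16, 4, 1) so '16.10' sorts after '16.5' (string compare gets this wrong)."""
    return tuple(int(part) for part in text.split("."))


def is_patched(platform, version):
    """True when the installed version is at or above the fixed release for that platform."""
    return parse_version(version) >= FIXED_VERSIONS[platform]


def overdue_cves(entries, today_iso):
    """CVE IDs whose KEV due date is on or before the given ISO date."""
    today = date.fromisoformat(today_iso)
    return [e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) <= today]


def unpatched_devices(inventory):
    """Return (hostname, platform, version) tuples for devices below the fixed release."""
    return [(h, p, v) for h, p, v in inventory if not is_patched(p, v)]


if __name__ == "__main__":
    # Constructed inventory: hostname, platform, installed version.
    inventory = [
        ("mac-01", "macOS", "13.3.1"),
        ("mac-02", "macOS", "13.4"),
        ("iphone-07", "iOS", "16.4.1"),
        ("ipad-03", "iPadOS", "16.5"),
    ]
    for host, platform, version in unpatched_devices(inventory):
        print(f"{host}: {platform} {version} is below {FIXED_VERSIONS[platform]}")
    print("overdue:", overdue_cves(KEV_ENTRIES, "2023-06-13"))
```

A device still on the 1 May RSR build is reported as unpatched on purpose, since the article states the RSR covered only two of the three CVEs.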

Apple acknowledged the role of Google's Threat Analysis Group and Amnesty International's Security Lab in discovering one of the vulnerabilities, CVE-2023-32409.

Additionally, the company said CVE-2023-28204 and CVE-2023-32373 were initially addressed through Rapid Security Response (RSR) patches issued on 1st May for iOS 16.4.1 and macOS 13.3.1.

Last month, Apple addressed two other zero-day vulnerabilities: CVE-2023-28206 and CVE-2023-28205. These vulnerabilities were actively exploited in the wild, targeting Android, iOS and Chrome platforms. Attackers used them to deploy commercial spyware on the devices of high-risk targets.

In February, Apple released a security update to address another WebKit zero-day vulnerability, CVE-2023-23529. Hackers used this vulnerability to achieve code execution on vulnerable iPhones, iPads and Macs.