Apple Patches Everything

Published: 2022-05-16
Last Updated: 2022-05-16 19:53:10 UTC
by Johannes Ullrich (Version: 1)

Apple today released updates for tvOS, Xcode, macOS (Big Sur, Monterey and Catalina), iOS, iPadOS and watchOS. In addition to new features, the updates patch a total of 86 vulnerabilities. One of them, a kernel privilege escalation in AppleAVD (CVE-2022-22675), is already being actively exploited.

Apple does not assign severity ratings to the vulnerabilities. The ratings below are ours and follow roughly this scale:
- critical: code execution issues
- important: privilege escalation issues, DoS
- moderate: information disclosure, unless the information can be used for privilege escalation.

Some vulnerabilities are rated as "other" if we didn't get around to assigning them yet, or if they are not described well enough.

Affected platforms are listed per entry, in the order Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS.
CVE-2022-26702 [important] AppleAVD
A use after free issue was addressed with improved memory management.
An application may be able to execute arbitrary code with kernel privileges
Affects: tvOS, iOS/iPadOS, watchOS
CVE-2022-22675 [important] AppleAVD
An out-of-bounds write issue was addressed with improved bounds checking.
An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Affects: Big Sur, tvOS, watchOS
CVE-2022-26724 [important] AuthKit
An authentication issue was addressed with improved state management.
A local user may be able to enable iCloud Photos without authentication
Affects: tvOS
CVE-2022-26736 [important] AVEVideoEncoder
An out-of-bounds write issue was addressed with improved bounds checking.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey, tvOS, iOS/iPadOS
CVE-2022-26737 [important] AVEVideoEncoder
An out-of-bounds write issue was addressed with improved bounds checking.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey, tvOS, iOS/iPadOS
CVE-2022-26738 [important] AVEVideoEncoder
An out-of-bounds write issue was addressed with improved bounds checking.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey, tvOS, iOS/iPadOS
CVE-2022-26739 [important] AVEVideoEncoder
An out-of-bounds write issue was addressed with improved bounds checking.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey, tvOS, iOS/iPadOS
CVE-2022-26740 [important] AVEVideoEncoder
An out-of-bounds write issue was addressed with improved bounds checking.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey, tvOS, iOS/iPadOS
CVE-2022-26763 [important] DriverKit
An out-of-bounds access issue was addressed with improved bounds checking.
A malicious application may be able to execute arbitrary code with system privileges
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS
CVE-2022-26711 [critical] ImageIO
An integer overflow was addressed with improved input validation.
A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Affects: Monterey, tvOS, iOS/iPadOS, watchOS
CVE-2022-26701 [important] IOKit
A race condition was addressed with improved locking.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey, tvOS, iOS/iPadOS
CVE-2022-26768 [important] IOMobileFrameBuffer
A memory corruption issue was addressed with improved state management.
An application may be able to execute arbitrary code with kernel privileges
Affects: Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS
CVE-2022-26771 [important] IOSurfaceAccelerator
A memory corruption issue was addressed with improved state management.
A malicious application may be able to execute arbitrary code with kernel privileges
Affects: tvOS, iOS/iPadOS, watchOS
CVE-2022-26714 [important] Kernel
A memory corruption issue was addressed with improved validation.
An application may be able to execute arbitrary code with kernel privileges
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS
CVE-2022-26757 [important] Kernel
A use after free issue was addressed with improved memory management.
An application may be able to execute arbitrary code with kernel privileges
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS
CVE-2022-26764 [important] Kernel
A memory corruption issue was addressed with improved validation.
An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations
Affects: Monterey, tvOS, iOS/iPadOS, watchOS
CVE-2022-26765 [important] Kernel
A race condition was addressed with improved state handling.
A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
Affects: Monterey, tvOS, iOS/iPadOS, watchOS
CVE-2022-26706 [moderate] LaunchServices
An access issue was addressed with additional sandbox restrictions on third-party applications.
A sandboxed process may be able to circumvent sandbox restrictions
Affects: Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS
CVE-2022-23308 [critical] libxml2
A use after free issue was addressed with improved memory management.
A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS
CVE-2022-26766 [important] Security
A certificate parsing issue was addressed with improved checks.
A malicious app may be able to bypass signature validation
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS
WebKit Bugzilla [critical] WebKit
A memory corruption issue was addressed with improved state management.
Processing maliciously crafted web content may lead to arbitrary code execution
Affects: Monterey, tvOS, iOS/iPadOS, watchOS
CVE-2022-26745 [moderate] Wi-Fi
A memory corruption issue was addressed with improved validation.
A malicious application may disclose restricted memory
Affects: Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS
CVE-2021-44224 [other] apache
Multiple issues were addressed by updating apache to version 2.4.53.
Multiple issues in apache
Affects: Catalina, Big Sur, Monterey
CVE-2021-44790 [other] apache
Multiple issues were addressed by updating apache to version 2.4.53.
Multiple issues in apache
Affects: Catalina, Big Sur, Monterey
CVE-2022-22719 [other] apache
Multiple issues were addressed by updating apache to version 2.4.53.
Multiple issues in apache
Affects: Catalina, Big Sur, Monterey
CVE-2022-22720 [other] apache
Multiple issues were addressed by updating apache to version 2.4.53.
Multiple issues in apache
Affects: Catalina, Big Sur, Monterey
CVE-2022-22721 [other] apache
Multiple issues were addressed by updating apache to version 2.4.53.
Multiple issues in apache
Affects: Catalina, Big Sur, Monterey
CVE-2022-22665 [important] AppKit
A logic issue was addressed with improved validation.
A malicious application may be able to gain root privileges
Affects: Catalina, Big Sur
CVE-2022-26751 [critical] AppleGraphicsControl
A memory corruption issue was addressed with improved input validation.
Processing a maliciously crafted image may lead to arbitrary code execution
Affects: Catalina, Big Sur, Monterey, iOS/iPadOS
CVE-2022-26697 [important] AppleScript
An out-of-bounds read issue was addressed with improved input validation.
Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory
Affects: Catalina, Big Sur, Monterey
CVE-2022-26698 [important] AppleScript
An out-of-bounds read issue was addressed with improved bounds checking.
Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory
Affects: Catalina, Big Sur, Monterey
CVE-2022-22663 [moderate] CoreTypes
This issue was addressed with improved checks to prevent unauthorized actions.
A malicious application may bypass Gatekeeper checks
Affects: Catalina, Big Sur
CVE-2022-26721 [important] CVMS
A memory initialization issue was addressed.
A malicious application may be able to gain root privileges
Affects: Catalina, Big Sur, Monterey
CVE-2022-26722 [important] CVMS
A memory initialization issue was addressed.
A malicious application may be able to gain root privileges
Affects: Catalina, Big Sur, Monterey
CVE-2022-22674 [moderate] Graphics Drivers
An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.
A local user may be able to read kernel memory
Affects: Catalina, Big Sur
CVE-2022-26720 [important] Intel Graphics Driver
An out-of-bounds write issue was addressed with improved bounds checking.
A malicious application may be able to execute arbitrary code with kernel privileges
Affects: Catalina, Big Sur, Monterey
CVE-2022-26770 [important] Intel Graphics Driver
An out-of-bounds read issue was addressed with improved input validation.
A malicious application may be able to execute arbitrary code with kernel privileges
Affects: Catalina, Big Sur, Monterey
CVE-2022-26756 [important] Intel Graphics Driver
An out-of-bounds write issue was addressed with improved input validation.
An application may be able to execute arbitrary code with kernel privileges
Affects: Catalina, Big Sur, Monterey
CVE-2022-26769 [important] Intel Graphics Driver
A memory corruption issue was addressed with improved input validation.
A malicious application may be able to execute arbitrary code with kernel privileges
Affects: Catalina, Big Sur, Monterey
CVE-2022-26748 [critical] Intel Graphics Driver
An out-of-bounds write issue was addressed with improved input validation.
Processing maliciously crafted web content may lead to arbitrary code execution
Affects: Catalina, Big Sur, Monterey
CVE-2022-26775 [critical] libresolv
An integer overflow was addressed with improved input validation.
An attacker may be able to cause unexpected application termination or arbitrary code execution
Affects: Catalina, Monterey
CVE-2022-0778 [moderate] OpenSSL
This issue was addressed with improved checks.
Processing a maliciously crafted certificate may lead to a denial of service
Affects: Catalina, Big Sur, Monterey
CVE-2022-26727 [important] PackageKit
This issue was addressed with improved entitlements.
A malicious application may be able to modify protected parts of the file system
Affects: Catalina, Monterey
CVE-2022-26746 [moderate] Printing
This issue was addressed by removing the vulnerable code.
A malicious application may be able to bypass Privacy preferences
Affects: Catalina, Big Sur, Monterey
CVE-2022-26715 [important] SMB
An out-of-bounds write issue was addressed with improved bounds checking.
An application may be able to gain elevated privileges
Affects: Catalina, Big Sur, Monterey
CVE-2022-26728 [important] SoftwareUpdate
This issue was addressed with improved entitlements.
A malicious application may be able to access restricted files
Affects: Catalina, Big Sur, Monterey
CVE-2022-26726 [other] TCC
This issue was addressed with improved checks.
An app may be able to capture a user's screen
Affects: Catalina, Big Sur, Monterey, watchOS
CVE-2022-26755 [other] Tcl
This issue was addressed with improved environment sanitization.
A malicious application may be able to break out of its sandbox
Affects: Catalina, Big Sur, Monterey
CVE-2022-22589 [other] WebKit
A validation issue was addressed with improved input sanitization.
Processing a maliciously crafted mail message may lead to running arbitrary JavaScript
Affects: Catalina, Big Sur
CVE-2022-26761 [important] Wi-Fi
A memory corruption issue was addressed with improved memory handling.
An application may be able to execute arbitrary code with kernel privileges
Affects: Catalina, Big Sur, Monterey
CVE-2022-0530 [other] zip
A denial of service issue was addressed with improved state handling.
Processing a maliciously crafted file may lead to a denial of service
Affects: Catalina, Big Sur, Monterey
CVE-2018-25032 [critical] zlib
A memory corruption issue was addressed with improved input validation.
An attacker may be able to cause unexpected application termination or arbitrary code execution
Affects: Catalina, Big Sur, Monterey
CVE-2021-45444 [other] zsh
This issue was addressed by updating to zsh version 5.8.1.
A remote attacker may be able to cause arbitrary code execution
Affects: Catalina, Big Sur, Monterey
CVE-2022-26767 [moderate] LaunchServices
The issue was addressed with additional permissions checks.
A malicious application may be able to bypass Privacy preferences
Affects: Big Sur, Monterey
CVE-2022-26776 [critical] libresolv
This issue was addressed with improved checks.
An attacker may be able to cause unexpected application termination or arbitrary code execution
Affects: Big Sur, Monterey
CVE-2022-26712 [important] PackageKit
This issue was addressed by removing the vulnerable code.
A malicious application may be able to modify protected parts of the file system
Affects: Big Sur, Monterey
CVE-2022-26718 [important] SMB
An out-of-bounds read issue was addressed with improved input validation.
An application may be able to gain elevated privileges
Affects: Big Sur, Monterey
CVE-2022-26723 [critical] SMB
A memory corruption issue was addressed with improved input validation.
Mounting a maliciously crafted Samba network share may lead to arbitrary code execution
Affects: Big Sur, Monterey
CVE-2021-4136 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Big Sur
CVE-2021-4166 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Big Sur
CVE-2021-4173 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Big Sur
CVE-2021-4187 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Big Sur
CVE-2021-4192 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Big Sur
CVE-2021-4193 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Big Sur
CVE-2021-46059 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Big Sur
CVE-2022-0128 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Big Sur
CVE-2022-26772 [important] AMD
A memory corruption issue was addressed with improved state management.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey
CVE-2022-26741 [important] AMD
A buffer overflow issue was addressed with improved memory handling.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey
CVE-2022-26742 [important] AMD
A buffer overflow issue was addressed with improved memory handling.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey
CVE-2022-26749 [important] AMD
A buffer overflow issue was addressed with improved memory handling.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey
CVE-2022-26750 [important] AMD
A buffer overflow issue was addressed with improved memory handling.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey
CVE-2022-26752 [important] AMD
A buffer overflow issue was addressed with improved memory handling.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey
CVE-2022-26753 [important] AMD
A buffer overflow issue was addressed with improved memory handling.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey
CVE-2022-26754 [important] AMD
A buffer overflow issue was addressed with improved memory handling.
An application may be able to execute arbitrary code with kernel privileges
Affects: Monterey
CVE-2022-26694 [important] Contacts
This issue was addressed with improved checks.
A plug-in may be able to inherit the application's permissions and access user data
Affects: Monterey
CVE-2022-26725 [other] ImageIO
A logic issue was addressed with improved state management.
Photo location information may persist after it is removed with Preview Inspector
Affects: Monterey
CVE-2022-26743 [other] Kernel
An out-of-bounds write issue was addressed with improved bounds checking.
An attacker that has already achieved code execution in macOS Recovery may be able to escalate to kernel privileges
Affects: Monterey
CVE-2022-26708 [critical] libresolv
This issue was addressed with improved checks.
An attacker may be able to cause unexpected application termination or arbitrary code execution
Affects: Monterey
CVE-2022-26693 [important] Preview
This issue was addressed with improved checks.
A plug-in may be able to inherit the application's permissions and access user data
Affects: Monterey
CVE-2022-26731 [other] Safari Private Browsing
A logic issue was addressed with improved state management.
A malicious website may be able to track users in Safari private browsing mode
Affects: Monterey, iOS/iPadOS
CVE-2022-26704 [other] Spotlight
A validation issue existed in the handling of symlinks and was addressed with improved validation of symlinks.
An app may be able to gain elevated privileges
Affects: Monterey
CVE-2022-26762 [important] Wi-Fi
A memory corruption issue was addressed with improved memory handling.
A malicious application may be able to execute arbitrary code with system privileges
Affects: Monterey, iOS/iPadOS
CVE-2022-26744 [important] GPU Drivers
A memory corruption issue was addressed with improved state management.
An application may be able to execute arbitrary code with kernel privileges
Affects: iOS/iPadOS
CVE-2022-22673 [important] Notes
This issue was addressed with improved checks.
Processing a large input may lead to a denial of service
Affects: iOS/iPadOS
CVE-2022-26703 [important] Shortcuts
An authorization issue was addressed with improved state management.
A person with physical access to an iOS device may be able to access photos from the lock screen
Affects: iOS/iPadOS
CVE-2022-26760 [important] Wi-Fi
A memory corruption issue was addressed with improved state management.
A malicious application may be able to elevate privileges
Affects: iOS/iPadOS
CVE-2015-4142 [other] Wi-Fi
This issue was addressed with improved checks.
A remote attacker may be able to cause a denial of service
Affects: iOS/iPadOS

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Keywords: apple patches

Why is my Honeypot a Russian Certificate Authority?

Published: 2022-05-16
Last Updated: 2022-05-16 13:34:59 UTC
by Johannes Ullrich (Version: 1)

Last night, I noticed a lot of requests to one of our honeypots for "/ocsp.srf" and "/itcom2020/ocsp.srf". The requests all looked very similar:

GET /itcom2020/ocsp.srf HTTP/1.1
User-Agent: fasthttp
Host: service.itk23.ru

GET /ocsp/ocsp.srf HTTP/1.1
User-Agent: fasthttp
Host: uc.ktkt.ru

The same source IP also attempted CONNECT requests to these hostnames, indicating that they may be looking for a proxy.

So far, I am not sure what these scans are about. Is anybody else seeing this or know more about what may be happening? The combination of "CONNECT" requests and OCSP requests may suggest that someone is attempting to use my honeypot as a proxy or has it misconfigured as a proxy. But there is no payload to the OCSP requests.

OCSP, the Online Certificate Status Protocol (RFC 6960), is the more modern alternative to CRLs (Certificate Revocation Lists). The URL of the CA's OCSP responder is carried in the certificate itself, in the Authority Information Access extension, so a TLS client can ask the responder whether the certificate it just received is still "good" or has been revoked. Alternatively, the TLS server can attach a recent, CA-signed OCSP response to its handshake ("OCSP Stapling"), which spares the client the lookup. For Let's Encrypt, for example, the OCSP URL is http://r3.o.lencr.org. A real OCSP request is not a bare GET to that URL: it identifies the certificate in question (a hash of the issuer name, a hash of the issuer key and the serial number), sent either as a DER-encoded POST body or, for GET, base64-encoded and appended to the URL path. A request for a fixed path like /ocsp.srf with nothing after it carries none of that data.
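To make the "additional data on the URL" concrete, here is an added example (not part of the diary) that builds an unsigned OCSPRequest by hand with the Python standard library, turns it into the RFC 6960 GET form, and then tries to decode the CertID back out of a request path. The issuer name, issuer key and serial number are constructed placeholders, not a real certificate; http://r3.o.lencr.org is the Let's Encrypt responder named above, and the two honeypot paths are the ones quoted earlier in the diary.

```python
"""Build and recognise unsigned OCSP GET requests (RFC 6960) with the standard
library only.  Added example; the issuer name, issuer key and serial number are
constructed placeholders, not taken from a real certificate."""
import base64
import hashlib
import urllib.parse

# AlgorithmIdentifier OID for SHA-1 (1.3.14.3.2.26), the hash used in CertID
SHA1_OID = bytes.fromhex("2b0e03021a")


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_ocsp_request(issuer_name_der, issuer_public_key, serial):
    """DER OCSPRequest for one certificate, unsigned, without extensions.

    CertID (RFC 6960 s4.1.1): issuerNameHash = SHA-1 of the issuer's DER Name,
    issuerKeyHash = SHA-1 of the issuer's subjectPublicKey BIT STRING contents.
    """
    alg_id = tlv(0x30, tlv(0x06, SHA1_OID) + tlv(0x05, b""))
    cert_id = tlv(0x30, alg_id
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
                  + tlv(0x04, hashlib.sha1(issuer_public_key).digest())
                  + der_integer(serial))
    request = tlv(0x30, cert_id)           # Request { reqCert CertID }
    request_list = tlv(0x30, request)      # requestList SEQUENCE OF Request
    tbs_request = tlv(0x30, request_list)  # version v1 is DEFAULT, so omitted
    return tlv(0x30, tbs_request)          # OCSPRequest { tbsRequest }


def ocsp_get_url(responder_url, request_der):
    """RFC 6960 Appendix A.1: GET {url}/{url-encoded base64 of the DER request}."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos); raise ValueError on malformed DER."""
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, tag):
    got, content, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError("unexpected tag")
    return content, nxt


def parse_ocsp_get_path(path):
    """Decode the first CertID in an OCSP GET path, or None if there is none.

    Bare probes such as /ocsp.srf carry no base64 DER request and yield None.
    """
    segment = urllib.parse.unquote(path.rsplit("/", 1)[-1])
    try:
        der = base64.b64decode(segment, validate=True)
        ocsp_req, end = _expect(der, 0, 0x30)
        if end != len(der):
            raise ValueError("trailing bytes")
        tbs, _ = _expect(ocsp_req, 0, 0x30)          # optionalSignature ignored
        pos = 0
        while pos < len(tbs) and tbs[pos] in (0xA0, 0xA1):  # version, requestorName
            _, _, pos = _read_tlv(tbs, pos)
        request_list, _ = _expect(tbs, pos, 0x30)
        request, _ = _expect(request_list, 0, 0x30)
        cert_id, _ = _expect(request, 0, 0x30)
        alg_id, pos = _expect(cert_id, 0, 0x30)
        oid, _ = _expect(alg_id, 0, 0x06)
        name_hash, pos = _expect(cert_id, pos, 0x04)
        key_hash, pos = _expect(cert_id, pos, 0x04)
        serial, _ = _expect(cert_id, pos, 0x02)
    except ValueError:
        return None
    return {"hash_oid": oid.hex(), "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big", signed=True)}


def example_request():
    """Constructed stand-ins for an issuer certificate, and the resulting URL."""
    issuer_name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                                          + tlv(0x0C, b"Constructed Example CA"))))
    issuer_key = bytes(range(64))  # placeholder for the issuer's subjectPublicKey
    serial = 0x0A1B2C3D4E5F
    der = build_ocsp_request(issuer_name, issuer_key, serial)
    url = ocsp_get_url("http://r3.o.lencr.org", der)  # Let's Encrypt R3, from the text
    return {"serial": serial, "der": der, "url": url,
            "path": urllib.parse.urlsplit(url).path}


if __name__ == "__main__":
    ex = example_request()
    print("OCSP GET URL:", ex["url"])
    print("decoded CertID:", parse_ocsp_get_path(ex["path"]))
    for probe in ("/itcom2020/ocsp.srf", "/ocsp/ocsp.srf"):  # paths seen on the honeypot
        print(probe, "->", parse_ocsp_get_path(probe))
```

Run stand-alone it prints a URL of the form http://r3.o.lencr.org/MEsw... followed by the decoded CertID, while both honeypot paths decode to None: there is no base64 request after /ocsp.srf, so a responder would have no certificate to report on. The parser deliberately rejects non-alphabet characters and trailing bytes instead of being lenient, which is what you want when deciding whether a request is a genuine status check or just a probe.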

Initially, I figured that they may be searching for private CAs. But the requests are repetitive to particular IP addresses—the "fasthttp" user-agent points to a client written in Go. 

Any ideas about what may be happening here?

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Keywords: ocsp
ISC Stormcast For Monday, May 16th, 2022 https://isc.sans.edu/podcastdetail.html?id=8008
