Rewterz Threat Advisory – Multiple Apple iOS and iPadOS Vulnerability

Severity

High

Analysis Summary

CVE-2022-46702 CVSS:7.5

Apple iOS and iPadOS could allow a remote attacker to obtain sensitive information, caused by a flaw in the GPU Drivers. By executing a specially-crafted application, an attacker could exploit this vulnerability to obtain sensitive kernel memory information, and use this information to launch further attacks against the affected system.

CVE-2022-42850 CVSS:7.8

Apple iOS and iPadOS could allow a local attacker to gain elevated privileges on the system, caused by an issue in the Graphics Driver component. By using a specially-crafted application, an attacker could exploit this vulnerability to execute arbitrary code with kernel privileges.

CVE-2022-46691 CVSS:8.8

Apple iOS and iPadOS could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption flaw in the WebKit component. By persuading a victim to open a specially-crafted web content, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2022-46690 CVSS:7.8

Apple iOS and iPadOS could allow a local attacker to gain elevated privileges on the system, caused by an an out-of-bounds write in the IOMobileFrameBuffer component. By using a specially-crafted application, an attacker could exploit this vulnerability to execute arbitrary code with kernel privileges.

CVE-2022-46692 CVSS:6.5

Apple iOS and iPadOS could allow a remote attacker to bypass security restrictions, caused by a logic issue in the WebKit component. By persuading a victim to visit a specially-crafted web content, an attacker could exploit this vulnerability to bypass Same Origin Policy.

CVE-2022-46701 CVSS:8.8

Apple iOS and iPadOS could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Kernel component. By persuading a victim to connect to a specially-crafted NFS server, an attacker could exploit this vulnerability to execute arbitrary code with kernel privileges.

CVE-2022-42846 CVSS:5.5

Apple iOS and iPadOS are vulnerable to a denial of service, caused by an issue in the Graphics Driver component. By persuading a victim to open a specially crafted video file, an attacker could exploit this vulnerability to cause a denial of service.

CVE-2022-42844 CVSS:5.5

Apple iOS and iPadOS could allow a local attacker to bypass security restrictions, caused by an issue in the Kernel component. By using a specially-crafted application, an attacker could exploit this vulnerability to break out of its sandbox.

CVE-2022-46696 CVSS:8.8

Apple iOS and iPadOS could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption flaw in the WebKit component. By persuading a victim to open a specially-crafted web content, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2022-46693 CVSS:7.8

Apple iOS and iPadOS could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw in the ImageIO component. By persuading a victim to open a specially-crafted file , an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2022-42859 CVSS:5.5

Apple iOS and iPadOS could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw in the ImageIO component. By persuading a victim to open a specially-crafted file , an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2022-42865 CVSS:5.5

Apple iOS and iPadOS could allow a local attacker to bypass security restrictions, caused by an issue in the AppleMobileFileIntegritycomponent. By using a specially-crafted application, an attacker could exploit this vulnerability to bypass Privacy preferences.

CVE-2022-42851 CVSS:5.5

Apple iOS and iPadOS could allow a remote attacker to obtain sensitive information, caused by an issue in the ImageIO component. By persuading a victim to open a specially crafted TIFF file, an attacker could exploit this vulnerability to obtain sensitive information.

CVE-2022-42848 CVSS:7.8

Apple iOS and iPadOS could allow a local attacker to gain elevated privileges on the system, caused by a logic issue in the AVEVideoEncoder component. By using a specially-crafted application, an attacker could exploit this vulnerability to execute arbitrary code with kernel privileges.

CVE-2022-32943 CVSS:5.3

Apple iOS and iPadOS could allow a remote attacker to bypass security restrictions, caused by a flaw in the Photos component. By sending a specially-crafted request using Photos, an attacker could exploit this vulnerability to allow a deleted photo to be re-surfaced without authentication.

CVE-2022-42862 CVSS:7.5

Apple iOS and iPadOS could allow a remote attacker to bypass security restrictions, caused by a flaw in the Printing component. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass Privacy preferences.

CVE-2022-42866 CVSS:5.5

Apple iOS and iPadOS could allow a local attacker to obtain sensitive information, caused by an issue in the Weather component. By using a specially-crafted application, an attacker could exploit this vulnerability to read sensitive location information.

CVE-2022-46698 CVSS:6.5

Apple iOS and iPadOS could allow a remote attacker to obtain sensitive information, caused by logic issue in the WebKit comonent. By persuading a victim to visit a specially-crafted web content, an attacker could exploit this vulnerability to obtain sensitive user information, and use this information to launch further attacks against the affected system.

CVE-2022-42855 CVSS:7.5

Apple iOS and iPadOS could allow a remote attacker to bypass security restrictions, caused by a logic issue in the Preferences component. By executing a specially-crafted application, an attacker could exploit this vulnerability to use arbitrary entitlements.

CVE-2022-42863 CVSS:8.8

Apple iOS and iPadOS could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption flaw in the WebKit component. By persuading a victim to open a specially-crafted web content, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2022-42843 CVSS:5.5

Apple iOS and iPadOS could allow a local attacker to obtain sensitive information, caused by an issue in the Accounts component. By using a specially-crafted application, an attacker could exploit this vulnerability to view sensitive user information.

CVE-2022-42849 CVSS:7.8

Apple iOS and iPadOS could allow a local attacker to gain elevated privileges on the system, caused by an access issue in the Software Update component. By using a specially crafted application, an attacker could exploit this vulnerability to execute arbitrary code with elevated privileges.

CVE-2022-46699 CVSS:8.8

Apple iOS and iPadOS could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption flaw in the WebKit component. By persuading a victim to open a specially-crafted web content, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Impact

• Information Disclosure
• Privilege Escalation
• Code Execution
• Security Bypass
• Denial of Service

Indicators Of Compromise

CVE

• CVE-2022-46702
• CVE-2022-42850
• CVE-2022-46691
• CVE-2022-46690
• CVE-2022-46692
• CVE-2022-46701
• CVE-2022-42846
• CVE-2022-42844
• CVE-2022-46696
• CVE-2022-46693
• CVE-2022-42859
• CVE-2022-42865
• CVE-2022-42851
• CVE-2022-42848
• CVE-2022-32943
• CVE-2022-42862
• CVE-2022-42866
• CVE-2022-46698
• CVE-2022-42855
• CVE-2022-42863
• CVE-2022-42843
• CVE-2022-42849
• CVE-2022-46699

Affected Vendors

Apple

Affected Products

• Apple iOS 16.1
• Apple iPadOS 16.1

Remediation

Refer to Apple Security Advisory for patch, upgrade or suggested workaround information. 

Apple Security Advisory