Pierluigi Paganini March 07, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple iOS and iPadOS memory corruption vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2024-23225 Apple iOS and iPadOS Memory Corruption Vulnerability
• CVE-2024-23296 Apple iOS and iPadOS Memory Corruption Vulnerability

This week, Apple released emergency security updates to address two iOS zero-day vulnerabilities, respectively tracked as CVE-2024-23225 and CVE-2024-23296, that were exploited in attacks against iPhone devices.

CVE-2024-23225 is a Kernel memory corruption flaw, the company addressed it with improved validation.

“An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.” reads the advisory.

CVE-2024-23296 is a RTKit memory corruption flaw, the company addressed it with improved validation.

“An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.” continues the advisory.

Apple confirmed both vulnerabilities are actively exploited.

“Apple is aware of a report that this issue may have been exploited,” states the company.

Impacted devices are iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

The IT giant addressed the two vulnerabilities with the release of iOS 17.4, iPadOS 17.4, iOS 16.76, and iPad 16.7.6.

iPhone vulnerabilities are usually exploited by commercial spyware vendors or nation-state actors, in many cases, the targets were dissidents and journalists.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 27, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – ransomware, CISA)