
:::warning
Warning: Apple have reported this as a vulnerability with known exploitation in the wild against verssions of iOS prior to 15.1.

:::

Adjoining Splittail was announced by Apple as a vulnerability in WebKit with an [update](https://support.apple.com/en-us/HT213516) released on 2022-11-30. The vulnerability was credited to [Clément Lecigne](https://twitter.com/_clem1) of Google’s [Threat Analysis Group](https://blog.google/threat-analysis-group/).

\
Exploitation is through maliciously crafted web content which allows for arbitrary code execution on a client.


---

**Vulnonym:** [Adjoining Splittail](https://twitter.com/vulnonym/status/1603538219441836034?s=20&t=Hc2yQxSVEnGdSjJxh3bvpw)

**CVE Number:** [CVE-2022-42856](https://nvd.nist.gov/vuln/detail/CVE-2022-42856)

**CWE Number:** [CWE-704](https://cwe.mitre.org/data/definitions/704.html)

## What is the scope of the vulnerability?

Minor versions prior to

* iOS 16.1.2
* iOS and iPadOS 15.7.2
* macOS Ventura 13.1
* tvOS 16.2
* Safari 16.2

## What’s the impact?

As this is a vulnerability in WebKit, visiting a site or service with maliciously crafted content can allow the execution of code by the attacker on the client device. Potential impacts of this, depending on details and setup, could lead to full device compromise.

## What’s the threat?

Details are limited, however, this has been reported as suffering active exploitation against versions of iOS prior to 15.1 and the threat should be considered severe.

## What’s the mitigation?

Proxy servers designed to block access to sites based current threat intelligence may reduce the risk of users being exposed to maliciously crafted content before updates can be applied.

## What’s the fix?

Apply the latest Apple [security updates](https://support.apple.com/en-gb/HT201222).

## What’s the weakness?

[CWE-704](https://cwe.mitre.org/data/definitions/704.html) is the common weakness where software has not been designed to correctly convert an object from one type to another. This occurs when code uses an object without checking it is as expected. This can lead to the wrong pointers or data being fed into a function, which can allow for code execution from data provided as the object.

\
As type confusion can allow for direct execution of arbitrary code at a privileged level, it is an important weakness to check for. Prevention is best through ensuring that developers apply appropriate type checking whenever accepting input and safely discard any inputs which do not match the expected types correctly.


---

## The Details

Due to reports of active exploitation, remediation activity falls under CISA’s [BOD 22-01](https://www.cisa.gov/binding-operational-directive-22-01) meaning that applying remediation is required by federal agencies within 60 days of patch release.

Read My Stories

Too Long; Didn't Read

Cassandra Forward a free Cassandra-focused community event

CVE-2022-42856: Adjoining Splittail Vulnerability Report

Too Long; Didn't Read

@jamesbores

RELATED STORIES