Warning: Apple have reported this as a vulnerability with known exploitation in the wild against versions of iOS prior to 15.1.
Adjoining Splittail was announced by Apple as a vulnerability in WebKit with an update released on 2022-11-30. The vulnerability was credited to Clément Lecigne of Google’s Threat Analysis Group.
Exploitation is through maliciously crafted web content which allows for arbitrary code execution on a client.
Vulnonym: Adjoining Splittail
CVE Number: CVE-2022-42856
CWE Number: CWE-704
Minor versions prior to
As this is a vulnerability in WebKit, visiting a site or service with maliciously crafted content can allow the attacker to execute code on the client device. Depending on details and setup, the impact could extend to full device compromise.
Details are limited; however, this has been reported as under active exploitation against versions of iOS prior to 15.1, and the threat should be considered severe.
Proxy servers designed to block access to sites based on current threat intelligence may reduce the risk of users being exposed to maliciously crafted content before updates can be applied.
Apply the latest Apple security updates.
CWE-704 is the common weakness where software has not been designed to correctly convert an object from one type to another. This occurs when code uses an object without checking it is as expected. This can lead to the wrong pointers or data being fed into a function, which can allow for code execution from data provided as the object.
As type confusion can allow for direct execution of arbitrary code at a privileged level, it is an important weakness to check for. Prevention is best achieved by ensuring that developers apply appropriate type checking whenever accepting input and safely discard any inputs which do not match the expected types.
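The CWE-704 weakness and the type check described above, shown side by side as an added example; this is not code from Apple, WebKit or the original advisory. The `struct value` layout and every function name are constructed for illustration and do not reflect WebKit's internals.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a tagged value such as a script engine passes around. */
enum kind { KIND_NUMBER, KIND_TEXT };

struct value {
    enum kind kind;                 /* runtime type tag */
    union { long number; const char *text; } as;
};

struct value make_number(long n)
{
    struct value v = { .kind = KIND_NUMBER };
    v.as.number = n;
    return v;
}

struct value make_text(const char *s)
{
    struct value v = { .kind = KIND_TEXT };
    v.as.text = s;
    return v;
}

/* Weak form (CWE-704): assumes every value is text. Handed a KIND_NUMBER
 * value, it would treat the stored integer as a pointer. Never called here. */
size_t text_length_unchecked(const struct value *v)
{
    return strlen(v->as.text);
}

/* Hardened form: check the tag first and discard anything that does not
 * match. Returns the length, or -1 when the value is not valid text. */
long text_length_checked(const struct value *v)
{
    if (v == NULL || v->kind != KIND_TEXT || v->as.text == NULL)
        return -1;
    return (long)strlen(v->as.text);
}

int main(void)
{
    struct value n = make_number(42), t = make_text("webkit");
    printf("number -> %ld, text -> %ld\n",
           text_length_checked(&n), text_length_checked(&t));
    return 0;
}
```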
Due to reports of active exploitation, remediation activity falls under CISA’s BOD 22-01, meaning that federal agencies are required to apply remediation within 60 days of patch release.