Summary
Apple recently released an iOS and iPadOS 15.6 update to patch two zero-day vulnerabilities, CVE-2022-32894 (Kernel) and CVE-2022-32893 (WebKit), which together form a full kill chain. Exploitation can lead to a complete system takeover, with crafted content or a malicious application serving as the entry point, and active exploits of both vulnerabilities have already been detected. CVEs affecting Apple iPhone, iPad, and iPod Touch models have been available for years, so anyone using one of these devices should update immediately via Settings > General > Software Update.
This update comes hot on the heels of another recent iOS update at the end of July that patched over 35 vulnerabilities, followed by another one in August. Those vulnerabilities could likewise enable remote code execution at the OS level, similar to the ones patched in 15.6.
Analysis
There are active exploits for both vulnerabilities in the wild. Under CISA guidelines, all government agencies must follow vendor guidance on security updates, and when CISA determines an issue is critical enough to require patching, enterprise organizations should follow suit: as seen in the past, many cyber attacks target businesses after first targeting government. A remote attacker could chain these CVEs to gain control of the device, using MITRE Mobile ATT&CK techniques T1404 (Exploit for Privilege Escalation) and T1456 (Drive-by Compromise).
Recommendations
Roll out a communication plan on how to upgrade the OS version for BYOD users, and enable the iOS update policy for corporate (DEP) users.
Update your compliance policies to require a minimum OS version of 15.6.1.
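The two recommendations above amount to a triage: compare each device's OS version against the 15.6.1 minimum, then route non-compliant supervised (DEP) devices to an update policy and non-compliant BYOD devices to the communication plan. The script below is an added example written for this page, not code from the original advisory or from Microsoft; the device inventory, device names and the remediation labels are constructed for illustration. The version parser compares components numerically, which matters because a lexical comparison would rank a hypothetical 15.10 below 15.6.

```python
# Added example (not from the original advisory): check an iOS/iPadOS device
# inventory against the 15.6.1 minimum and pick the remediation path the
# recommendations describe. The inventory below is constructed, not real data.
from dataclasses import dataclass
from typing import Dict, List, Tuple

MIN_OS_VERSION = "15.6.1"  # minimum the recommendations ask compliance policies to enforce


@dataclass(frozen=True)
class Device:
    name: str
    os_version: str
    supervised: bool  # True = corporate device enrolled via ADE/DEP, False = BYOD


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '15.6' into (15, 6, 0) so that '15.6' < '15.6.1' < '15.10' numerically.

    Lexical string comparison would wrongly rank '15.10' below '15.6', which is
    why the string is split into integer components before comparing.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unexpected iOS version string: {version!r}")
    padded = parts + [0] * (3 - len(parts))
    return padded[0], padded[1], padded[2]


def is_compliant(os_version: str, minimum: str = MIN_OS_VERSION) -> bool:
    """A device is compliant when its OS is at or above the minimum version."""
    return parse_version(os_version) >= parse_version(minimum)


def remediation(device: Device) -> str:
    """Map a device to the action the recommendations call for (labels are constructed)."""
    if is_compliant(device.os_version):
        return "compliant"
    # Supervised (DEP) devices can be pushed an Intune update policy;
    # BYOD devices are covered by the communication plan instead.
    return "assign-update-policy" if device.supervised else "notify-byod-user"


def triage(devices: List[Device]) -> Dict[str, str]:
    """Return {device name: remediation} for a whole inventory."""
    return {d.name: remediation(d) for d in devices}


# Constructed sample inventory (hypothetical device names and versions).
INVENTORY = [
    Device("iphone-finance-01", "15.6.1", supervised=True),
    Device("ipad-kiosk-07", "15.6", supervised=True),
    Device("iphone-byod-jsmith", "15.5", supervised=False),
    Device("ipad-dev-02", "16.0", supervised=True),
]

if __name__ == "__main__":
    for name, action in triage(INVENTORY).items():
        print(f"{name:24} {action}")
```

In practice the inventory would come from an MDM export rather than the inline list; the comparison and routing logic stay the same.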
Supervised devices are devices that enroll through one of Apple's Automated Device Enrollment (ADE) options.
With policies for iOS software updates, you can:
Choose to deploy the latest update that's available, or choose to deploy an older update, based on the update version number.
Specify a schedule that determines when the update installs. Schedules can be as simple as installing updates the next time that the device checks in, or creating date and time ranges during which updates can install or are blocked from installing.
By default, devices check in with Intune about every 8 hours. If an update is available through an update policy, the device downloads the update. The device then installs the update upon next check-in within your schedule configuration.
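The interaction between the install schedule and the roughly 8-hour check-in cadence decides when a device actually installs the update, and a window shorter than the check-in interval can be missed entirely. The simulation below is an added example written for this page, not code from the original text or from Microsoft; the check-in times, the update availability time and the maintenance windows are constructed, and the model follows the behaviour described above: download at the first check-in after the update is available, install at the next check-in that falls inside an allowed window (no windows means install at the next check-in).

```python
# Added example (not from the original text or Microsoft's code): simulate how
# an iOS update policy's install windows interact with the default ~8-hour
# device check-in cadence. All times and windows below are constructed.
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple

CHECK_IN_INTERVAL = timedelta(hours=8)  # default check-in cadence described above


@dataclass(frozen=True)
class InstallWindow:
    weekday: int  # 0 = Monday ... 6 = Sunday
    start: time   # inclusive, device local time
    end: time     # exclusive


def in_window(moment: datetime, windows: Optional[List[InstallWindow]]) -> bool:
    """None means 'install at the next check-in', i.e. no restriction."""
    if windows is None:
        return True
    return any(
        w.weekday == moment.weekday() and w.start <= moment.time() < w.end
        for w in windows
    )


def plan_install(
    first_check_in: datetime,
    update_available: datetime,
    windows: Optional[List[InstallWindow]],
    max_check_ins: int = 100,
) -> Tuple[datetime, datetime]:
    """Return (download_at, install_at).

    The device downloads the update at the first check-in after it becomes
    available, then installs it at the next check-in inside an allowed window.
    """
    check_in = first_check_in
    download_at = None
    for _ in range(max_check_ins):
        if download_at is None:
            if check_in >= update_available:
                download_at = check_in
        elif in_window(check_in, windows):
            return download_at, check_in
        check_in += CHECK_IN_INTERVAL
    raise RuntimeError(
        "no check-in landed inside an install window within the horizon; "
        "windows shorter than the check-in interval can be missed entirely"
    )


# Constructed scenario: Monday 2022-08-22, check-ins at 06:00, 14:00, 22:00.
FIRST_CHECK_IN = datetime(2022, 8, 22, 6, 0)
UPDATE_AVAILABLE = datetime(2022, 8, 22, 9, 0)
# Tue-Thu 00:00-08:00: wide enough that an 8-hour cadence will land in it.
MAINTENANCE_WINDOWS = [InstallWindow(d, time(0, 0), time(8, 0)) for d in (1, 2, 3)]
# Tue-Thu 01:00-05:00: narrower than the cadence, never hit by 06/14/22 check-ins.
TOO_NARROW_WINDOWS = [InstallWindow(d, time(1, 0), time(5, 0)) for d in (1, 2, 3)]

if __name__ == "__main__":
    print("maintenance window:", plan_install(FIRST_CHECK_IN, UPDATE_AVAILABLE, MAINTENANCE_WINDOWS))
    print("next check-in:     ", plan_install(FIRST_CHECK_IN, UPDATE_AVAILABLE, None))
    try:
        plan_install(FIRST_CHECK_IN, UPDATE_AVAILABLE, TOO_NARROW_WINDOWS)
    except RuntimeError as exc:
        print("too narrow:        ", exc)
```

The third scenario is the one to check when rolling out a time-boxed schedule for a critical patch like 15.6.1: an install window narrower than the check-in interval can leave devices downloaded but never installed.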
How to configure the Policy
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Update policies for iOS/iPadOS > Create profile.
3. On the Basics tab, specify a name for this policy, specify a description (optional), and then select Next.
4. On the Assignments tab, choose + Select groups to include and then assign the update policy to one or more groups. Use + Select groups to exclude to fine-tune the assignment. When ready, select Next to continue.