Details of VAR-202201-1613

ID

VAR-202201-1613

CVE

CVE-2022-22588

TITLE

iOS and iPadOS Resource exhaustion vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-008342

DESCRIPTION

A resource exhaustion issue was addressed with improved input validation. This issue is fixed in iOS 15.2.1 and iPadOS 15.2.1. Processing a maliciously crafted HomeKit accessory name may cause a denial of service. iOS and iPadOS Exists in a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2022-01-12-1 iOS 15.2.1 and iPadOS 15.2.1 iOS 15.2.1 and iPadOS 15.2.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213043. HomeKit Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing a maliciously crafted HomeKit accessory name may cause a denial of service Description: A resource exhaustion issue was addressed with improved input validation. CVE-2022-22588: Trevor Spiniolas (@TrevorSpiniolas) Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About * The version after applying this update will be “15.2.1" Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmHfE9AACgkQeC9qKD1p rhhj/Q/8DR6CzP7GPavXxSxdAA7WPqQqcWDHFChGWftw8sNJlpNSJEgMY1ueUMiv sIbY9z7X0QpC81fJWYqEgE7Y4CDnyfabtOQDgdhK6QcpEl+qNPiWbLnga6+rptFj ZLneWJ4kqneyav4ZAlKu8wTLYr8O/yvwYBfsLXXtE7gixFEdbsLjOr4DEs8UzZhG upo9rNw4UFMcxjItKtqjmOgt2hLlFi6RmCKDUUi0j6BbpPSMqTLVpTrUCakePm+u wUI8sbjvRYMDrL+Q5KsryU1M3x1RmCdXxKtwfOsaEHPhExnmUruItypXRybFwUKy PL2RCwDPKoCk9I5ueJ7zXN80d5zn5cZ2Mgxz8u9hYDqYECxD4P/6uaMhXi4Nt96t q6UNiyNVKGpLL2CAJ6tdzfiqEVnCSkDoi6XykQ0OCq2va0Daouhd0b3TBKFXB8Be XVEDbgvts4klZ2bY7IDdJ/ZcWnywpmgROksRbIC7O17sfyaZA47/5aASpljKkxX+ w1KwP7bJOXZr0V9R3hmR+S59XqRN9yqfo64loJDlmSFEjUv6CLzLa8eYHXizZ1Hd RUB4V8F9qtsGx+fF8vLmrpOA0g6AUvmwcFIcC8AP4XHDG5B8mA/UZoenbibitHE+ zqxj+H8ViEMw0/Tbxac7AqYzNifRfvaSCj4g4vys6H1NBYVSbn0= =OflK -----END PGP SIGNATURE-----

Trust: 1.89

sources: NVD: CVE-2022-22588 // JVNDB: JVNDB-2022-008342 // VULHUB: VHN-411216 // VULMON: CVE-2022-22588 // PACKETSTORM: 165537

AFFECTED PRODUCTS

vendor:	apple	model:	ipados	scope:	lt	version:	15.2.1	Trust: 1.0
vendor:	apple	model:	iphone os	scope:	lt	version:	15.2.1	Trust: 1.0
vendor:	アップル	model:	ios	scope:	-	version:	-	Trust: 0.8
vendor:	アップル	model:	ipados	scope:	eq	version:	15.2.1	Trust: 0.8

sources: JVNDB: JVNDB-2022-008342 // NVD: CVE-2022-22588

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-22588
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-22588
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202201-951
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-411216
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2022-22588
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-22588
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-411216
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-22588
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2022-22588
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-411216 // VULMON: CVE-2022-22588 // JVNDB: JVNDB-2022-008342 // CNNVD: CNNVD-202201-951 // NVD: CVE-2022-22588

PROBLEMTYPE DATA

problemtype:	CWE-20	Trust: 1.0
problemtype:	Resource exhaustion (CWE-400) [NVD evaluation ]	Trust: 0.8
problemtype:	CWE-400	Trust: 0.1

sources: VULHUB: VHN-411216 // JVNDB: JVNDB-2022-008342 // NVD: CVE-2022-22588

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202201-951

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202201-951

PATCH

title:	HT213043	url:	https://support.apple.com/en-us/HT213043	Trust: 0.8
title:	Apple iOS and iPadOS Remediation of resource management error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=177747	Trust: 0.6
title:	PoC in GitHub	url:	https://github.com/soosmile/POC	Trust: 0.1
title:	PoC in GitHub	url:	https://github.com/manas3c/CVE-POC	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: VULMON: CVE-2022-22588 // JVNDB: JVNDB-2022-008342 // CNNVD: CNNVD-202201-951

EXTERNAL IDS

db:	NVD	id:	CVE-2022-22588	Trust: 3.5
db:	PACKETSTORM	id:	165537	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-008342	Trust: 0.8
db:	CS-HELP	id:	SB2022011215	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0162	Trust: 0.6
db:	CNNVD	id:	CNNVD-202201-951	Trust: 0.6
db:	VULHUB	id:	VHN-411216	Trust: 0.1
db:	VULMON	id:	CVE-2022-22588	Trust: 0.1

sources: VULHUB: VHN-411216 // VULMON: CVE-2022-22588 // JVNDB: JVNDB-2022-008342 // PACKETSTORM: 165537 // CNNVD: CNNVD-202201-951 // NVD: CVE-2022-22588

REFERENCES

url:	https://support.apple.com/en-us/ht213043	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22588	Trust: 0.9
url:	https://vigilance.fr/vulnerability/apple-ios-overload-via-homekit-accessory-name-37237	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022011215	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-22588/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0162	Trust: 0.6
url:	https://packetstormsecurity.com/files/165537/apple-security-advisory-2022-01-12-1.html	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	http://seclists.org/fulldisclosure/2022/jan/32	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1
url:	https://support.apple.com/kb/ht201222	Trust: 0.1
url:	https://www.apple.com/itunes/	Trust: 0.1
url:	https://www.apple.com/support/security/pgp/	Trust: 0.1
url:	https://support.apple.com/ht213043.	Trust: 0.1

sources: VULHUB: VHN-411216 // VULMON: CVE-2022-22588 // JVNDB: JVNDB-2022-008342 // PACKETSTORM: 165537 // CNNVD: CNNVD-202201-951 // NVD: CVE-2022-22588

CREDITS

Apple

Trust: 0.1

sources: PACKETSTORM: 165537

SOURCES

db:	VULHUB	id:	VHN-411216
db:	VULMON	id:	CVE-2022-22588
db:	JVNDB	id:	JVNDB-2022-008342
db:	PACKETSTORM	id:	165537
db:	CNNVD	id:	CNNVD-202201-951
db:	NVD	id:	CVE-2022-22588

LAST UPDATE DATE

2024-08-14T15:11:37.881000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-411216	date:	2022-03-24T00:00:00
db:	VULMON	id:	CVE-2022-22588	date:	2023-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2022-008342	date:	2023-07-26T06:43:00
db:	CNNVD	id:	CNNVD-202201-951	date:	2022-03-25T00:00:00
db:	NVD	id:	CVE-2022-22588	date:	2023-08-08T14:22:24.967

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-411216	date:	2022-03-18T00:00:00
db:	VULMON	id:	CVE-2022-22588	date:	2022-03-18T00:00:00
db:	JVNDB	id:	JVNDB-2022-008342	date:	2023-07-26T00:00:00
db:	PACKETSTORM	id:	165537	date:	2022-01-13T16:15:08
db:	CNNVD	id:	CNNVD-202201-951	date:	2022-01-12T00:00:00
db:	NVD	id:	CVE-2022-22588	date:	2022-03-18T18:15:12.520