ID

VAR-202203-0135


CVE

CVE-2022-22648


TITLE

Apple macOS SCPT File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Trust: 1.4

sources: ZDI: ZDI-22-715 // ZDI: ZDI-22-713

DESCRIPTION

This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. An application may be able to read restricted memory. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the AppleScript framework. Crafted data in a SCPT file can trigger a read past the end of an allocated data structure. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Information about the security content is also available at https://support.apple.com/HT213184.

Accelerate Framework
Available for: macOS Big Sur
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2022-22633: an anonymous researcher

AppleGraphicsControl
Available for: macOS Big Sur
Impact: An application may be able to gain elevated privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-22631: an anonymous researcher

AppleScript
Available for: macOS Big Sur
Impact: An application may be able to read restricted memory
Description: This issue was addressed with improved checks.
CVE-2022-22648: an anonymous researcher

AppleScript
Available for: macOS Big Sur
Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2022-22627: Qi Sun and Robert Ai of Trend Micro
CVE-2022-22626: Mickey Jin (@patch1t) of Trend Micro

AppleScript
Available for: macOS Big Sur
Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2022-22625: Mickey Jin (@patch1t) of Trend Micro

AppleScript
Available for: macOS Big Sur
Impact: Processing a maliciously crafted file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2022-22597: Qi Sun and Robert Ai of Trend Micro

BOM
Available for: macOS Big Sur
Impact: A maliciously crafted ZIP archive may bypass Gatekeeper checks
Description: This issue was addressed with improved checks.
CVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)

Intel Graphics Driver
Available for: macOS Big Sur
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A type confusion issue was addressed with improved state handling.
CVE-2022-22661: an anonymous researcher, Peterpan0927 of Alibaba Security Pandora Lab

Kernel
Available for: macOS Big Sur
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-22613: Alex, an anonymous researcher

Kernel
Available for: macOS Big Sur
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2022-22615: an anonymous researcher
CVE-2022-22614: an anonymous researcher

Kernel
Available for: macOS Big Sur
Impact: An attacker in a privileged position may be able to perform a denial of service attack
Description: A null pointer dereference was addressed with improved validation.
CVE-2022-22638: derrek (@derrekr6)

Kernel
Available for: macOS Big Sur
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved state management.
CVE-2022-22632: Keegan Saunders

Login Window
Available for: macOS Big Sur
Impact: A person with access to a Mac may be able to bypass Login Window
Description: This issue was addressed with improved checks.
CVE-2022-22647: an anonymous researcher

LoginWindow
Available for: macOS Big Sur
Impact: A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen
Description: An authentication issue was addressed with improved state management.
CVE-2022-22656

PackageKit
Available for: macOS Big Sur
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved state management.
CVE-2022-22617: Mickey Jin (@patch1t)

QuickTime Player
Available for: macOS Big Sur
Impact: A plug-in may be able to inherit the application's permissions and access user data
Description: This issue was addressed with improved checks.
CVE-2022-22650: Wojciech Reguła (@_r3ggi) of SecuRing

Siri
Available for: macOS Big Sur
Impact: A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen
Description: A permissions issue was addressed with improved validation.
CVE-2022-22599: Andrew Goldberg of the University of Texas at Austin, McCombs School of Business (linkedin.com/andrew-goldberg/)

WebKit
Available for: macOS Big Sur
Impact: Processing maliciously crafted web content may disclose sensitive user information
Description: A cookie management issue was addressed with improved state management.
WebKit Bugzilla: 232748
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

xar
Available for: macOS Big Sur
Impact: A local user may be able to write arbitrary files
Description: A validation issue existed in the handling of symlinks.
CVE-2022-22582: Richard Warren of NCC Group

Additional recognition

Intel Graphics Driver
We would like to acknowledge Jack Dates of RET2 Systems, Inc., Yinyi Wu (@3ndy1) for their assistance.

syslog
We would like to acknowledge Yonghwi Jin (@jinmo123) of Theori for their assistance.

TCC
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance.

macOS Big Sur 11.6.5 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 3.24

sources: NVD: CVE-2022-22648 // JVNDB: JVNDB-2022-009149 // ZDI: ZDI-22-715 // ZDI: ZDI-22-713 // VULHUB: VHN-411276 // VULMON: CVE-2022-22648 // PACKETSTORM: 166315 // PACKETSTORM: 166312

AFFECTED PRODUCTS

vendor: apple, model: macos, scope: -, version: -

Trust: 1.4

vendor: apple, model: macos, scope: lt, version: 11.6.5

Trust: 1.0

vendor: apple, model: mac os x, scope: gte, version: 10.15

Trust: 1.0

vendor: apple, model: macos, scope: gte, version: 11.6

Trust: 1.0

vendor: apple, model: macos, scope: lt, version: 12.3

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.15.7

Trust: 1.0

vendor: apple, model: mac os x, scope: lt, version: 10.15.7

Trust: 1.0

vendor: apple, model: macos, scope: eq, version: 10.15.7

Trust: 1.0

vendor: apple, model: macos, scope: gte, version: 12.0

Trust: 1.0

vendor: アップル, model: macos, scope: -, version: -

Trust: 0.8

vendor: アップル, model: apple mac os x, scope: -, version: -

Trust: 0.8

sources: ZDI: ZDI-22-715 // ZDI: ZDI-22-713 // JVNDB: JVNDB-2022-009149 // NVD: CVE-2022-22648

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2022-22648
value: LOW

Trust: 1.4

nvd@nist.gov: CVE-2022-22648
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-22648
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202203-1249
value: MEDIUM

Trust: 0.6

VULHUB: VHN-411276
value: LOW

Trust: 0.1

VULMON: CVE-2022-22648
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2022-22648
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-411276
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ZDI: CVE-2022-22648
baseSeverity: LOW
baseScore: 3.3
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 1.4
version: 3.0

Trust: 1.4

nvd@nist.gov: CVE-2022-22648
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-22648
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-22-715 // ZDI: ZDI-22-713 // VULHUB: VHN-411276 // VULMON: CVE-2022-22648 // JVNDB: JVNDB-2022-009149 // CNNVD: CNNVD-202203-1249 // NVD: CVE-2022-22648

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:Lack of information (CWE-noinfo) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-009149 // NVD: CVE-2022-22648

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202203-1249

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202203-1249

PATCH

title: HT213185, url: https://support.apple.com/en-us/HT213183

Trust: 2.2

title: Apple macOS Big Sur Buffer error vulnerability fix, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=186767

Trust: 0.6

title: Apple: macOS Big Sur 11.6.5, url: https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=4c90c4b83ae5b2687f4b5d9d71e49f12

Trust: 0.1

title: Apple: macOS Monterey 12.3, url: https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=f1105c4a20da11497b610b14a1668180

Trust: 0.1

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: ZDI: ZDI-22-715 // ZDI: ZDI-22-713 // VULMON: CVE-2022-22648 // JVNDB: JVNDB-2022-009149 // CNNVD: CNNVD-202203-1249

EXTERNAL IDS

db: NVD, id: CVE-2022-22648

Trust: 5.0

db: PACKETSTORM, id: 166315

Trust: 0.8

db: JVNDB, id: JVNDB-2022-009149

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-16076

Trust: 0.7

db: ZDI, id: ZDI-22-715

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16072

Trust: 0.7

db: ZDI, id: ZDI-22-713

Trust: 0.7

db: CS-HELP, id: SB2022031435

Trust: 0.6

db: CNNVD, id: CNNVD-202203-1249

Trust: 0.6

db: PACKETSTORM, id: 166312

Trust: 0.2

db: VULHUB, id: VHN-411276

Trust: 0.1

db: VULMON, id: CVE-2022-22648

Trust: 0.1

sources: ZDI: ZDI-22-715 // ZDI: ZDI-22-713 // VULHUB: VHN-411276 // VULMON: CVE-2022-22648 // JVNDB: JVNDB-2022-009149 // PACKETSTORM: 166315 // PACKETSTORM: 166312 // CNNVD: CNNVD-202203-1249 // NVD: CVE-2022-22648

REFERENCES

url:https://support.apple.com/en-us/ht213183

Trust: 3.2

url:https://support.apple.com/en-us/ht213184

Trust: 2.4

url:https://support.apple.com/en-us/ht213185

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-22648

Trust: 1.0

url:https://packetstormsecurity.com/files/166315/apple-security-advisory-2022-03-14-5.html

Trust: 0.6

url:https://vigilance.fr/vulnerability/apple-ios-macos-multiple-vulnerabilities-37800

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022031435

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-22648/

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2022-22625

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22616

Trust: 0.2

url:https://support.apple.com/en-us/ht201222.

Trust: 0.2

url:https://support.apple.com/downloads/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22613

Trust: 0.2

url:https://www.apple.com/support/security/pgp/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22661

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22650

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22617

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22638

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22626

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22631

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22597

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22627

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22615

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22582

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22647

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22614

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22662

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22656

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://support.apple.com/kb/ht213184

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-22633

Trust: 0.1

url:https://support.apple.com/ht213184.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-22599

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-22632

Trust: 0.1

url:https://support.apple.com/ht213185.

Trust: 0.1

sources: ZDI: ZDI-22-715 // ZDI: ZDI-22-713 // VULHUB: VHN-411276 // VULMON: CVE-2022-22648 // JVNDB: JVNDB-2022-009149 // PACKETSTORM: 166315 // PACKETSTORM: 166312 // CNNVD: CNNVD-202203-1249 // NVD: CVE-2022-22648

CREDITS

Mickey Jin (@patch1t) of Trend Micro

Trust: 1.4

sources: ZDI: ZDI-22-715 // ZDI: ZDI-22-713

SOURCES

db: ZDI, id: ZDI-22-715
db: ZDI, id: ZDI-22-713
db: VULHUB, id: VHN-411276
db: VULMON, id: CVE-2022-22648
db: JVNDB, id: JVNDB-2022-009149
db: PACKETSTORM, id: 166315
db: PACKETSTORM, id: 166312
db: CNNVD, id: CNNVD-202203-1249
db: NVD, id: CVE-2022-22648

LAST UPDATE DATE

2024-08-14T12:11:16.969000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-22-715, date: 2022-04-28T00:00:00
db: ZDI, id: ZDI-22-713, date: 2022-04-28T00:00:00
db: VULHUB, id: VHN-411276, date: 2022-11-02T00:00:00
db: VULMON, id: CVE-2022-22648, date: 2022-11-02T00:00:00
db: JVNDB, id: JVNDB-2022-009149, date: 2023-08-03T06:56:00
db: CNNVD, id: CNNVD-202203-1249, date: 2022-03-25T00:00:00
db: NVD, id: CVE-2022-22648, date: 2022-11-02T13:18:35.983

SOURCES RELEASE DATE

db: ZDI, id: ZDI-22-715, date: 2022-04-28T00:00:00
db: ZDI, id: ZDI-22-713, date: 2022-04-28T00:00:00
db: VULHUB, id: VHN-411276, date: 2022-03-18T00:00:00
db: VULMON, id: CVE-2022-22648, date: 2022-03-18T00:00:00
db: JVNDB, id: JVNDB-2022-009149, date: 2023-08-03T00:00:00
db: PACKETSTORM, id: 166315, date: 2022-03-15T15:46:38
db: PACKETSTORM, id: 166312, date: 2022-03-15T15:45:47
db: CNNVD, id: CNNVD-202203-1249, date: 2022-03-14T00:00:00
db: NVD, id: CVE-2022-22648, date: 2022-03-18T18:15:14.637