CISA Incorporates Apple Zero-Days Exploited by Pegasus Spyware into its Catalog of Known Exploited Vulnerabilities

September 11, 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two Apple zero-day vulnerabilities to its Known Exploited Vulnerabilities Catalog. The vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061, were exploited in the zero-click iMessage exploit chain known as BLASTPASS to install the Pegasus spyware developed by NSO Group on iPhones.

The vulnerabilities are located in the Image I/O and Wallet frameworks of Apple devices. CVE-2023-41064 is a buffer overflow issue that was identified by researchers from Citizen Lab and was addressed by Apple through enhanced memory handling. The advisory stated, “Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”

The second vulnerability, CVE-2023-41061, is a validation issue discovered by Apple. The company addressed this flaw with improved logic. The advisory for this vulnerability read, “A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”

Apple has issued fixes for these vulnerabilities in the release of macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. Citizen Lab researchers reported that these actively exploited zero-day flaws are being used to infect devices with the Pegasus spyware.

According to the researchers, the two vulnerabilities were chained as part of the BLASTPASS exploit used in attacks on iPhones running iOS 16.6. Citizen Lab discovered that the exploit was used to install Pegasus spyware on a device belonging to an individual working for a Washington DC-based civil society organization with international offices. The exploit involved PassKit attachments containing malicious images sent from an attacker's iMessage account.

The researchers plan to publish technical details about the BLASTPASS exploit chain in the future. Citizen Lab advised iPhone users to update their devices immediately, highlighting that civil society is a frequent target of threat actors using advanced exploits and spyware.

Under Binding Operational Directive (BOD) 22-01, federal agencies are required to address these vulnerabilities by October 2nd, 2023, to safeguard their networks against attacks exploiting these flaws. Experts also suggest that private organizations review the Catalog and address the vulnerabilities in their own infrastructure. In 2023, Apple has already patched 13 actively exploited zero-day vulnerabilities.
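The review the article recommends (check the Catalog entry, its due date, and which devices are still below the fixed versions) can be scripted. The following is an added example and not code from the article, CISA or Apple: it parses a constructed sample in the shape of the KEV catalog JSON feed (the field names `cveID`, `dueDate` and `shortDescription` are assumed to match the feed; the description text is paraphrased), compares a constructed device inventory against the fixed versions the article lists, and reports what is unpatched and whether the BOD 22-01 due date has passed.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV catalog JSON feed.
# Field names are assumed to match the real feed; CVE ids, vendor and
# dates come from the article, descriptions are paraphrased.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-41064", "vendorProject": "Apple",
         "product": "iOS, iPadOS, and macOS", "dateAdded": "2023-09-11",
         "dueDate": "2023-10-02",
         "shortDescription": "Buffer overflow in Image I/O when processing a crafted image"},
        {"cveID": "CVE-2023-41061", "vendorProject": "Apple",
         "product": "iOS, iPadOS, and watchOS", "dateAdded": "2023-09-11",
         "dueDate": "2023-10-02",
         "shortDescription": "Validation issue in Wallet when processing a crafted attachment"},
    ]
})

# Minimum fixed versions per platform, as listed in the article.
FIXED_VERSIONS = {
    "macOS": "13.5.2",
    "iOS": "16.6.1",
    "iPadOS": "16.6.1",
    "watchOS": "9.6.2",
}

# Constructed device inventory: (hostname, platform, installed version).
INVENTORY = [
    ("mbp-01", "macOS", "13.5.1"),
    ("mbp-02", "macOS", "13.5.2"),
    ("iphone-07", "iOS", "16.6"),
    ("iphone-08", "iOS", "16.6.1"),
    ("ipad-03", "iPadOS", "16.5"),
    ("watch-01", "watchOS", "9.6.2"),
    ("watch-02", "watchOS", "9.6"),
]


def parse_version(version):
    """Turn '16.6.1' into (16, 6, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_fixed(platform, version):
    """True if the installed version is at or above the fixed version for that platform.

    Tuple comparison handles differing lengths: (16, 6) < (16, 6, 1), so a
    device on 16.6 is correctly reported as unpatched.
    Platforms not in FIXED_VERSIONS are reported as not fixed so they are
    never silently skipped.
    """
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        return False
    return parse_version(version) >= parse_version(fixed)


def load_kev(text):
    """Parse the catalog feed and index its entries by CVE id."""
    data = json.loads(text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def is_overdue(entry, today):
    """True once the BOD 22-01 due date for an entry has passed."""
    return today > date.fromisoformat(entry["dueDate"])


def find_unpatched(inventory):
    """Return every device still below the fixed version for its platform."""
    return [(host, platform, version)
            for host, platform, version in inventory
            if not is_fixed(platform, version)]


def kev_report(kev_text, inventory, today, cve_ids=("CVE-2023-41064", "CVE-2023-41061")):
    """Summarise catalog status and unpatched devices for the given CVEs."""
    catalog = load_kev(kev_text)
    return {
        "overdue": {cve: is_overdue(catalog[cve], today) for cve in cve_ids},
        "unpatched": find_unpatched(inventory),
    }


if __name__ == "__main__":
    report = kev_report(KEV_SAMPLE, INVENTORY, date.today())
    for cve, overdue in report["overdue"].items():
        print(f"{cve}: due date passed = {overdue}")
    for host, platform, version in report["unpatched"]:
        print(f"UNPATCHED {host} ({platform} {version}, fixed in {FIXED_VERSIONS[platform]})")
```

The version comparison is deliberately numeric: comparing "16.6" and "16.6.1" as strings would also work here, but "9.6.2" versus "10.0" would not, and a real inventory mixes major versions. Devices whose platform is not in the fixed-version table are flagged rather than skipped, so a new device type cannot disappear from the report.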
