
3 Apple flaws from Coruna exploit kit added to CISA vulnerability list


The Cybersecurity and Infrastructure Security Agency (CISA) added three Apple flaws identified as part of the Coruna exploit kit to its Known Exploited Vulnerabilities (KEV) catalog Thursday.

Google Threat Intelligence Group (GTIG) and iVerify both published reports about the iOS exploit kit on Tuesday, with the latter saying the kit represents “the first time that mass exploitation against iOS devices has been observed in the public.”

Coruna exploits a total of 23 iOS vulnerabilities and contains five full exploit chains, from initial access to payload delivery. Of the 23 flaws Coruna uses, 12 have assigned CVEs, and all of the flaws have been patched. Only iOS versions 13 through 17.2.1 have unpatched Coruna flaws.

The flaws added to the KEV this week are tracked as CVE-2021-30952, CVE-2023-41974 and CVE-2023-43000.

CVE-2021-30952, codenamed “buffout” in the Coruna kit, is an integer overflow vulnerability that was fixed with improved input validation in iOS version 15.2. This flaw could lead to arbitrary code execution via crafted web content.

CVE-2023-41974, codenamed “Parallax” by Coruna, is a use-after-free flaw that was fixed in iOS 17. Exploiting this flaw enabled arbitrary code execution with kernel privileges.

CVE-2023-43000, codenamed “terrorbird,” is also a use-after-free issue and was fixed in iOS version 16.6. An attacker could exploit this flaw to trigger memory corruption through crafted web content.

Federal Civilian Executive Branch (FCEB) agencies are required to patch these flaws by March 26, 2026, under Binding Operational Directive (BOD) 22-01. The other nine CVEs known to be a part of Coruna have already been added to the KEV in the past.
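As an added example, not code from the article, CISA or Apple, the following Python cross-checks a small iOS device inventory against the three KEV entries above. The device inventory and the KEV-style records are constructed for the example; the record field names mirror those of the CISA KEV JSON feed, and the fixed-in versions and the March 26, 2026 due date are the ones the article states. It also handles the version-string edge case that matters here: "17" and "17.0" are the same release, while "16.7" is fixed for CVE-2023-43000 but still below the iOS 17 fix for CVE-2023-41974.

```python
"""Cross-check an iOS device inventory against KEV entries (added example).

The KEV records below are constructed and only mirror the CISA KEV JSON field
names (cveID, vendorProject, product, dueDate). The fixed-in versions come from
the article; the device inventory is invented.
"""
from datetime import date
from typing import Dict, List, Tuple

# Constructed KEV-style records for the three Coruna CVEs added this week.
KEV_RECORDS: List[Dict[str, str]] = [
    {"cveID": "CVE-2021-30952", "vendorProject": "Apple", "product": "iOS",
     "dueDate": "2026-03-26"},
    {"cveID": "CVE-2023-41974", "vendorProject": "Apple", "product": "iOS",
     "dueDate": "2026-03-26"},
    {"cveID": "CVE-2023-43000", "vendorProject": "Apple", "product": "iOS",
     "dueDate": "2026-03-26"},
]

# First iOS release containing the fix, as stated in the article. The KEV feed
# itself carries no fixed version, so this mapping must be maintained by hand.
FIXED_IN: Dict[str, str] = {
    "CVE-2021-30952": "15.2",
    "CVE-2023-41974": "17",
    "CVE-2023-43000": "16.6",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'16.7.1' -> (16, 7, 1). Rejects junk instead of guessing."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True when release a is older than b; '17' and '17.0' compare equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))  # pad so (17,) compares like (17, 0, 0)
    vb += (0,) * (width - len(vb))
    return va < vb


def exposed_cves(ios_version: str) -> List[str]:
    """KEV CVEs whose fix release is newer than the device's iOS version."""
    return sorted(
        rec["cveID"] for rec in KEV_RECORDS
        if rec["cveID"] in FIXED_IN
        and version_lt(ios_version, FIXED_IN[rec["cveID"]])
    )


def overdue_cves(today: date) -> List[str]:
    """KEV entries whose BOD 22-01 due date has already passed."""
    return sorted(
        rec["cveID"] for rec in KEV_RECORDS
        if date.fromisoformat(rec["dueDate"]) < today
    )


def report(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map device name -> exposed CVEs, listing only devices still exposed."""
    out: Dict[str, List[str]] = {}
    for device, version in inventory.items():
        cves = exposed_cves(version)
        if cves:
            out[device] = cves
    return out


if __name__ == "__main__":
    # Constructed inventory; device names and versions are invented.
    inventory = {"phone-a": "14.8", "phone-b": "16.7", "phone-c": "17.0.1"}
    for device, cves in report(inventory).items():
        print(f"{device}: exposed to {', '.join(cves)}")
    print("overdue on 2026-03-27:", overdue_cves(date(2026, 3, 27)))
```

The version comparison deliberately pads shorter version strings with zeros rather than comparing them as text, since a plain string comparison would rank "17" below "16.7". Feeding it real data means replacing `KEV_RECORDS` with entries pulled from the actual KEV feed and keeping `FIXED_IN` current from Apple's advisories.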

GTIG has observed the use of Coruna by a surveillance vendor customer, a suspected Russian espionage group tracked as UNC6353 and a financially motivated China-based threat actor tracked as UNC6691.

“Coruna is one of the most significant examples we’ve observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations,” wrote iVerify.

iVerify also stated in a press release that Coruna shows “similarities to previous frameworks developed by threat actors affiliated with the US government,” suggesting the exploit kit could be a leaked government framework mirroring similar cases of government-developed exploits like EternalBlue.

Also added to the KEV Thursday were a Hikvision improper authentication flaw, tracked as CVE-2017-7921 and affecting multiple surveillance camera models, and a Rockwell Automation flaw affecting multiple products, tracked as CVE-2021-22681, that involves insufficient protection of credentials.

Check Point researchers reported this week that the Hikvision flaw was being used by Iran-nexus threat actors to compromise surveillance cameras in multiple countries including Israel, the United Arab Emirates and Qatar, following recent U.S. and Israeli strikes on Iran.
