Unrated severity · NVD Advisory · Published Mar 18, 2022 · Updated Aug 3, 2024

CVE-2022-22579

Description

Processing a maliciously crafted STL file can lead to information disclosure or arbitrary code execution on Apple devices, fixed in January 2022 updates.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An information disclosure issue exists in the handling of STL (stereolithography) files across Apple operating systems. The vulnerability stems from improper state management during file parsing. Affected versions include iOS and iPadOS prior to 15.3, tvOS prior to 15.3, macOS Monterey prior to 12.2, macOS Big Sur prior to 11.6.3, and macOS Catalina prior to Security Update 2022-001 [1][2][3][4]. When an application processes a maliciously crafted STL file, the flaw may lead to unexpected application termination or arbitrary code execution.

Exploitation

An attacker can exploit this vulnerability by delivering a specially crafted STL file to a target user, for example via email, a malicious website, or file-sharing services. The victim must open the file in an application capable of parsing STL geometry, such as a 3D modeling tool or the macOS Quick Look preview. No additional authentication beyond normal file access is required. The attacker does not need a privileged network position, as the exploit can be triggered locally after the file is opened.

Impact

Successful exploitation can result in information disclosure, where sensitive data from memory may be exposed due to the state management error. Additionally, the vulnerability may allow arbitrary code execution within the context of the application processing the file. This could enable an attacker to run malicious code, potentially leading to further compromise of the affected device, including data theft or unauthorized actions.

Mitigation

Apple addressed CVE-2022-22579 in the following security updates released on January 26, 2022: iOS 15.3 and iPadOS 15.3, tvOS 15.3, macOS Monterey 12.2, macOS Big Sur 11.6.3, and Security Update 2022-001 for macOS Catalina [1][2][3][4]. Users should apply these updates promptly. No workarounds are available; updating to the fixed versions is the only mitigation.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

5
