CVE-2022-32857

Vulnerability

CVE-2022-32857 is a privacy vulnerability in Apple operating systems where certain network communications were not sent over HTTPS, allowing a user in a privileged network position to track a user’s activity. The issue affects macOS Monterey before 12.5 [1], macOS Big Sur before 11.6.8 [3], macOS Catalina before Security Update 2022-005 [4], iOS before 15.6 and iPadOS before 15.6 [2], tvOS before 15.6, and watchOS before 8.7. The fix ensures that information is sent using HTTPS.

Exploitation

An attacker with a privileged network position (e.g., on the same local network or able to intercept traffic) can passively monitor unencrypted network requests to track the user's activity. No authentication or user interaction is required beyond the user performing normal network operations. The attacker can observe the unencrypted data to infer browsing habits, app usage, or other behavioral patterns.

Impact

Successful exploitation allows the attacker to track the user's activity, leading to a privacy violation. The impact is limited to information disclosure of user behavior; no code execution or privilege escalation is involved.

Mitigation

Apple addressed the issue by switching to HTTPS for the affected network communications. The fix is included in macOS Monterey 12.5 [1], macOS Big Sur 11.6.8 [3], Security Update 2022-005 for Catalina [4], iOS 15.6 and iPadOS 15.6 [2], tvOS 15.6, and watchOS 8.7. Users should update to the latest available versions. No workarounds are documented.