Apple released an emergency security release on September 13, 2021 to address two arbitrary code execution vulnerabilities, CVE-2021-30858 and CVE-2021-30860.
According to Apple, both vulnerabilities allow maliciously crafted documents to execute arbitrary code on vulnerable devices. Apple addressed the issue saying, “Apple is aware of a report that this issue may have been actively exploited.” The issue affects almost every iPhone, iPad, Mac and Apple Watch.
CVE-2021-30858 is a use-after-free vulnerability in the rendering engine of Safari (Webkit), that allows an attacker to create a maliciously crafted webpage. This allows arbitrary code execution on the device used to visit the webpage. Apple has stated that the vulnerability was disclosed by an anonymous researcher.
CVE-2021-30860 is an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics), which allows an attacker to create a maliciously crafted PDF that may lead to arbitrary code execution. The vulnerability was disclosed by Citizen Lab and the exploit of the vulnerability is named “FORCEDENTRY”.
The FORCEDENTRY vulnerability is a zero-day, zero-click exploit against iMessage that targets Apple’s image rendering library and is effective against Apple iOS, macOS and watchOS devices. Citizen Lab has stated that the FORCEDENTRY vulnerability can be used to install Pegasus spyware, developed by Israeli firm NSO Group. The researchers say that the exploit takes advantage of how Apple devices render images on the display and affects all Apple devices. The payload consists of PDF files containing a JBIG2-encoded stream that exploits Apple’s image rendering library via iMessage.
- All iPhones and iPads with iOS and iPadOS versions prior to 14.8.
- All Mac computers with operating system versions prior to OSX Big Sur 11.6 or Security Update 2021-005 Catalina.
- All Apple Watches prior to watchOS 7.6.2.
Apple has released iOS 14.8 and iPadOS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, Security Update 2021-005 Catalina and Safari 14.1.2 addressing the vulnerabilities. The release includes security fixes for both CVE-2021-30860 and CVE-2021-30858.
Qualys customers can scan their devices with QID 610367, 375855 and 375857 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.