Apple Arbitrary Code Injection Vulnerability (CVE-2021-30869)

Apple provided security fixes to address a zero-day vulnerability on Thursday. The attackers have used it in the wild to break into iPhones and Macs running older versions of iOS and macOS. Apple has also provided patches for a previously patched security flaw exploited by NSO Group’s Pegasus surveillance tool to target iPhone users. 

CVE-2021-30869 is a zero-day vulnerability: a type confusion bug in XNU, the kernel component of Apple's operating systems. It allows a malicious application to execute arbitrary code with kernel privileges. Apple says it fixed the flaw with improved state handling.

CVE-2021-30858 and CVE-2021-30860 are two other issues that Apple fixed earlier this month after University of Toronto’s Citizen Lab revealed a previously undisclosed attack named “FORCEDENTRY” (aka Megalodon) that could infect Apple devices without even requiring a click. 

It uses iMessage as an entry point to send malicious code that installed Pegasus spyware on victims’ devices and exfiltrated sensitive data without alerting them.  

Affected versions: 

  • Macs with Security Update 2021-006 Catalina 
  • iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation) running iOS 12.5.5 
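As an added example (not part of the Qualys advisory), the following POSIX shell script turns the Catalina entry above into a repeatable inventory check: given the product version and the output of `softwareupdate --history`, it reports whether a 10.15.x host carries Security Update 2021-006 Catalina. The update name and command names come from the page and from Apple; the sample history text is constructed for the stand-alone run, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the Qualys advisory. Checks, from text a Mac
# produces, whether a Catalina host carries the listed security update.
# Inputs are passed as text so the check can run anywhere (for instance over
# collected inventory); on the host itself, pipe the real commands in.

# is_catalina PRODUCT_VERSION -> 0 if the version string is a 10.15.x release
is_catalina() {
  case "$1" in
    10.15|10.15.*) return 0 ;;
    *) return 1 ;;
  esac
}

# has_update NAME HISTORY_TEXT -> 0 if NAME appears as an installed item
has_update() {
  printf '%s\n' "$2" | grep -F -q -- "$1"
}

# catalina_status PRODUCT_VERSION HISTORY_TEXT
# prints one of: not-catalina | patched | unpatched; returns 1 only for unpatched
catalina_status() {
  if ! is_catalina "$1"; then
    echo "not-catalina"; return 0
  fi
  if has_update "Security Update 2021-006 Catalina" "$2"; then
    echo "patched"; return 0
  fi
  echo "unpatched"; return 1
}

# Constructed sample in the shape of `softwareupdate --history` output
# (not captured from a real host).
SAMPLE_HISTORY='Display Name                        Version   Date
------------                        -------   ----
Safari                              14.1.2    08/31/2021, 14:02:11
Security Update 2021-006 Catalina   10.15.7   09/23/2021, 09:15:40'

# Stand-alone run against the constructed sample (prints "patched"):
catalina_status "10.15.7" "$SAMPLE_HISTORY"

# On the Mac itself (both commands are Apple's own):
#   catalina_status "$(sw_vers -productVersion)" "$(softwareupdate --history)"
```

Hosts that are not on Catalina are reported as `not-catalina` rather than `patched`, so the script does not silently pass devices that need a different update.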

Recent related exploits: 

  • An iOS zero-day (CVE-2021-1879) has also been actively exploited. 
  • CVE-2021-1870, CVE-2021-1871, and CVE-2021-1872 were exploited in the wild and reported by anonymous researchers. 
  • macOS zero-day (CVE-2021-30713) was abused by XCSSET malware to bypass Apple’s TCC privacy protection. 
  • A zero-day in iOS (CVE-2021-30661) and another one in macOS (CVE-2021-30657) exploited by Shlayer malware.
  • Two iOS zero-day bugs (CVE-2021-30761 and CVE-2021-30762) have been actively exploited to hack into older iPhone, iPad, and iPod devices. 
  • Three other iOS zero-days (CVE-2021-30663, CVE-2021-30665, and CVE-2021-30666) allowed arbitrary remote code execution (RCE) simply by visiting a malicious website. 

Mitigation 

Apple does not reveal, discuss, or confirm security problems until an investigation has been completed and patches or releases are ready for their customers’ protection. 

For more information on these vulnerabilities, refer to the CVE entries and Apple advisories listed under References below. To report a vulnerability in iOS, visit the Apple Product Security page.

Qualys Detection 

Qualys customers can scan their devices with QIDs 610369 and 375882 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities. 

References 

https://www.bleepingcomputer.com/news/apple/apple-patches-new-zero-day-bug-used-to-hack-iphones-and-macs/  

https://thehackernews.com/2021/09/urgent-apple-ios-and-macos-updates.html  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30869  

https://nvd.nist.gov/vuln/detail/CVE-2021-30869  

https://support.apple.com/en-us/HT212825  

https://support.apple.com/en-us/HT212824  

https://www.bleepingcomputer.com/news/apple/new-zero-click-iphone-exploit-used-to-deploy-nso-spyware/  

https://www.bleepingcomputer.com/news/security/apple-fixes-a-ios-zero-day-vulnerability-actively-used-in-attacks/  

https://support.apple.com/en-us/HT212146  

https://www.bleepingcomputer.com/news/security/apple-fixes-macos-zero-day-bug-exploited-by-shlayer-malware/  

https://www.bleepingcomputer.com/news/apple/apple-fixes-2-ios-zero-day-vulnerabilities-actively-used-in-attacks/  

https://www.bleepingcomputer.com/news/security/apple-fixes-three-zero-days-one-abused-by-xcsset-macos-malware/ 

https://www.bleepingcomputer.com/news/security/apple-fixes-ninth-zero-day-bug-exploited-in-the-wild-this-year/  
