SB2021092021 - Multiple vulnerabilities in Apple iOS and iPadOS
Published: September 20, 2021
Updated: February 16, 2022
Description
This security bulletin contains information about 36 security vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2021-30837)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Accessory Manager. A local application can trigger excessive memory consumption and execute arbitrary code with kernel privileges.
2) UNIX symbolic link following (CVE-ID: CVE-2021-30855)
The vulnerability allows a local application to gain access to otherwise restricted functionality.
The vulnerability exists due to a symlink following issue in Preferences. A local application can create a specially crafted symbolic link to a critical file on the system and access restricted files.
3) Improper Authorization (CVE-ID: CVE-2021-30810)
The vulnerability allows a remote attacker to bypass the authorization process.
The vulnerability exists within the Wi-Fi subsystem. A remote attacker in physical proximity to the device can force a user onto a malicious Wi-Fi network during device setup.
4) Memory corruption (CVE-ID: CVE-2021-30851)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
5) Memory corruption (CVE-ID: CVE-2021-30849)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
6) Memory corruption (CVE-ID: CVE-2021-30848)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
7) Memory corruption (CVE-ID: CVE-2021-30846)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
8) Missing Encryption of Sensitive Data (CVE-ID: CVE-2021-30826)
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to a logic issue within the Telephony subsystem, as in certain situations, the baseband fails to enable integrity and ciphering protection. A remote attacker can perform a MitM attack and intercept sensitive information.
9) Improper Authorization (CVE-ID: CVE-2021-30815)
The vulnerability allows a local attacker to gain access to sensitive information.
The vulnerability exists due to improper implementation of the lock screen in Siri. A local attacker can view contacts from the lock screen.
10) Sandbox restrictions bypass (CVE-ID: CVE-2021-30854)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to sandbox restrictions bypass in Preferences. A local application can circumvent sandbox restrictions and gain access to otherwise restricted functionality.
11) Out-of-bounds read (CVE-ID: CVE-2021-30819)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when processing USD images within the Model I/O subsystem. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.
12) Information disclosure (CVE-ID: CVE-2021-30811)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to an unspecified error within AppleMobileFileIntegrity. A local application can gain unauthorized access to sensitive information on the system.
13) Race condition (CVE-ID: CVE-2021-30857)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition in the OS kernel component. A local user can exploit the race to gain unauthorized access to sensitive information and escalate privileges on the system.
14) Buffer overflow (CVE-ID: CVE-2021-30847)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing images within ImageIO. A remote attacker can create a specially crafted image, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
15) Buffer overflow (CVE-ID: CVE-2021-30835)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing images within ImageIO. A remote attacker can create a specially crafted image, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
16) Buffer overflow (CVE-ID: CVE-2021-30843)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing font files within FontParser. A remote attacker can create a specially crafted document or a web page with a malicious font, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
17) Buffer overflow (CVE-ID: CVE-2021-30842)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing font files within FontParser. A remote attacker can create a specially crafted document or a web page with a malicious font, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
18) Buffer overflow (CVE-ID: CVE-2021-30841)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing font files within FontParser. A remote attacker can create a specially crafted document or a web page with a malicious font, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
19) Improper Authentication (CVE-ID: CVE-2021-30863)
The vulnerability allows a local attacker to bypass Face ID authentication process.
The vulnerability exists due to an error in the Face ID authentication process. An attacker can construct a 3D model that looks like the enrolled user and bypass the Face ID authentication process.
20) Buffer overflow (CVE-ID: CVE-2021-30825)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within CoreML. A local application can trigger denial of service and execute arbitrary code.
21) Buffer overflow (CVE-ID: CVE-2021-30838)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Accessory Manager. A local application can trigger memory corruption and execute arbitrary code with system privileges on devices with an Apple Neural Engine.
22) Resource exhaustion (CVE-ID: CVE-2013-0340)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the expat library when processing XML files. A remote attacker can pass specially crafted XML content to the affected library and perform a denial of service (DoS) attack.
23) Type Confusion (CVE-ID: CVE-2021-30818)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in WebKit. A remote attacker can trick the victim into visiting a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
24) Information disclosure (CVE-ID: CVE-2021-30870)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists in the Quick Look feature when previewing an HTML file attached to a note. The application can contact a remote server and reveal information about the user, such as their IP address.
25) Improper Authorization (CVE-ID: CVE-2021-30874)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists in the NetworkExtension subsystem due to missing permission checks. A local application can install a VPN configuration without having the necessary permissions.
26) Buffer overflow (CVE-ID: CVE-2021-30814)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing images within the ImageIO subsystem. A remote attacker can create a specially crafted image, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
27) Improper Authorization (CVE-ID: CVE-2021-30867)
The vulnerability allows a local application to gain access to restricted functionality.
The vulnerability exists due to improper authorization checks in iCloud Photo Library. A local application without permissions to access photos can access photo metadata.
28) Type Confusion (CVE-ID: CVE-2021-30852)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in the Foundation subsystem. A remote attacker can trick the victim into visiting a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
29) Buffer overflow (CVE-ID: CVE-2021-30840)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing fonts in the FontParser subsystem. A remote attacker can create a specially crafted document or web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
30) Out-of-bounds read (CVE-ID: CVE-2021-30831)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the FontParser subsystem. A remote attacker can trick the victim into opening a specially crafted website or document, trigger an out-of-bounds read error and read the contents of memory on the system.
31) Information disclosure (CVE-ID: CVE-2021-30882)
The vulnerability allows a local application to eavesdrop on phone calls.
The vulnerability exists due to a logic issue in FaceTime. A local application with microphone permission can access microphone input during a FaceTime call.
32) Information disclosure (CVE-ID: CVE-2021-30816)
The vulnerability allows an attacker to gain access to private information.
The vulnerability exists due to a logic error in the FaceTime application. An attacker with physical access to the device can view private contact information.
33) Use-after-free (CVE-ID: CVE-2021-30809)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
34) Out-of-bounds read (CVE-ID: CVE-2021-30836)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.
35) Security features bypass (CVE-ID: CVE-2021-30808)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists in Sandbox implementation. A local application can bypass sandbox restrictions and modify protected parts of the file system.
36) Information disclosure (CVE-ID: CVE-2021-30884)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists in the WebKit component when processing CSS files. A remote attacker can trick the victim into opening a specially crafted website and obtain the user's browsing history.
Remediation
Install the update from the vendor's website.