CVE-2021-1782
Published: 02 April 2021
Summary
CVE-2021-1782 is a high-severity Improper Locking (CWE-667) vulnerability in Apple Mac OS X. Its CVSS base score is 7.0 (High).
Operationally, it ranks in the top 9.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
A race condition vulnerability stemming from improper locking, tracked as CVE-2021-1782 and assigned CWE-667, affects multiple Apple operating systems including macOS Big Sur, Catalina, and Mojave along with iOS 14, iPadOS 14, tvOS 14, and watchOS 7. The flaw permits a malicious application to elevate privileges on the affected platform, as confirmed by its CVSS 3.1 vector indicating local attack with high complexity but full impact on confidentiality, integrity, and availability.
An attacker with the ability to run code as a low-privileged local user can exploit the race condition to gain elevated rights. Because the issue requires only local access and no user interaction, it can be triggered from within a sandboxed or third-party application that an end user has already installed.
Apple has released fixes in macOS Big Sur 11.2, Security Update 2021-001 for Catalina and Mojave, iOS 14.4 and iPadOS 14.4, tvOS 14.4, and watchOS 7.3; the corresponding security advisories direct administrators to apply these updates to address the locking deficiency.
Apple has stated that it is aware of reports indicating the vulnerability may have been actively exploited in the wild prior to patching.
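The fixed releases listed above can be turned into an inventory triage. This is an added example, not code from Apple or from this page; the names `FIXED`, `triage` and `report` and the inventory rows are hypothetical and constructed for illustration.

```python
# Fixed releases as stated on this page, keyed by OS name and affected major version.
FIXED = {
    ("ios", 14): (14, 4),
    ("ipados", 14): (14, 4),
    ("tvos", 14): (14, 4),
    ("watchos", 7): (7, 3),
    ("macos", 11): (11, 2),  # Big Sur
}
# Catalina (10.15) and Mojave (10.14) are fixed by Security Update 2021-001.
# A security update changes the build, not the product version, and the page
# gives no build numbers, so these hosts need a manual check.
SECURITY_UPDATE_ONLY = {(10, 15), (10, 14)}


def parse_version(text):
    """'14.3.1' -> (14, 3, 1); raises ValueError on malformed input."""
    return tuple(int(part) for part in text.strip().split("."))


def triage(os_name, version):
    """Classify one device against the fixed releases for CVE-2021-1782."""
    name = os_name.strip().lower()
    try:
        ver = parse_version(version)
    except ValueError:
        return "unparseable"
    if name == "macos" and ver[:2] in SECURITY_UPDATE_ONLY:
        return "check-security-update"
    fixed = FIXED.get((name, ver[0]))
    if fixed is None:
        return "not-listed"  # release line not named on this page
    return "patched" if ver >= fixed else "vulnerable"


def report(inventory):
    """Return (host, os, version) rows that are not confirmed patched."""
    return [row for row in inventory if triage(row[1], row[2]) != "patched"]


if __name__ == "__main__":
    # Constructed sample inventory.
    inventory = [
        ("phone-01", "iOS", "14.3"),
        ("phone-02", "iOS", "14.4.1"),
        ("mac-01", "macOS", "11.1"),
        ("mac-02", "macOS", "10.15.7"),
        ("watch-01", "watchOS", "7.3"),
    ]
    for host, os_name, version in report(inventory):
        print(host, os_name, version, triage(os_name, version))
```

Hosts reported as `check-security-update` should be verified against the installed-updates list or build number from Apple's advisory.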
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-7246
Vulnerability details
A race condition was addressed with improved locking. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.
- CWE(s): CWE-667
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly enforces access rights so that the race condition in locking cannot be exploited to obtain unauthorized elevation.
Requires prompt application of the vendor patches that correct the improper locking and eliminate the exploitable race.
Process isolation limits the ability of a malicious application to influence kernel or other-process locking primitives used in the race.