CVE-2021-1789
Published: 02 April 2021
Summary
CVE-2021-1789 is a high-severity Type Confusion (CWE-843) vulnerability in Apple Mac OS X. Its CVSS base score is 8.8 (High).
Operationally, it ranks at the 47.9th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
A type confusion vulnerability, tracked as CWE-843, was present in WebKit and addressed through improved state handling. The flaw affects multiple Apple platforms prior to the listed updates: macOS before Big Sur 11.2, Catalina and Mojave before Security Update 2021-001, iOS and iPadOS before 14.4, tvOS before 14.4, watchOS before 7.3, and Safari before 14.0.3. The CVSS 3.1 base score of 8.8 reflects a network attack vector, low attack complexity, and no required privileges.
An unauthenticated remote attacker can exploit the issue by supplying maliciously crafted web content that a user processes in a vulnerable browser or application. Successful exploitation grants arbitrary code execution with full impact on confidentiality, integrity, and availability of the affected device.
Apple security updates for the affected platforms and Safari 14.0.3 resolve the vulnerability. Related packages were also addressed in distributions such as Fedora and Gentoo that incorporate WebKit components. The references themselves provide no information on in-the-wild exploitation; the CISA KEV listing noted in the summary is the only exploitation signal on this page.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-7253
Vulnerability details
A type confusion issue was addressed with improved state handling. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, tvOS 14.4, watchOS 7.3, iOS 14.4 and iPadOS 14.4, Safari 14.0.3. Processing maliciously crafted web content may lead to arbitrary code execution.
- CWE(s): CWE-843
- KEV Date Added: 04 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the vendor security updates that remediate the WebKit type-confusion flaw before malicious web content can be processed.
Restricts or disables execution of mobile code (JavaScript, WebAssembly, etc.) delivered via untrusted web content, limiting the attack vector that triggers the type confusion.
Deploys malicious-code detection mechanisms at the browser or host level that can block or alert on crafted web payloads attempting to exploit the WebKit vulnerability.