CVE-2021-30661
Published: 08 September 2021
Summary
CVE-2021-30661 is a high-severity Use After Free (CWE-416) vulnerability in Apple iPhone OS. Its CVSS base score is 8.8 (High).
Operationally, it ranks at the 16.7th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
A use-after-free vulnerability, tracked as CVE-2021-30661 and assigned CWE-416, affects WebKit components in multiple Apple products. It is present in versions of Safari prior to 14.1, iOS prior to 12.5.3 and 14.5, iPadOS prior to 14.5, watchOS prior to 7.4, tvOS prior to 14.5, and macOS Big Sur prior to 11.3. The flaw stems from improper memory management when handling web content and carries a CVSS 3.1 base score of 8.8.
An attacker can exploit the issue by serving maliciously crafted web content to a victim. Successful exploitation grants arbitrary code execution in the context of the affected process, requiring only that the user interact with the content (network vector, no privileges needed, user interaction required).
Apple security advisories HT212317, HT212318, HT212323, HT212324, and HT212325 state that the vulnerability is resolved by improved memory management in the versions listed above and recommend that users install the corresponding updates.
Apple has stated that it is aware of reports indicating the issue may have been actively exploited in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-17578
Vulnerability details
A use after free issue was addressed with improved memory management. This issue is fixed in Safari 14.1, iOS 12.5.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5, macOS Big Sur 11.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of vendor patches that remediate the use-after-free flaw in WebKit before exploitation occurs.
Mandates memory-protection mechanisms that address the root cause of use-after-free conditions leading to arbitrary code execution.
Requires malicious-code protections on endpoints that can block or sandbox the malicious web content used to trigger the WebKit vulnerability.