CVE-2021-30665
Published: 08 September 2021
Summary
CVE-2021-30665 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Iphone Os. Its CVSS base score is 8.8 (High).
Operationally, ranked at the 40.6th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
A memory corruption vulnerability, identified as CWE-787, affects multiple Apple platforms and stems from improper state management during the processing of web content. Impacted software includes watchOS prior to 7.4.1, iOS and iPadOS prior to 14.5.1, tvOS prior to 14.6, iOS 12.x prior to 12.5.3, and macOS Big Sur prior to 11.3.1. The flaw carries a CVSS score of 8.8 and enables out-of-bounds write operations when handling untrusted input.
An unauthenticated remote attacker can exploit the issue by supplying maliciously crafted web content that a user is tricked into processing, such as through a web browser or other web-rendering component. Successful exploitation grants arbitrary code execution with full read, write, and execution impact on the affected device.
Apple security advisories for the listed updates state that the vulnerability is resolved by applying the respective patches, which improve state management to prevent the memory corruption. The references detail the fixed versions for each platform and urge immediate installation to address the exposure.
Apple has noted reports indicating that this vulnerability may have been actively exploited in the wild prior to patching.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-17582
Vulnerability details
A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 7.4.1, iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, macOS Big Sur 11.3.1. Processing maliciously crafted web content may lead to arbitrary code…
more
execution. Apple is aware of a report that this issue may have been actively exploited..
- CWE(s)
- KEV Date Added
- 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly counters the out-of-bounds write (CWE-787) memory corruption by enforcing memory protection mechanisms during web-content processing.
Requires timely application of the vendor patches that improve state management and close the actively exploited flaw in the listed Apple platforms.
Provides malicious-code detection and blocking for untrusted web content that triggers the remote code-execution path.