CVE-2021-30713
Published: 08 September 2021
Summary
CVE-2021-30713 is a high-severity Missing Authorization (CWE-862) vulnerability in Apple Mac OS X (macOS). Its CVSS base score is 7.8 (High).
Operationally, it is ranked at the 23.3rd percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
A permissions issue stemming from insufficient validation was present in macOS Big Sur prior to version 11.4. The flaw, tracked as CVE-2021-30713 and assigned CWE-862, resides in the system's handling of application permissions and allows a malicious application to bypass Privacy preferences that would otherwise restrict access to sensitive user data or system resources.
An attacker who can execute a malicious application on an affected system can exploit the vulnerability locally without user interaction. Successful exploitation lets the application bypass the intended Privacy preference controls, resulting in high impact to confidentiality, integrity, and availability, as reflected in the CVSS 7.8 score.
Apple addressed the issue in the macOS Big Sur 11.4 update released on 24 May 2021. The vendor's security advisory (HT212529) and related disclosures explicitly recommend installing the update to remediate the permissions validation weakness.
Apple has stated it is aware of reports indicating the vulnerability may have been actively exploited in the wild prior to patching.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-17630
Vulnerability details
A permissions issue was addressed with improved validation. This issue is fixed in macOS Big Sur 11.4. A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited.
- CWE(s): CWE-862 (Missing Authorization)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access decisions for the Privacy preferences that the CVE's insufficient validation allowed a malicious app to bypass.
- SI-2 (Flaw Remediation): Requires timely installation of the macOS Big Sur 11.4 update that remediates the permissions-validation flaw.
- Addresses the root cause of inadequate validation when the system processes application permission requests.