CVE-2021-31010
Published: 24 August 2021
Summary
CVE-2021-31010 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apple Mac OS X. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 27.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A deserialization issue tracked as CVE-2021-31010 and assigned CWE-502 was present in multiple Apple operating systems. The flaw stems from insufficient validation during deserialization and could allow improper handling of serialized data. It affected iOS, iPadOS, macOS Catalina, macOS Big Sur, and watchOS prior to the releases that addressed it.
An attacker could exploit the vulnerability over a network without authentication or user interaction to enable a sandboxed process to bypass sandbox restrictions, resulting in unauthorized modification of data, as reflected in the CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.
The issue is resolved in Security Update 2021-005 Catalina, iOS 12.5.5, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, and watchOS 7.6.2, as detailed in the corresponding Apple security advisories.
Apple stated that it was aware of reporting indicating the vulnerability may have been actively exploited in the wild at the time the fixes were released.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-17927
Vulnerability details
A deserialization issue was addressed through improved validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 12.5.5, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. A sandboxed process may be able to circumvent sandbox restrictions. Apple was aware of a report that this issue may have been actively exploited at the time of release.
- CWE(s): CWE-502
- KEV Date Added: 25 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the insufficient input validation during deserialization that enabled the sandbox bypass in CVE-2021-31010.
- AC-3 (Access Enforcement): enforces the sandbox access restrictions that the deserialization flaw was exploited to circumvent.
- Process isolation: provides the isolation mechanism whose boundaries were violated by the unauthenticated deserialization attack.