CVE-2021-1782
Published 2021-04-02. CVE-2021-1782: A race condition was addressed with improved locking. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001…
Priority P1 · 80 · CVSS 3.1: 7 (high) · vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H · KEV · ITW · Exploit
CISA Known Exploited Vulnerability (remediation due 2021-11-17)
Exploited in the wild
EPSS: 2.22% (80.5th percentile)
A race condition was addressed with improved locking. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios_14.4_and_ipados | — | — |
| apple | ios_and_ipados | >= unspecified < 14.4 | 14.4 |
| apple | ipados | < 14.4 | 14.4 |
| apple | iphone_os | < 14.4 | 14.4 |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | >= 10.14 < 10.14.6 | 10.14.6 |
| apple | mac_os_x | >= 10.15 < 10.15.7 | 10.15.7 |
| apple | macos | >= 11.0 < 11.2 | 11.2 |
| apple | macos | >= unspecified < 11.2 | 11.2 |
| apple | macos | >= unspecified < 7.3 | 7.3 |
| apple | macos | >= unspecified < 14.4 | 14.4 |
| apple | macos_big_sur_11.2_security_update_2021-001_catalina_security_update_2021-001_mo | — | — |
| apple | tvos | < 14.4 | 14.4 |
| apple | watchos | < 7.3 | 7.3 |
Detection & IOCs (extracted from sources)
- Vulnerability is a kernel-level race condition (locking flaw) exploited via a malicious local application to elevate privileges on Apple platforms (iOS, iPadOS, macOS, watchOS, tvOS)
- Exploitation vector is a locally installed malicious application triggering a kernel race condition to gain elevated privileges; hunt for unexpected privilege escalation from user-space apps on Apple devices
- Confirmed in-the-wild exploitation; treat any unpatched Apple device (iOS < 14.4, macOS < Big Sur 11.2 / Catalina Security Update 2021-001 / Mojave Security Update 2021-001, watchOS < 7.3, tvOS < 14.4) as high-risk for privilege-escalation attacks via malicious apps
- No public proof-of-concept or exploit code with concrete IOCs (hashes, domains, IPs, signatures) was present in the provided sources; all exploitation details remain undisclosed by Apple
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.0 | HIGH | — |
| cisa | — | 7.0 | HIGH | — |
CISA
Apple Multiple Products Race Condition Vulnerability
cisa·2021-11-03·CVSS 7.0
CVE-2021-1782 [HIGH] CWE-362 Apple Multiple Products Race Condition Vulnerability
Vulnerability: Apple Multiple Products Race Condition Vulnerability
Affected: Apple Multiple Products
Apple iOS, iPadOS, macOS, watchOS, and tvOS contain a race condition vulnerability that may allow a malicious application to elevate privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-1782
Remediation Due Date: 2021-11-17
Apple
CVE-2021-1782: macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave
vendor_apple·2021-02-01·CVSS 7.0
CVE-2021-1782 [HIGH] CVE-2021-1782: macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave
Apple Security Update: About the security content of macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave
Product: macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave
CVE: CVE-2021-1782
Component: Kernel
Impact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A race condition was addressed with improved locking.
Apple
CVE-2021-1782: iOS 14.4 and iPadOS 14.4
vendor_apple·2021-01-26·CVSS 7.0
CVE-2021-1782 [HIGH] CVE-2021-1782: iOS 14.4 and iPadOS 14.4
Apple Security Update: About the security content of iOS 14.4 and iPadOS 14.4
Product: iOS 14.4 and iPadOS
Version: 14.4
CVE: CVE-2021-1782
Component: Kernel
Impact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A race condition was addressed with improved locking.
GHSA
GHSA-22jf-974v-hf7j: A race condition was addressed with improved locking
ghsa_unreviewed·2022-05-24
CVE-2021-1782 [HIGH] CWE-269 GHSA-22jf-974v-hf7j: A race condition was addressed with improved locking
A race condition was addressed with improved locking. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.
Project0
CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers - Project Zero
project_zero·2022-04-01·CVSS 7.0
CVE-2021-1782 [HIGH] CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers - Project Zero
Posted by Ian Beer, Google Project Zero
This blog post is my analysis of a vulnerability exploited in the wild and patched in early 2021. Like the writeup published last week looking at an ASN.1 parser bug, this blog post is based on the notes I took as I was analyzing the patch and trying to understand the XNU vouchers subsystem. I hope that this writeup serves as the missing documentation for how some of the internals of the voucher subsystem works and its quirks which lead to this vulnerability.
CVE-2021-1782 was fixed in iOS 14.4, as noted by @s1guza on twitter:
This vulnerability was fixed on January 26th 2021, and Apple updated the iOS 14.4 release notes on May 28th 2021 to indicate that the issue may have been actively exploited:
## Vouchers
What
Project0
The More You Know, The More You Know You Don’t Know - Project Zero
project_zero·2022-04-01
CVE-2016-4654 The More You Know, The More You Know You Don’t Know - Project Zero
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
VulnCheck
Apple Multiple Products Race Condition Vulnerability
vulncheck·2021·CVSS 7.0
CVE-2021-1782 [HIGH] CWE-362 Apple Multiple Products Race Condition Vulnerability
Apple Multiple Products Race Condition Vulnerability
Apple iOS, iPadOS, macOS, watchOS, and tvOS contain a race condition vulnerability that may allow a malicious application to elevate privileges.
Affected: Apple Multiple Products
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://support.apple.com/kb/HT212146; https://support.apple.com/kb/HT212148; https://support.apple.com/kb/HT212149; https://support.apple.com/kb/HT212147; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/5d442d6d99aa
Remediation Due: 2021-11-17
No detection rules found.
No public exploits indexed.
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA's Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
- Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01 , “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Qualys
Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices
blogs_qualys·2021-10-18·CVSS 7.0
[HIGH] Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices
Apple recently released iOS and iPadOS 15.0.2 as an emergency security update that addresses one critical zero-day vulnerability, which is exploited in the wild. Qualys recommends that security teams immediately update all devices running iOS and iPadOS to the latest version. “Apple is aware of a report that this issue may have been actively exploited,” the company said in security advisories.
This year, Apple has released multiple emergency releases to fix actively exploited vulnerabilities, for which Apple stated that it “is aware of a report that this issue may have been actively exploited”. Successful exploitation of the vulnerability allows an application to execute arbitrary code with kernel privileges, and spyware like Pegasus can be easily deployed on affected devices, and exploiting other vul
CWE
Improper Synchronization
mitre_cwe
CWE-662 Improper Synchronization
CWE-662: Improper Synchronization
The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
Synchronization refers to a variety of behaviors and mechanisms that allow two or more independently-operating processes or threads to ensure that they operate on shared resources in predictable ways that do not interfere with each other. Some shared resource operations cannot be executed atomically; that is, multiple steps must be guaranteed to execute sequentially, without any interference by other processes. Synchronization mechanisms vary w
CWE
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
mitre_cwe
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
A race condition occurs within concurrent environments, and it is effectively a property of a code sequence. Depending on the context, a code sequence may be in the form of a function call, a small number of instructions, a series of program invocations, etc. A race condition violates these properties, which are closely related: Exclusivity - the code sequence is given exclusive access to the shared resource, i.e., no other code sequence can modify properties
CWE
Improper Locking
mitre_cwe
CWE-667 Improper Locking
CWE-667: Improper Locking
The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Locking is a type of synchronization behavior that ensures that multiple independently-operating processes or threads do not interfere with each other when accessing the same resource. All processes/threads are expected to follow the same steps for locking. If these steps are not followed precisely - or if no locking is done at all - then another process/thread could modify the shared resource in a way that is not visible or predictable to the original process. This can lead to data or memory corruption, denial of service, etc.
Modes of Introduction:
- Phase: Architecture and Design
- Phase: Implementation
Common Consequences:
- Scope: A
References:
- https://support.apple.com/en-us/HT212146
- https://support.apple.com/en-us/HT212147
- https://support.apple.com/en-us/HT212148
- https://support.apple.com/en-us/HT212149
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-1782
Timeline:
- 2021-04-02: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild