⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-1782Improper Locking in Apple IOS AND Ipados

CWE-667Improper LockingCWE-662Improper SynchronizationCWE-269Improper Privilege ManagementCWE-362Race Condition16 documents9 sources
Severity
7.0HIGHNVD
EPSS
5.9%
top 9.41%
CISA KEV
KEV
Added 2021-11-03
Due 2021-11-17
Exploit
Exploited in wild
Active exploitation observed
Affected products
7
Apple IOS AND IpadosApple MacosApple Ipados+4 more
Timeline
PublishedApr 2
KEV addedNov 3
KEV dueNov 17
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

A race condition was addressed with improved locking. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited..

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages8 packages

NVDapple/tvos< 14.4
CVEListV5apple/macosunspecified11.2+2
NVDapple/macos11.011.2
NVDapple/ipados< 14.4
NVDapple/watchos< 7.3

🔴Vulnerability Details

5
GHSA
GHSA-22jf-974v-hf7j: A race condition was addressed with improved locking2022-05-24
Project0
CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers - Project Zero2022-04-01
Project0
The More You Know, The More You Know You Don’t Know - Project Zero2022-04-01
CVEList
CVE-2021-1782: A race condition was addressed with improved locking2021-04-02
VulnCheck
Apple Multiple Products Race Condition Vulnerability2021

📋Vendor Advisories

3
CISA
Apple Multiple Products Race Condition Vulnerability2021-11-03
Apple
CVE-2021-1782: macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave2021-02-01
Apple
CVE-2021-1782: iOS 14.4 and iPadOS 14.42021-01-26

🕵️Threat Intelligence

4
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-012021-11-09
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys2021-11-09
Qualys
Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices2021-10-18
Qualys
Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices | Qualys2021-10-18

📐Framework References

3
CWE
Improper Synchronization
CWE
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE
Improper Locking
CVE-2021-1782 — Improper Locking in Apple | cvebase