Details of VAR-202109-1339

ID

VAR-202109-1339

CVE

CVE-2021-30724

TITLE

Apple macOS CVMServer Integer Overflow Privilege Escalation Vulnerability

Trust: 0.7

sources: ZDI: ZDI-21-794

DESCRIPTION

This issue was addressed with improved checks. This issue is fixed in tvOS 14.6, Security Update 2021-004 Mojave, iOS 14.6 and iPadOS 14.6, Security Update 2021-003 Catalina, macOS Big Sur 11.4, watchOS 7.5. A local attacker may be able to elevate their privileges. This vulnerability allows local attackers to escalate privileges on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the CVMServer daemon. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Apple tvOS is a smart TV operating system developed by Apple (Apple). Apple tvOS has a permissions and access control issue vulnerability, which stems from the application not properly applying security restrictions in CVMS. The following products and versions are affected: tvOS: 14.0 18J386, 14.0.1 18J400, 14.0.2 18J411, 14.2 18K57, 14.3 18K561, 14.4 18K802, 14.5 18L204. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2021-05-25-7 tvOS 14.6 tvOS 14.6 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212532. Audio Available for: Apple TV 4K and Apple TV HD Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-30707: hjy79425575 working with Trend Micro Zero Day Initiative Audio Available for: Apple TV 4K and Apple TV HD Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information Description: This issue was addressed with improved checks. CVE-2021-30685: Mickey Jin (@patch1t) of Trend Micro CoreAudio Available for: Apple TV 4K and Apple TV HD Impact: Processing a maliciously crafted audio file may disclose restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2021-30686: Mickey Jin of Trend Micro Crash Reporter Available for: Apple TV 4K and Apple TV HD Impact: A malicious application may be able to modify protected parts of the file system Description: A logic issue was addressed with improved state management. CVE-2021-30727: Cees Elzinga CVMS Available for: Apple TV 4K and Apple TV HD Impact: A local attacker may be able to elevate their privileges Description: This issue was addressed with improved checks. CVE-2021-30724: Mickey Jin (@patch1t) of Trend Micro Heimdal Available for: Apple TV 4K and Apple TV HD Impact: A local user may be able to leak sensitive user information Description: A logic issue was addressed with improved state management. CVE-2021-30697: Gabe Kirkpatrick (@gabe_k) Heimdal Available for: Apple TV 4K and Apple TV HD Impact: A malicious application may cause a denial of service or potentially disclose memory contents Description: A memory corruption issue was addressed with improved state management. CVE-2021-30710: Gabe Kirkpatrick (@gabe_k) ImageIO Available for: Apple TV 4K and Apple TV HD Impact: Processing a maliciously crafted image may lead to disclosure of user information Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2021-30687: Hou JingYi (@hjy79425575) of Qihoo 360 ImageIO Available for: Apple TV 4K and Apple TV HD Impact: Processing a maliciously crafted image may lead to disclosure of user information Description: This issue was addressed with improved checks. CVE-2021-30700: Ye Zhang(@co0py_Cat) of Baidu Security ImageIO Available for: Apple TV 4K and Apple TV HD Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-30701: Mickey Jin (@patch1t) of Trend Micro and Ye Zhang of Baidu Security ImageIO Available for: Apple TV 4K and Apple TV HD Impact: Processing a maliciously crafted ASTC file may disclose memory contents Description: This issue was addressed with improved checks. CVE-2021-30705: Ye Zhang of Baidu Security Kernel Available for: Apple TV 4K and Apple TV HD Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved validation. CVE-2021-30740: Linus Henze (pinauten.de) Kernel Available for: Apple TV 4K and Apple TV HD Impact: An application may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved state management. CVE-2021-30704: an anonymous researcher Kernel Available for: Apple TV 4K and Apple TV HD Impact: Processing a maliciously crafted message may lead to a denial of service Description: A logic issue was addressed with improved state management. CVE-2021-30715: The UK's National Cyber Security Centre (NCSC) Kernel Available for: Apple TV 4K and Apple TV HD Impact: An application may be able to execute arbitrary code with kernel privileges Description: A buffer overflow was addressed with improved size validation. CVE-2021-30736: Ian Beer of Google Project Zero LaunchServices Available for: Apple TV 4K and Apple TV HD Impact: A malicious application may be able to break out of its sandbox Description: This issue was addressed with improved environment sanitization. CVE-2021-30677: Ron Waisberg (@epsilan) Security Available for: Apple TV 4K and Apple TV HD Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution Description: A memory corruption issue in the ASN.1 decoder was addressed by removing the vulnerable code. CVE-2021-30737: xerub WebKit Available for: Apple TV 4K and Apple TV HD Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. CVE-2021-30665: yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA WebKit Available for: Apple TV 4K and Apple TV HD Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A cross-origin issue with iframe elements was addressed with improved tracking of security origins. CVE-2021-30744: Dan Hite of jsontop WebKit Available for: Apple TV 4K and Apple TV HD Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2021-21779: Marcin Towalski of Cisco Talos WebKit Available for: Apple TV 4K and Apple TV HD Impact: A malicious application may be able to leak sensitive user information Description: A logic issue was addressed with improved restrictions. CVE-2021-30682: an anonymous researcher and 1lastBr3ath WebKit Available for: Apple TV 4K and Apple TV HD Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue was addressed with improved state management. CVE-2021-30689: an anonymous researcher WebKit Available for: Apple TV 4K and Apple TV HD Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2021-30749: an anonymous researcher and mipu94 of SEFCOM lab, ASU. working with Trend Micro Zero Day Initiative CVE-2021-30734: Jack Dates of RET2 Systems, Inc. (@ret2systems) working with Trend Micro Zero Day Initiative WebKit Available for: Apple TV 4K and Apple TV HD Impact: A malicious website may be able to access restricted ports on arbitrary servers Description: A logic issue was addressed with improved restrictions. CVE-2021-30720: David Schütz (@xdavidhu) WebKit Available for: Apple TV 4K and Apple TV HD Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. CVE-2021-30663: an anonymous researcher Additional recognition ImageIO We would like to acknowledge Jzhu working with Trend Micro Zero Day Initiative and an anonymous researcher for their assistance. WebKit We would like to acknowledge Chris Salls (@salls) of Makai Security for their assistance. Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software." To check the current version of software, select "Settings -> General -> About." Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAmCtU9MACgkQZcsbuWJ6 jjBzuhAAmXJik2L+PmRMzs6dd1QcCSwHYi0KLG0ERapHKJsFcm5+xpv87a4AFO4p 3E6+5w9wQSWVEsQG1PIvuyV3M81xuu8xY88tAD1ce1qGA4Dny4E7RU08Y0l43j/x d1RemCf0TjwYpvX34/GaOspxFQYnRo1gWsU1v7bieF8vMHZmUOlgiNep0UEG3Kuq 7IAAsfzWS43a+nkefSDWEujMNwbg1SZKua/+BXgZC7AOXdAHItqyNBFIerUc2uSf ReHLZ5BNBKw9OsL9qoJsiLCmwxKrpUTzpQahu2gybZf65nza6QPOTohqqWq79EOD mIqOW4SQ5mVSrzMh+GB9EovMY+l5YgyHwObTUjRW+4znLU7fqNXBgwzgWoIpJdF0 rpkjP3phOGXZWwiBhRmm5iYI08HFoBfF+EoPFN5Ucl7ZWz2uF0bQlbp3yqRoGRaO ZWY2LzPIdP5zSq7rqXDaVnNFuKF93J4ouZZwVMXA4yf5wmQ3silIeJlvxxphlet8 oXv2pkewq9A81RGMlgMDZMvawQvPGkOVgeBm1coajN1swNY8esW7N6J1+rtDL0mI sulaGZCeSM9ndg5VRU2lpClFdGEUZXT2hZ8NoMV6jj48c0gZBW3M82snGD4zeRqM dcezqg6o22ZxpogRJuRf41Y87ktE5o73wgj0xu72MQoxK86+Ek0= =BeQR -----END PGP SIGNATURE-----

Trust: 2.43

sources: NVD: CVE-2021-30724 // ZDI: ZDI-21-794 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-390457 // VULMON: CVE-2021-30724 // PACKETSTORM: 162825 // PACKETSTORM: 162827

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	lte	version:	10.15.6	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	gte	version:	10.14.0	Trust: 1.0
vendor:	apple	model:	iphone os	scope:	lt	version:	14.6	Trust: 1.0
vendor:	apple	model:	macos	scope:	lt	version:	11.4	Trust: 1.0
vendor:	apple	model:	ipados	scope:	lt	version:	14.6	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	lte	version:	10.14.5	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.14.6	Trust: 1.0
vendor:	apple	model:	watchos	scope:	lt	version:	7.5	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	gte	version:	10.15	Trust: 1.0
vendor:	apple	model:	macos	scope:	gte	version:	11.0.1	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.15.7	Trust: 1.0
vendor:	apple	model:	macos	scope:	-	version:	-	Trust: 0.7

sources: ZDI: ZDI-21-794 // NVD: CVE-2021-30724

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-30724
value:	HIGH
Trust: 1.0
ZDI:	CVE-2021-30724
value:	HIGH
Trust: 0.7
CNNVD:	CNNVD-202105-1545
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-390457
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-30724
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-390457
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-30724
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ZDI:	CVE-2021-30724
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-21-794 // VULHUB: VHN-390457 // CNNVD: CNNVD-202105-1545 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-30724

PROBLEMTYPE DATA

problemtype:

NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2021-30724

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202105-1545

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-202105-1545

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-390457

PATCH

title:	-	url:	https://support.apple.com/HT212529	Trust: 0.7
title:	Apple tvOS Fixes for permissions and access control issues vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=151730	Trust: 0.6
title:	Apple: iOS 14.6 and iPadOS 14.6	url:	https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=aebc753d2fbbe6784a52339b16fd5417	Trust: 0.1

sources: ZDI: ZDI-21-794 // VULMON: CVE-2021-30724 // CNNVD: CNNVD-202105-1545

EXTERNAL IDS

db:	NVD	id:	CVE-2021-30724	Trust: 2.7
db:	ZDI	id:	ZDI-21-794	Trust: 1.4
db:	PACKETSTORM	id:	162825	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-13345	Trust: 0.7
db:	CNNVD	id:	CNNVD-202105-1545	Trust: 0.7
db:	CS-HELP	id:	SB2021052503	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1794	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	PACKETSTORM	id:	162827	Trust: 0.2
db:	VULHUB	id:	VHN-390457	Trust: 0.1
db:	VULMON	id:	CVE-2021-30724	Trust: 0.1

sources: ZDI: ZDI-21-794 // VULHUB: VHN-390457 // VULMON: CVE-2021-30724 // PACKETSTORM: 162825 // PACKETSTORM: 162827 // CNNVD: CNNVD-202105-1545 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-30724

REFERENCES

url:	https://support.apple.com/en-us/ht212528	Trust: 1.7
url:	https://support.apple.com/en-us/ht212529	Trust: 1.7
url:	https://support.apple.com/en-us/ht212530	Trust: 1.7
url:	https://support.apple.com/en-us/ht212531	Trust: 1.7
url:	https://support.apple.com/en-us/ht212532	Trust: 1.7
url:	https://support.apple.com/en-us/ht212533	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30724	Trust: 0.8
url:	https://support.apple.com/ht212529	Trust: 0.7
url:	https://www.zerodayinitiative.com/advisories/zdi-21-794/	Trust: 0.7
url:	https://vigilance.fr/vulnerability/apple-ios-multiple-vulnerabilities-35513	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021052503	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1794	Trust: 0.6
url:	https://packetstormsecurity.com/files/162825/apple-security-advisory-2021-05-25-7.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30744	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-21779	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30689	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30715	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30749	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30740	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30705	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30710	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30697	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30685	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30737	Trust: 0.2
url:	https://www.apple.com/support/security/pgp/	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30704	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30736	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30707	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30720	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30686	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30687	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30677	Trust: 0.2
url:	https://support.apple.com/kb/ht201222	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30727	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30700	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30682	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30701	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30734	Trust: 0.2
url:	https://support.apple.com/kb/ht212528	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30663	Trust: 0.1
url:	https://support.apple.com/ht212532.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30665	Trust: 0.1
url:	https://support.apple.com/ht212533.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30681	Trust: 0.1

CREDITS

Mickey Jin (@patch1t) of Trend Micro

Trust: 1.3

sources: ZDI: ZDI-21-794 // CNNVD: CNNVD-202105-1545

SOURCES

db:	ZDI	id:	ZDI-21-794
db:	VULHUB	id:	VHN-390457
db:	VULMON	id:	CVE-2021-30724
db:	PACKETSTORM	id:	162825
db:	PACKETSTORM	id:	162827
db:	CNNVD	id:	CNNVD-202105-1545
db:	CNNVD	id:	CNNVD-202104-975
db:	NVD	id:	CVE-2021-30724

LAST UPDATE DATE

2024-08-14T13:15:01.002000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-21-794	date:	2021-07-13T00:00:00
db:	VULHUB	id:	VHN-390457	date:	2023-01-09T00:00:00
db:	CNNVD	id:	CNNVD-202105-1545	date:	2022-05-05T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	NVD	id:	CVE-2021-30724	date:	2023-01-09T16:41:59.350

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-21-794	date:	2021-07-13T00:00:00
db:	VULHUB	id:	VHN-390457	date:	2021-09-08T00:00:00
db:	PACKETSTORM	id:	162825	date:	2021-05-26T17:50:13
db:	PACKETSTORM	id:	162827	date:	2021-05-26T17:50:55
db:	CNNVD	id:	CNNVD-202105-1545	date:	2021-05-25T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	NVD	id:	CVE-2021-30724	date:	2021-09-08T14:15:08.787