Active Exploitation of Apple Zero-Day Vulnerabilities

Summary

A recently disclosed zero-day, tracked as CVE-2021-30657, enables client-side malware execution and is being exploited in the wild by the Shlayer malware.

Advisory Type: Vulnerability Intelligence
CVE ID: CVE-2021-30657, CVE-2021-30663, CVE-2021-30665, CVE-2021-30666
Vulnerability Type: Remote Code Execution
Vulnerable Application: Apple WebKit Engine
Affected Platform: iOS/macOS/watchOS

Executive Summary

Adversaries are actively exploiting zero-day vulnerabilities in Apple's iOS and macOS. According to the security advisories published by Apple, critical bugs exist in the WebKit engine, the browser rendering engine used by Safari and by other applications that render HTML. When exploited, the publicly disclosed bugs lead to remote code execution on affected systems. A separate zero-day, tracked as CVE-2021-30657, enables client-side malware execution by bypassing Apple's File Quarantine, Gatekeeper, and Notarization security checks. This bug is actively exploited in the wild by the Shlayer malware.

Threat Vector

The WebKit bugs are triggered when the victim visits a malicious website hosted by the threat actor.

CVE             Type                    Description
CVE-2021-30663  Integer Overflow/RCE    An integer overflow that can be reached through crafted web content and may lead to code execution
CVE-2021-30665  Memory Corruption/RCE   A memory corruption issue that can be reached through crafted web content and may lead to code execution
CVE-2021-30666  Buffer Overflow/RCE     A buffer overflow that can be reached through crafted web content and may lead to code execution
Active Malware Campaigns Targeting Apple 0-Days

CVE             Type             Description
CVE-2021-30657  Security Bypass  Bypasses Apple's File Quarantine, Gatekeeper, and Notarization security checks

Shlayer Malware

Apple patched the zero-day CVE-2021-30657, which targets macOS and was exploited in the wild by the Shlayer malware to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks in order to download second-stage malicious payloads.

Impact and Mitigation

Impact

  • RCE gives an attacker unauthorized access to the target device's OS and file system, leading to compromise of user data.
  • Attackers gain arbitrary code execution on the victim device, compromising control of the device and its security.
  • Security bypass vulnerabilities allow malware to execute despite the protective features present on the device.

Mitigation

For CVE-2021-30663 / CVE-2021-30665 / CVE-2021-30666:
  • The list of affected devices includes:
    • iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
    • macOS Big Sur
    • Apple Watch Series 3 and later
  • The bugs have been patched in recent updates, including iOS 14.5.1, iOS 12.5.3, macOS Big Sur 11.3.1, and watchOS 7.4.1.
For CVE-2021-30657:
  • Apple has fixed the bug in macOS 11.3.
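As an added example that is not part of this advisory, the Python below turns the fixed versions listed above into a per-device exposure check, so an inventory can be triaged against all four CVEs at once. The fixed versions come from the advisory; the device inventory is constructed sample data, and the treatment of an iOS branch the advisory does not list (such as iOS 13) as exposed is a conservative assumption of this example.

```python
"""Patch-status check for the CVEs in this advisory (added example)."""
from typing import Dict, List, Tuple

WEBKIT_CVES = ("CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666")

# (platform, major release branch, first fixed version, CVEs fixed there).
# Versions are those stated in the advisory. iOS 12.5.3 is the fix for
# older devices, so the check must compare within the device's own branch.
ADVISORY_FIXES = [
    ("iOS", 14, "14.5.1", WEBKIT_CVES),
    ("iOS", 12, "12.5.3", WEBKIT_CVES),
    ("macOS", 11, "11.3.1", WEBKIT_CVES),
    ("macOS", 11, "11.3", ("CVE-2021-30657",)),  # Gatekeeper bypass fixed earlier
    ("watchOS", 7, "7.4.1", WEBKIT_CVES),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'11.3' -> (11, 3) so that tuple comparison orders versions."""
    return tuple(int(p) for p in v.split("."))


def is_at_least(installed: str, fixed: str) -> bool:
    """True when installed >= fixed; pad so '11.3' == '11.3.0' < '11.3.1'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def unpatched_cves(platform: str, installed: str) -> List[str]:
    """Advisory CVEs a device on `installed` is still exposed to.

    Only fixes for the device's own major branch apply. A branch with no
    listed fix is treated as exposed to every CVE for that platform
    (conservative assumption, not a statement from the advisory)."""
    major = parse_version(installed)[0]
    on_platform = [f for f in ADVISORY_FIXES if f[0] == platform]
    on_branch = [f for f in on_platform if f[1] == major]
    if not on_branch:
        return sorted({c for *_, cves in on_platform for c in cves})
    exposed = {c for _, _, fixed, cves in on_branch
               if not is_at_least(installed, fixed) for c in cves}
    return sorted(exposed)


# Constructed sample inventory: (asset name, platform, installed version).
SAMPLE_INVENTORY = [
    ("iphone-6s-01", "iOS", "12.5.2"),
    ("ipad-pro-07", "iOS", "14.5.1"),
    ("mbp-finance-3", "macOS", "11.3"),
    ("watch-s3-02", "watchOS", "7.4.1"),
]


def triage(inventory=SAMPLE_INVENTORY) -> Dict[str, List[str]]:
    """Map each asset to the CVEs it remains exposed to (empty = patched)."""
    return {name: unpatched_cves(plat, ver) for name, plat, ver in inventory}
```

A macOS host on 11.3 shows up as fixed for CVE-2021-30657 but still exposed to the three WebKit bugs, which is exactly the distinction the two mitigation entries above draw.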
