-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3153
                APPLE-SA-2021-09-20-1 iOS 15 and iPadOS 15
                             21 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iOS
                   iPadOS
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Root Compromise                 -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-30863 CVE-2021-30857 CVE-2021-30855
                   CVE-2021-30854 CVE-2021-30851 CVE-2021-30849
                   CVE-2021-30848 CVE-2021-30847 CVE-2021-30846
                   CVE-2021-30843 CVE-2021-30842 CVE-2021-30841
                   CVE-2021-30838 CVE-2021-30837 CVE-2021-30835
                   CVE-2021-30826 CVE-2021-30825 CVE-2021-30819
                   CVE-2021-30815 CVE-2021-30811 CVE-2021-30810
                   CVE-2013-0340  

Reference:         ESB-2019.2136
                   ESB-2018.0201

Original Bulletin: 
   https://support.apple.com/HT212814

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2021-09-20-1 iOS 15 and iPadOS 15

iOS 15 and iPadOS 15 addresses the following issues. Information
about the security content is also available at
https://support.apple.com/HT212814.

Accessory Manager
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory consumption issue was addressed with improved
memory handling.
CVE-2021-30837: Siddharth Aeri (@b1n4r1b01)

AppleMobileFileIntegrity
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A local attacker may be able to read sensitive information
Description: This issue was addressed with improved checks.
CVE-2021-30811: an anonymous researcher working with Compartir

Apple Neural Engine
Available for devices with Apple Neural Engine: iPhone 8 and later,
iPad Pro (3rd generation) and later, iPad Air (3rd generation) and
later, and iPad mini (5th generation) 
Impact: A malicious application may be able to execute arbitrary code
with system privileges on devices with an Apple Neural Engine
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2021-30838: proteas wang

CoreML
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2021-30825: hjy79425575 working with Trend Micro Zero Day
Initiative

Face ID
Available for devices with Face ID: iPhone X, iPhone XR, iPhone XS
(all models), iPhone 11 (all models), iPhone 12 (all models), iPad
Pro (11-inch), and iPad Pro (3rd generation)
Impact: A 3D model constructed to look like the enrolled user may be
able to authenticate via Face ID
Description: This issue was addressed by improving Face ID anti-
spoofing models.
CVE-2021-30863: Wish Wu (å\x{144}´æ½\x{141}æµ  @wish_wu) of Ant-financial Light-Year
Security Lab

FontParser
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing a maliciously crafted dfont file may lead to
arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2021-30841: Xingwei Lin of Ant Security Light-Year Lab
CVE-2021-30842: Xingwei Lin of Ant Security Light-Year Lab
CVE-2021-30843: Xingwei Lin of Ant Security Light-Year Lab

ImageIO
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: This issue was addressed with improved checks.
CVE-2021-30835: Ye Zhang of Baidu Security
CVE-2021-30847: Mike Zhang of Pangu Lab

Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A race condition was addressed with improved locking.
CVE-2021-30857: Zweig of Kunlun Lab

libexpat
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A remote attacker may be able to cause a denial of service
Description: This issue was addressed by updating expat to version
2.4.1.
CVE-2013-0340: an anonymous researcher

Model I/O
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing a maliciously crafted USD file may disclose memory
contents
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-30819: Apple

Preferences
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: An application may be able to access restricted files
Description: A validation issue existed in the handling of symlinks.
This issue was addressed with improved validation of symlinks.
CVE-2021-30855: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)
of Tencent Security Xuanwu Lab (xlab.tencent.com)

Preferences
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A logic issue was addressed with improved state
management.
CVE-2021-30854: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)
of Tencent Security Xuanwu Lab (xlab.tencent.com)

Siri
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A local attacker may be able to view contacts from the lock
screen
Description: A lock screen issue allowed access to contacts on a
locked device. This issue was addressed with improved state
management.
CVE-2021-30815: an anonymous researcher

Telephony
Available for: iPhone SE (1st generation), iPad Pro 12.9-inch, iPad
Air 2, iPad (5th generation), and iPad mini 4
Impact: In certain situations, the baseband would fail to enable
integrity and ciphering protection
Description: A logic issue was addressed with improved state
management.
CVE-2021-30826: CheolJun Park, Sangwook Bae and BeomSeok Oh of KAIST
SysSec Lab

WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2021-30846: Sergei Glazunov of Google Project Zero

WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to code
execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2021-30848: Sergei Glazunov of Google Project Zero

WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2021-30849: Sergei Glazunov of Google Project Zero

WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to code
execution
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2021-30851: Samuel GroÃ\x{159} of Google Project Zero

Wi-Fi
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: An attacker in physical proximity may be able to force a user
onto a malicious Wi-Fi network during device setup
Description: An authorization issue was addressed with improved state
management.
CVE-2021-30810: an anonymous researcher

Additional recognition

Assets
We would like to acknowledge Cees Elzinga for their assistance.

Bluetooth
We would like to acknowledge an anonymous researcher for their
assistance.

File System
We would like to acknowledge Siddharth Aeri (@b1n4r1b01) for their
assistance.

Sandbox
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security for their assistance.

UIKit
We would like to acknowledge an anonymous researcher for their
assistance.

Installation note:

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About
* The version after applying this update will be "15.0"

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmFI88sACgkQeC9qKD1p
rhjVNxAAx5mEiw7NE47t6rO8Y93xPrNSk+7xcqPeBHUCg+rLmqxtOhITRVUw0QLH
sBIwSVK1RxxRjasBfgwbh1jyMYg6EzfKNQOeZGnjLA4WRmIj728aGehJ56Z/ggpJ
awJNPvfzyoSdFgdwntj2FDih/d4oJmMwIyhNvqGrSwuybq9sznxJsTbpRbKWFhiz
y/phwVywo0A//XBiup3hrscl5SmxO44WBDlL+MAv4FnRPk7IGbBCfO8HnhO/9j1n
uSNoKtnJt2f6/06E0wMLStBSESKPSmKSz65AtR6h1oNytEuJtyHME8zOtz/Z9hlJ
fo5f6tN6uCgYgYs7dyonWk5qiL7cue3ow58dPjZuNmqxFeu5bCc/1G47LDcdwoAg
o0aU22MEs4wKdBWrtFI40BQ5LEmFrh3NM82GwFYDBz92x7B9SpXMau6F82pCvvyG
wNbRL5PzHUMa1/LfVcoOyWk0gZBeD8/GFzNmwBeZmBMlpoPRo5bkyjUn8/ABG+Ie
665EHgGYs5BIV20Gviax0g4bjGHqEndfxdjyDHzJ87d65iA5uYdOiw61WpHq9kwH
hK4e6BF0CahTrpz6UGVuOA/VMMDv3ZqhW+a95KBzDa7dHVnokpV+WiMJcmoEJ5gI
5ovpqig9qjf7zMv3+3Mlij0anQ24w7+MjEBk7WDG+2al83GCMAE=
=nkJd
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYUk+HuNLKJtyKPYoAQj5Zw//ZWn4whrm+kwr9q9F6dgsC+CK0SMTCeJI
zx9V6bAADuK/tvqtG3u9QHGbodWQssW1P4bipNjkW+UhMmogJ4kS/kEeXOafme3P
tm+kiuSz9pLLKsnjT23V9Sa3jNiprjGBazzw81/RbKz7XISUmgeQr3hRbMWZq7XK
Gj1z7WJJG8AUjdZyMhjTXpcwUH93hnI1u8cH+h8yh9MG06FR7gq+wR1FdnGlBq66
cbvDpodl00nY3H6X9GWY0IfTV/86vpmV2/w9n3Dh0oNBr9PaKnCGLcsOX/sUpUdo
X+dGpLT03Q05j6yZ0hApYUzzOS90HVCfogYm7SlqbG9zOGoPML+GaZdCKaE6lpzu
slyVUw+4Gx5Iv4vRdLE+pUD+NNPN4IsvjHRudZm7hjG4GRwa6eZ8dCIZCVtvhev8
gqgADjIeXj9Ww4BH2HmYFELd8btugnbCJm7sitQIaDyMkujRDTl4GOoap9VQQVW4
6sBSVeOJfiuWsIqD9iQ7FJ66ZvLixTCC2yR2fKGgvwsC5iTYtmupat6ScUZUy2oe
a3OV+xLgq2VznJmzMnqAZjQJ8spkboA2cJETIln2nxo3anUdqFz+ZhY9tCVXUL1w
7MmKuQV1yt2bzhypUV+E41B4c0hDKVKWWDt7MnFIBH2dn9ZDmHUJTpfc6eda7xSm
n8+KxJfboaE=
=IqwD
-----END PGP SIGNATURE-----