-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4265
          APPLE-SA-2021-12-15-4 Security Update 2021-008 Catalina
                             16 December 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           macOS Catalina
Publisher:         Apple
Operating System:  macOS
Impact/Access:     Root Compromise                 -- Existing Account            
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Permissions              -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-30995 CVE-2021-30990 CVE-2021-30982
                   CVE-2021-30981 CVE-2021-30980 CVE-2021-30979
                   CVE-2021-30977 CVE-2021-30976 CVE-2021-30975
                   CVE-2021-30973 CVE-2021-30971 CVE-2021-30969
                   CVE-2021-30968 CVE-2021-30965 CVE-2021-30963
                   CVE-2021-30961 CVE-2021-30959 CVE-2021-30958
                   CVE-2021-30950 CVE-2021-30949 CVE-2021-30945
                   CVE-2021-30942 CVE-2021-30941 CVE-2021-30940
                   CVE-2021-30939 CVE-2021-30938 CVE-2021-30937
                   CVE-2021-30935 CVE-2021-30931 CVE-2021-30929
                   CVE-2021-30927 CVE-2021-30767 

Reference:         ESB-2021.4260
                   ESB-2021.4262

Original Bulletin: 
   https://support.apple.com/HT212981

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2021-12-15-4 Security Update 2021-008 Catalina

Security Update 2021-008 Catalina addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212981.

Archive Utility
Available for: macOS Catalina
Impact: A malicious application may bypass Gatekeeper checks
Description: A logic issue was addressed with improved state
management.
CVE-2021-30950: @gorelics

Bluetooth
Available for: macOS Catalina
Impact: A malicious application may be able to disclose kernel memory
Description: A logic issue was addressed with improved validation.
CVE-2021-30931: Weiteng Chen, Zheng Zhang, and Zhiyun Qian of UC
Riverside, and Yu Wang of Didi Research America

Bluetooth
Available for: macOS Catalina
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A logic issue was addressed with improved validation.
CVE-2021-30935: an anonymous researcher

ColorSync
Available for: macOS Catalina
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A memory corruption issue in the processing of ICC
profiles was addressed with improved input validation.
CVE-2021-30942: Mateusz Jurczyk of Google Project Zero

CoreAudio
Available for: macOS Catalina
Impact: Playing a malicious audio file may lead to arbitrary code
execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-30958: JunDong Xie of Ant Security Light-Year Lab

CoreAudio
Available for: macOS Catalina
Impact: Parsing a maliciously crafted audio file may lead to
disclosure of user information
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30959: JunDong Xie of Ant Security Light-Year Lab
CVE-2021-30961: an anonymous researcher
CVE-2021-30963: JunDong Xie of Ant Security Light-Year Lab

Crash Reporter
Available for: macOS Catalina
Impact: A local attacker may be able to elevate their privileges
Description: This issue was addressed with improved checks.
CVE-2021-30945: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)
of Tencent Security Xuanwu Lab (xlab.tencent.com)

Graphics Drivers
Available for: macOS Catalina
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2021-30977: Jack Dates of RET2 Systems, Inc.

Help Viewer
Available for: macOS Catalina
Impact: Processing a maliciously crafted URL may cause unexpected
JavaScript execution from a file on disk
Description: A path handling issue was addressed with improved
validation.
CVE-2021-30969: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)
of Tencent Security Xuanwu Lab (xlab.tencent.com)

ImageIO
Available for: macOS Catalina
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30939: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab, Mickey Jin (@patch1t) of Trend Micro

Intel Graphics Driver
Available for: macOS Catalina
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2021-30981: an anonymous researcher, Liu Long of Ant Security
Light-Year Lab

IOUSBHostFamily
Available for: macOS Catalina
Impact: A remote attacker may be able to cause unexpected application
termination or heap corruption
Description: A race condition was addressed with improved locking.
CVE-2021-30982: Weiteng Chen, Zheng Zhang, and Zhiyun Qian of UC
Riverside, and Yu Wang of Didi Research America

Kernel
Available for: macOS Catalina
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-30927: Xinru Chi of Pangu Lab
CVE-2021-30980: Xinru Chi of Pangu Lab

Kernel
Available for: macOS Catalina
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2021-30937: Sergei Glazunov of Google Project Zero

Kernel
Available for: macOS Catalina
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2021-30949: Ian Beer of Google Project Zero

LaunchServices
Available for: macOS Catalina
Impact: A malicious application may bypass Gatekeeper checks
Description: A logic issue was addressed with improved validation.
CVE-2021-30990: Ron Masas of BreakPoint.sh

LaunchServices
Available for: macOS Catalina
Impact: A malicious application may bypass Gatekeeper checks
Description: A logic issue was addressed with improved state
management.
CVE-2021-30976: chenyuwang (@mzzzz__) and Kirin (@Pwnrin) of Tencent
Security Xuanwu Lab

Model I/O
Available for: macOS Catalina
Impact: Processing a maliciously crafted USD file may disclose memory
contents
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2021-30929: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab

Model I/O
Available for: macOS Catalina
Impact: Processing a maliciously crafted USD file may lead to
unexpected application termination or arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30979: Mickey Jin (@patch1t) of Trend Micro

Model I/O
Available for: macOS Catalina
Impact: Processing a maliciously crafted USD file may disclose memory
contents
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30940: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab
CVE-2021-30941: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab

Model I/O
Available for: macOS Catalina
Impact: Processing a maliciously crafted file may disclose user
information
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-30973: Ye Zhang (@co0py_Cat) of Baidu Security

Model I/O
Available for: macOS Catalina
Impact: Processing a maliciously crafted USD file may lead to
unexpected application termination or arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2021-30971: Ye Zhang (@co0py_Cat) of Baidu Security

Preferences
Available for: macOS Catalina
Impact: A malicious application may be able to elevate privileges
Description: A race condition was addressed with improved state
handling.
CVE-2021-30995: Mickey Jin (@patch1t) of Trend Micro, Mickey Jin
(@patch1t)

Sandbox
Available for: macOS Catalina
Impact: A malicious application may be able to bypass certain Privacy
preferences
Description: A validation issue related to hard link behavior was
addressed with improved sandbox restrictions.
CVE-2021-30968: Csaba Fitzl (@theevilbit) of Offensive Security

Script Editor
Available for: macOS Catalina
Impact: A malicious OSAX scripting addition may bypass Gatekeeper
checks and circumvent sandbox restrictions
Description: This issue was addressed by disabling execution of
JavaScript when viewing a scripting dictionary.
CVE-2021-30975: Ryan Pickren (ryanpickren.com)

TCC
Available for: macOS Catalina
Impact: A local user may be able to modify protected parts of the
file system
Description: A logic issue was addressed with improved state
management.
CVE-2021-30767: @gorelics

TCC
Available for: macOS Catalina
Impact: A malicious application may be able to cause a denial of
service to Endpoint Security clients
Description: A logic issue was addressed with improved state
management.
CVE-2021-30965: Csaba Fitzl (@theevilbit) of Offensive Security

Wi-Fi
Available for: macOS Catalina
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: This issue was addressed with improved checks.
CVE-2021-30938: Xinru Chi of Pangu Lab

Additional recognition

Admin Framework
We would like to acknowledge Simon Andersen of Aarhus University and
Pico Mitchell for their assistance.

ColorSync
We would like to acknowledge Mateusz Jurczyk of Google Project Zero
for their assistance.

Contacts
We would like to acknowledge Minchan Park (03stin) for their
assistance.

Kernel
We would like to acknowledge Amit Klein of Bar-Ilan University's
Center for Research in Applied Cryptography and Cyber Security for
their assistance.

Model I/O
We would like to acknowledge Rui Yang and Xingwei Lin of Ant Security
Light-Year Lab for their assistance.

Installation note:
This update may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----