November 6, 2020
Only five days after Apple released iOS 14.7, fixing 37 flaws of varying importance, the tech firm is back with an emergency update that addresses a critical zero-day under active exploitation. Tracked as CVE-2021-30807, the privilege escalation bug is a buffer overflow that allows a local application to escalate its rights on the system. The vulnerability exists due to a boundary error within the IOMobileFrameBuffer subsystem, potentially allowing a local app to trigger memory corruption and execute arbitrary code on the target device with kernel privileges.
It is important to note that to exploit this bug, the attacker would need local access to the target device and the authentication credentials. Even with this prerequisite, which rules out a wide spectrum of exploit possibilities, the flaw is still reported as actively exploited, so updating your Apple device is imperative. The versions that address the problem are iOS 14.7.1, iPadOS 14.7.1, and macOS Big Sur 11.5.1. It is a small update, but it is still important to apply as soon as possible, especially if your device is potentially accessible to other people.
According to a security researcher who has published a proof-of-concept exploit for CVE-2021-30807 on Twitter, this flaw could be useful for a jailbreak, which is something iPhone owners would do on their own devices, where they already have local access and credentials.
Also, Saar Amar, a Microsoft researcher, claims to have discovered this vulnerability four months ago and has now posted a detailed technical write-up on the flaw, so if you are interested in diving deeper, you should have a look. The researcher had also promised to release a full exploit for the flaw, which he was planning to do next month, but it appears that Apple's emergency fix caught him by surprise.
As for the NSO Pegasus zero-day that was rumored to be affecting fully-patched iPhones and which was somewhat expected to be addressed last week, this one doesn’t appear to be it. Local access privilege escalation doesn’t match the remote exploitation context that would typically characterize a Pegasus exploit, so this was either addressed in one of last week’s WebKit fixes or Apple’s security engineers need more time to develop a fix for it. That is, if it even exists.