Active Exploitation of Apple Zero-Day Vulnerabilities

Published 20 May 2021


  • Adversaries are actively exploiting zero-day vulnerabilities in iOS and macOS
  • Three of the publicly disclosed bugs are WebKit flaws that allow remote code execution on affected devices; a fourth is a macOS logic flaw that lets malware bypass Gatekeeper


Advisory Type 
Vulnerability Intelligence
CVE ID
CVE-2021-30657, CVE-2021-30663, CVE-2021-30665, CVE-2021-30666
Vulnerability Type
Remote Code Execution [RCE] (CVE-2021-30663, CVE-2021-30665, CVE-2021-30666); Security Bypass (CVE-2021-30657)
Vulnerable Application
Apple WebKit rendering engine (CVE-2021-30663, CVE-2021-30665, CVE-2021-30666); macOS File Quarantine / Gatekeeper / Notarization (CVE-2021-30657)
Affected Platform
iOS/macOS/watchOS

Executive Summary

Adversaries are actively exploiting zero-day vulnerabilities in iOS and macOS. According to the security advisories published by Apple, three critical bugs are present in WebKit, the rendering engine used by Safari on iOS and macOS and by any application that embeds a web view to render HTML. When a vulnerable device processes maliciously crafted web content, these bugs allow an attacker to achieve arbitrary code execution on the device.

A fourth zero-day, CVE-2021-30657, is a logic flaw in macOS rather than a WebKit bug: it allows an attacker-supplied application to run without passing Apple's File Quarantine, Gatekeeper, and Notarization checks, so a user who opens the downloaded application receives none of the usual warnings. This bug was exploited in the wild by the Shlayer malware.

Threat Vector

The WebKit bugs are triggered when the victim loads attacker-controlled web content, typically by visiting a malicious website hosted by the threat actor or a legitimate site the actor has compromised; no interaction beyond rendering the page is required. CVE-2021-30657 instead requires the victim to download and open an attacker-supplied application, which then runs without the Gatekeeper prompt that would normally block unsigned or unnotarized software.

CVE             Type                     Description
CVE-2021-30663  Integer overflow / RCE   Integer overflow in WebKit; processing maliciously crafted web content may lead to arbitrary code execution
CVE-2021-30665  Memory corruption / RCE  Memory corruption in WebKit; processing maliciously crafted web content may lead to arbitrary code execution
CVE-2021-30666  Buffer overflow / RCE    Buffer overflow in WebKit; processing maliciously crafted web content may lead to arbitrary code execution
Active malware campaigns targeting Apple 0-days

CVE             Type             Description                                                                    Malware
CVE-2021-30657  Security bypass  Bypasses Apple's File Quarantine, Gatekeeper, and Notarization checks (macOS)  Shlayer

Apple has patched CVE-2021-30657, a macOS zero-day exploited in the wild by the Shlayer malware. Shlayer used the bug to bypass Apple's File Quarantine, Gatekeeper, and Notarization checks so that its unnotarized first-stage application ran without warning and could download second-stage malicious payloads.

Impact

  • Remote code execution gives the attacker unauthorized access to the device's operating system and file system, leading to compromise of user data.
  • Arbitrary code execution in the context of the browser or web view is a foothold from which an attacker can attempt to take full control of the device and disable its security features.
  • The security bypass allows malware to run without triggering the OS protections designed to block unsigned or unnotarized software, so the usual warnings to the user never appear.

Mitigations

For CVE-2021-30663 / CVE-2021-30665 / CVE-2021-30666

  • The list of affected devices includes:
    • iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
    • macOS Big Sur
    • Apple Watch Series 3 and later
  • The bugs have been patched in iOS 14.5.1 and iPadOS 14.5.1, iOS 12.5.3 (for older devices that cannot run iOS 14), macOS Big Sur 11.3.1, and watchOS 7.4.1. Update all devices to these versions or later; until then, treat any browsing on an unpatched device as exposed, because the bugs require only that a page be rendered.

For CVE-2021-30657

  • Apple fixed the bug in macOS Big Sur 11.3. Macs running 11.3.1 or later have both this fix and the WebKit fixes.
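The fixed versions listed above can be turned into a fleet check. The following POSIX shell script is an added example written for this page, not Apple's or any vendor's tooling. It assumes an inventory of `hostname os version` lines (the sample inventory is constructed, not real hosts), dotted numeric version strings, and, as this advisory states, that the three WebKit CVEs are fixed together at the versions listed. It does not model the standalone Safari updates that deliver WebKit fixes to older macOS releases, so it flags any macOS below 11.3.1 conservatively. The optional `assess_bundle` function only works on a Mac and uses `xattr` and `spctl` to show whether a downloaded bundle still carries the quarantine attribute and whether Gatekeeper accepts it.

```shell
#!/bin/sh
# Added example for this advisory (not Apple tooling): triage Apple OS versions
# against the fixed releases listed in the Mitigations section.

WEBKIT="CVE-2021-30663 CVE-2021-30665 CVE-2021-30666"   # fixed together per advisory
GATEKEEPER="CVE-2021-30657"                              # fixed in macOS 11.3

# version_ge A B: exit 0 when dotted version A >= B, comparing component-wise
# as integers ("11.10" > "11.9", "11.3" < "11.3.1"). Assumes numeric components.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}               # leading component of each
        [ "$ai" = "$a" ] && a="" || a=${a#*.}  # drop it (last one leaves "")
        [ "$bi" = "$b" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}               # a missing component counts as 0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# unpatched_cves OS VERSION: print the advisory's CVE IDs still unpatched at
# that version (space separated); print an empty line when fully patched.
unpatched_cves() {
    os="$1"; ver="$2"; out=""
    case "$os" in
        ios)
            case "$ver" in
                12.*) version_ge "$ver" 12.5.3 || out="$WEBKIT" ;;  # older-device train
                *)    version_ge "$ver" 14.5.1 || out="$WEBKIT" ;;
            esac ;;
        macos)
            # Catalina/Mojave receive WebKit fixes via standalone Safari updates
            # (not modelled here), so anything below 11.3.1 is flagged conservatively.
            version_ge "$ver" 11.3.1 || out="$WEBKIT"
            version_ge "$ver" 11.3   || out="${out:+$out }$GATEKEEPER" ;;
        watchos)
            version_ge "$ver" 7.4.1 || out="$WEBKIT" ;;
        *)
            echo "unpatched_cves: unknown os '$os'" >&2; return 2 ;;
    esac
    printf '%s\n' "$out"
}

# triage_inventory "lines": one "hostname os version" record per line.
triage_inventory() {
    printf '%s\n' "$1" | while read -r host os ver; do
        [ -z "$host" ] && continue
        cves=$(unpatched_cves "$os" "$ver") || cves="(unknown os)"
        printf '%-10s %-8s %-8s %s\n' "$host" "$os" "$ver" "${cves:-patched}"
    done
}

# assess_bundle PATH: on a Mac, show whether a downloaded app still carries the
# quarantine attribute and whether Gatekeeper accepts it. Requires macOS tools.
assess_bundle() {
    command -v spctl >/dev/null 2>&1 || { echo "assess_bundle: macOS only" >&2; return 2; }
    xattr -p com.apple.quarantine "$1" 2>/dev/null || echo "no quarantine attribute on $1"
    spctl --assess --type execute --verbose "$1"   # prints accepted / rejected
}

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY='mac-01 macos 11.2.3
mac-02 macos 11.3
mac-03 macos 11.3.1
phone-01 ios 14.5
phone-02 ios 14.5.1
phone-03 ios 12.5.3
watch-01 watchos 7.4'

triage_inventory "$SAMPLE_INVENTORY"
```

Feed real MDM export lines to `triage_inventory` in place of the sample; `mac-02` above illustrates the gap between the two macOS fixes, since 11.3 closes the Gatekeeper bypass but still lacks the WebKit patches shipped in 11.3.1.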
