CVE-2021-30752
📋 TL;DR
This vulnerability allows arbitrary code execution when processing malicious images due to an out-of-bounds read. It affects Apple devices running vulnerable versions of macOS, iOS, iPadOS, watchOS, and tvOS. Attackers can exploit this by tricking users into opening crafted image files.
💻 Affected Systems
- macOS
- iOS
- iPadOS
- watchOS
- tvOS
📦 What is this software?
Ipados by Apple
Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →Tvos by Apple
Watchos by Apple
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the device, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Limited code execution in the context of the image processing application, potentially allowing data exfiltration or further privilege escalation.
If Mitigated
No impact if devices are patched or if image processing is restricted to trusted sources only.
🎯 Exploit Status
Exploitation requires user interaction to open malicious images, but no authentication is needed once the image is processed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Big Sur 11.3, iOS 14.5, iPadOS 14.5, watchOS 7.4, tvOS 14.5
Vendor Advisory: https://support.apple.com/en-us/HT212317
Restart Required: Yes
Instructions:
1. Go to Settings > General > Software Update on iOS/iPadOS/watchOS/tvOS or System Preferences > Software Update on macOS. 2. Download and install the available update. 3. Restart the device when prompted.
🔧 Temporary Workarounds
Restrict image sources
allOnly open images from trusted sources and avoid downloading/opening images from unknown or untrusted websites/emails.
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized applications.
- Use network segmentation to isolate vulnerable devices from critical systems.
🔍 How to Verify
Check if Vulnerable:
Check the operating system version against the vulnerable versions listed in the affected systems section.Check Version:
On macOS: sw_vers -productVersion. On iOS/iPadOS: Settings > General > About > Version. On watchOS: Watch app > General > About > Version. On tvOS: Settings > General > About > Version.Verify Fix Applied:
Verify the device is running macOS 11.3+, iOS 14.5+, iPadOS 14.5+, watchOS 7.4+, or tvOS 14.5+.📡 Detection & Monitoring
Log Indicators:
- Unusual process crashes in image processing applications
- Suspicious file access patterns to image files
Network Indicators:
- Unexpected outbound connections from devices after image processing
SIEM Query:
Process creation events from image viewers/editors followed by network connections or file access anomalies.🔗 References
- https://support.apple.com/en-us/HT212317
- https://support.apple.com/en-us/HT212323
- https://support.apple.com/en-us/HT212324
- https://support.apple.com/en-us/HT212325
- https://support.apple.com/en-us/HT212317
- https://support.apple.com/en-us/HT212323
- https://support.apple.com/en-us/HT212324
- https://support.apple.com/en-us/HT212325
