CVE-2021-30949

Q: What is the severity of CVE-2021-30949?

CVE-2021-30949 has a CVSS score of 7.8 (HIGH). This CVE describes a memory corruption vulnerability in Apple's XNU kernel that allows a malicious application to execute arbitrary code with kernel privileges. It affects multiple Apple operating systems including macOS, iOS, iPadOS, tvOS, and watchOS. Attackers could gain complete control over affected devices.

7.8 HIGH

📋 TL;DR

This CVE describes a memory corruption vulnerability in Apple's XNU kernel that allows a malicious application to execute arbitrary code with kernel privileges. It affects multiple Apple operating systems including macOS, iOS, iPadOS, tvOS, and watchOS. Attackers could gain complete control over affected devices.

💻 Affected Systems

Products:

macOS
iOS
iPadOS
tvOS
watchOS

Versions: Versions prior to macOS Big Sur 11.6.2, macOS Monterey 12.1, Security Update 2021-008 Catalina, iOS 15.2, iPadOS 15.2, tvOS 15.2, watchOS 8.3

Operating Systems: Apple macOS, Apple iOS, Apple iPadOS, Apple tvOS, Apple watchOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected Apple operating systems are vulnerable. The vulnerability exists in the XNU kernel's mach_msg component.

📦 What is this software?

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Macos by Apple

Learn more about Macos →

Watchos by Apple

View all CVEs affecting Watchos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with kernel-level privileges, allowing attackers to install persistent malware, bypass all security controls, access all data, and potentially create botnet nodes.

🟠

Likely Case

Malicious applications from untrusted sources exploiting the vulnerability to gain elevated privileges, install additional payloads, and maintain persistence on compromised devices.

🟢

If Mitigated

Limited impact with proper application sandboxing, code signing enforcement, and restricted app installation sources preventing malicious applications from reaching vulnerable systems.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires a malicious application to be installed and executed on the target device. The vulnerability involves a use-after-free condition in mach_msg that can be leveraged for privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Big Sur 11.6.2, macOS Monterey 12.1, Security Update 2021-008 Catalina, iOS 15.2, iPadOS 15.2, tvOS 15.2, watchOS 8.3

Vendor Advisory: https://support.apple.com/en-us/HT212975

Restart Required: Yes

Instructions:

1. Open System Preferences > Software Update on macOS or Settings > General > Software Update on iOS/iPadOS. 2. Install the available security update. 3. Restart the device when prompted.

🔧 Temporary Workarounds

Restrict Application Sources

all

Only allow installation of applications from trusted sources like the App Store to prevent malicious apps from exploiting the vulnerability.

For macOS: System Preferences > Security & Privacy > General > Allow apps downloaded from: App Store
For iOS/iPadOS: Settings > General > Device Management > Verify trusted sources

🧯 If You Can't Patch

Implement strict application allowlisting to prevent unauthorized applications from executing
Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the operating system version against the patched versions listed in the fix information.

Check Version:

For macOS: sw_vers, For iOS/iPadOS: Settings > General > About > Version, For tvOS: Settings > General > About > Version, For watchOS: Watch app on iPhone > General > About > Version

Verify Fix Applied:

Verify the installed version matches or exceeds the patched versions: macOS Big Sur 11.6.2+, macOS Monterey 12.1+, iOS 15.2+, iPadOS 15.2+, tvOS 15.2+, watchOS 8.3+

📡 Detection & Monitoring

Log Indicators:

Unexpected kernel extensions loading
Processes running with unexpected elevated privileges
System integrity protection (SIP) violations

Network Indicators:

Unusual outbound connections from system processes
Command and control traffic from kernel-level processes

SIEM Query:

process_creation where parent_process_name contains "kernel" and process_name not in (approved_kernel_processes)

📊 Metadata

CVE ID: CVE-2021-30949

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: August 24, 2021

Last Updated: November 21, 2024

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Ipados by Apple

Iphone Os by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Macos by Apple

Macos by Apple

Watchos by Apple

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict Application Sources

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities