CVE-2021-30966
📋 TL;DR
This CVE describes a logic flaw in Apple's proxy auto-configuration (PAC) implementation that could cause user traffic to be sent to unintended proxy servers despite configured PAC settings. It affects macOS, iOS, iPadOS, watchOS, and tvOS users. The vulnerability could lead to traffic interception or monitoring by unauthorized proxy servers.
💻 Affected Systems
- macOS
- iOS
- iPadOS
- watchOS
- tvOS
📦 What is this software?
- iPadOS by Apple
- macOS by Apple: macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
- tvOS by Apple
- watchOS by Apple
⚠️ Risk & Real-World Impact
Worst Case
All user internet traffic could be intercepted, monitored, or modified by an attacker-controlled proxy server, potentially exposing sensitive data including credentials, financial information, and private communications.
Likely Case
Some user traffic could be leaked to unintended proxy servers, potentially exposing web browsing activity and unencrypted communications to monitoring or interception.
If Mitigated
With proper network segmentation and monitoring, impact would be limited to potential exposure of non-sensitive traffic on affected segments.
🎯 Exploit Status
Exploitation requires the ability to manipulate network proxy configurations or intercept network traffic. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Monterey 12.1, iOS 15.2, iPadOS 15.2, watchOS 8.3, tvOS 15.2
Vendor Advisory: https://support.apple.com/en-us/HT212975
Restart Required: Yes
Instructions:
1. Open System Settings/Preferences.
2. Navigate to Software Update.
3. Install the latest available update.
4. Restart the device when prompted.
🔧 Temporary Workarounds
Disable PAC Configuration
Temporarily disable proxy auto-configuration until systems can be patched.
Use Direct Network Connection
Configure devices to use direct internet connections without proxy servers.
🧯 If You Can't Patch
- Implement network monitoring for unexpected proxy traffic
- Segment affected devices and restrict their network access
🔍 How to Verify
Check if Vulnerable:
Check system version: Settings > General > About on iOS/iPadOS, Apple menu > About This Mac on macOS
Check Version:
sw_vers (macOS), Settings > General > About > Version (iOS/iPadOS)
Verify Fix Applied:
Verify system version is at or above: macOS 12.1, iOS 15.2, iPadOS 15.2, watchOS 8.3, tvOS 15.2
📡 Detection & Monitoring
Log Indicators:
- Unexpected proxy server connections in network logs
- PAC file fetch errors or anomalies
Network Indicators:
- Traffic routing to unexpected proxy servers
- DNS queries for unexpected proxy domains
SIEM Query:
proxy_server != expected_proxy AND device_os_version < patched_version
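The version check under "How to Verify" and the SIEM query above both reduce to two pieces of logic: compare a device's OS version against the fixed version for its platform, and flag proxy connections that do not match the expected proxy. The script below is an added example, not part of the advisory or any Apple tooling; it implements both offline. The sw_vers output, the log line format (host=, os=, proxy=) and the host names and proxy addresses in it are constructed for the example, and the patched-version table is taken from the "Official Fix" section of this page.

```python
"""Offline checks for CVE-2021-30966 exposure (added example, not from the advisory).

1. is_patched(): is a device's OS version at or above the fixed version?
2. find_suspicious(): the page's SIEM query,
   proxy_server != expected_proxy AND device_os_version < patched_version,
   run over constructed sample log lines.
"""
import re
from typing import Dict, List, Set, Tuple

# Minimum fixed versions from the advisory's "Patch Version" line.
PATCHED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "macOS": (12, 1),
    "iOS": (15, 2),
    "iPadOS": (15, 2),
    "watchOS": (8, 3),
    "tvOS": (15, 2),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.0.1' into (12, 0, 1); trailing build suffixes are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(platform: str, version: str) -> bool:
    """True when version >= the fixed version for the platform.

    Tuple comparison handles differing lengths correctly:
    (12, 0, 1) < (12, 1) and (12, 1) >= (12, 1).
    """
    return parse_version(version) >= PATCHED_VERSIONS[platform]


def parse_sw_vers(output: str) -> str:
    """Pull ProductVersion out of `sw_vers` output (macOS)."""
    for line in output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "ProductVersion":
            return value.strip()
    raise ValueError("ProductVersion not found in sw_vers output")


# Constructed sample of `sw_vers` output; the build string is a placeholder.
SAMPLE_SW_VERS = """ProductName:\tmacOS
ProductVersion:\t12.0.1
BuildVersion:\tPLACEHOLDER
"""

# Constructed proxy-connection log lines (hypothetical format):
# <timestamp> host=<device> os=<platform>/<version> proxy=<host:port>
SAMPLE_LOG = """2021-12-14T09:01:02Z host=mac-042 os=macOS/12.0.1 proxy=proxy.corp.example:8080
2021-12-14T09:01:05Z host=mac-042 os=macOS/12.0.1 proxy=203.0.113.7:3128
2021-12-14T09:02:11Z host=mac-077 os=macOS/12.1 proxy=203.0.113.7:3128
2021-12-14T09:03:40Z host=ipad-019 os=iPadOS/15.1 proxy=proxy.corp.example:8080
"""
LOG_RE = re.compile(r"host=(\S+) os=(\w+)/(\S+) proxy=(\S+)")


def find_suspicious(log: str, expected_proxies: Set[str]) -> List[dict]:
    """Return log entries where an unpatched device used an unexpected proxy.

    This is the page's SIEM query applied line by line; lines that do not
    match the expected format are skipped rather than treated as hits.
    """
    hits = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        host, platform, version, proxy = m.groups()
        if proxy not in expected_proxies and not is_patched(platform, version):
            hits.append({"host": host, "platform": platform,
                         "version": version, "proxy": proxy})
    return hits


if __name__ == "__main__":
    ver = parse_sw_vers(SAMPLE_SW_VERS)
    print(f"sample macOS {ver}: patched={is_patched('macOS', ver)}")
    for hit in find_suspicious(SAMPLE_LOG, {"proxy.corp.example:8080"}):
        print("unpatched device on unexpected proxy:", hit)
```

On a real Mac, feed the output of sw_vers into parse_sw_vers instead of the constructed sample; for iOS, iPadOS, watchOS and tvOS the version comes from the MDM inventory or Settings, as the page describes. The query deliberately only fires for unpatched devices, matching the SIEM query on the page; an unexpected proxy on an already patched device is still worth triage but points at a configuration problem rather than this CVE.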
🔗 References
- https://support.apple.com/en-us/HT212975
- https://support.apple.com/en-us/HT212976
- https://support.apple.com/en-us/HT212978
- https://support.apple.com/en-us/HT212980