Apple Security Advisory 2021-12-15-1 - iOS 15.2 and iPadOS 15.2 addresses buffer overflow, bypass, code execution, integer overflow, out of bounds read, out of bounds write, and use-after-free vulnerabilities.
6c38fa3489f9bbd4ca8ebf0319e37798e0be437a126d76e4a131f8a53307d3cc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2021-12-15-1 iOS 15.2 and iPadOS 15.2
iOS 15.2 and iPadOS 15.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212976.
Audio
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Parsing a maliciously crafted audio file may lead to
disclosure of user information
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30960: JunDong Xie of Ant Security Light-Year Lab
CFNetwork Proxies
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: User traffic might unexpectedly be leaked to a proxy server
despite PAC configurations
Description: A logic issue was addressed with improved state
management.
CVE-2021-30966: Michal Rajcan of Jamf, Matt Vlasach of Jamf (Wandera)
ColorSync
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A memory corruption issue in the processing of ICC
profiles was addressed with improved input validation.
CVE-2021-30926: Jeremy Brown
CVE-2021-30942: Mateusz Jurczyk of Google Project Zero
CoreAudio
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30957: JunDong Xie of Ant Security Light-Year Lab
CoreAudio
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Playing a malicious audio file may lead to arbitrary code
execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-30958: JunDong Xie of Ant Security Light-Year Lab
Crash Reporter
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A local attacker may be able to elevate their privileges
Description: This issue was addressed with improved checks.
CVE-2021-30945: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)
of Tencent Security Xuanwu Lab (xlab.tencent.com)
FaceTime
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A user in a FaceTime call may unexpectedly leak sensitive
user information through Live Photos metadata
Description: This issue was addressed with improved handling of file
metadata.
CVE-2021-30992: Aaron Raimist
ImageIO
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30939: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab, Mickey Jin (@patch1t) of Trend Micro
IOMobileFrameBuffer
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A race condition was addressed with improved state
handling.
CVE-2021-30996: Saar Amar (@AmarSaar)
IOMobileFrameBuffer
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30983: Pangu
IOMobileFrameBuffer
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2021-30985: Tielei Wang of Pangu Lab
IOMobileFrameBuffer
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30991: Tielei Wang of Pangu Lab
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2021-30937: Sergei Glazunov of Google Project Zero
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-30927: Xinru Chi of Pangu Lab
CVE-2021-30980: Xinru Chi of Pangu Lab
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2021-30949: Ian Beer of Google Project Zero
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: An attacker in a privileged network position may be able to
execute arbitrary code
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30993: OSS-Fuzz, Ned Williamson of Google Project Zero
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A race condition was addressed with improved state
handling.
CVE-2021-30955: Zweig of Kunlun Lab
Model I/O
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing a maliciously crafted USD file may lead to
unexpected application termination or arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2021-30971: Ye Zhang (@co0py_Cat) of Baidu Security
Model I/O
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing a maliciously crafted file may disclose user
information
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-30973: Ye Zhang (@co0py_Cat) of Baidu Security
Model I/O
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing a maliciously crafted USD file may disclose memory
contents
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2021-30929: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab
Model I/O
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing a maliciously crafted USD file may lead to
unexpected application termination or arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30979: Mickey Jin (@patch1t) of Trend Micro
Model I/O
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing a maliciously crafted USD file may disclose memory
contents
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30940: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab
CVE-2021-30941: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab
NetworkExtension
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A local attacker may be able to read sensitive information
Description: A permissions issue was addressed with improved
validation.
CVE-2021-30967: Denis Tokarev (@illusionofcha0s)
NetworkExtension
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A malicious application may be able to identify what other
applications a user has installed
Description: A permissions issue was addressed with improved
validation.
CVE-2021-30988: Denis Tokarev (@illusionofcha0s)
Notes
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A person with physical access to an iOS device may be able to
access contacts from the lock screen
Description: The issue was addressed with improved permissions logic.
CVE-2021-30932: Kevin Böttcher
Password Manager
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A person with physical access to an iOS device may be able to
access stored passwords without authentication
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2021-30948: Patrick Glogner
Preferences
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A malicious application may be able to elevate privileges
Description: A race condition was addressed with improved state
handling.
CVE-2021-30995: Mickey Jin (@patch1t) of Trend Micro, Mickey Jin
(@patch1t)
Sandbox
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A malicious application may be able to bypass certain Privacy
preferences
Description: A validation issue related to hard link behavior was
addressed with improved sandbox restrictions.
CVE-2021-30968: Csaba Fitzl (@theevilbit) of Offensive Security
Sandbox
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A malicious application may be able to bypass certain Privacy
preferences
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30946: @gorelics
Sandbox
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: An application may be able to access a user's files
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2021-30947: Csaba Fitzl (@theevilbit) of Offensive Security
TCC
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A local user may be able to modify protected parts of the
file system
Description: A logic issue was addressed with improved state
management.
CVE-2021-30767: @gorelics
TCC
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: A malicious application may be able to bypass Privacy
preferences
Description: An inherited permissions issue was addressed with
additional restrictions.
CVE-2021-30964: Andy Grant of Zoom Video Communications
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30934: Dani Biro
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-30936: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua
wingtecher lab
CVE-2021-30951: Pangu
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: An integer overflow was addressed with improved input
validation.
CVE-2021-30952: WeBin
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A race condition was addressed with improved state
handling.
CVE-2021-30984: Kunlun Lab
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30953: VRIJ
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2021-30954: Kunlun Lab
Additional recognition
Bluetooth
We would like to acknowledge Haram Park, Korea University for their
assistance.
CloudKit
We would like to acknowledge Ryan Pickren (ryanpickren.com) for their
assistance.
ColorSync
We would like to acknowledge Mateusz Jurczyk of Google Project Zero
for their assistance.
Contacts
We would like to acknowledge Minchan Park (03stin) for their
assistance.
CoreText
We would like to acknowledge Yuto Sakata of Osaka Institute of
Technology, an anonymous researcher for their assistance.
Kernel
We would like to acknowledge Amit Klein of Bar-Ilan University's
Center for Research in Applied Cryptography and Cyber Security for
their assistance.
Model I/O
We would like to acknowledge Rui Yang and Xingwei Lin of Ant Security
Light-Year Lab for their assistance.
WebKit
We would like to acknowledge Peter Snyder of Brave and Soroush Karami
for their assistance.
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About
* The version after applying this update will be "15.2"
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmG6UlcACgkQeC9qKD1p
rhiG7Q//QAlwYO3POlhNzv+lp++7j1r5DklzW3HpKgiSZ/6BEIK3mrUlfL5uzLL6
Z802CRYyVw1cbZT789t9NX3Ai4XrLDAv2cSRdim7TEID4ElM3+bJP+UcSwsIO822
M093OFzR4VmYhMoKbWYb6VPxUl9kLqgrD/k7ps6qbZJJVlLHblS1xS/MEyh3go/G
pey2+qSOuEiuODaUWnUpEicfI3pCMDqoALJPqYNq6EOhDDcTc3XztOkIRBOY3AU3
VdqLn+FkTXn5WxGqUNDBOQEJzu0v5ZBw4H+7dz+SNvq0v7xWuLpPQm5WeDv4u3gy
9KBCu5YFDYaix4K4pA6N4oZ3D3A+ildx8D5PtfGK0gpRUbnsjf7fhvQwjG58TO7G
yoBKMFWCbyDvBqT6wNXYkb9CTNwxs3KzpRAVuww6+tFkBIVeg/2d5IK5d/oVQGNW
QbATKirLNYq5kHRNKtv506QGCazeEk7dhxlVB31fDavr4cmf533zrrlLNrIdYREA
y2yYuCOsQZTEC2R74ljTf4BJ9zDlaAE/NVFtvZrSNOpYfoJ7ps6VdSCS7Z/4+GvS
2cF8IIscQ24Ovlfd6YTP7V5jL3JYuI/4W4Wx7/FLFpHbAt0+2CcaVf+V6rQrlyLr
0WJNv9KTxKL9JbqJ04bMVu/qcxcRShGHKeSeBD804FlPjoaN9Vw=
=eZuK
-----END PGP SIGNATURE-----