ID

VAR-202104-0591


CVE

CVE-2021-1806


TITLE

Apple macOS process_token_BindQueryStoreRegisterToMemoryList Time-Of-Check Time-Of-Use Privilege Escalation Vulnerability

Trust: 1.4

sources: ZDI: ZDI-21-200 // ZDI: ZDI-21-198

DESCRIPTION

A race condition was addressed with additional validation. This issue is fixed in macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, macOS Mojave 10.14.6 Security Update 2021-002. An application may be able to execute arbitrary code with kernel privileges. This vulnerability allows local attackers to escalate privileges on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the AppleIntelKBLGraphics kext. The issue results from the lack of proper locking when performing operations on an object. There is a security vulnerability in the Intel Graphics Driver. Please keep an eye on CNNVD or the manufacturer's announcement.

APPLE-SA-2021-04-26-4 Security Update 2021-003 Mojave

Security Update 2021-003 Mojave addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212327.

APFS
Available for: macOS Mojave
Impact: A local user may be able to read arbitrary files
Description: The issue was addressed with improved permissions logic.
CVE-2021-1797: Thomas Tempelmann

Audio
Available for: macOS Mojave
Impact: An application may be able to read restricted memory
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1808: JunDong Xie of Ant Security Light-Year Lab

CFNetwork
Available for: macOS Mojave
Impact: Processing maliciously crafted web content may disclose sensitive user information
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2021-1857: an anonymous researcher

CoreAudio
Available for: macOS Mojave
Impact: A malicious application may be able to read restricted memory
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1809: JunDong Xie of Ant Security Light-Year Lab

CoreGraphics
Available for: macOS Mojave
Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1847: Xuwei Liu of Purdue University

CoreText
Available for: macOS Mojave
Impact: Processing a maliciously crafted font may result in the disclosure of process memory
Description: A logic issue was addressed with improved state management.
CVE-2021-1811: Xingwei Lin of Ant Security Light-Year Lab

curl
Available for: macOS Mojave
Impact: A remote attacker may be able to cause a denial of service
Description: A buffer overflow was addressed with improved input validation.
CVE-2020-8285: xnynx

curl
Available for: macOS Mojave
Impact: An attacker may provide a fraudulent OCSP response that would appear valid
Description: This issue was addressed with improved checks.
CVE-2020-8286: an anonymous researcher

DiskArbitration
Available for: macOS Mojave
Impact: A malicious application may be able to modify protected parts of the file system
Description: A permissions issue existed in DiskArbitration.
CVE-2021-1784: Csaba Fitzl (@theevilbit) of Offensive Security, an anonymous researcher, and Mikko Kenttälä (@Turmio_) of SensorFu

FontParser
Available for: macOS Mojave
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1881: Hou JingYi (@hjy79425575) of Qihoo 360, an anonymous researcher, Xingwei Lin of Ant Security Light-Year Lab, and Mickey Jin of Trend Micro

FontParser
Available for: macOS Mojave
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A logic issue was addressed with improved state management.
CVE-2020-27942: an anonymous researcher

Foundation
Available for: macOS Mojave
Impact: A malicious application may be able to gain root privileges
Description: A validation issue was addressed with improved logic.
CVE-2021-1813: Cees Elzinga

ImageIO
Available for: macOS Mojave
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2021-1843: Ye Zhang of Baidu Security

Intel Graphics Driver
Available for: macOS Mojave
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write was addressed with improved input validation.
CVE-2021-1805: ABC Research s.r.o. working with Trend Micro Zero Day Initiative

Intel Graphics Driver
Available for: macOS Mojave
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed with additional validation.
CVE-2021-1806: ABC Research s.r.o. working with Trend Micro Zero Day Initiative

Intel Graphics Driver
Available for: macOS Mojave
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2021-1834: ABC Research s.r.o. working with Trend Micro Zero Day Initiative

Kernel
Available for: macOS Mojave
Impact: A malicious application may be able to disclose kernel memory
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2021-1851: @0xalsr

Kernel
Available for: macOS Mojave
Impact: A local attacker may be able to elevate their privileges
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1840: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab

libxpc
Available for: macOS Mojave
Impact: A malicious application may be able to gain root privileges
Description: A race condition was addressed with additional validation.
CVE-2021-30652: James Hutchins

libxslt
Available for: macOS Mojave
Impact: Processing a maliciously crafted file may lead to heap corruption
Description: A double free issue was addressed with improved memory management.
CVE-2021-1875: Found by OSS-Fuzz

NSRemoteView
Available for: macOS Mojave
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2021-1876: Matthew Denton of Google Chrome

Preferences
Available for: macOS Mojave
Impact: A local user may be able to modify protected parts of the file system
Description: A parsing issue in the handling of directory paths was addressed with improved path validation.
CVE-2021-1739: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

smbx
Available for: macOS Mojave
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: An integer overflow was addressed with improved input validation.
CVE-2021-1878: Aleksandar Nikolic of Cisco Talos (talosintelligence.com)

Tailspin
Available for: macOS Mojave
Impact: A local attacker may be able to elevate their privileges
Description: A logic issue was addressed with improved state management.
CVE-2021-1868: Tim Michaud of Zoom Communications

tcpdump
Available for: macOS Mojave
Impact: A remote attacker may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2020-8037: an anonymous researcher

Time Machine
Available for: macOS Mojave
Impact: A local attacker may be able to elevate their privileges
Description: The issue was addressed with improved permissions logic.
CVE-2021-1839: Tim Michaud (@TimGMichaud) of Zoom Video Communications and Gary Nield of ECSC Group plc

Wi-Fi
Available for: macOS Mojave
Impact: An application may be able to cause unexpected system termination or write kernel memory
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1828: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab

wifivelocityd
Available for: macOS Mojave
Impact: An application may be able to execute arbitrary code with system privileges
Description: The issue was addressed with improved permissions logic.
CVE-2020-3838: Dayton Pidhirney (@_watbulb)

Windows Server
Available for: macOS Mojave
Impact: A malicious application may be able to unexpectedly leak a user's credentials from secure text fields
Description: An API issue in Accessibility TCC permissions was addressed with improved state management.
CVE-2021-1873: an anonymous researcher

Installation note:

This update may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 3.78

sources: NVD: CVE-2021-1806 // ZDI: ZDI-21-201 // ZDI: ZDI-21-200 // ZDI: ZDI-21-198 // ZDI: ZDI-21-197 // VULHUB: VHN-376466 // VULMON: CVE-2021-1806 // PACKETSTORM: 162362 // PACKETSTORM: 161398

AFFECTED PRODUCTS

vendor: apple, model: macos, scope: -, version: -

Trust: 2.8

vendor: apple, model: mac os x, scope: gte, version: 10.15

Trust: 1.0

vendor: apple, model: macos, scope: gte, version: 11.0

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.15.7

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.14.6

Trust: 1.0

vendor: apple, model: macos, scope: lt, version: 11.2.1

Trust: 1.0

vendor: apple, model: mac os x, scope: lt, version: 10.15.7

Trust: 1.0

vendor: apple, model: mac os x, scope: lt, version: 10.14.6

Trust: 1.0

vendor: apple, model: mac os x, scope: gte, version: 10.14

Trust: 1.0

sources: ZDI: ZDI-21-201 // ZDI: ZDI-21-200 // ZDI: ZDI-21-198 // ZDI: ZDI-21-197 // NVD: CVE-2021-1806

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2021-1806
value: HIGH

Trust: 2.8

nvd@nist.gov: CVE-2021-1806
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202102-809
value: HIGH

Trust: 0.6

VULHUB: VHN-376466
value: HIGH

Trust: 0.1

VULMON: CVE-2021-1806
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-1806
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-376466
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ZDI: CVE-2021-1806
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.1
impactScore: 6.0
version: 3.0

Trust: 2.8

nvd@nist.gov: CVE-2021-1806
baseSeverity: HIGH
baseScore: 7.0
vectorString: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: ZDI: ZDI-21-201 // ZDI: ZDI-21-200 // ZDI: ZDI-21-198 // ZDI: ZDI-21-197 // VULHUB: VHN-376466 // VULMON: CVE-2021-1806 // CNNVD: CNNVD-202102-809 // NVD: CVE-2021-1806

PROBLEMTYPE DATA

problemtype:CWE-362

Trust: 1.1

sources: VULHUB: VHN-376466 // NVD: CVE-2021-1806

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202102-809

TYPE

race condition problem

Trust: 0.6

sources: CNNVD: CNNVD-202102-809

PATCH

title: Apple has issued an update to correct this vulnerability.
url: https://support.apple.com/HT212177

Trust: 2.8

title: Apple: macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002
url: https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=7ddd0bfc954a0c128a5cda953ad458f8

Trust: 0.1

sources: ZDI: ZDI-21-201 // ZDI: ZDI-21-200 // ZDI: ZDI-21-198 // ZDI: ZDI-21-197 // VULMON: CVE-2021-1806

EXTERNAL IDS

db: NVD, id: CVE-2021-1806

Trust: 4.8

db: ZDI, id: ZDI-21-200

Trust: 0.8

db: PACKETSTORM, id: 162362

Trust: 0.8

db: PACKETSTORM, id: 161398

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-11438

Trust: 0.7

db: ZDI, id: ZDI-21-201

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-11422

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-11420

Trust: 0.7

db: ZDI, id: ZDI-21-198

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-11419

Trust: 0.7

db: ZDI, id: ZDI-21-197

Trust: 0.7

db: AUSCERT, id: ESB-2021.1417

Trust: 0.6

db: AUSCERT, id: ESB-2021.0467

Trust: 0.6

db: CNNVD, id: CNNVD-202102-809

Trust: 0.6

db: VULHUB, id: VHN-376466

Trust: 0.1

db: VULMON, id: CVE-2021-1806

Trust: 0.1

sources: ZDI: ZDI-21-201 // ZDI: ZDI-21-200 // ZDI: ZDI-21-198 // ZDI: ZDI-21-197 // VULHUB: VHN-376466 // VULMON: CVE-2021-1806 // PACKETSTORM: 162362 // PACKETSTORM: 161398 // CNNVD: CNNVD-202102-809 // NVD: CVE-2021-1806

REFERENCES

url:https://support.apple.com/ht212177

Trust: 2.8

url:https://support.apple.com/en-us/ht212177

Trust: 2.4

url:https://support.apple.com/kb/ht212327

Trust: 1.8

url:http://seclists.org/fulldisclosure/2021/apr/54

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-1806

Trust: 0.8

url:https://packetstormsecurity.com/files/161398/apple-security-advisory-2021-02-09-1.html

Trust: 0.6

url:https://vigilance.fr/vulnerability/apple-macos-two-vulnerabilities-34539

Trust: 0.6

url:https://packetstormsecurity.com/files/162362/apple-security-advisory-2021-04-26-4.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.0467

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1417

Trust: 0.6

url:https://support.apple.com/en-us/ht212327

Trust: 0.6

url:https://support.apple.com/kb/ht201222

Trust: 0.2

url:https://www.apple.com/support/security/pgp/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1805

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/362.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://support.apple.com/kb/ht212177

Trust: 0.1

url:https://www.zerodayinitiative.com/advisories/zdi-21-200/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1860

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1857

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1813

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1840

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1876

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1739

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1851

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1878

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1828

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1809

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1875

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-8037

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1784

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1847

Trust: 0.1

url:https://support.apple.com/downloads/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1843

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-27942

Trust: 0.1

url:https://support.apple.com/ht212327

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1811

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1839

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-3838

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1797

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-8285

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1834

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1873

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-8286

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1808

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1868

Trust: 0.1

url:https://support.apple.com/ht212177

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3156

Trust: 0.1

sources: ZDI: ZDI-21-201 // ZDI: ZDI-21-200 // ZDI: ZDI-21-198 // ZDI: ZDI-21-197 // VULHUB: VHN-376466 // VULMON: CVE-2021-1806 // PACKETSTORM: 162362 // PACKETSTORM: 161398 // CNNVD: CNNVD-202102-809 // NVD: CVE-2021-1806

CREDITS

ABC Research s.r.o.

Trust: 2.8

sources: ZDI: ZDI-21-201 // ZDI: ZDI-21-200 // ZDI: ZDI-21-198 // ZDI: ZDI-21-197

SOURCES

db: ZDI, id: ZDI-21-201
db: ZDI, id: ZDI-21-200
db: ZDI, id: ZDI-21-198
db: ZDI, id: ZDI-21-197
db: VULHUB, id: VHN-376466
db: VULMON, id: CVE-2021-1806
db: PACKETSTORM, id: 162362
db: PACKETSTORM, id: 161398
db: CNNVD, id: CNNVD-202102-809
db: NVD, id: CVE-2021-1806

LAST UPDATE DATE

2024-11-23T19:52:06.869000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-21-201, date: 2021-02-24T00:00:00
db: ZDI, id: ZDI-21-200, date: 2021-02-24T00:00:00
db: ZDI, id: ZDI-21-198, date: 2021-02-24T00:00:00
db: ZDI, id: ZDI-21-197, date: 2021-02-24T00:00:00
db: VULHUB, id: VHN-376466, date: 2021-05-04T00:00:00
db: VULMON, id: CVE-2021-1806, date: 2021-05-04T00:00:00
db: CNNVD, id: CNNVD-202102-809, date: 2021-11-03T00:00:00
db: NVD, id: CVE-2021-1806, date: 2024-11-21T05:45:08.857

SOURCES RELEASE DATE

db: ZDI, id: ZDI-21-201, date: 2021-02-24T00:00:00
db: ZDI, id: ZDI-21-200, date: 2021-02-24T00:00:00
db: ZDI, id: ZDI-21-198, date: 2021-02-24T00:00:00
db: ZDI, id: ZDI-21-197, date: 2021-02-24T00:00:00
db: VULHUB, id: VHN-376466, date: 2021-04-02T00:00:00
db: VULMON, id: CVE-2021-1806, date: 2021-04-02T00:00:00
db: PACKETSTORM, id: 162362, date: 2021-04-28T15:00:23
db: PACKETSTORM, id: 161398, date: 2021-02-12T17:29:14
db: CNNVD, id: CNNVD-202102-809, date: 2021-02-09T00:00:00
db: NVD, id: CVE-2021-1806, date: 2021-04-02T19:15:20.227