APPLE-SA-2021-10-26-3 macOS Monterey 12.0.1

[Apple Product Security via Fulldisclosure <fulldisclosure () seclists org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2021-10-26-3 macOS Monterey 12.0.1

macOS Monterey 12.0.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212869.

AppKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved state
management.
CVE-2021-30873: Thijs Alkemade of Computest

AppleScript
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: Processing a maliciously crafted AppleScript binary may
result in unexpected application termination or disclosure of process
memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30876: Jeremy Brown, hjy79425575
CVE-2021-30879: Jeremy Brown, hjy79425575
CVE-2021-30877: Jeremy Brown
CVE-2021-30880: Jeremy Brown

Audio
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious application may be able to elevate privileges
Description: An integer overflow was addressed through improved input
validation.
CVE-2021-30907: Zweig of Kunlun Lab

Bluetooth
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A race condition was addressed with improved state
handling.
CVE-2021-30899: Weiteng Chen, Zheng Zhang, and Zhiyun Qian of UC
Riverside, and Yu Wang of Didi Research America

ColorSync
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A memory corruption issue existed in the processing of
ICC profiles. This issue was addressed with improved input
validation.
CVE-2021-30917: Alexandru-Vlad Niculae and Mateusz Jurczyk of Google
Project Zero

Continuity Camera
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2021-30903: an anonymous researcher

CoreAudio
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: Processing a maliciously crafted file may disclose user
information
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30905: Mickey Jin (@patch1t) of Trend Micro

CoreGraphics
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: Processing a maliciously crafted PDF may lead to arbitrary
code execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2021-30919

FileProvider
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: Unpacking a maliciously crafted archive may lead to arbitrary
code execution
Description: An input validation issue was addressed with improved
memory handling.
CVE-2021-30881: Simon Huang (@HuangShaomang) and pjf of IceSword Lab
of Qihoo 360

Game Center
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious application may be able to access information
about a user's contacts
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30895: Denis Tokarev

Game Center
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious application may be able to read user's gameplay
data
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30896: Denis Tokarev

iCloud
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A local attacker may be able to elevate their privileges
Description: This issue was addressed with improved checks.
CVE-2021-30906: Cees Elzinga

Intel Graphics Driver
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2021-30824: Antonio Zekic (@antoniozekic) of Diverto

Intel Graphics Driver
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: Multiple out-of-bounds write issues were addressed with
improved bounds checking.
CVE-2021-30901: Zuozhi Fan (@pattern_F_) of Ant Security TianQiong
Lab, Yinyi Wu (@3ndy1) of Ant Security Light-Year Lab, Jack Dates of
RET2 Systems, Inc.

IOGraphics
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2021-30821: Tim Michaud (@TimGMichaud) of Zoom Video
Communications

IOMobileFrameBuffer
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2021-30883: an anonymous researcher

Kernel
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-30886: @0xalsr

Kernel
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2021-30909: Zweig of Kunlun Lab

Kernel
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2021-30916: Zweig of Kunlun Lab

LaunchServices
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A logic issue was addressed with improved state
management.
CVE-2021-30864: Ron Hass (@ronhass7) of Perception Point

Login Window
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A person with access to a host Mac may be able to bypass the
Login Window in Remote Desktop for a locked instance of macOS
Description: This issue was addressed with improved checks.
CVE-2021-30813: Benjamin Berger of BBetterTech LLC, Peter Goedtkindt
of Informatique-MTF S.A., an anonymous researcher

Model I/O
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: Processing a maliciously crafted file may disclose user
information
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30910: Mickey Jin (@patch1t) of Trend Micro

Model I/O
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: Processing a maliciously crafted USD file may disclose memory
contents
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30911: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab

Sandbox
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A local attacker may be able to read sensitive information
Description: A permissions issue was addressed with improved
validation.
CVE-2021-30920: Csaba Fitzl (@theevilbit) of Offensive Security

SMB
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A race condition was addressed with improved locking.
CVE-2021-30868: Peter Nguyen Vu Hoang of STAR Labs

SoftwareUpdate
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious application may gain access to a user's Keychain
items
Description: The issue was addressed with improved permissions logic.
CVE-2021-30912: Kirin (@Pwnrin) and chenyuwang (@mzzzz__) of Tencent
Security Xuanwu Lab

SoftwareUpdate
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: An unprivileged application may be able to edit NVRAM
variables
Description: The issue was addressed with improved permissions logic.
CVE-2021-30913: Kirin (@Pwnrin) and chenyuwang (@mzzzz__) of Tencent
Security Xuanwu Lab

UIKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A person with physical access to an iOS device may be
determine characteristics of a user's password in a secure text entry
field
Description: A logic issue was addressed with improved state
management.
CVE-2021-30915: Kostas Angelopoulos

WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: An attacker in a privileged network position may be able to
bypass HSTS
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30823: David Gullasch of Recurity Labs

WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to
unexpectedly unenforced Content Security Policy
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30887: Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt.
Ltd.

WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious website using Content Security Policy reports may
be able to leak information via redirect behavior 
Description: An information leakage issue was addressed.
CVE-2021-30888: Prakash (@1lastBr3ath)

WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30889: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua
wingtecher lab

WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious application may bypass Gatekeeper checks
Description: A logic issue was addressed with improved state
management.
CVE-2021-30861: Wojciech Reguła (@_r3ggi), Ryan Pickren
(ryanpickren.com)

WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2021-30890: an anonymous researcher

Windows Server
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A local attacker may be able to view the previous logged in
user’s desktop from the fast user switching screen
Description: An authentication issue was addressed with improved
state management.
CVE-2021-30908: ASentientBot

xar
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: Unpacking a maliciously crafted archive may allow an attacker
to write arbitrary files
Description: This issue was addressed with improved checks.
CVE-2021-30833: Richard Warren of NCC Group

zsh
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and
later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and
later), iMac (Late 2015 and later), MacBook (Early 2016 and later),
iMac Pro (2017 and later)
Impact: A malicious application may be able to modify protected parts
of the file system
Description: An inherited permissions issue was addressed with
additional restrictions.
CVE-2021-30892: Jonathan Bar Or of Microsoft

Additional recognition

APFS
We would like to acknowledge Koh M. Nakagawa of FFRI Security, Inc.
for their assistance.

App Support
We would like to acknowledge an anonymous researcher, 漂亮鼠 of 赛博回忆录
for their assistance.

Bluetooth
We would like to acknowledge say2 of ENKI for their assistance.

CUPS
We would like to acknowledge an anonymous researcher for their
assistance.

iCloud
We would like to acknowledge Ryan Pickren (ryanpickren.com) for their
assistance.

Kernel
We would like to acknowledge Anthony Steinhauser of Google's Safeside
project for their assistance.

Mail
We would like to acknowledge Fabian Ising and Damian Poddebniak of
Münster University of Applied Sciences for their assistance.

Managed Configuration
We would like to acknowledge Michal Moravec of Logicworks, s.r.o. for
their assistance.

smbx
We would like to acknowledge Zhongcheng Li (CK01) for their
assistance.

WebKit
We would like to acknowledge Ivan Fratric of Google Project Zero,
Pavel Gromadchuk, an anonymous researcher for their assistance.

Installation note:
This update may be obtained from the Mac App Store

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmF4hpwACgkQeC9qKD1p
rhhm0Q//fIQiOk2S9w2qirXapPqEpyI9LNJnGX/RCrsZGN/iFkgvt27/RYLhHHQk
efqxE6nnXdUaj9HoIIHiG4rKxIhfkscw1dF9igvmYm6j+V2KMiRxp1Pev1zMzsBI
N6F7mJ4SiATHDTJATU8uCqIqHRQsvcIrHCjovblqGfuZxzvsjkvtRc0eXC0XAARf
xW0WRNbTBoCOEsMp92hNI45B/oK05b1aHm2pY529gE6GRBBl0ymVo30fQ7vmIoJY
Uajc6pDNeJ1MhSpo0k+Z+eVodSdBN2EutKZfU5+4t2GzqeW5nLZFa/oqXObXBhXk
i8bptOhceBu6qD9poSgkS5EdH4OdRQMcMjsQLIRJj3N/MwZBhGvsLQDlyGmtd+VG
a0s+pna/WoFwzw800CYRarmL0rRsZ4zZza0iuKArhrLlQCw+ee6XNL+1U50zvMaW
oT3gNkf3faCqQDxecIcQTj7xwt2tHV87p7uqELiuUZaCk5UoQBsWxGeGebFGxUq5
pJVQvnr4RVrDkpOQjbKj8w9mWoSZcvKlhRNL9J5kW75zd32vwnaVMlVkIG8vfvoK
sgq/VfKrOW+EV1IMAh4iuaMiLAPjwBzMiRfjvRZFeJmTaMaTOxDKHwkG5YwPNp5W
0FlhV1S2pAmGlQZgvTxkBthtU9A9giuH+oHSGJDjr70Q7de8lJ4=
=3Pcg
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/