what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Apple Security Advisory 2021-05-25-3

Apple Security Advisory 2021-05-25-3
Posted May 26, 2021
Authored by Apple | Site apple.com

Apple Security Advisory 2021-05-25-3 - Security Update 2021-004 Mojave addresses bypass, code execution, denial of service, heap corruption, information leakage, out of bounds read, out of bounds write, and use-after-free vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution
systems | apple
advisories | CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230, CVE-2021-1883, CVE-2021-1884, CVE-2021-30669, CVE-2021-30676, CVE-2021-30678, CVE-2021-30679, CVE-2021-30681, CVE-2021-30683, CVE-2021-30687, CVE-2021-30690, CVE-2021-30691, CVE-2021-30692, CVE-2021-30693, CVE-2021-30694, CVE-2021-30695, CVE-2021-30697
SHA-256 | 776008bfbdb46c0bcd65cacb835a4914ca1905855f39711dfc2b2c16dd497aa5

Apple Security Advisory 2021-05-25-3

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2021-05-25-3 Security Update 2021-004 Mojave

Security Update 2021-004 Mojave addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212531.

AMD
Available for: macOS Mojave
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: A logic issue was addressed with improved state
management.
CVE-2021-30676: shrek_wzw

AMD
Available for: macOS Mojave
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A logic issue was addressed with improved state
management.
CVE-2021-30678: Yu Wang of Didi Research America

apache
Available for: macOS Mojave
Impact: Multiple issues in apache
Description: Multiple issues in apache were addressed by updating
apache to version 2.4.46.
CVE-2021-30690: an anonymous researcher

AppleScript
Available for: macOS Mojave
Impact: A malicious application may bypass Gatekeeper checks
Description: A logic issue was addressed with improved state
management.
CVE-2021-30669: Yair Hoffmann

Core Services
Available for: macOS Mojave
Impact: A malicious application may be able to gain root privileges
Description: A validation issue existed in the handling of symlinks.
This issue was addressed with improved validation of symlinks.
CVE-2021-30681: Zhongcheng Li (CK01)

CVMS
Available for: macOS Mojave
Impact: A local attacker may be able to elevate their privileges
Description: This issue was addressed with improved checks.
CVE-2021-30724: Mickey Jin (@patch1t) of Trend Micro

Heimdal
Available for: macOS Mojave
Impact: A malicious application may cause a denial of service or
potentially disclose memory contents
Description: A memory corruption issue was addressed with improved
state management.
CVE-2021-30710: Gabe Kirkpatrick (@gabe_k)

Heimdal
Available for: macOS Mojave
Impact: A remote attacker may be able to cause a denial of service
Description: A race condition was addressed with improved locking.
CVE-2021-1884: Gabe Kirkpatrick (@gabe_k)

Heimdal
Available for: macOS Mojave
Impact: Processing maliciously crafted server messages may lead to
heap corruption
Description: This issue was addressed with improved checks.
CVE-2021-1883: Gabe Kirkpatrick (@gabe_k)

Heimdal
Available for: macOS Mojave
Impact: A local user may be able to leak sensitive user information
Description: A logic issue was addressed with improved state
management.
CVE-2021-30697: Gabe Kirkpatrick (@gabe_k)

Heimdal
Available for: macOS Mojave
Impact: A malicious application could execute arbitrary code leading
to compromise of user information
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-30683: Gabe Kirkpatrick (@gabe_k)

ImageIO
Available for: macOS Mojave
Impact: Processing a maliciously crafted image may lead to disclosure
of user information
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30687: Hou JingYi (@hjy79425575) of Qihoo 360

ImageIO
Available for: macOS Mojave
Impact: Processing a maliciously crafted ASTC file may disclose
memory contents
Description: This issue was addressed with improved checks.
CVE-2021-30705: Ye Zhang of Baidu Security

Intel Graphics Driver
Available for: macOS Mojave
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2021-30728: Liu Long of Ant Security Light-Year Lab

Kernel
Available for: macOS Mojave
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A logic issue was addressed with improved state
management.
CVE-2021-30704: an anonymous researcher

Login Window
Available for: macOS Mojave
Impact: A person with physical access to a Mac may be able to bypass
Login Window
Description: A logic issue was addressed with improved state
management.
CVE-2021-30702: Jewel Lambert of Original Spin, LLC.

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted USD file may disclose memory
contents
Description: An information disclosure issue was addressed with
improved state management.
CVE-2021-30723: Mickey Jin (@patch1t) of Trend Micro
CVE-2021-30691: Mickey Jin (@patch1t) of Trend Micro
CVE-2021-30694: Mickey Jin (@patch1t) of Trend Micro
CVE-2021-30692: Mickey Jin (@patch1t) of Trend Micro

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted USD file may disclose memory
contents
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-30746: Mickey Jin (@patch1t) of Trend Micro

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A validation issue was addressed with improved logic.
CVE-2021-30693: Mickey Jin (@patch1t) & Junzhi Lu (@pwn0rz) of Trend
Micro

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted USD file may disclose memory
contents
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30695: Mickey Jin (@patch1t) & Junzhi Lu (@pwn0rz) of Trend
Micro

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted USD file may lead to
unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-30708: Mickey Jin (@patch1t) & Junzhi Lu (@pwn0rz) of Trend
Micro

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted USD file may disclose memory
contents
Description: This issue was addressed with improved checks.
CVE-2021-30709: Mickey Jin (@patch1t) of Trend Micro

Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted USD file may lead to
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2021-30725: Mickey Jin (@patch1t) of Trend Micro

NSOpenPanel
Available for: macOS Mojave
Impact: An application may be able to gain elevated privileges
Description: This issue was addressed by removing the vulnerable
code.
CVE-2021-30679: Gabe Kirkpatrick (@gabe_k)

OpenLDAP
Available for: macOS Mojave
Impact: A remote attacker may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2020-36226
CVE-2020-36229
CVE-2020-36225
CVE-2020-36224
CVE-2020-36223
CVE-2020-36227
CVE-2020-36228
CVE-2020-36221
CVE-2020-36222
CVE-2020-36230

smbx
Available for: macOS Mojave
Impact: An attacker in a privileged network position may be able to
perform denial of service
Description: A logic issue was addressed with improved state
management.
CVE-2021-30716: Aleksandar Nikolic of Cisco Talos

smbx
Available for: macOS Mojave
Impact: An attacker in a privileged network position may be able to
execute arbitrary code
Description: A memory corruption issue was addressed with improved
state management.
CVE-2021-30717: Aleksandar Nikolic of Cisco Talos

smbx
Available for: macOS Mojave
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A logic issue was addressed with improved state
management.
CVE-2021-30712: Aleksandar Nikolic of Cisco Talos

smbx
Available for: macOS Mojave
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: A path handling issue was addressed with improved
validation.
CVE-2021-30721: Aleksandar Nikolic of Cisco Talos

smbx
Available for: macOS Mojave
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: An information disclosure issue was addressed with
improved state management.
CVE-2021-30722: Aleksandar Nikolic of Cisco Talos

Additional recognition

CFString
We would like to acknowledge an anonymous researcher for their
assistance.

CoreCapture
We would like to acknowledge Zuozhi Fan (@pattern_F_) of Ant-
financial TianQiong Security Lab for their assistance.

Installation note:

This update may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAmCtU9EACgkQZcsbuWJ6
jjCFWg//YnTAv0f31A5ILv6tAFsMOLCqe5qfpGEqQDktx5kNmnZVQxck0yAEPVH4
SghKtTTE0t6KXne94QcnEntdgoMG+EgsvBqBzCxpJtjxArwxQHqL/slnfIKKTSg7
8+PIQALwJDOLrtxzf6X0VY0fT3tElYcq8qrrYrqQgXCn8C3bKvO/42wwdVCDOTmD
kft0PhZkHa1GyJ+RuPAv+Y9KVrTy2dYX6hGMbiFpJ2il0My+CgdvJc4QO4P7kObk
nProKc8zdsNAXTMHX1s0tfR8MFwnNquJT6/KV/FHeby1rbT3CK4zd6x64dIq4KVi
j4Spubs5/TT4ji926R3xm5W3MkOegJiB9S2Rjy5LU/JMyV+BM9VBEZ6upK0y4+l6
tHCdhf90Kwt82zQYBE1o3nCBAPhWz9rk91kuPl1YstvLzBrdujmXRtLgcQVW2F+e
NLCtyx1/WUUi2WR5VWiz9AMBl8QjBWXuGvmR+ToBK/m6T8km4lp6V74mbCj1OyKg
0wHf0oh0KNZRCrtR2PoIvBZnC+KxcdH4QVqKPePYzr+CYnWnA6TDV5yXWITVYLQA
x74LPPpDML/yc9TLgWxNTTMuEflG+riGTO3Oet3iB1SFsobbAqWlfZqIklBHgyQe
f62TlXzjqJWuFBzlhQ0weK8EbgDQWoRiJM3xnpO2HnM2nRQvWfs=t1cR
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close