Apple fixes iOS zero-day exploited in the wild (CVE-2021-30883)

With the newest iOS and iPad updates, Apple has fixed another vulnerability (CVE-2021-30883) that is being actively exploited by attackers.

About CVE-2021-30883

CVE-2021-30883 is a memory corruption issue in IOMobileFrameBuffer, a kernel extension for managing the screen framebuffer.

The vulnerability may be exploited by an application to execute arbitrary code with kernel privileges, Apple explained.

As per usual, Apple did not share more details about the flaw or the attack(s) exploiting it, and the researcher who discovered it remains unnamed.

But, thanks to security researcher Saar Amar, who analyzed Apple’s patch, we know that the flaw is “a classic integer overflow.”

The IOMobileFrameBuffer/AppleCLCD is, he says, a highly interesting attack surface “because it’s accessible from the app sandbox (so it’s great for jailbreaks) and many other processes, making it a good candidate for LPEs exploits in chains (WebContent, etc.).”

His write-up will be interesting for other researchers, as it details his thought process as he went through the analysis and worked on a stable POC for triggering a crash that will provide “a good panic“.

He confirmed that the POC works on iOS 15.0 and iOS 14.7.1 and says it will probably work on earlier versions of the OS.

“Unlike the previous in-the-wild vulnerability in IOMFB/AppleCLCD, no special entitlements are required. You can just create an iOS app with my POC, run it on the device and trigger the bug,” he added.

He did not release a full exploit.

Update your iDevice

The released iOS and iPadOS updates (both v15.0.2) that fix CVE-2021-30883 are available from iPhone 6s and later, all models of iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and the 7th generation of iPod touch.

We don’t know the nature of the attacks exploiting the vulnerability, but users are advised to update their mobile iDevices to plug the hole as soon as possible.