Flagged by researchers Erye Hernandez and Clément Lecigne of Google’s Threat Analysis Group and Ian Beer of Google Project Zero, the vulnerability is a type confusion issue found in XNU, the kernel of Apple’s macOS and iOS operating systems.
As usual, Apple did not share any details about the flaw, and said only that it allows a malicious application to execute arbitrary code with kernel privileges.
Another Google TAG threat analyst shared that CVE-2021-30869 is being exploited in conjunction with a previously known WebKit vulnerability, and said that more details will be released after 30 days.
We saw this used in conjunction with an N-day remote code execution targeting webkit.
Thanks to Apple for getting the patch out so quickly.
— Shane Huntley (@ShaneHuntley) September 23, 2021
The iOS 12.5.5 security update also contains fixes for CVE-2021-30860 – the “zero-click” iMessage vulnerability exploited to deliver spyware, which was patched in newer versions of iOS ten days ago – and CVE-2021-30858 – an actively exploited RCE in WebKit.
UPDATE (November 12, 2021, 06:58 a.m. PT):
Google’s Threat Analysis Group has shared details about the attacks leveraging CVE-2021-30869.
They were watering hole attacks and the targets were visitors of Hong Kong websites for a media outlet and a pro-democracy labor and political group.
Two iframes inserted into the websites served exploit chains for macOS and iOS. The macOS chain combined an RCE in WebKit (CVE-2021-1789), patched on Jan 5, with CVE-2021-30869. The final payload was a previously unknown backdoor.
The macOS exploit chain did not work on macOS Big Sur (11.4), because apparently “Apple added generic protections in Big Sur which rendered this exploit useless.”