CVE-2021-30939: 
macOS vulnerability analysis and mitigation

An out-of-bounds read vulnerability (CVE-2021-30939) was discovered in the DDS image parsing functionality of Apple's ImageIO library. The vulnerability affects multiple Apple operating systems including macOS Big Sur 11.6.2, tvOS 15.2, macOS Monterey 12.1, Security Update 2021-008 Catalina, iOS 15.2 and iPadOS 15.2, and watchOS 8.3. The issue was discovered by Mickey Jin of Trend Micro, Jaewon Min of Cisco Talos, and Rui Yang and Xingwei Lin of Ant Security Light-Year Lab (Apple Security).

The vulnerability exists in the DDS image parsing functionality of the ImageIO library. When processing a specially-crafted DDS file, an out-of-bounds read can occur due to improper bounds checking. The root cause is that decoding starts at file offset +0x80, but ImageIO checks against the entire image file size instead of the actual image data size (file size - 0x80). The vulnerability has a CVSS v3.1 base score of 7.8 HIGH (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD, Cisco Talos).

By exploiting this vulnerability, an attacker can disclose sensitive memory content which could aid in the exploitation of other vulnerabilities. The contents of the heap can be directly rendered as pixels, potentially leaking heap addresses and other sensitive information that could assist further exploitation if leaked data can be accessed in a vulnerable application context (Cisco Talos).

Apple has addressed this vulnerability by improving bounds checking in affected operating systems. The fix was released in December 2021 as part of multiple security updates including macOS Monterey 12.1, macOS Big Sur 11.6.2, Security Update 2021-008 Catalina, iOS 15.2 and iPadOS 15.2, tvOS 15.2, and watchOS 8.3 (Apple Security).