iOS and iPadOS 14.7 and 14.7.1 Security Update: Discover Vulnerabilities and Take Remote Response Action Using VMDR for Mobile Devices
Last updated on: October 17, 2022
Apple recently released iOS and iPadOS 14.7 and 14.7.1 which include a security update that addresses almost 38 vulnerabilities, among them several critical RCE and privilege escalation vulnerabilities. Qualys recommends that security teams should immediately update all devices running iOS and iPadOS to the latest version.
The vulnerabilities affect iOS and iPadOS components including ImageIO, Kernel, Preferences, Model I/O, Image Processing, WebKit, FontParser, and others. Apple has for the third time released a minor release (14.7.1) after a major release (14.7) to fix a critical vulnerability (CVE-2021-30807) that has been actively exploited. Successful exploitation of the vulnerability allows an application to execute arbitrary code with kernel privileges. Spyware like Pegasus might exploit this vulnerability to get access to a device.
IOMobileFrame Buffer Overflow Vulnerability
CVE-2021-30807
This buffer overflow critical vulnerability has a CVSSv3 base score of 7.8 and should be prioritized for patching, as successful exploitation of the vulnerability allows a remote attacker to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited; this makes it critical. It affects the iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
ImageIO Arbitrary Code Execution Vulnerability
CVE-2021-30785
This arbitrary code execution critical vulnerability has a CVSSv3 base score of 8.8 and should be prioritized for patching as successful exploitation of the vulnerability allows a remote attacker to execute arbitrary code on the target system. It affects the iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Image Processing Arbitrary Code Execution Vulnerability
CVE-2021-30802
This arbitrary code execution critical vulnerability has a CVSSv3 base score of 8.8 and should be prioritized for patching as successful exploitation of the vulnerability allows a remote attacker to compromise a vulnerable system. It affects the iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Multiple Vulnerabilities of Libwebp
CVE-2018-25010, CVE-2018-25011, CVE-2018-25014, CVE-2020-36328, CVE-2020-36329, CVE-2020-36330, CVE-2020-36331
Most of these critical vulnerabilities have a CVSSv3 base score of 8.8 and should be prioritized for patching as successful exploitation of the vulnerabilities allows a remote attacker to compromise the affected system. It affects the iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Multiple Privileges Escalation Vulnerabilities
CVE-2021-30774, CVE-2021-30780
These privilege escalation vulnerabilities have a CVSSv3 base score of 7.8 and should be prioritized for patching as successful exploitation of the vulnerabilities may allow a malicious application to gain root privileges. It affects the iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Additional Vulnerabilities
Apple fixed 15 arbitrary code execution including one that leads to Kernel privileges, two that lead to root privileges, one that may lead to a denial-of-service, and two kernel level vulnerabilities.
Discover Vulnerabilities and Take Remote Response Action Using VMDR for Mobile Devices
Discover Assets Missing the Latest Android Security Patch
The first step in managing these critical vulnerabilities and reducing risk is to identify the assets. Qualys VMDR for Mobile Devices makes it easy to identify the iOS and iPadOS assets not updated to the latest version iOS 14.7.1 and iPadOS 14.7.1. To get comprehensive visibility of your mobile devices, install Qualys Cloud Agent for Android or iOS/iPadOS on all devices. The device on-boarding process is easy, and inventory of mobile devices is free.
Query: vulnerabilities.vulnerability.title:iOS 14.7
Once you get the list of assets missing the latest security patches, navigate to the Vulnerability tab. Enter the QQL: vulnerabilities.vulnerability.title:iOS 14.7
and apply the Group By “Vulnerabilities” to get the list of the CVEs that Apple fixes in iOS and iPadOS 14.7 and 14.7.1 releases. Qualys VMDR for Mobile Devices helps you understand what kind of risk you are taking by allowing the unpatched device to hold corporate data and connect to your corporate network.
Also, you can apply the Group By “CVE Ids” to get only the list of CVEs fixed by Apple in iOS and iPadOS 14.7 and 14.7.1 releases.
QID 610348 and 610349 are available in signature version SEM VULNSIGS-1.0.0.43, and there is no dependency on any specific Qualys Cloud Agent version.
With the VMDR for Mobile Devices dashboard, you can track the status of the assets missing the latest security update. The dashboard will be updated with the latest data collected by Qualys Cloud Agent for iOS/iPadOS devices.
Remote Response Action
You can perform the “Send Message” action to inform the end-user to update the devices to the latest OS version. Also, you may provide step-by-step details to update the security patch.
We recommend updating to the latest iOS and iPadOS version for the assets where vulnerabilities are detected as “Confirmed”.
Qualys VMDR for Mobile Devices is available free for 30 days to help customers detect vulnerabilities, monitor critical device settings, and correlate updates with the correct app versions available on Google Play Store. To see for yourself, get a free 30-day trial of VMDR for Mobile Devices.
great post. many thanks!