CVE-2021-30952 Sumo Logic CSE · Sumo

Detect CVE-2021-30952: Apple Multiple Products Integer Overflow Exploitation in Sumo Logic CSE

Detects exploitation attempts of CVE-2021-30952, an integer overflow vulnerability in Apple Multiple Products. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Integer overflow conditions in Apple platform components can lead to memory corruption, arbitrary code execution, or privilege escalation.

MITRE ATT&CK

Tactic
Execution Privilege Escalation Initial Access

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=endpoint/macos OR _sourceCategory=crowdstrike/falcon
| json field=_raw "process_name", "parent_process_name", "process_path", "user", "hostname" nodrop
| where process_name in ("com.apple.WebKit.WebContent", "WebContent", "Safari", "MobileSafari") OR parent_process_name in ("com.apple.WebKit.WebContent", "WebContent")
| where !(process_path matches "/Applications/*") AND !(process_path matches "/System/*") AND !(process_path matches "/usr/*")
| where parent_process_name not in ("launchd", "softwareupdated", "mdmclient")
| eval risk = if(parent_process_name in ("sh", "bash", "zsh", "python3"), "HIGH", "MEDIUM")
| count by hostname, user, process_name, parent_process_name, process_path, risk
| sort by _count desc
high severity medium confidence

Sumo Logic query detecting anomalous WebKit and Safari process activity on Apple endpoints consistent with CVE-2021-30952 exploitation, focusing on processes executing from non-standard paths.

Data Sources

Sumo Logic macOS Endpoint SourceCrowdStrike Falcon Sumo Logic Integration

Required Tables

endpoint/macoscrowdstrike/falcon

False Positives & Tuning

  • macOS system integrity protection checks that temporarily spawn processes from cache locations
  • Legitimate third-party applications embedding WebKit that run from custom installation directories
  • IT automation scripts interacting with Safari for testing or configuration management

Other platforms for CVE-2021-30952

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate WebKit Process Spawning Shell from Non-Standard Path

    Expected signal: Process creation event showing /tmp/webkit-sim/WebContent spawning with process name matching WebContent but executing from /tmp path

  2. Test 2Create Persistence via LaunchAgent After Simulated WebKit Compromise

    Expected signal: File creation event for plist in ~/Library/LaunchAgents/ followed by launchctl process execution loading the new agent

  3. Test 3Simulate Integer Overflow Memory Pressure via Safari Crash Report Generation

    Expected signal: File creation event for .crash file in /tmp with WebContent prefix; potential file integrity monitoring alert

Last updated: 2026-06-19 Research depth: standard
References (6)

Unlock Pro Content

Get the full detection package for CVE-2021-30952 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0004Privilege EscalationTA0001Initial Access

Related Techniques

T1203Exploitation for Client ExecutionT1068Exploitation for Privilege EscalationT1190Exploit Public-Facing Application

Same Tactic: Execution

Popular Detections