Attacker Value

High

CVE-2021-30657 — Malicious applications may bypass Gatekeeper checks

Attacker Value

High

(1 user assessed)

Exploitability

High

(1 user assessed)

User Interaction

CVE-2021-30657 — Malicious applications may bypass Gatekeeper checks

Disclosure Date: September 08, 2021 •

CVE-2021-30657 CVSS v3 Base Score: 5.5

Exploited in the Wild

Reported by space-r7 and 3 more...
View Source Details

Description

A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3, Security Update 2021-002 Catalina. A malicious application may bypass Gatekeeper checks. Apple is aware of a report that this issue may have been actively exploited..

Add Assessment

space-r7 (143)

April 28, 2021 8:19pm UTC (3 years ago)•

Ratings

Attacker Value

High

Exploitability

High

Easy to weaponize Unauthenticated Vulnerable in default configuration Requires user interaction

Technical Analysis

Rating this vulnerability as high since it bypasses all of the checks that MacOS performs on downloaded files. It was reportedly introduced in MacOS version 10.15, and the fix is in version 11.3. This vulnerability has also been reported as being exploited in the wild.

An unsigned, unnotarized binary downloaded from the Internet is typically blocked from execution; however a script-based app with no Info.plist file bypasses those checks. To read about how that exactly happens, see the objective-see blog post here. This does require user interaction for success, but all it takes is a download and a double click. Additionally, an exploit is quite trivial to make, as all it really needs is a valid app without the Info.plist file bundled with it. As always, install your updates.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.5 Medium

Impact Score:

3.6

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

High

Availability (A):

None

Vendors

apple

Products

mac os x,
mac os x 10.15.6,
mac os x 10.15.7,
macos

Metasploit Modules

exploit/osx/browser/osx_gatekeeper_bypass (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/browser/osx_gatekeeper_bypass.rb)

Exploited in the Wild

Reported by:

space-r7 indicated source as News Article or Blog (https://objective-see.com/blog/blog_0x64.html)

Reported: April 28, 2021 6:50pm UTC (3 years ago) • Edited 3 years ago

hrbrmstr indicated source as News Article or Blog (https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/)

Reported: April 30, 2021 1:53pm UTC (3 years ago)

gwillcox-r7 indicated source as News Article or Blog (https://threatpost.com/apple-patches-macos-bug-bypass-defenses/165611/)

Reported: April 30, 2021 2:25pm UTC (3 years ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:13am UTC (2 weeks ago)

References

Canonical

CVE-2021-30657 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30657)

Miscellaneous

https://support.apple.com/en-us/HT212325

https://support.apple.com/en-us/HT212326

Rapid7

High