Attacker Value

High

CVE-2021-30657 — Malicious applications may bypass Gatekeeper checks

Attacker Value

High

(1 user assessed)

Exploitability

High

(1 user assessed)

User Interaction

CVE-2021-30657 — Malicious applications may bypass Gatekeeper checks

Disclosure Date: September 08, 2021 •

CVE-2021-30657 CVSS v3 Base Score: 5.5

Exploited in the Wild

Reported by space-r7 and 2 more...
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Execution

Techniques

Validation

User Execution: Malicious File

Validated

Privilege Escalation

Techniques

Validation

Abuse Elevation Control Mechanism

Validated

Metasploit Module

exploit/osx/browser/osx_gatekeeper_bypass

Easy to weaponize Unauthenticated Vulnerable in default configuration Requires user interaction

Description

macOS versions prior to 11.3 contain a vulnerability in an unspecified component of System Preferences which, when exploited, results in privilege escalation and the ability to bypass Gatekeeper — the macOS built-in malware detection and prevention service.

Add Assessment

space-r7 (143)

April 28, 2021 8:19pm UTC (2 years ago)•

Ratings

Attacker Value

High

Exploitability

High

Easy to weaponize Unauthenticated Vulnerable in default configuration Requires user interaction

Technical Analysis

Rating this vulnerability as high since it bypasses all of the checks that MacOS performs on downloaded files. It was reportedly introduced in MacOS version 10.15, and the fix is in version 11.3. This vulnerability has also been reported as being exploited in the wild.

An unsigned, unnotarized binary downloaded from the Internet is typically blocked from execution; however a script-based app with no Info.plist file bypasses those checks. To read about how that exactly happens, see the objective-see blog post here. This does require user interaction for success, but all it takes is a download and a double click. Additionally, an exploit is quite trivial to make, as all it really needs is a valid app without the Info.plist file bundled with it. As always, install your updates.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.5 Medium

Impact Score:

3.6

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

High

Availability (A):

None

Vendors

Apple

Products

macOS,
macOS

Metasploit Modules

exploit/osx/browser/osx_gatekeeper_bypass (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/browser/osx_gatekeeper_bypass.rb)

Exploited in the Wild

Reported by:

space-r7 indicated source as News Article or Blog (https://objective-see.com/blog/blog_0x64.html)

Reported: April 28, 2021 6:50pm UTC (2 years ago) • Edited 2 years ago

hrbrmstr indicated source as News Article or Blog (https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/)

Reported: April 30, 2021 1:53pm UTC (2 years ago)

gwillcox-r7 indicated source as News Article or Blog (https://threatpost.com/apple-patches-macos-bug-bypass-defenses/165611/)

Reported: April 30, 2021 2:25pm UTC (2 years ago)

References

Canonical

CVE-2021-30657 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30657)

Miscellaneous

https://support.apple.com/en-us/HT212325

https://support.apple.com/en-us/HT212326

Rapid7

High