How to Mitigate macOS CVE-2021-30657 with BeyondTrust Privilege Management for Mac
May 18, 2021
Author:
Paul Thexton
Senior Software Engineer
Discovered by security researcher Cedric Owens and privately reported to Apple in March 2021, CVE-2021-30657 is a logic issue that allowed attackers to craft a macOS payload that is not checked by Gatekeeper (the macOS security feature that verifies downloaded applications before allowing them to run) and bypasses File Quarantine and Application Notarization protections as well. Since at least January, Shlayer malware had been exploiting this zero-day vulnerability in macOS devices.
Recently, Apple has patched this vulnerability under CVE-2021-30657. You can check out a more detailed analysis of the CVE here.
In the remainder of this blog, we will take a look at how the BeyondTrust Privilege Management for Mac product protects macOS endpoints against such threats.
How to block this attack vector with Privilege Management for Mac
The specific attack vector that can exploit this Mac vulnerability is an application bundle whose main "executable" is really a script.
To block this type of application from running, edit your application control policy and find an Application Group that is already set to be blocked. If your policy is based on the Privilege Management for Mac Quick Start policy, then a good candidate for this would be the Application group "Block - Applications", which applies to All Users.
In this group, insert a new application of Script type and set the matching criteria as depicted in the screenshot below.
Matching criteria to block script-based application bundles using BeyondTrust Privilege Management for Mac
This regular expression will apply to any running script and will match if the script name matches the preceding .app folder name.
For example, the following will all match the above regular expression:
What about legitimate applications with a script as their main binary?
It is true that an application bundle on macOS can legitimately have a script as its main application binary. By following best practices and applying an application allow-listing-based policy (rather than attempting to explicitly deny-list known malware), you can pre-approve known applications that use this structure in your policy before the generic rule to block applications of this type is enforced on your endpoints.
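As an added illustration (not BeyondTrust's code, and not the regular expression shown in the post's screenshot), the following Python models the two rules described above: a generic match on script-based bundles whose script file name equals the enclosing .app folder name, evaluated only after an allow list of pre-approved bundles. The regular expression, the allow list, the shebang check and the sample paths are constructed assumptions for the example.

```python
import re
from typing import Optional

# Assumed pattern (the vendor's actual regular expression is not reproduced here):
# match when the final path component equals the name of the nearest enclosing
# "<Name>.app" folder, with any number of directories (normally Contents/MacOS)
# in between.
BUNDLE_SCRIPT_RE = re.compile(r"(?:^|/)([^/]+)\.app/(?:[^/]+/)*\1$")

# Constructed allow list: bundles whose main binary is legitimately a script and
# that an administrator has pre-approved before the generic block rule applies.
ALLOWED_BUNDLE_PATHS = {
    "/Applications/LegitTool.app",
}


def matches_bundle_script_rule(path: str) -> bool:
    """True when the last path component equals the nearest enclosing .app name."""
    return BUNDLE_SCRIPT_RE.search(path) is not None


def looks_like_script(head: bytes) -> bool:
    """Scripts start with a shebang line; Mach-O binaries start with a magic number."""
    return head.startswith(b"#!")


def enclosing_bundle(path: str) -> Optional[str]:
    """Return the innermost <Name>.app folder containing `path`, or None."""
    parts = path.split("/")
    for i in range(len(parts) - 2, -1, -1):
        if parts[i].endswith(".app"):
            return "/".join(parts[: i + 1])
    return None


def decide(path: str, head: bytes) -> str:
    """Evaluate the policy in allow-list-first order.

    Returns "allow", "block", or "not-applicable" (the rule does not apply).
    """
    if not looks_like_script(head) or not matches_bundle_script_rule(path):
        return "not-applicable"
    bundle = enclosing_bundle(path)
    if bundle in ALLOWED_BUNDLE_PATHS:
        return "allow"   # pre-approved application, checked before the generic rule
    return "block"       # generic "script as main executable" block rule


# Constructed sample executions: (executable path, first bytes of the file).
SAMPLES = [
    ("/Applications/LegitTool.app/Contents/MacOS/LegitTool", b"#!/bin/sh\necho ok\n"),
    ("/Users/alice/Downloads/Installer.app/Contents/MacOS/Installer", b"#!/bin/bash\n"),
    ("/Applications/Safari.app/Contents/MacOS/Safari", b"\xcf\xfa\xed\xfe"),
    ("/Applications/Foo.app/Contents/MacOS/Bar", b"#!/bin/sh\n"),
]


def evaluate_samples() -> dict:
    """Run every constructed sample through the policy and return the verdicts."""
    return {path: decide(path, head) for path, head in SAMPLES}


if __name__ == "__main__":
    for path, verdict in evaluate_samples().items():
        print(f"{verdict:15} {path}")
```

The ordering in `decide` is the point: the allow list is consulted before the generic rule fires, so a known script-based application keeps running while an unapproved bundle with the same structure is blocked, and native Mach-O executables are never touched by this rule.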
BeyondTrust Privilege Management for Mac is the most robust solution for controlling endpoint privileges for macOS. The software pairs powerful least privilege management and application control capabilities, delivering fast, unmatched risk-reduction potential. With Privilege Management for Mac, you can grant the right privilege to the right user or application, only when needed, and create a single audit trail. The product's QuickStart feature and cloud deployment option enable organizations to make leaps in risk reduction and start achieving ROI in hours or days.
Privilege Management for Mac is part of BeyondTrust Endpoint Privilege Management, the leading solution for privilege elevation and delegation management and pragmatic application control across all types of endpoints (Unix, Linux, Windows, Mac, network devices, etc.).
Learn more about BeyondTrust Privilege Management for Mac by requesting a demo.