Discovered by security researcher Cedric Owens and privately reported to Apple in March 2021, CVE-2021-30657 is a logic issue that allowed attackers to craft a macOS payload that is not checked by Gatekeeper (the macOS security feature that verifies downloaded applications before allowing them to run) and bypasses File Quarantine and Application Notarization protections as well. Since at least January, Shlayer malware had been exploiting this zero-day vulnerability in macOS devices.
In the remainder of this blog, we will take a look at how the BeyondTrust Privilege Management for Mac product protects macOS endpoints against such threats.
How to block this attack vector with Privilege Management for Mac
The specific attack vector that can exploit this Mac vulnerability is an application bundle whose main "executable" is really a script.
To block this type of application from running, edit your application control policy and find an Application Group that is already set to be blocked. If your policy is based on the Privilege Management for Mac Quick Start policy, then a good candidate for this would be the Application group "Block - Applications", which applies to All Users.
In this group, insert a new application of Script type and set the matching criteria as depicted in the screenshot below.
This regular expression will apply to any running script and will match if the script name matches the preceding .app folder name.
For example, the following will all match the above regular expression:
What about legitimate applications with a script as their main binary?
It is true that an application bundle on macOS can legitimately have a script as its main application binary. By following best practices and applying an allow-listing-based application policy (rather than attempting to explicitly deny-list known malware), you can pre-approve known applications that use this structure in your policy before the generic rule to block applications of this type is enforced on your endpoints.
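As an added, constructed example (not BeyondTrust's own matching criteria, which this post does not reproduce), the following Python check implements the rule described above: flag a main executable that is a script and whose file name equals the enclosing .app folder name, while honouring a pre-approved allow-list of known bundles. The regular expression, the function names and the sample paths are all assumptions made for this illustration.

```python
import re

# Constructed regex (an assumption, not the product's exact rule): capture the
# .app bundle's base name and require the executable name to repeat it, e.g.
#   /Users/me/Downloads/Installer.app/Contents/MacOS/Installer
SCRIPT_BUNDLE_RE = re.compile(r"^(?:.*/)?([^/]+)\.app/Contents/MacOS/\1$")


def script_name_matches_bundle(path: str) -> bool:
    """True when the executable's file name equals its enclosing .app folder name."""
    return SCRIPT_BUNDLE_RE.match(path) is not None


def is_script(first_bytes: bytes) -> bool:
    """A shebang line marks the file as a script rather than a Mach-O binary."""
    return first_bytes.startswith(b"#!")


def evaluate(path: str, first_bytes: bytes, allow_list: frozenset = frozenset()) -> str:
    """Apply the policy ordering from the post: pre-approved bundles win, then the
    generic block rule for script-based main executables.

    Returns "no-match" (rule does not apply), "approved" or "block".
    """
    m = SCRIPT_BUNDLE_RE.match(path)
    if m is None or not is_script(first_bytes):
        return "no-match"
    bundle = m.group(1) + ".app"
    if bundle in allow_list:
        return "approved"
    return "block"


if __name__ == "__main__":
    # Constructed sample inputs: a script-based bundle and a normal Mach-O binary.
    shell_script = b"#!/bin/sh\necho hello\n"
    macho_header = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
    print(evaluate("/Users/me/Downloads/Installer.app/Contents/MacOS/Installer", shell_script))
    print(evaluate("/Applications/Safari.app/Contents/MacOS/Safari", macho_header))
    print(evaluate("/Applications/Known.app/Contents/MacOS/Known", shell_script,
                   allow_list=frozenset({"Known.app"})))
```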
BeyondTrust Privilege Management for Mac is the most robust solution for controlling endpoint privileges for macOS. The software pairs powerful least privilege management and application control capabilities, delivering fast, unmatched risk-reduction potential. With Privilege Management for Mac, you can grant the right privilege to the right user or application, only when needed, and create a single audit trail. The product’s QuickStart feature and cloud deployment option enable organizations to make leaps in risk reduction and start achieving ROI in hours, or days.
Privilege Management for Mac is part of BeyondTrust Endpoint Privilege Management, the leading solution for privilege elevation and delegation management and pragmatic application control across all types of endpoints (Unix, Linux, Windows, Mac, network devices, etc.).
Learn more about BeyondTrust Privilege Management for Mac by requesting a demo.
Paul Thexton, Senior Software Engineer
Paul Thexton is a software & systems engineer with 20 years of experience. In that time he has worked with Linux desktop, Linux embedded, Windows, macOS, and real-time operating systems on embedded devices. He joined BeyondTrust (via Avecto) 7 years ago and contributed to the company's Windows Endpoint Privilege Management product before switching teams at the end of 2017 to work on our macOS Endpoint Privilege Management product.