How to Mitigate macOS CVE-2021-30657 with BeyondTrust Privilege Management for Mac

May 18, 2021


Discovered by security researcher Cedric Owens and privately reported to Apple in March 2021, CVE-2021-30657 is a logic issue that let attackers craft a macOS payload that Gatekeeper (the macOS security feature that verifies downloaded applications before allowing them to run) never inspects, and that therefore also bypasses File Quarantine and application notarization checks. Since at least January 2021, the Shlayer malware family had been exploiting this vulnerability in the wild as a zero-day.

Apple has since patched the issue under CVE-2021-30657; the fix shipped in macOS Big Sur 11.3. You can read a more detailed analysis of the CVE here.

In the rest of this post, we look at how BeyondTrust Privilege Management for Mac protects macOS endpoints against this type of threat.

How to block this attack vector with Privilege Management for Mac

The specific attack vector that exploits this vulnerability is an application bundle whose main "executable" (the file under Contents/MacOS that carries the bundle's name) is a script rather than a Mach-O binary. In the published proof of concept the bundle also shipped without an Info.plist; the block rule described below does not depend on that detail, which makes it a deliberately broader net.

To block this type of application from running, edit your application control policy and find an Application Group that is already configured to block. If your policy is based on the Privilege Management for Mac Quick Start policy, a good candidate is the Application Group "Block - Applications", which applies to All Users.

In this group, insert a new application of type Script and set the matching criteria as shown in the screenshot below.

[Screenshot: matching criteria to block script-based application bundles using BeyondTrust Privilege Management for Mac]

Because the application definition is of type Script, this rule is evaluated for every script launched on the endpoint. Its regular expression matches when the script's file name is identical to the name of the enclosing .app bundle, that is, the path component immediately before Contents/MacOS.

For example, all of the following paths match the regular expression:

MyMalware.app/Contents/MacOS/MyMalware

SillyApp.app/Contents/MacOS/SillyApp

AttemptedHijack.app/Contents/MacOS/AttemptedHijack

What about legitimate applications with a script as their main binary?

It is true that an application bundle on macOS can legitimately have a script as its main executable. By following best practice and building an allow-listing-based policy (rather than trying to deny-list known malware), you can pre-approve the known applications that use this structure in your policy before the generic rule that blocks applications of this type is enforced on your endpoints. Rule order matters here: the allow-list entries must be evaluated ahead of the block rule, and they should match on a property the bundle's author cannot simply choose, such as the script's file hash, rather than on the bundle name alone.
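The following is an added example, not BeyondTrust code and not the expression in the post's screenshot: it implements the same matching criterion as a regular expression of its own (script file name equal to the enclosing .app bundle name), distinguishes a script from a Mach-O binary by the file's first bytes, and evaluates a hash-based allow-list ahead of the generic block rule in the order the paragraph above describes. The bundles it inspects are constructed in a temporary directory and the bundle and tool names are invented for illustration.

```python
import hashlib
import os
import re
import tempfile

# Added example, not BeyondTrust code. BUNDLE_SCRIPT_RE is this example's own
# approximation of the matching criterion described in the post (a script whose
# file name equals the enclosing .app bundle's name); it is NOT the expression
# shown in the post's screenshot. The backreference \1 enforces the equality.
BUNDLE_SCRIPT_RE = re.compile(r"(?:^|/)([^/]+)\.app/Contents/MacOS/\1$")

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat/universal magic.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def matches_bundle_script_rule(path: str) -> bool:
    """True for <Name>.app/Contents/MacOS/<Name> with the same Name in both places."""
    return BUNDLE_SCRIPT_RE.search(path) is not None


def executable_kind(path: str) -> str:
    """Classify a file by its first bytes: 'script' (shebang), 'macho', or 'other'."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(b"#!"):
        return "script"
    return "macho" if head in MACHO_MAGICS else "other"


def sha256_of(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def evaluate(path: str, allowed_hashes) -> str:
    """Policy order: allow-listed content first, then the generic script rule.
    The allow-list is keyed on the executable's SHA-256, not its name, because
    the bundle name is chosen by whoever builds the bundle."""
    if sha256_of(path) in allowed_hashes:
        return "allow"
    if executable_kind(path) == "script" and matches_bundle_script_rule(path):
        return "block"
    return "no-match"


def inspect_bundle(bundle_dir: str, allowed_hashes=frozenset()) -> dict:
    """Locate the bundle's main executable and report how the rules treat it."""
    name = os.path.basename(bundle_dir.rstrip("/"))
    if name.endswith(".app"):
        name = name[:-4]
    main_exe = os.path.join(bundle_dir, "Contents", "MacOS", name)
    if not os.path.isfile(main_exe):
        return {"bundle": name, "main_executable": None}
    return {
        "bundle": name,
        "main_executable": main_exe,
        "kind": executable_kind(main_exe),
        # The proof-of-concept bundle for this CVE had no Info.plist; record that too.
        "has_info_plist": os.path.isfile(os.path.join(bundle_dir, "Contents", "Info.plist")),
        "decision": evaluate(main_exe, allowed_hashes),
    }


def make_bundle(root: str, name: str, payload: bytes, with_plist: bool) -> str:
    """Create a minimal constructed .app layout (sample data, not a real app)."""
    bundle = os.path.join(root, f"{name}.app")
    macos = os.path.join(bundle, "Contents", "MacOS")
    os.makedirs(macos)
    exe = os.path.join(macos, name)
    with open(exe, "wb") as fh:
        fh.write(payload)
    os.chmod(exe, 0o755)
    if with_plist:
        with open(os.path.join(bundle, "Contents", "Info.plist"), "w") as fh:
            fh.write("<plist/>")
    return bundle


def demo() -> dict:
    """Build three constructed bundles and evaluate each against the rules."""
    root = tempfile.mkdtemp(prefix="bundle-demo-")
    unknown_script = b"#!/bin/sh\nopen -a Calculator\n"                  # constructed
    approved_script = b"#!/bin/sh\nexec /usr/bin/env python3 main.py\n"  # constructed
    # 1. Script-based bundle with no Info.plist: the shape used to trigger CVE-2021-30657.
    unknown = make_bundle(root, "SillyApp", unknown_script, with_plist=False)
    # 2. A legitimate script-based tool, pre-approved by content hash.
    approved = make_bundle(root, "KnownTool", approved_script, with_plist=True)
    # 3. A native app whose main executable starts with the 64-bit Mach-O magic.
    native = make_bundle(root, "RealApp", b"\xcf\xfa\xed\xfe" + b"\0" * 28, with_plist=True)
    allowed = {hashlib.sha256(approved_script).hexdigest()}
    return {
        "unknown_script": inspect_bundle(unknown, allowed),
        "approved_script": inspect_bundle(approved, allowed),
        "native": inspect_bundle(native, allowed),
    }


if __name__ == "__main__":
    for label, report in demo().items():
        print(f"{label}: {report['decision']} ({report['kind']})")
```

The unknown script-based bundle is blocked, the pre-approved one is allowed because its hash is evaluated first, and the native bundle never reaches the script rule at all. A real endpoint agent would key the allow-list on a hash or code-signing identity maintained centrally; the set literal here only stands in for that.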

BeyondTrust Privilege Management for Mac is a robust solution for controlling endpoint privileges on macOS. The software pairs least privilege management with application control, so you can grant the right privilege to the right user or application, only when needed, and keep a single audit trail. The product's QuickStart policy and cloud deployment option let organizations reduce risk quickly and start seeing a return within hours or days.

Privilege Management for Mac is part of BeyondTrust Endpoint Privilege Management, a solution for privilege elevation and delegation management and pragmatic application control across all types of endpoints (Unix, Linux, Windows, Mac, network devices, and more).

Learn more about BeyondTrust Privilege Management for Mac by requesting a demo.

Related macOS security reading

macOS Security: Managing Privileged Access & Credentials (blog)

A Zero Trust Approach to Windows & Mac Endpoint Security (white paper)

Privilege Management for Windows & Mac (product page)


Paul Thexton, Senior Software Engineer

Paul Thexton is a software & systems engineer with 20 years of experience. In that time he has worked with Linux desktop, Linux embedded, Windows, macOS, and real-time operating systems on embedded devices. He joined BeyondTrust (via Avecto) 7 years ago and contributed to the company's Windows Endpoint Privilege Management product before switching teams at the end of 2017 to work on our macOS Endpoint Privilege Management product.
