The Cupertino giant has addressed a severe Gatekeeper bypass vulnerability affecting macOS devices. Exploiting the flaw could allow attackers to deploy malicious apps even on fully-patched systems.
macOS Gatekeeper Bypass Flaw
Elaborating on the vulnerability in a blog post, Patrick Wardle highlighted how the Gatekeeper bypass flaw risked macOS security.
Gatekeeper is a security check feature in macOS that validates app notarization and developer signature for incoming apps. These security measures ensure keeping malicious apps and malware away from macOS.
As described, the vulnerability, CVE-2021-30853, first caught the attention of Gordon Long. Briefly, this bug could allow an unsigned, un-notarized app to run on a target device.
While Wardle has explained the bug and the PoC exploit in detail in his post, summarizing the issue, he stated,
-When a script-based application with no specified interpreter is launched, execution initially fails with ENOEXEC. This causes the script to be (re)executed via
/bin/sh
.
-As/bin/sh
is a Mach-O (not a script), no script labels are set. Thus the script is never evaluated (nor blocked) bysyspolicyd
.
The policy engine just sees/bin/sh
(a trusted platform binary), and thus allows it to execute. Of course/bin/sh
then executes the PoC script.
That’s the exact vulnerability – the unsigned PoC gets executed despite lacking notarization.
Apple Patched The Vulnerability
The researchers confirmed that Apple had patched the vulnerability with macOS Big Sur 11.6. Mentioning this bug’s impact in the advisory, Apple stated,
A malicious application may bypass Gatekeeper checks.
The tech giant confirmed to have fixed the flaw “with improved checks.”
Since the update rolled out in September 2021, most users would have received the fix already. Nonetheless, those who haven’t updated their devices yet should now rush to receive the updates, especially considering that the PoC for this serious exploit is now public.
Let us know your thoughts in the comments.