The macOS operating system was recently patched for a security vulnerability that could be exploited by a threat actor to bypass “myriad foundational macOS security mechanisms” and run arbitrary code.
Patrick Wardle described the discovery in a series of tweets on Thursday. Tracked as CVE-2021-30853 (CVSS 5.5), the issue involves a scenario where a rogue macOS app can circumvent Gatekeeper, the check that is meant to ensure only trusted, notarized apps are allowed to run.
As part of the macOS 11.6 updates officially released on September 20, 2021, Apple said it addressed the vulnerability, reported by Gordon Long of Box, through improved checks.
In a technical report on the vulnerability, Wardle said the flaw allows adware and malware to sidestep the macOS security mechanisms that would otherwise thwart infection attempts.
In particular, the bug evades not only Gatekeeper but also File Quarantine and macOS’s notarization requirements, effectively allowing a seemingly innocuous file such as a PDF to compromise the entire system simply by being opened. Wardle explains that the problem stems from the way macOS handles unsigned, non-notarized script-based applications that lack an explicit interpreter, resulting in a total bypass.
It should be noted that a shebang interpreter directive — such as #!/bin/sh or #!/bin/bash — is normally the first line of a script and tells the operating system which interpreter should run it. However, in this edge case, an adversary can craft an application whose script carries a shebang line with no interpreter at all (i.e., a bare #!) and still get the operating system to execute the script without raising an alert.
“MacOS attempts (again) to run the failed ‘interpreter-less’ script-based app via the shell (‘/bin/sh’),” Wardle explained, referring to what happens after the initial execution failure.
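The condition described above (a script-based app whose executable begins with a bare "#!" and names no interpreter) is easy to look for on disk. The following is an added defensive example, not code from the article or from Wardle's report: it walks .app bundles, reads the first line of each file under Contents/MacOS, and flags executables whose shebang line is interpreter-less. The bundle layout (Contents/MacOS holding the main executable) is the standard one; the two sample bundles it builds in a temporary directory are constructed test data, and the function names are this example's own.

```python
import os
import tempfile


def shebang_interpreter(first_line):
    """Classify a script's first line.

    Returns None if the line is not a shebang at all, '' if it is a bare
    '#!' with no interpreter (the case this bug class relies on), or the
    interpreter path otherwise (e.g. '/bin/sh', '/usr/bin/env').
    """
    if not first_line.startswith("#!"):
        return None
    rest = first_line[2:].strip()
    if not rest:
        return ""
    return rest.split()[0]


def scan_bundle(app_dir):
    """Return the paths of script executables inside one .app bundle whose
    shebang names no interpreter. Mach-O binaries and scripts with an
    explicit interpreter are not flagged."""
    macos_dir = os.path.join(app_dir, "Contents", "MacOS")
    flagged = []
    if not os.path.isdir(macos_dir):
        return flagged
    for name in sorted(os.listdir(macos_dir)):
        path = os.path.join(macos_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            head = f.read(256)
        if not head.startswith(b"#!"):
            continue  # not a script-based executable; out of scope here
        first_line = head.split(b"\n", 1)[0].decode("utf-8", "replace")
        if shebang_interpreter(first_line) == "":
            flagged.append(path)
    return flagged


def scan_directory(root):
    """Scan every .app bundle directly under root; map bundle name -> flagged paths."""
    results = {}
    for entry in sorted(os.listdir(root)):
        if entry.endswith(".app") and os.path.isdir(os.path.join(root, entry)):
            results[entry] = scan_bundle(os.path.join(root, entry))
    return results


def build_sample_bundles(root):
    """Construct two minimal bundles for demonstration (constructed data,
    not real software): one with an explicit interpreter, one with a bare '#!'."""
    samples = {
        "Benign.app": b"#!/bin/sh\necho hello\n",
        "Suspicious.app": b"#!\necho hello\n",
    }
    for bundle, body in samples.items():
        macos_dir = os.path.join(root, bundle, "Contents", "MacOS")
        os.makedirs(macos_dir)
        exe = os.path.join(macos_dir, bundle[:-len(".app")])
        with open(exe, "wb") as f:
            f.write(body)
        os.chmod(exe, 0o755)
    return sorted(samples)


def demo():
    """Build the sample bundles in a temp dir, scan them, and return the results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_bundles(root)
        return {name: len(paths) for name, paths in scan_directory(root).items()}


if __name__ == "__main__":
    for bundle, count in demo().items():
        status = "FLAGGED" if count else "ok"
        print(f"{bundle}: {status}")
```

To run it against a real system, point scan_directory at a folder such as /Applications or a user's Downloads directory; on macOS a hit is worth correlating with the file's com.apple.quarantine attribute (xattr -p com.apple.quarantine <path>) and with whether the bundle is signed and notarized, since an unsigned, quarantined, interpreter-less script app is exactly the shape this bug concerns. On a patched system (macOS 11.6 and later) the scanner still serves as an inventory check for script-based apps that a policy may want to block outright.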
As a result, threat actors can exploit this flaw by tricking their targets into installing a rogue app masquerading as Adobe Flash Player or trojanized versions of legitimate apps like Microsoft Office. These rogue apps are then delivered via a method called search poisoning, in which attackers artificially increase the search engine rankings of websites hosting their malware.
The Gatekeeper process has been found to have flaws before. This April, Apple patched a zero-day vulnerability (CVE-2021-30657) that had been actively exploited, allowing unapproved software to run on Macs.
Microsoft disclosed a vulnerability dubbed “Shrootless” (CVE-2021-30892) in October, which could be exploited to perform arbitrary operations, elevate privileges to root, and install rootkits on compromised devices. In its October 26 security update, Apple said it addressed the problem with additional restrictions.