CVE-2021-30657 Overview
CVE-2021-30657 is a logic flaw in macOS that allows a malicious application to bypass Gatekeeper, the operating system's primary code-signing and notarization enforcement layer. Apple addressed the issue with improved state management in macOS Big Sur 11.3 and Security Update 2021-002 for Catalina. Apple acknowledged reports that the flaw was actively exploited in the wild before the patch shipped, and CISA has since added it to the Known Exploited Vulnerabilities (KEV) catalog. The weakness maps to [CWE-862] (Missing Authorization) and enables user-assisted execution of unsigned or unnotarized payloads with the integrity of the macOS trust model effectively neutralized.
Critical Impact
A crafted application bundle can execute on macOS without triggering Gatekeeper prompts, notarization checks, or quarantine warnings, exposing endpoints to malware delivered through routine user actions.
Affected Products
- Apple macOS Big Sur prior to 11.3
- Apple macOS Catalina prior to Security Update 2021-002
- Apple macOS 10.15.6 and 10.15.7 (including supplemental and security updates 2020 through 2020-007)
Discovery Timeline
- 2021-09-08 - CVE-2021-30657 published to NVD
- 2025-10-23 - Last updated in NVD database
Technical Details for CVE-2021-30657
Vulnerability Analysis
The vulnerability resides in macOS logic that evaluates application bundles before execution. Gatekeeper normally validates code signatures, notarization tickets, and quarantine attributes before allowing user-launched applications to run. A state-management defect in this evaluation path allowed specially crafted bundles to be treated as trusted, skipping the policy checks that should have blocked them. The flaw classifies as a business logic and authorization weakness rather than memory corruption, which is why it carries a local attack vector with user interaction but high integrity impact.
Exploitation is user-assisted: a victim must launch the malicious application. However, because the bundle bypasses Gatekeeper, the user receives none of the standard warnings, prompts, or notarization errors that typically accompany unsigned code. From the user's perspective, the application appears legitimate.
Root Cause
The underlying defect is improper state management in the policy decision logic that determines whether an application bundle is subject to Gatekeeper enforcement. Specific bundle structures caused macOS to misclassify the executable, omitting calls to the assessment subsystem responsible for code signing and notarization validation. Apple's fix tightens state tracking so all qualifying bundles are routed through the assessment policy regardless of structural variations.
Attack Vector
Attack delivery typically relies on social engineering. Operators distribute a malformed application bundle through phishing links, watering-hole sites, or trojanized software pages. Once the user opens the bundle from Finder or via a LaunchServices invocation, the malicious payload executes without quarantine prompts. The Shlayer adware family was publicly reported to weaponize this flaw to install second-stage malware on unpatched macOS systems.
No verified public proof-of-concept code is referenced in the available advisories. See Apple Security Advisory HT212325 and Apple Security Advisory HT212326 for vendor technical detail.
Detection Methods for CVE-2021-30657
Indicators of Compromise
- Application bundles executing from ~/Downloads, /tmp, or /private/tmp without an associated com.apple.quarantine extended attribute
- spctl --assess returning success on binaries that lack valid Developer ID signatures or notarization tickets
- Child processes spawning from applications that were never registered with LaunchServices through normal install flows
- Known Shlayer payload artifacts dropped under ~/Library/LaunchAgents or ~/Library/Application Support
Detection Strategies
- Monitor xattr activity for the absence or stripping of com.apple.quarantine on freshly downloaded executables
- Alert on syspolicyd and XprotectService log entries indicating bypassed or skipped assessments
- Correlate browser or mail-client downloads with subsequent exec events of unsigned Mach-O binaries
- Hunt for application bundles whose Info.plist or directory layout deviates from standard Apple bundle conventions
Monitoring Recommendations
- Centralize macOS Unified Logs (log collect) and forward syspolicyd, amfid, and kext telemetry to your SIEM
- Track macOS build versions across the fleet and flag endpoints still running Big Sur below 11.3 or Catalina without Security Update 2021-002
- Baseline approved code-signing identities and alert on first-seen Team IDs executing from user-writable directories
How to Mitigate CVE-2021-30657
Immediate Actions Required
- Upgrade all macOS Big Sur endpoints to 11.3 or later and apply Security Update 2021-002 to macOS Catalina hosts
- Audit endpoints for execution of unsigned binaries from user directories during the exposure window
- Restrict installation privileges so standard users cannot launch arbitrary downloaded application bundles
- Validate that EDR and management tooling enforce macOS patch SLAs given CISA KEV listing
Patch Information
Apple released fixes in macOS Big Sur 11.3 and Security Update 2021-002 Catalina. Refer to Apple Security Advisory HT212325 for Big Sur and Apple Security Advisory HT212326 for Catalina. CISA tracking is available in the CISA Known Exploited Vulnerabilities catalog entry for CVE-2021-30657.
Workarounds
- No vendor-supplied workaround exists; patching is the only supported remediation
- Enforce application allowlisting through MDM configuration profiles to limit execution to known Developer IDs
- Disable user override of Gatekeeper via spctl and require administrator approval for non-App Store applications
# Verify patched macOS version and Gatekeeper assessment state
sw_vers -productVersion
spctl --status
spctl --assess --verbose=4 /Applications/Suspect.app
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
