CVE-2021-1810: Vulnerability in macOS allows bypassing Gatekeeper feature. Proof of concept available

Security researcher Rasmus Sten has published proof-of-concept (PoC) code for a critical vulnerability in macOS Gatekeeper that Apple patched a few months ago. Tracked as CVE-2021-1810, the flaw allows bypassing three security mechanisms the company implemented to prevent the download of malicious files.

The vulnerability affects macOS Big Sur and Catalina and can be exploited by threat actors using a specially crafted file. Successful exploitation allows unsigned binaries to run on macOS devices even with Gatekeeper enforcing code signatures, and without the user being able to notice the malicious activity.

The researcher explains that the flaw stems from the way Archive Utility handles file paths: for paths longer than 886 characters, the com.apple.quarantine extended attribute is no longer applied, so Gatekeeper is bypassed for the files extracted onto the system.

Sten found that some macOS components behave unexpectedly once the total path length reaches a certain limit. He eventually discovered that it was possible to create a file with a path long enough for Safari to hand it to Archive Utility for decompression, yet short enough for Finder to navigate to it and for macOS to execute the code inside it.

The PoC code posted by Sten, who also published a demo video, creates the file with the path length needed to exploit CVE-2021-1810, along with a symbolic link that makes the malicious ZIP file look normal.
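As an added defensive example (not the article's own code and not Sten's PoC), the following Python script audits an extracted directory for files that lack com.apple.quarantine, flags paths beyond the 886-character limit described above, and lists symbolic links; it assumes the macOS xattr(1) tool for reading attributes, and its demo() builds a constructed sample tree with a simulated attribute reader.

```python
import os
import subprocess
import tempfile
from typing import Callable, Dict, List, Optional

QUARANTINE_XATTR = "com.apple.quarantine"
PATH_LENGTH_THRESHOLD = 886  # path length at which Archive Utility stopped applying the attribute

XattrReader = Callable[[str, str], Optional[str]]


def read_xattr_macos(path: str, name: str) -> Optional[str]:
    """Read one extended attribute with the macOS xattr(1) tool; None if absent (assumed available)."""
    proc = subprocess.run(["xattr", "-p", name, path], capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def audit_tree(root: str, read_xattr: XattrReader = read_xattr_macos) -> Dict[str, List[str]]:
    """Classify every entry under root (e.g. a freshly extracted archive).

    unquarantined: regular files without com.apple.quarantine (Gatekeeper will not inspect them)
    overlong:      files whose absolute path exceeds PATH_LENGTH_THRESHOLD
    symlinks:      symbolic links, listed separately because the PoC used one to disguise the ZIP
    """
    findings: Dict[str, List[str]] = {"unquarantined": [], "overlong": [], "symlinks": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.abspath(os.path.join(dirpath, fname))
            if os.path.islink(path):
                findings["symlinks"].append(path)
                continue
            if len(path) > PATH_LENGTH_THRESHOLD:
                findings["overlong"].append(path)
            if read_xattr(path, QUARANTINE_XATTR) is None:
                findings["unquarantined"].append(path)
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed sample tree: one short file, one symlink, one file beyond the threshold.

    The simulated reader models the reported bug: the attribute is missing only on overlong paths.
    """
    def simulated_reader(path: str, name: str) -> Optional[str]:
        # constructed value in the usual flags;timestamp;agent; layout
        return None if len(path) > PATH_LENGTH_THRESHOLD else "0083;00000000;Safari;"

    root = tempfile.mkdtemp()
    open(os.path.join(root, "readme.txt"), "w").close()
    os.symlink("readme.txt", os.path.join(root, "looks-normal.zip"))
    deep_dir = os.path.join(root, *["d" * 200] * 4)  # four 200-character components
    os.makedirs(deep_dir)
    open(os.path.join(deep_dir, "p" * 100), "w").close()  # total path well past 886 characters
    return audit_tree(root, simulated_reader)
```

On a real macOS host, call audit_tree() with the default reader on the directory Archive Utility just produced; any file in both "overlong" and "unquarantined" deserves manual review before it is opened.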

This flaw was addressed in macOS Big Sur 11.3 and in Security Update 2021-002 for macOS Catalina, so users of affected versions are advised to verify that their computers are running the patched version of the system.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.