CVE-2021-30657 — Apple macOS Unspecified Vulnerability

Apple macOS Gatekeeper — Logic Issue in System Preferences Allows Malicious App to Bypass Gatekeeper Checks; Exploited by Shlayer Malware Before April 2021 Patch

What is macOS Gatekeeper?

macOS Gatekeeper is a security mechanism that enforces code signing and verification requirements for applications downloaded from the internet. When a user downloads and attempts to open an application that did not come from the Mac App Store, Gatekeeper checks that the application is signed by an identified developer, has been notarized by Apple, and has not been modified since signing. Applications that fail these checks display a warning or are blocked from execution entirely. Gatekeeper is a primary defense against macOS malware distribution: most macOS malware delivery relies on convincing users to open unsigned or maliciously signed applications, so bypassing Gatekeeper lets malware execute without triggering Apple's notarization-based controls, reducing friction in malware installation and removing the user-visible security warnings.

Overview

CVE-2021-30657 is a logic issue in macOS System Preferences that allows a malicious application to bypass Gatekeeper checks. By exploiting the logic flaw, a malicious app can execute without triggering the normal Gatekeeper security dialogs — allowing malware to run on macOS without the user seeing Apple's "This application is from an unidentified developer" warning or being blocked. This vulnerability was exploited by the Shlayer macOS malware family (a prolific adware dropper) before Apple patched it in macOS Big Sur 11.3 (April 26, 2021). Discovered by Jamf security researchers. CISA added it to the KEV catalog in November 2021.

Affected Versions

Product Vulnerable Fixed
macOS Big Sur before 11.3 Yes macOS Big Sur 11.3 (April 26, 2021)
macOS Catalina (various) Yes Security Update 2021-002 Catalina
macOS Mojave (various) Yes Security Update 2021-003 Mojave

Technical Details

  • Root cause: Logic issue in macOS System Preferences — a flaw in how macOS evaluates applications (possibly related to how certain bundle types, script applications, or app wrapper structures are assessed by Gatekeeper) allows a malicious application to appear valid or to be treated differently than standard .app bundles, bypassing the Gatekeeper quarantine check
  • Gatekeeper bypass mechanism: Applications downloaded from the internet receive a quarantine extended attribute (com.apple.quarantine) that triggers Gatekeeper evaluation on launch; the CVE-2021-30657 logic issue allows certain application bundle types to bypass this evaluation — possibly by exploiting how macOS handles applications delivered as script apps, shell applications, or bundles with non-standard structures
  • UI:R - user must launch the application: The bypass requires a user to attempt to open the malicious application; the vulnerability removes the Gatekeeper warning and blocking that would normally occur, making the user-launch step transparent and indistinguishable from opening legitimate software
  • I:H (Integrity impact): Gatekeeper bypass allows arbitrary unauthorized code to execute on the macOS system — bypassing a key security control that restricts what software can run; the integrity impact reflects that the attacker's code executes as if it were trusted software
  • Shlayer exploitation: Shlayer is macOS's most prevalent malware family, delivering adware, browser hijackers, and potentially more dangerous payloads; it used CVE-2021-30657 to silently install on macOS systems without triggering Gatekeeper warnings, significantly increasing its delivery success rate

Discovery

Discovered by Jamf Threat Labs researchers (Jaron Bradley) while analyzing Shlayer malware samples. Jamf published their findings on April 3, 2021, coordinated with Apple's patch release. Apple patched CVE-2021-30657 in macOS Big Sur 11.3 (April 26, 2021) — 23 days after the Jamf report, reflecting Apple's relatively rapid response to the disclosed zero-day.

Exploitation Context

Shlayer is the most widespread macOS malware family, responsible for a significant portion of all macOS malware detections. CVE-2021-30657 gave Shlayer the ability to bypass Apple's primary defense against unsigned macOS software, dramatically reducing the "friction" in macOS malware installation. Users who downloaded and opened a Shlayer-infected file (disguised as a software update, pirated software, or media player) received no Gatekeeper warning, and the malware installed silently with no visible prompt. While Shlayer primarily delivers adware, the same Gatekeeper bypass is usable by any macOS malware, and the technique was documented widely enough that other macOS malware families could incorporate it. The November 2021 CISA KEV addition reflects that this remained a relevant threat against unpatched macOS systems months after the patch.

Remediation

  1. Update macOS to Big Sur 11.3 or later (or apply the corresponding Security Updates for Catalina and Mojave)
  2. Enable automatic macOS updates: System Preferences → Software Update → Automatically keep my Mac up to date
  3. Enable Gatekeeper's strictest setting: System Preferences → Security & Privacy → Allow apps downloaded from: "App Store and identified developers" (or "App Store" only for highest security)
  4. On macOS Ventura and later, Security & Privacy settings are in System Settings → Privacy & Security
  5. For enterprise deployments: use mobile device management (MDM) to enforce macOS security update compliance and Gatekeeper policy settings
  6. Avoid disabling Gatekeeper entirely (spctl --master-disable) — doing so permanently removes macOS's application verification controls and leaves the system vulnerable regardless of future Gatekeeper bypass CVEs
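The checks a defender would run against the Technical Details and Remediation sections above, as an added Python example that is not part of this advisory and not code from Apple or Jamf: it classifies a `sw_vers -productVersion` string against the fix versions listed here, decodes the `com.apple.quarantine` extended attribute value that triggers Gatekeeper evaluation (as printed by `xattr -p`), and interprets `spctl --status` output. The inputs are constructed inline so the script runs offline; the attribute layout (`flags;hex-epoch;agent;uuid`) and the `assessments enabled` / `assessments disabled` strings are assumptions about those tools' output formats, and the flags word is left uninterpreted because its bits are not documented.

```python
"""Defender-side checks related to CVE-2021-30657 (added example, not the advisory's code).

  * patch_status()       classifies a macOS product version against the fixes
                         named in the advisory (Big Sur 11.3; Security Update
                         2021-002 Catalina; Security Update 2021-003 Mojave)
  * parse_quarantine()   decodes a com.apple.quarantine attribute value, the
                         marker that makes Gatekeeper evaluate a downloaded app
  * gatekeeper_enabled() interprets the output of `spctl --status`
  * triage()             combines the three into a list of findings
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Optional


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.2.3' into (11, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def patch_status(product_version: str) -> str:
    """Classify a `sw_vers -productVersion` string.

    Returns 'patched', 'vulnerable', 'check-security-update' or 'out-of-scope'.
    Catalina and Mojave keep their product version after a Security Update is
    installed, so for those the build number or the installed-updates list
    must be checked separately; this function only flags that need.
    """
    v = parse_version(product_version)
    major = v[0]
    if major >= 12:
        return "patched"                    # Monterey and later ship after the fix
    if major == 11:
        return "patched" if v[:2] >= (11, 3) else "vulnerable"
    if major == 10 and len(v) > 1 and v[1] in (14, 15):
        return "check-security-update"      # Mojave (10.14) / Catalina (10.15)
    return "out-of-scope"                   # no fix listed in the advisory


def parse_quarantine(value: Optional[str]) -> dict:
    """Decode a com.apple.quarantine value ('flags;hex-epoch;agent;uuid').

    `value` is what `xattr -p com.apple.quarantine <path>` prints, or None
    when the attribute is absent (no Gatekeeper evaluation on launch).
    Layout is an assumption about the tool's output format.
    """
    if value is None:
        return {"quarantined": False}
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"unexpected quarantine attribute layout: {value!r}")
    downloaded = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    return {
        "quarantined": True,
        "flags": int(fields[0], 16),        # kept raw: bits are undocumented
        "downloaded_at": downloaded.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "agent": fields[2],                 # app that performed the download
        "uuid": fields[3] if len(fields) > 3 else None,
    }


def gatekeeper_enabled(spctl_status_output: str) -> bool:
    """Interpret `spctl --status` output (assumed: 'assessments enabled|disabled')."""
    text = spctl_status_output.strip().lower()
    if text == "assessments enabled":
        return True
    if text == "assessments disabled":
        return False
    raise ValueError(f"unrecognised spctl --status output: {spctl_status_output!r}")


def triage(product_version: str, spctl_output: str, quarantine_value: Optional[str]) -> list[str]:
    """Return human-readable findings for one host and one downloaded app."""
    findings = []
    status = patch_status(product_version)
    if status == "vulnerable":
        findings.append(f"macOS {product_version}: update to Big Sur 11.3 or later")
    elif status == "check-security-update":
        findings.append(f"macOS {product_version}: confirm the 2021 Security Update is installed")
    if not gatekeeper_enabled(spctl_output):
        findings.append("Gatekeeper assessments disabled: re-enable with `spctl --master-enable`")
    q = parse_quarantine(quarantine_value)
    if not q["quarantined"]:
        findings.append("app carries no quarantine attribute: Gatekeeper will not evaluate it on launch")
    else:
        findings.append(f"app downloaded by {q['agent']} at {q['downloaded_at']}; Gatekeeper evaluation expected")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    SAMPLE_XATTR = "0083;60860280;Safari;0F0F0F0F-0000-4000-8000-000000000000"
    for line in triage("11.2.3", "assessments enabled\n", SAMPLE_XATTR):
        print(line)
```

Run it on a real host by feeding the three inputs from `sw_vers -productVersion`, `spctl --status` and `xattr -p com.apple.quarantine <app>`; the version check is authoritative only for Big Sur and later, which is why Catalina and Mojave get a "confirm" finding rather than a verdict.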

Key Details

Property Value
CVE ID CVE-2021-30657
Vendor / Product Apple — macOS
NVD Published 2021-09-08
NVD Last Modified 2025-10-23
CVSS 3.1 Score 5.5
CVSS 3.1 Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Severity MEDIUM
CISA KEV Added 2021-11-03
CISA KEV Deadline 2021-11-17
Known Ransomware Use No

CVSS 3.1 Breakdown

Metric Value
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date Event
2021-04-03 Jamf researchers document Shlayer macOS malware exploiting a Gatekeeper bypass; CVE-2021-30657 identified as the mechanism
2021-04-26 Apple releases macOS Big Sur 11.3, Catalina Security Update 2021-002, and Mojave Security Update 2021-003, patching CVE-2021-30657
2021-09-08 CVE published
2021-11-03 Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 CISA BOD 22-01 remediation deadline

References

Resource Type
Apple Security Advisory (macOS Big Sur 11.3) Vendor Advisory
NVD entry for CVE-2021-30657 Vulnerability Database
CISA KEV Catalog Entry US Government