CVE-2021-1805
📋 TL;DR
CVE-2021-1805 is an out-of-bounds write vulnerability in macOS that allows an application to execute arbitrary code with kernel privileges. This affects macOS Mojave 10.14.6, Catalina 10.15.7, and Big Sur 11.2.0 and earlier versions. Successful exploitation gives attackers complete control over the affected system.
💻 Affected Systems
- macOS
📦 What is this software?
Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with kernel-level persistence, data theft, and complete control over hardware and software.
Likely Case
Privilege escalation from user to kernel mode, enabling installation of rootkits, backdoors, or disabling security controls.
If Mitigated
Limited impact if systems are fully patched, isolated, or have additional security controls like application allowlisting.
🎯 Exploit Status
Exploitation requires an attacker to have local access or trick a user into running a malicious application. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, macOS Mojave 10.14.6 Security Update 2021-002
Vendor Advisory: https://support.apple.com/en-us/HT212177
Restart Required: Yes
Instructions:
1. Open System Preferences > Software Update. 2. Install all available updates. 3. Restart the system when prompted.
🔧 Temporary Workarounds
Application Restriction
macOSRestrict execution of untrusted applications using macOS security features
sudo spctl --master-enable
sudo spctl --enable --label "Developer ID"
🧯 If You Can't Patch
- Isolate affected systems from network access and sensitive data
- Implement strict application control policies to prevent execution of untrusted code
🔍 How to Verify
Check if Vulnerable:
Check macOS version: if running Mojave 10.14.6, Catalina 10.15.7, or Big Sur 11.2.0 or earlier without security updates, system is vulnerable.Check Version:
sw_versVerify Fix Applied:
Verify macOS version is updated to Big Sur 11.2.1, Catalina 10.15.7 Supplemental Update, or Mojave 10.14.6 Security Update 2021-002.📡 Detection & Monitoring
Log Indicators:
- Unexpected kernel extensions loading
- Processes running with root privileges from unusual locations
- Console logs showing privilege escalation attempts
Network Indicators:
- Unusual outbound connections from system processes
- DNS queries to suspicious domains from kernel-level processes
SIEM Query:
source="macos" AND (event_type="process_creation" AND parent_process="kernel_task") OR (event_type="privilege_escalation")