CVE-2021-30805
📋 TL;DR
CVE-2021-30805 is a critical memory corruption vulnerability in macOS that allows an application to execute arbitrary code with kernel privileges. This affects macOS Big Sur, Catalina, and Mojave systems. Successful exploitation gives attackers complete control over the affected system.
💻 Affected Systems
- macOS
📦 What is this software?
Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with kernel-level privileges, allowing attackers to install persistent malware, steal sensitive data, or pivot to other systems.
Likely Case
Local privilege escalation where a malicious application gains kernel privileges to bypass security controls and access protected resources.
If Mitigated
Limited impact if systems are fully patched and have application allowlisting or other privilege restrictions in place.
🎯 Exploit Status
Exploitation requires local access or ability to run a malicious application. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Big Sur 11.5, Security Update 2021-004 Catalina, Security Update 2021-005 Mojave
Vendor Advisory: https://support.apple.com/en-us/HT212600
Restart Required: Yes
Instructions:
1. Open System Preferences > Software Update. 2. Install available updates. 3. Restart the system when prompted.
🔧 Temporary Workarounds
Application Restriction
allRestrict execution of untrusted applications using application allowlisting or parental controls.
🧯 If You Can't Patch
- Implement strict application control policies to prevent execution of untrusted applications.
- Isolate vulnerable systems from critical network segments and monitor for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check macOS version: System Preferences > About This Mac. If version is Big Sur < 11.5, Catalina without Security Update 2021-004, or Mojave without Security Update 2021-005, system is vulnerable.Check Version:
sw_versVerify Fix Applied:
Verify macOS version is Big Sur 11.5 or later, or that Security Update 2021-004/005 is installed in System Preferences > Software Update > Update History.📡 Detection & Monitoring
Log Indicators:
- Unexpected kernel extensions loading
- Suspicious process spawning with elevated privileges
- Console.app logs showing memory corruption errors
Network Indicators:
- Unusual outbound connections from system processes
- Network traffic to known malicious domains from kernel-level processes
SIEM Query:
source="macos" AND (event_type="process_creation" AND parent_process="kernel_task") OR (event_type="kernel_extension" AND status="loaded")