A zero-click chain of critical-, medium-, and low-severity vulnerabilities in macOS could have allowed attackers to undermine macOS’s brand name security protections and ultimately compromise victims’ iCloud data.
The story begins with a lack of sanitization of files attached to Calendar events. From there, researcher Mikko Kenttälä discovered he could achieve remote code execution (RCE) on targeted systems, and access sensitive data — in his experiments, he used iCloud Photos. No step in the process required any user interaction, and neither Apple’s Gatekeeper nor Transparency, Consent, and Control (TCC) protections could stop it.
Zero-Click Exploit Chain in macOS
The all-important first bug in the chain — CVE-2022-46723 — was awarded a “critical” 9.8 out of 10 CVSS score back in February 2023.
It wasn’t just dangerous, it was simple to exploit. An attacker could simply send the victim a calendar invite containing a malicious file. Because macOS failed to properly vet the filename, the attacker could name it arbitrarily, to various effects.
For example, they could name it with the goal of deleting a specific, preexisting system file. If they gave it the same name as an existing file, then deleted the calendar event through which they delivered it, the system would delete both the malicious file and the original file it mimicked.
More dangerous was the potential for an attacker to perform path traversal, naming their attachment in such a way that would allow it to escape the Calendar’s sandbox, where attached files are supposed to be saved, to other locations on the system.
Kenttälä used this arbitrary file write power to take advantage of an operating system upgrade (at the time of discovery, macOS Ventura was about to be released). First, he created a file mimicking a Siri-suggested repeating calendar event, hiding alerts that would trigger the execution of further files during a migration. One of those follow-on files was responsible for migrating old calendar data to the new system. Another allowed him to mount a network share from Samba, the open source Server Message Block (SMB) protocol, without triggering a security flag. Another two files triggered the launch of a malicious app.
Undermining Apple’s Native Security Controls
The malicious app snuck in without raising any alarm, thanks to a bypass in macOS’s Gatekeeper security feature — the control that stands between Mac systems and untrusted apps. Labeled CVE-2023-40344, it was assigned a medium-severity 5.5 out of 10 CVSS rating back in January 2024.
Gatekeeper, though, wasn’t the only signature macOS security feature undermined in the attack. Using a script launched by the malicious app, Kenttälä successfully replaced the configuration file associated with iCloud Photos with a malicious one. This re-pointed Photos to a custom path, outside of the protection of TCC, the protocol macOS uses to ensure apps don’t improperly access sensitive data and resources. The re-pointing, CVE-2023-40434 — with a “low” 3.3 CVSS severity score — opened the door to wanton theft of photos, which could be exfiltrated to foreign servers with “trivial modifications.”
“MacOS’s Gatekeeper and TCC are critical for ensuring only trusted software is installed and managing access to sensitive data,” explains Callie Guenther, senior manager of cyber threat research for Critical Start. “However, the zero-click vulnerability in macOS Calendar showed how attackers can bypass these protections by exploiting sandbox processes.” Guenther notes, though, that macOS isn’t uniquely vulnerable to these types of attacks: “Similar vulnerabilities exist in Windows, where Device Guard and SmartScreen can be bypassed using techniques like privilege escalation or exploiting kernel vulnerabilities.”
For example, she adds, “Attackers have used DLL hijacking or sandbox escape methods to defeat Windows security controls. Both operating systems rely on robust security frameworks, but persistent adversaries — especially APT groups — find ways to bypass these defenses.”
Apple acknowledged and patched the many vulnerabilities in the exploit chain at various points between October 2022 and September 2023.