Zero-Click Vulnerabilities in macOS Calendar Risk iCloud Data Exposure

September 17, 2024

A chain of vulnerabilities, including critical, medium, and low-severity bugs, were discovered in macOS that could potentially allow attackers to bypass Apple's renowned security measures and gain access to victims' iCloud data. The vulnerabilities were found in the Calendar application, with the initial issue stemming from the lack of file sanitization attached to Calendar events. Security researcher Mikko Kenttälä found that these vulnerabilities could be exploited to perform remote code execution (RCE) on targeted systems and gain access to sensitive data. In his tests, Kenttälä accessed iCloud Photos. Notably, no user interaction was required at any stage of the exploit, and Apple's Gatekeeper and Transparency, Consent, and Control (TCC) protections could not prevent the attack.

The first bug in the chain, identified as CVE-2022-46723, was given a critical rating of 9.8 out of 10 on the CVSS scale in February 2023. The bug was not only dangerous but also easy to exploit. Attackers could simply send a Calendar invite with a malicious file attached to the victim. Due to macOS's failure to properly scrutinize the filename, the attacker could name it anything, leading to various potential effects. For instance, the attacker could name the file to delete a specific system file. If the file was named the same as an existing file, deleting the Calendar event would result in the system deleting both the malicious file and the original file it mimicked.

An even more hazardous scenario would be an attacker performing path traversal, naming their attachment in a way that would allow it to escape the Calendar's sandbox, where attached files are supposed to be saved, to other locations on the system. Kenttälä used this ability to write files anywhere to exploit an operating system upgrade. He created a file that mimicked a Siri-suggested repeating calendar event, hiding alerts that would trigger the execution of additional files during a migration. One of these files was responsible for migrating old calendar data to the new system. Another allowed him to mount a network share from Samba, the open-source Server Message Block (SMB) protocol, without raising a security flag. Two more files triggered the launch of a malicious app.

This malicious app managed to bypass macOS's Gatekeeper security feature, which is designed to prevent untrusted apps from running on Mac systems. This bypass, labeled CVE-2023-40344, was assigned a medium-severity rating of 5.5 out of 10 on the CVSS scale in January 2024. However, Gatekeeper was not the only macOS security feature that was bypassed in the attack. Using a script launched by the malicious app, Kenttälä was able to replace the configuration file associated with iCloud Photos with a malicious one. This pointed Photos to a custom path, outside the protection of TCC, the protocol macOS uses to ensure apps do not improperly access sensitive data and resources. This re-pointing, identified as CVE-2023-40434, was given a low severity score of 3.3 on the CVSS scale. This vulnerability opened the door for potential theft of photos, which could easily be transferred to foreign servers.

Callie Guenther, senior manager of cyber threat research for Critical Start, explains, 'MacOS's Gatekeeper and TCC are critical for ensuring only trusted software is installed and managing access to sensitive data. However, the zero-click vulnerability in macOS Calendar showed how attackers can bypass these protections by exploiting sandbox processes.' Guenther notes that macOS is not the only system vulnerable to such attacks, as similar vulnerabilities exist in Windows, where security features like Device Guard and SmartScreen can be bypassed using techniques like privilege escalation or exploiting kernel vulnerabilities. Apple has acknowledged and patched the vulnerabilities in the exploit chain between October 2022 and September 2023.

Latest News

• Critical Remote Code Execution Vulnerability in VMware vCenter Server Patched by Broadcom
• Advanced Persistent Threat Group 'Void Banshee' Exploits Microsoft Zero-Day Vulnerabilities
• CISA Alerts on Windows Flaw Exploited by Void Banshee APT Group
• Urgent Call to Patch: Exploit Code for Critical Ivanti RCE Vulnerability Released
• Void Banshee APT Group Exploits Windows MSHTML Spoofing Vulnerability