
Researcher chains multiple old macOS flaws to compromise iCloud with no user interaction

Take action: This exploit chain is the reason you must keep up with patching your computers - even Macs. Someone will find a way to exploit old and non-critical flaws in sequence, and will hack you. It's an arms race, and your only advantage is discipline.


Learn More

A zero-click remote code execution (RCE) vulnerability in macOS Calendar, which allowed for the theft of iCloud data, was discovered by researcher Mikko Kenttälä.

This exploit chain bypassed key macOS security features, including the Calendar sandbox, Gatekeeper, and Transparency, Consent, and Control (TCC) protections, enabling attackers to access sensitive data without user interaction.

Details of the Exploit Chain

  1. The initial vulnerability in this chain, tracked as CVE-2022-46723 (CVSS score 9.8, February 2023), is a lack of sanitization of filenames for files attached to Calendar events. An attacker could exploit this by sending a calendar invite containing a malicious file. Because the filename was not adequately validated, an attacker could craft it to carry out arbitrary actions, such as deleting specific system files or performing path traversal to escape the Calendar sandbox. Kenttälä exploited this flaw by crafting a file that mimicked a system file and triggered the deletion of both the malicious and the legitimate files. He also leveraged the vulnerability to gain an arbitrary file write, allowing him to create a malicious Siri-suggested calendar event that could execute further payloads during an operating system upgrade, specifically during the migration to macOS Ventura. This method included mounting a network share from Samba without triggering a security flag and launching a malicious app.
  2. The exploit chain then bypassed macOS’s Gatekeeper feature, which is designed to prevent untrusted apps from running. This was achieved through CVE-2023-40344 (CVSS score 5.5), a flaw disclosed in January 2024.
  3. The attack manipulated the TCC framework by replacing the configuration file associated with iCloud Photos, redirecting it to a custom path outside of TCC's protection. This allowed for the exfiltration of photos to remote servers. This part of the attack exploited a low severity flaw tracked as CVE-2023-40434 (CVSS score 3.3).
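The root cause of the first link in the chain is an attachment filename that is trusted as-is. The following is an added example, not code from the researcher's write-up or from Apple, of the kind of validation an application that stores attachments under a per-app directory should apply: it rejects path separators, control characters, the `.` and `..` entries, and Unicode lookalikes of a slash, and then confirms that the resolved path still lies inside the intended directory. The attachment directory and the sample filenames are constructed for the example.

```python
import posixpath
import unicodedata
from typing import Dict, Optional

# Constructed attachment directory for the example; not Apple's real container layout.
ATTACHMENT_DIR = "/Users/alice/Library/Containers/com.example.calendar/Data/Attachments"

# Characters that must never appear in a bare filename: directory separators
# (both POSIX and Windows style) and the NUL byte that terminates C strings.
FORBIDDEN_CHARS = ("/", "\\", "\0")
MAX_NAME_LEN = 255


def is_safe_attachment_name(name: str) -> bool:
    """Return True only if `name` is a plain filename with no traversal potential.

    The check is applied to both the raw string and its NFKC-normalised form so
    that compatibility characters such as a fullwidth solidus (U+FF0F), which some
    filesystems or later processing steps may fold to '/', are caught as well.
    """
    if not name or len(name) > MAX_NAME_LEN:
        return False
    for variant in (name, unicodedata.normalize("NFKC", name)):
        if any(c in variant for c in FORBIDDEN_CHARS):
            return False
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in variant):
            return False
        if variant in (".", ".."):
            return False
    return True


def resolve_attachment_path(name: str, base_dir: str = ATTACHMENT_DIR) -> Optional[str]:
    """Map a validated attachment name to its on-disk path, or None if rejected.

    Even after the name check, the joined path is normalised and compared with
    base_dir as a second, independent guard against escaping the directory.
    """
    if not is_safe_attachment_name(name):
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, name))
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


def audit_names(names) -> Dict[str, bool]:
    """Classify a batch of incoming attachment names (useful for log review)."""
    return {n: resolve_attachment_path(n) is not None for n in names}


if __name__ == "__main__":
    # Constructed sample of attachment names as they might arrive in invites.
    SAMPLE_NAMES = [
        "agenda.pdf",
        "../../../Library/Preferences/com.example.plist",
        "..\\escape.txt",
        "photo\0.jpg",
        "..",
        "notes\uff0f..\uff0fescape.txt",  # fullwidth solidus lookalike
    ]
    for n, ok in audit_names(SAMPLE_NAMES).items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {n!r}")
```

Treating the filename as an opaque identifier and generating the on-disk name yourself (for example a random token with the original name kept only as metadata) removes this class of bug entirely; the validator above is the fallback when the original name must be preserved.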

The combination of these vulnerabilities demonstrated a critical flaw sequence in macOS security measures designed to protect user data. The attack chain effectively bypassed macOS's Gatekeeper, which manages the execution of untrusted software, and the TCC framework, which regulates app access to sensitive data.

Apple acknowledged these vulnerabilities and released patches incrementally between October 2022 and September 2023 to address each flaw in the exploit chain. Users are advised to update their macOS systems to the latest version to protect against these exploits.
