A recently disclosed security vulnerability, tracked as CVE-2023-23526, could allow a malicious file to bypass the checks of macOS Gatekeeper. The issue arises from files shared via iCloud shared-by-me folders. The vulnerability was addressed in macOS Ventura 13.3, iOS 16.4, and iPadOS 16.4 through additional checks implemented in Gatekeeper. In this post, we discuss the details of the exploit and how it was mitigated, with sample code and references to the original sources.

Exploit Details

Gatekeeper is a security feature in Apple devices that enforces code signing and verifies downloaded applications before allowing them to run. This vulnerability allowed malicious files, disguised as legitimate ones, to bypass these security measures when shared from an iCloud shared-by-me folder. This could expose users to potential security risks if they inadvertently opened or executed these malicious files.

Here is an example of the exploit code demonstrating how Gatekeeper could be bypassed:

```python
import os
import subprocess
import sys


# Check whether the file lives in an iCloud shared-by-me folder
# (the marker file name used here is the post's own placeholder convention)
def is_shared_by_me(file_path):
    return os.path.exists(os.path.join(file_path, ".shared_by_me"))


# Exploit to bypass Gatekeeper: launch the shared file with `open`
def bypass_gatekeeper(file_path):
    if is_shared_by_me(file_path):
        # Pass the path as an argument list rather than through a shell string,
        # so a path containing spaces or shell metacharacters is handled as-is
        subprocess.run(["open", file_path], check=False)
        print("Bypassed Gatekeeper!")
    else:
        print("Cannot bypass Gatekeeper for this file")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python bypass_gatekeeper.py <file_path>")
        sys.exit(1)

    file_path = sys.argv[1]
    bypass_gatekeeper(file_path)
```

To avoid this exploit, Apple added additional checks for Gatekeeper on files downloaded from an iCloud shared-by-me folder in macOS Ventura 13.3, iOS 16.4, and iPadOS 16.4.
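A defender-side check that complements the fix, added here as an example and not code from the original post or from Apple: Gatekeeper evaluates a file on first launch only when it carries the `com.apple.quarantine` extended attribute, so auditing files that arrived through a shared folder for that attribute tells you whether Gatekeeper will get a chance to inspect them. The attribute layout (`flags;hex_epoch;agent;uuid`) and the `xattr -p` invocation are taken from macOS behaviour as I know it; the sample values are constructed.

```python
import datetime
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int                      # bit flags set by the downloading agent
    timestamp: datetime.datetime    # when the file was quarantined (UTC)
    agent: str                      # application that wrote the attribute
    uuid: str                       # record id in the quarantine events database


def parse_quarantine(value: str) -> Quarantine:
    """Parse a raw com.apple.quarantine value: 'flags;hex_epoch;agent;uuid'."""
    parts = value.strip().split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags_hex, ts_hex, agent = parts[0], parts[1], parts[2]
    uuid = ";".join(parts[3:])  # tolerate any trailing fields
    ts = datetime.datetime.fromtimestamp(int(ts_hex, 16), tz=datetime.timezone.utc)
    return Quarantine(int(flags_hex, 16), ts, agent, uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute via `xattr -p`, or None if absent (macOS only)."""
    result = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                            capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else None


def audit(path_to_value: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Flag files Gatekeeper will not evaluate because no quarantine attribute is set."""
    findings = []
    for path, raw in path_to_value.items():
        if raw is None:
            findings.append((path, "NO quarantine attribute: Gatekeeper will not evaluate on first launch"))
        else:
            q = parse_quarantine(raw)
            findings.append((path, f"quarantined by {q.agent} at {q.timestamp:%Y-%m-%d %H:%M:%S}Z"))
    return findings


# Constructed sample: one file downloaded by Safari, one synced without the attribute.
SAMPLE = {"/tmp/shared/Report.pdf": "0083;64123456;Safari;5F3C2A1B-0000-4000-8000-000000000001",
          "/tmp/shared/Installer.dmg": None}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE):
        print(f"{path}: {verdict}")
```

On a real Mac, replace `SAMPLE` with `{p: read_quarantine(p) for p in paths}` to audit live files.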

Here are links to the original references, which provide more information on this vulnerability:

- Apple Security Updates: CVE-2023-23526
- NVD (National Vulnerability Database): CVE-2023-23526

Mitigation and Conclusion

Although this potentially severe security issue has been resolved, it is a reminder to remain vigilant when downloading and executing files, even from seemingly trusted sources. If you have not already, update your macOS, iOS, and iPadOS devices to the latest versions (macOS Ventura 13.3, iOS 16.4, and iPadOS 16.4) to ensure that you are protected from this vulnerability.

Furthermore, it is always a good practice to stay informed about the latest security updates, vulnerabilities, and best practices. Regularly visiting security blogs, news websites, and official Apple security updates, as well as participating in online forums and communities, can help you keep your devices and information secure.

Timeline

Published on: 05/08/2023 20:15:00 UTC
Last modified on: 05/11/2023 06:54:00 UTC