CVE-2023-42920
📋 TL;DR
This CVE describes a dylib hijacking vulnerability in FileMaker Pro and Claris Pro applications on macOS. Attackers can place malicious dynamic libraries in specific locations that the applications load, potentially executing arbitrary code. This affects macOS users running vulnerable versions of these applications.
💻 Affected Systems
- FileMaker Pro.app
- Claris Pro.app
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the application user, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation or arbitrary code execution in the context of the application user, allowing access to application data and limited system resources.
If Mitigated
Limited impact if applications run with minimal privileges and proper file system permissions prevent unauthorized library placement.
🎯 Exploit Status
Requires local access to place malicious dylib and knowledge of application's library search paths. User may need to launch the application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest versions from Claris/FileMaker (specific version numbers not provided in references)
Vendor Advisory: https://support.claris.com/s/article/FileMaker-Security-Information?language=en_US
Restart Required: Yes
Instructions:
1. Open FileMaker Pro or Claris Pro.
2. Go to Help > Check for Updates.
3. Follow the prompts to download and install the latest version.
4. Restart the application after installation.
🔧 Temporary Workarounds
Restrict application library paths
macOS: Use macOS sandboxing or file system permissions to prevent writing to the directories where the application searches for dylibs.
🧯 If You Can't Patch
- Run applications with minimal user privileges to limit impact of successful exploitation
- Monitor for suspicious dylib files in application directories and common hijacking locations
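One way to act on the "monitor for suspicious dylib files" workaround is to baseline the dynamic libraries inside each application bundle and re-inventory it on a schedule, alerting on anything added or modified. The script below is an added example, not part of the advisory or of Claris' tooling. It builds a stand-in bundle in a temporary directory so it runs anywhere; on a real host you would point `inventory_dylibs` at the installed bundle (for example `/Applications/FileMaker Pro.app`) and persist the baseline. The bundle layout and file names are constructed for illustration, since the advisory does not list the applications' actual search paths.

```python
"""Inventory dylib-like files under an application directory and diff the
result against a saved baseline (added example; bundle layout is constructed)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# File suffixes worth tracking; .so and .bundle are loadable on macOS too.
DYLIB_SUFFIXES = (".dylib", ".so", ".bundle")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large libraries don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_dylibs(root: Path) -> dict:
    """Map every dylib-like file under root (path relative to root) to its hash."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(DYLIB_SUFFIXES):
                full = Path(dirpath) / name
                result[str(full.relative_to(root))] = sha256_file(full)
    return result


def compare_inventories(baseline: dict, current: dict) -> dict:
    """Report libraries that appeared, changed or vanished since the baseline.
    'added' is the classic hijack signal; 'modified' covers an overwritten vendor lib."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
    }


def build_demo_bundle(root: Path, tampered: bool) -> None:
    """Constructed stand-in for an app bundle; names are illustrative, not the real layout."""
    (root / "Contents" / "MacOS").mkdir(parents=True)
    (root / "Contents" / "Frameworks").mkdir(parents=True)
    (root / "Contents" / "MacOS" / "FileMaker Pro").write_bytes(b"\xcf\xfa\xed\xfe demo binary")
    vendor = root / "Contents" / "Frameworks" / "libvendor.dylib"
    vendor.write_bytes(b"vendor library v2" if tampered else b"vendor library v1")
    if tampered:
        # An extra library dropped into a directory the application searches.
        (root / "Contents" / "Frameworks" / "libhelper.dylib").write_bytes(b"unexpected")


def demo() -> dict:
    """Baseline a clean bundle, then diff it against a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean.app"
        build_demo_bundle(clean, tampered=False)
        baseline = inventory_dylibs(clean)
        later = Path(tmp) / "later.app"
        build_demo_bundle(later, tampered=True)
        return compare_inventories(baseline, inventory_dylibs(later))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice, save the baseline right after installing a patched version, store it somewhere the application user cannot write, and treat any non-empty `added` or `modified` list as an investigation trigger rather than auto-remediating.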
🔍 How to Verify
Check if Vulnerable:
Check FileMaker/Claris Pro version against latest patched version from vendor advisory
Check Version:
Open FileMaker Pro/Claris Pro > Go to FileMaker Pro/Claris Pro menu > About FileMaker Pro/Claris Pro
Verify Fix Applied:
Verify application version matches or exceeds patched version from vendor advisory
📡 Detection & Monitoring
Log Indicators:
- Unexpected dylib loading events in application logs
- File creation in application library directories
Network Indicators:
- Unusual outbound connections from FileMaker/Claris processes post-launch
SIEM Query:
(process.name:"FileMaker Pro" OR process.name:"Claris Pro") AND file.path:*.dylib AND event.action:"load"
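The query above needs the parentheses: in Lucene/KQL-style syntax AND binds tighter than OR, so `A OR B AND C AND D` parses as `A OR (B AND C AND D)` and every FileMaker Pro event matches regardless of file or action. The script below is an added example (not part of the advisory) that applies both readings to a handful of constructed ECS-style events (`process.name`, `file.path`, `event.action`) and, for the correct matches, raises the severity when the loaded library lives outside a trusted prefix. The trusted prefixes are an assumption; adjust them to your install paths.

```python
"""Apply the advisory's SIEM logic to constructed ECS-style events, showing the
precedence bug in the unparenthesised form and flagging out-of-bundle dylib loads."""
import json

WATCHED_PROCESSES = {"FileMaker Pro", "Claris Pro"}

# Assumption: libraries legitimately load from the bundle or system locations.
TRUSTED_PREFIXES = (
    "/Applications/FileMaker Pro.app/",
    "/Applications/Claris Pro.app/",
    "/System/",
    "/usr/lib/",
)

# Constructed sample events; line 4 is a benign file open by the watched process.
SAMPLE_LOG = """
{"process": {"name": "FileMaker Pro"}, "file": {"path": "/Applications/FileMaker Pro.app/Contents/Frameworks/libvendor.dylib"}, "event": {"action": "load"}}
{"process": {"name": "FileMaker Pro"}, "file": {"path": "/Users/alice/Library/Application Support/libhelper.dylib"}, "event": {"action": "load"}}
{"process": {"name": "Safari"}, "file": {"path": "/Users/alice/libhelper.dylib"}, "event": {"action": "load"}}
{"process": {"name": "FileMaker Pro"}, "file": {"path": "/Users/alice/Documents/report.fmp12"}, "event": {"action": "open"}}
{"process": {"name": "Claris Pro"}, "file": {"path": "/tmp/libinject.dylib"}, "event": {"action": "load"}}
""".strip()


def get(event: dict, dotted: str):
    """Fetch a nested ECS field such as 'process.name'; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _is_dylib_load(event: dict) -> bool:
    path = get(event, "file.path") or ""
    return path.lower().endswith(".dylib") and get(event, "event.action") == "load"


def matches_query(event: dict) -> bool:
    # (process.name:"FileMaker Pro" OR process.name:"Claris Pro") AND file.path:*.dylib AND event.action:"load"
    return get(event, "process.name") in WATCHED_PROCESSES and _is_dylib_load(event)


def matches_as_written(event: dict) -> bool:
    # process.name:"FileMaker Pro" OR (process.name:"Claris Pro" AND file.path:*.dylib AND event.action:"load")
    # i.e. how the unparenthesised query is actually parsed: it over-matches.
    name = get(event, "process.name")
    return name == "FileMaker Pro" or (name == "Claris Pro" and _is_dylib_load(event))


def is_untrusted_path(path: str) -> bool:
    return not path.startswith(TRUSTED_PREFIXES)


def iter_events(log_text: str):
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def triage(log_text: str) -> list:
    """Return the events matching the corrected query, scored by load location."""
    findings = []
    for event in iter_events(log_text):
        if not matches_query(event):
            continue
        path = get(event, "file.path")
        findings.append({
            "process": get(event, "process.name"),
            "path": path,
            "severity": "high" if is_untrusted_path(path) else "info",
        })
    return findings


def count_as_written(log_text: str) -> int:
    """How many events the unparenthesised query would have matched."""
    return sum(1 for event in iter_events(log_text) if matches_as_written(event))


if __name__ == "__main__":
    print("corrected query:", json.dumps(triage(SAMPLE_LOG), indent=2))
    print("as written, matches:", count_as_written(SAMPLE_LOG))
```

On the sample, the corrected query returns three dylib loads (one from inside the bundle at severity info, two from user-writable locations at severity high), while the unparenthesised form also pulls in the unrelated document open. The path check is the part that turns the query into a useful alert: a dylib loading from the bundle itself is routine, one loading from a user-writable directory is what the advisory's "common hijacking locations" indicator is about.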