CVE-2024-23745
📋 TL;DR
CVE-2024-23745 is a Dirty NIB attack vulnerability in Notion Web Clipper 1.0.3(7) where manipulated .nib files can execute arbitrary commands. Even with Gatekeeper enabled on macOS, modified applications may still run, allowing command execution within the application's context. This affects macOS users running the vulnerable Notion Web Clipper version.
💻 Affected Systems
- Notion Web Clipper
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary command execution with application privileges, potentially leading to data theft, persistence, or lateral movement.
Likely Case
Local privilege escalation or arbitrary code execution within the application's sandbox/context, enabling data access or further exploitation.
If Mitigated
Limited impact if proper application sandboxing and file integrity controls prevent execution of modified files.
🎯 Exploit Status
Exploitation requires local access to manipulate .nib files and bypass Gatekeeper checks. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: N/A
Restart Required: No
Instructions:
No official patch available as vendor considers this a macOS caching issue (CVE-2022-48505) rather than a product vulnerability.
🔧 Temporary Workarounds
Disable or Remove Notion Web Clipper
macOS: Uninstall the vulnerable application to eliminate the attack surface.
sudo rm -rf /Applications/Notion\ Web\ Clipper.app
Enable Full Disk Access Restrictions
macOS: Use macOS Privacy & Security settings to restrict application access to sensitive areas.
🧯 If You Can't Patch
- Implement application allowlisting to prevent execution of unauthorized/modified applications.
- Use endpoint detection and response (EDR) tools to monitor for suspicious file modifications and process execution.
🔍 How to Verify
Check if Vulnerable:
Check if Notion Web Clipper version 1.0.3(7) is installed: ls -la /Applications/ | grep 'Notion Web Clipper'
Check Version:
mdls -name kMDItemVersion /Applications/Notion\ Web\ Clipper.app
Verify Fix Applied:
Verify application is removed or updated (though no patch exists). Check macOS system logs for Gatekeeper bypass attempts.
📡 Detection & Monitoring
Log Indicators:
- Gatekeeper bypass logs in macOS Console
- Unexpected execution of Notion Web Clipper with modified timestamps
Network Indicators:
- Unusual outbound connections from Notion Web Clipper process
SIEM Query:
process_name:"Notion Web Clipper" AND (event_type:"process_execution" OR file_modification:".nib")
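File-integrity check for the "suspicious file modifications" indicator above, as an added example that is not part of the original advisory or of any vendor tooling. It compares each sealed .nib resource in an app bundle against the SHA-256 recorded in Contents/_CodeSignature/CodeResources; the function names and the sample bundle are constructed for illustration, and the layout assumed is the standard macOS one (files2 entries keyed by path relative to Contents, each with a hash2 value).

```python
import hashlib
import plistlib
from pathlib import Path

def modified_nibs(app_path):
    """Return sealed .nib resources whose on-disk SHA-256 no longer matches
    the hash recorded at signing time, or that are missing altogether."""
    contents = Path(app_path) / "Contents"
    with open(contents / "_CodeSignature" / "CodeResources", "rb") as fh:
        sealed = plistlib.load(fh).get("files2", {})
    findings = []
    for rel_path, entry in sorted(sealed.items()):
        # Only dict entries carrying hash2 are plain file seals;
        # nested code and symlink entries are skipped here.
        if ".nib" not in rel_path or not isinstance(entry, dict) or "hash2" not in entry:
            continue
        target = contents / rel_path
        if not target.is_file():
            findings.append((rel_path, "missing"))
        elif hashlib.sha256(target.read_bytes()).digest() != entry["hash2"]:
            findings.append((rel_path, "modified"))
    return findings

def build_sample_bundle(root):
    """Constructed sample: a minimal fake bundle with one sealed nib."""
    contents = Path(root) / "Sample.app" / "Contents"
    nib = contents / "Resources" / "Base.lproj" / "MainMenu.nib"
    nib.parent.mkdir(parents=True)
    nib.write_bytes(b"constructed nib bytes")
    seal = {"files2": {"Resources/Base.lproj/MainMenu.nib":
                       {"hash2": hashlib.sha256(nib.read_bytes()).digest()}}}
    (contents / "_CodeSignature").mkdir()
    with open(contents / "_CodeSignature" / "CodeResources", "wb") as fh:
        plistlib.dump(seal, fh)
    return contents.parent, nib

if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        # Real use: pass the path to an installed .app bundle.
        print(modified_nibs(sys.argv[1]))
    else:
        with tempfile.TemporaryDirectory() as tmp:
            app, nib = build_sample_bundle(tmp)
            print("untouched:", modified_nibs(app))
            nib.write_bytes(b"tampered")
            print("after edit:", modified_nibs(app))
```

This only compares resource hashes and does not validate the signature over CodeResources itself, nor does it flag files that were never sealed. On macOS, codesign --verify --deep --strict on the bundle remains the authoritative check.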
🔗 References
- https://blog.xpnsec.com/dirtynib/
- https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model
- https://github.com/louiselalanne/CVE-2024-23745