cvelistv5 - cve-2020-9870

CVE-2020-9870 (GCVE-0-2020-9870)

Vulnerability from cvelistv5 – Published: 2020-10-16 16:33 – Updated: 2024-08-04 10:43

Summary

Severity ?

No CVSS data available.

CWE

An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code

Assigner

apple

References

URL

Tags

	https://support.apple.com/HT211289	x_refsource_MISC
	https://support.apple.com/HT211288	x_refsource_MISC
	https://support.apple.com/HT211290	x_refsource_MISC

Impacted products

Vendor

Product

Version

Apple

iOS

Affected: unspecified , < iOS 13.6 and iPadOS 13.6 (custom)

	Apple	macOS	Affected: unspecified , < macOS Catalina 10.15.6 (custom)
	Apple	tvOS	Affected: unspecified , < tvOS 13.4.8 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:43:05.407Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://support.apple.com/HT211289"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://support.apple.com/HT211288"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://support.apple.com/HT211290"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "iOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "iOS 13.6 and iPadOS 13.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "macOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "macOS Catalina 10.15.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "tvOS",
          "vendor": "Apple",
          "versions": [
            {
              "lessThan": "tvOS 13.4.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-16T16:33:44",
        "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
        "shortName": "apple"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://support.apple.com/HT211289"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://support.apple.com/HT211288"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://support.apple.com/HT211290"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "product-security@apple.com",
          "ID": "CVE-2020-9870",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "iOS",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "iOS 13.6 and iPadOS 13.6"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "macOS",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "macOS Catalina 10.15.6"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "tvOS",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "tvOS 13.4.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apple"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.apple.com/HT211289",
              "refsource": "MISC",
              "url": "https://support.apple.com/HT211289"
            },
            {
              "name": "https://support.apple.com/HT211288",
              "refsource": "MISC",
              "url": "https://support.apple.com/HT211288"
            },
            {
              "name": "https://support.apple.com/HT211290",
              "refsource": "MISC",
              "url": "https://support.apple.com/HT211290"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
    "assignerShortName": "apple",
    "cveId": "CVE-2020-9870",
    "datePublished": "2020-10-16T16:33:44",
    "dateReserved": "2020-03-02T00:00:00",
    "dateUpdated": "2024-08-04T10:43:05.407Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"13.6\", \"matchCriteriaId\": \"87D68071-5235-4B50-90F0-B55B0C668840\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"13.6\", \"matchCriteriaId\": \"0639A5DE-4A59-4F10-A0E7-F6B933E44D47\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"10.15.6\", \"matchCriteriaId\": \"FD0ACF42-C643-4DED-ADF7-4FA29B7578F7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"13.4.8\", \"matchCriteriaId\": \"888463CA-9C67-46B2-B197-DDD3A668F980\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code.\"}, {\"lang\": \"es\", \"value\": \"Se abord\\u00f3 un problema l\\u00f3gico con una comprobaci\\u00f3n mejorada.\u0026#xa0;Este problema es corregido en iOS versi\\u00f3n 13.6 y iPadOS versi\\u00f3n 13.6, macOS Catalina versi\\u00f3n 10.15.6, tvOS 13.4.8.\u0026#xa0;Un atacante con capacidad de escritura en memoria ser capaz de omitir los c\\u00f3digos de autenticaci\\u00f3n del puntero y ejecutar c\\u00f3digo arbitrario\"}]",
      "id": "CVE-2020-9870",
      "lastModified": "2024-11-21T05:41:26.483",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-10-16T17:15:15.653",
      "references": "[{\"url\": \"https://support.apple.com/HT211288\", \"source\": \"product-security@apple.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://support.apple.com/HT211289\", \"source\": \"product-security@apple.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://support.apple.com/HT211290\", \"source\": \"product-security@apple.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://support.apple.com/HT211288\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://support.apple.com/HT211289\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://support.apple.com/HT211290\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "product-security@apple.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-9870\",\"sourceIdentifier\":\"product-security@apple.com\",\"published\":\"2020-10-16T17:15:15.653\",\"lastModified\":\"2024-11-21T05:41:26.483\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code.\"},{\"lang\":\"es\",\"value\":\"Se abord\u00f3 un problema l\u00f3gico con una comprobaci\u00f3n mejorada.\u0026#xa0;Este problema es corregido en iOS versi\u00f3n 13.6 y iPadOS versi\u00f3n 13.6, macOS Catalina versi\u00f3n 10.15.6, tvOS 13.4.8.\u0026#xa0;Un atacante con capacidad de escritura en memoria ser capaz de omitir los c\u00f3digos de autenticaci\u00f3n del puntero y ejecutar c\u00f3digo arbitrario\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"13.6\",\"matchCriteriaId\":\"87D68071-5235-4B50-90F0-B55B0C668840\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"13.6\",\"matchCriteriaId\":\"0639A5DE-4A59-4F10-A0E7-F6B933E44D47\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"10.15.6\",\"matchCriteriaId\":\"FD0ACF42-C643-4DED-ADF7-4FA29B7578F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"13.4.8\",\"matchCriteriaId\":\"888463CA-9C67-46B2-B197-DDD3A668F980\"}]}]}],\"references\":[{\"url\":\"https://support.apple.com/HT211288\",\"source\":\"product-security@apple.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/HT211289\",\"source\":\"product-security@apple.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/HT211290\",\"source\":\"product-security@apple.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/HT211288\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/HT211289\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.apple.com/HT211290\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

VAR-202010-1272

Vulnerability from variot - Updated: 2023-12-18 10:48

A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code. Apple macOS Catalina is a set of dedicated operating systems developed by Apple for Mac computers. A security vulnerability exists in the Clang component of Apple macOS Catalina versions prior to 10.15.6. An attacker could exploit this vulnerability to bypass security restrictions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

APPLE-SA-2020-07-15-2 macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra

macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra are now available and address the following:

Audio Available for: macOS Catalina 10.15.5 Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9884: Yu Zhou(@yuzhou6666) of 小鸡帮 working with Trend Micro Zero Day Initiative CVE-2020-9889: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab

Audio Available for: macOS Catalina 10.15.5 Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9888: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab CVE-2020-9890: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab CVE-2020-9891: JunDong Xie and XingWei Li of Ant-financial Light-Year Security Lab

Clang Available for: macOS Catalina 10.15.5 Impact: Clang may generate machine code that does not correctly enforce pointer authentication codes Description: A logic issue was addressed with improved validation. CVE-2020-9870: Samuel Groß of Google Project Zero

CoreAudio Available for: macOS High Sierra 10.13.6 Impact: A buffer overflow may result in arbitrary code execution Description: A buffer overflow was addressed with improved bounds checking. CVE-2020-9866: Yu Zhou of 小鸡帮 and Jundong Xie of Ant-financial Light- Year Security Lab

CoreFoundation Available for: macOS Catalina 10.15.5 Impact: A local user may be able to view sensitive user information Description: An issue existed in the handling of environment variables. CVE-2020-9934: an anonymous researcher

Crash Reporter Available for: macOS Catalina 10.15.5 Impact: A malicious application may be able to break out of its sandbox Description: A memory corruption issue was addressed by removing the vulnerable code. CVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud

Grpahics Drivers Available for: macOS Catalina 10.15.5 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9799: ABC Research s.r.o.

Heimdal Available for: macOS Catalina 10.15.5 Impact: A local user may be able to leak sensitive user information Description: This issue was addressed with improved data protection. CVE-2020-9913: Cody Thomas of SpecterOps

ImageIO Available for: macOS Catalina 10.15.5 Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9936: Mickey Jin of Trend Micro

Kernel Available for: macOS Catalina 10.15.5 Impact: An attacker in a privileged network position may be able to inject into active connections within a VPN tunnel Description: A routing issue was addressed with improved restrictions. CVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. Crandall

Mail Available for: macOS Catalina 10.15.5 Impact: A remote attacker can cause a limited out-of-bounds write, resulting in a denial of service Description: An input validation issue was addressed. CVE-2019-19906

Messages Available for: macOS Catalina 10.15.5 Impact: A user that is removed from an iMessage group could rejoin the group Description: An issue existed in the handling of iMessage tapbacks. CVE-2020-9885: an anonymous researcher, Suryansh Mansharamani, of WWP High School North (medium.com/@suryanshmansha)

Model I/O Available for: macOS Catalina 10.15.5 Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution Description: A buffer overflow issue was addressed with improved memory handling. CVE-2020-9878: Holger Fuhrmannek of Deutsche Telekom Security

Security Available for: macOS Catalina 10.15.5 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved restrictions. CVE-2020-9864: Alexander Holodny

Vim Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6 Impact: A remote attacker may be able to cause arbitrary code execution Description: This issue was addressed with improved checks. CVE-2019-20807: Guilherme de Almeida Suckevicz

Wi-Fi Available for: macOS Catalina 10.15.5 Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-9918: Jianjun Dai of 360 Alpha Lab working with 360 BugCloud (bugcloud.360.cn)

Additional recognition

USB Audio We would like to acknowledge Andy Davis of NCC Group for their assistance.

Installation note:

macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl8PNx0ACgkQBz4uGe3y 0M3aXhAAm0hhJpdR0h7uhbtT6LkOuBAYbn0ivAbaB2wzEgZJNXBi9pwd/eL+I1tZ FsYG2Ux0P7VOXClepKzM/yi2Y9w9JZt/u5jSpps7n4/6k4JpcBT74IBF8A4iUvfQ DZcd58rTYf7PuO28ZW9FcYVhgMrN1oPheg0yr+ZaM+0wJrBfPg5STX9AwtPw5P4B aDMYGqv6EQLRiI/cj18/BnLD9kuYq2/fvO/AVjTzAGWVWmY0jpEaaHoeEgSbocNd qVpobhb8K8aK3PjfocK62hSH9DF0yBQYVsnX+bRmTDqzkWK4FXN6fG2ObiI+9ytq wJ6RPT9N5rkIsru8iqaYW6vo5eS61tCAxSgsOsWsm9+KAaBLOnrLzago3kQbtnTG SQBDDSW5w1iI/+kypdCCE67I67psSxPfrDdPU2wG3arQjnE4xm7S4eOE+9cBlKY+ bsNpFcYgShyZ6GnaJ1yVbZgR2zK97xbKYp8xbEOICeCchO1vF31hlDxsMl09UV1U eYJ3sOqBUxDpUj2vjpP9pB4ocSlHdAENL/5dyWUPlx8wjpnodRX2HsPHonjTqM4y kgwJjHI26LZWU4icKIPvl8875ksw/sCmKpVZlbF0IRPvd58ITt5rSvUTQulKqVs6 ML/l/uIf4shjBmNz0xdQlzsdctxdnPh1ge1kNfH34X4JgPWVWaM= =GCJp -----END PGP SIGNATURE-----

. It does that by cryptographically signing and validating code pointers (as well as some data pointers) at runtime. However, it seems that imports of function pointers from shared libraries in userspace are not properly protected by PAC, allowing an attacker to sign arbitrary pointers and thus bypass PAC. The preconditions and impact of this issue should be the same as for issue #2042, thus I'm reporting it via our tracker.

Consider the following code from WebKit:

LValue Output::doublePow(LValue xOperand, LValue yOperand)
{
    double (*powDouble)(double, double) = pow;
    return callWithoutSideEffects(B3::Double, powDouble, xOperand, yOperand);
}

This function from the FTL JIT compiler is responsible for lowering a Math.pow invocation (when called with doubles as arguments) by inserting a call to the pow c library function (see man 3 pow). In iOS 13.4.1 on arm64e, this function looks as follows when disassembled:

; __int64 __fastcall JSC::FTL::Output::doublePow(JSC::FTL::Output *__hidden this, JSC::B3::Value *, JSC::B3::Value *)
__ZN3JSC3FTL6Output9doublePowEPNS_2B35ValueES4_
                MOV             X4, X2
                MOV             X3, X1
                ADRP            X16, #_pow_ptr_3@PAGE
                LDR             X16, [X16,#_pow_ptr_3@PAGEOFF]
                PACIZA          X16
                MOV             X2, X16
                MOV             W1, #4
                B               __ZN3JSC3FTL6Output22callWithoutSideEffectsIPFdddEJPNS_2B35ValueEEEES7_NS5_4TypeET_S7_DpT0_ ; JSC::FTL::Output::callWithoutSideEffects<double (*)(double,double),JSC::B3::Value *>(JSC::B3::Type,double (*)(double,double),JSC::B3::Value *,JSC::B3::Value *)
; End of function JSC::FTL::Output::doublePow(JSC::B3::Value *,JSC::B3::Value *)

This code essentially loads a pointer from a static address, then signs it with the PACIZA instruction [2] and passes it on to the callWithoutSideEffects function, which then embeds a call to it into the emitted JIT code. Note that no PAC validation of the loaded function pointer is performed, and in fact, the retrieved pointer is not PAC-signed at all. As the region from which the pointer is loaded is writable, an attacker is able to change the function pointer stored there, causing WebKit to later sign and execute an arbitrary address. The following JavaScript code snippet demonstrates this, assuming the attacker has already achieved arbitrary memory read/write:

// offset from iOS 13.4.1, iPhone Xs
let powImportAddr = Add(jscBase, 0x34e1d570);
memory.writePtr(powImportAddr, new Int64('0x41414141'));

function trigger(x) {
    return Math.pow(x, 13.37);
}
for (let i = 0; i < 10000000; i++) {
    trigger(i + 0.1);
}

This will cause the renderer process to crash with PC at 0x41414141, demonstrating that PAC has been bypassed.

The vulnerable code pattern seems to be widespread, for example, here is a similar piece of code from libxpc:

libxpc:__text:00000001AA9A5F00                 ADRP            X16, #_free_ptr_1@PAGE
libxpc:__text:00000001AA9A5F04                 LDR             X16, [X16,#_free_ptr_1@PAGEOFF]
libxpc:__text:00000001AA9A5F08                 PACIZA          X16

It seems that this problem generally occurs whenever a function from a shared library is referenced as pointer as opposed to being called directly.

I used an IDAPython script to search the dyld shared cache for PAC signing gadgets such as this one. It is still very rudimentary at this point, but I'm attaching it below. The script will search for PAC signing instructions, then output their location as well as the potential \"gadget\" (which includes the four preceding instructions) into a file. Afterwards, that file can be searched for interesting code patterns. There are a few very frequent but safe patterns such as ADRL X16, sub_1AA9A6F94; PACIZA X16 (which signs a constant pointer). They can, for the most part, easily be removed from the output file though (e.g. with \":g/ADRL/d\" in vim). Ideally, in the future the script itself would be able to identify these patterns and skip them.

import idautils
import idaapi
import ida_nalt
import idc

from os.path import expanduser
home = expanduser(\"~\")

mnemonics = ['PACIA', 'PACIZA', 'PACIA1716', 'PACIAZ']

gadgets = []

for seg_ea in idautils.Segments():
    seg_name = idc.get_segm_name(seg_ea)
    seg_start = idc.get_segm_start(seg_ea)
    seg_end = idc.get_segm_end(seg_ea)

    for func_ea in idautils.Functions(seg_start, seg_end):
        for (start_ea, end_ea) in idautils.Chunks(func_ea):
            for head in idautils.Heads(start_ea, end_ea):
                insn = idautils.DecodeInstruction(head)
                if not insn:
                    continue

                if insn.itype == idaapi.ARM_pac:
                    disas = idc.GetDisasm(head)
                    if not any(mn in disas for mn in mnemonics):
                        continue

                    parts = []
                    for ea in range(head - 20, head + 4, 4):
                        parts.append(idc.GetDisasm(ea))
                    gadgets.append('{}:0x{:x}    '.format(seg_name, head) + '; '.join(parts))


with open(home + \"/Desktop/gadgets.txt\", \"w\") as f:
    f.write('\

'.join(gadgets)) f.write('\ ')

print(\"Done, found {} gadgets\".format(len(gadgets)))

[1] https://support.apple.com/guide/security/pointer-authentication-codes-seca5759bf02/web [2] https://developer.arm.com/docs/100076/0100/instruction-set-reference/a64-general-instructions/pacia-paciza-pacia1716-paciasp-paciaz

This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report will become visible to the public. The scheduled disclosure date is 2020-08-18. Disclosure at an earlier date is possible if agreed upon by all parties.

Related CVE Numbers: CVE-2020-9870.

Found by: saelo@google.com

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202010-1272",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "ipados",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "apple",
        "version": "13.6"
      },
      {
        "model": "iphone os",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "apple",
        "version": "13.6"
      },
      {
        "model": "mac os x",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "apple",
        "version": "10.15.6"
      },
      {
        "model": "tvos",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "apple",
        "version": "13.4.8"
      },
      {
        "model": "mac os x",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apple",
        "version": "10.15.5"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-009935"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-9870"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "10.15.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "13.4.8",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "13.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "13.6",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-9870"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "saelo, Google Security Research",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "158923"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1068"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2020-9870",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.0,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 6.5,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-009935",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.0,
            "id": "VHN-187995",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULMON",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.0,
            "id": "CVE-2020-9870",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "MEDIUM",
            "trust": 0.1,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-009935",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-9870",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-009935",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202007-1068",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-187995",
            "trust": 0.1,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2020-9870",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-187995"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9870"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-009935"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-9870"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1068"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code. Apple macOS Catalina is a set of dedicated operating systems developed by Apple for Mac computers. A security vulnerability exists in the Clang component of Apple macOS Catalina versions prior to 10.15.6. An attacker could exploit this vulnerability to bypass security restrictions. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2020-07-15-2 macOS Catalina 10.15.6, Security Update\n2020-004 Mojave, Security Update 2020-004 High Sierra\n\nmacOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security\nUpdate 2020-004 High Sierra are now available and address the\nfollowing:\n\nAudio\nAvailable for: macOS Catalina 10.15.5\nImpact: Processing a maliciously crafted audio file may lead to\narbitrary code execution\nDescription: An out-of-bounds write issue was addressed with improved\nbounds checking. \nCVE-2020-9884: Yu Zhou(@yuzhou6666) of \u5c0f\u9e21\u5e2e working with Trend Micro\nZero Day Initiative\nCVE-2020-9889: JunDong Xie and XingWei Li of Ant-financial Light-Year\nSecurity Lab\n\nAudio\nAvailable for: macOS Catalina 10.15.5\nImpact: Processing a maliciously crafted audio file may lead to\narbitrary code execution\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2020-9888: JunDong Xie and XingWei Li of Ant-financial Light-Year\nSecurity Lab\nCVE-2020-9890: JunDong Xie and XingWei Li of Ant-financial Light-Year\nSecurity Lab\nCVE-2020-9891: JunDong Xie and XingWei Li of Ant-financial Light-Year\nSecurity Lab\n\nClang\nAvailable for: macOS Catalina 10.15.5\nImpact: Clang may generate machine code that does not correctly\nenforce pointer authentication codes\nDescription: A logic issue was addressed with improved validation. \nCVE-2020-9870: Samuel Gro\u00df of Google Project Zero\n\nCoreAudio\nAvailable for: macOS High Sierra 10.13.6\nImpact: A buffer overflow may result in arbitrary code execution\nDescription: A buffer overflow was addressed with improved bounds\nchecking. \nCVE-2020-9866: Yu Zhou of \u5c0f\u9e21\u5e2e and Jundong Xie of Ant-financial Light-\nYear Security Lab\n\nCoreFoundation\nAvailable for: macOS Catalina 10.15.5\nImpact: A local user may be able to view sensitive user information\nDescription: An issue existed in the handling of environment\nvariables. \nCVE-2020-9934: an anonymous researcher\n\nCrash Reporter\nAvailable for: macOS Catalina 10.15.5\nImpact: A malicious application may be able to break out of its\nsandbox\nDescription: A memory corruption issue was addressed by removing the\nvulnerable code. \nCVE-2020-9865: Zhuo Liang of Qihoo 360 Vulcan Team working with 360\nBugCloud\n\nGrpahics Drivers\nAvailable for: macOS Catalina 10.15.5\nImpact: A malicious application may be able to execute arbitrary code\nwith kernel privileges\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2020-9799: ABC Research s.r.o. \n\nHeimdal\nAvailable for: macOS Catalina 10.15.5\nImpact: A local user may be able to leak sensitive user information\nDescription: This issue was addressed with improved data protection. \nCVE-2020-9913: Cody Thomas of SpecterOps\n\nImageIO\nAvailable for: macOS Catalina 10.15.5\nImpact: Processing a maliciously crafted image may lead to arbitrary\ncode execution\nDescription: An out-of-bounds write issue was addressed with improved\nbounds checking. \nCVE-2020-9936: Mickey Jin of Trend Micro\n\nKernel\nAvailable for: macOS Catalina 10.15.5\nImpact: An attacker in a privileged network position may be able to\ninject into active connections within a VPN tunnel\nDescription: A routing issue was addressed with improved\nrestrictions. \nCVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. \nCrandall\n\nMail\nAvailable for: macOS Catalina 10.15.5\nImpact: A remote  attacker can cause a limited out-of-bounds write,\nresulting in a denial of service\nDescription: An input validation issue was addressed. \nCVE-2019-19906\n\nMessages\nAvailable for: macOS Catalina 10.15.5\nImpact: A user that is removed from an iMessage group could rejoin\nthe group\nDescription: An issue existed in the handling of iMessage tapbacks. \nCVE-2020-9885: an anonymous researcher, Suryansh Mansharamani, of WWP\nHigh School North (medium.com/@suryanshmansha)\n\nModel I/O\nAvailable for: macOS Catalina 10.15.5\nImpact: Processing a maliciously crafted USD file may lead to\nunexpected application termination or arbitrary code execution\nDescription: A buffer overflow issue was addressed with improved\nmemory handling. \nCVE-2020-9878: Holger Fuhrmannek of Deutsche Telekom Security\n\nSecurity\nAvailable for: macOS Catalina 10.15.5\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A logic issue was addressed with improved restrictions. \nCVE-2020-9864: Alexander Holodny\n\nVim\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6\nImpact: A remote attacker may be able to cause arbitrary code\nexecution\nDescription: This issue was addressed with improved checks. \nCVE-2019-20807: Guilherme de Almeida Suckevicz\n\nWi-Fi\nAvailable for: macOS Catalina 10.15.5\nImpact: A remote attacker may be able to cause unexpected system\ntermination or corrupt kernel memory\nDescription: An out-of-bounds read was addressed with improved input\nvalidation. \nCVE-2020-9918: Jianjun Dai of 360 Alpha Lab working with 360 BugCloud\n(bugcloud.360.cn)\n\nAdditional recognition\n\nUSB Audio\nWe would like to acknowledge Andy Davis of NCC Group for their\nassistance. \n\nInstallation note:\n\nmacOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security\nUpdate 2020-004 High Sierra may be obtained from the Mac App Store or\nApple\u0027s Software Downloads web site:\nhttps://support.apple.com/downloads/\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl8PNx0ACgkQBz4uGe3y\n0M3aXhAAm0hhJpdR0h7uhbtT6LkOuBAYbn0ivAbaB2wzEgZJNXBi9pwd/eL+I1tZ\nFsYG2Ux0P7VOXClepKzM/yi2Y9w9JZt/u5jSpps7n4/6k4JpcBT74IBF8A4iUvfQ\nDZcd58rTYf7PuO28ZW9FcYVhgMrN1oPheg0yr+ZaM+0wJrBfPg5STX9AwtPw5P4B\naDMYGqv6EQLRiI/cj18/BnLD9kuYq2/fvO/AVjTzAGWVWmY0jpEaaHoeEgSbocNd\nqVpobhb8K8aK3PjfocK62hSH9DF0yBQYVsnX+bRmTDqzkWK4FXN6fG2ObiI+9ytq\nwJ6RPT9N5rkIsru8iqaYW6vo5eS61tCAxSgsOsWsm9+KAaBLOnrLzago3kQbtnTG\nSQBDDSW5w1iI/+kypdCCE67I67psSxPfrDdPU2wG3arQjnE4xm7S4eOE+9cBlKY+\nbsNpFcYgShyZ6GnaJ1yVbZgR2zK97xbKYp8xbEOICeCchO1vF31hlDxsMl09UV1U\neYJ3sOqBUxDpUj2vjpP9pB4ocSlHdAENL/5dyWUPlx8wjpnodRX2HsPHonjTqM4y\nkgwJjHI26LZWU4icKIPvl8875ksw/sCmKpVZlbF0IRPvd58ITt5rSvUTQulKqVs6\nML/l/uIf4shjBmNz0xdQlzsdctxdnPh1ge1kNfH34X4JgPWVWaM=\n=GCJp\n-----END PGP SIGNATURE-----\n\n\n. It does that by cryptographically signing and validating code pointers (as well as some data pointers) at runtime. However, it seems that imports of function pointers from shared libraries in userspace are not properly protected by PAC, allowing an attacker to sign arbitrary pointers and thus bypass PAC. The preconditions and impact of this issue should be the same as for issue #2042, thus I\u0027m reporting it via our tracker. \n\nConsider the following code from WebKit:\n\n    LValue Output::doublePow(LValue xOperand, LValue yOperand)\n    {\n        double (*powDouble)(double, double) = pow;\n        return callWithoutSideEffects(B3::Double, powDouble, xOperand, yOperand);\n    }\n\nThis function from the FTL JIT compiler is responsible for lowering a Math.pow invocation (when called with doubles as arguments) by inserting a call to the pow c library function (see `man 3 pow`). In iOS 13.4.1 on arm64e, this function looks as follows when disassembled:\n\n    ; __int64 __fastcall JSC::FTL::Output::doublePow(JSC::FTL::Output *__hidden this, JSC::B3::Value *, JSC::B3::Value *)\n    __ZN3JSC3FTL6Output9doublePowEPNS_2B35ValueES4_\n                    MOV             X4, X2\n                    MOV             X3, X1\n                    ADRP            X16, #_pow_ptr_3@PAGE\n                    LDR             X16, [X16,#_pow_ptr_3@PAGEOFF]\n                    PACIZA          X16\n                    MOV             X2, X16\n                    MOV             W1, #4\n                    B               __ZN3JSC3FTL6Output22callWithoutSideEffectsIPFdddEJPNS_2B35ValueEEEES7_NS5_4TypeET_S7_DpT0_ ; JSC::FTL::Output::callWithoutSideEffects\u003cdouble (*)(double,double),JSC::B3::Value *\u003e(JSC::B3::Type,double (*)(double,double),JSC::B3::Value *,JSC::B3::Value *)\n    ; End of function JSC::FTL::Output::doublePow(JSC::B3::Value *,JSC::B3::Value *)\n\nThis code essentially loads a pointer from a static address, then signs it with the PACIZA instruction [2] and passes it on to the callWithoutSideEffects function, which then embeds a call to it into the emitted JIT code. Note that no PAC validation of the loaded function pointer is performed, and in fact, the retrieved pointer is not PAC-signed at all. As the region from which the pointer is loaded is writable, an attacker is able to change the function pointer stored there, causing WebKit to later sign and execute an arbitrary address. The following JavaScript code snippet demonstrates this, assuming the attacker has already achieved arbitrary memory read/write:\n\n    // offset from iOS 13.4.1, iPhone Xs\n    let powImportAddr = Add(jscBase, 0x34e1d570);\n    memory.writePtr(powImportAddr, new Int64(\u00270x41414141\u0027));\n\n    function trigger(x) {\n        return Math.pow(x, 13.37);\n    }\n    for (let i = 0; i \u003c 10000000; i++) {\n        trigger(i + 0.1);\n    }\n\nThis will cause the renderer process to crash with PC at 0x41414141, demonstrating that PAC has been bypassed. \n\nThe vulnerable code pattern seems to be widespread, for example, here is a similar piece of code from libxpc:\n\n    libxpc:__text:00000001AA9A5F00                 ADRP            X16, #_free_ptr_1@PAGE\n    libxpc:__text:00000001AA9A5F04                 LDR             X16, [X16,#_free_ptr_1@PAGEOFF]\n    libxpc:__text:00000001AA9A5F08                 PACIZA          X16\n\nIt seems that this problem generally occurs whenever a function from a shared library is referenced as pointer as opposed to being called directly. \n\nI used an IDAPython script to search the dyld shared cache for PAC signing gadgets such as this one. It is still very rudimentary at this point, but I\u0027m attaching it below. The script will search for PAC signing instructions, then output their location as well as the potential \\\"gadget\\\" (which includes the four preceding instructions) into a file. Afterwards, that file can be searched for interesting code patterns. There are a few very frequent but safe patterns such as `ADRL            X16, sub_1AA9A6F94; PACIZA          X16` (which signs a constant pointer). They can, for the most part, easily be removed from the output file though (e.g. with \\\":g/ADRL/d\\\" in vim). Ideally, in the future the script itself would be able to identify these patterns and skip them. \n\n    import idautils\n    import idaapi\n    import ida_nalt\n    import idc\n\n    from os.path import expanduser\n    home = expanduser(\\\"~\\\")\n\n    mnemonics = [\u0027PACIA\u0027, \u0027PACIZA\u0027, \u0027PACIA1716\u0027, \u0027PACIAZ\u0027]\n\n    gadgets = []\n\n    for seg_ea in idautils.Segments():\n        seg_name = idc.get_segm_name(seg_ea)\n        seg_start = idc.get_segm_start(seg_ea)\n        seg_end = idc.get_segm_end(seg_ea)\n\n        for func_ea in idautils.Functions(seg_start, seg_end):\n            for (start_ea, end_ea) in idautils.Chunks(func_ea):\n                for head in idautils.Heads(start_ea, end_ea):\n                    insn = idautils.DecodeInstruction(head)\n                    if not insn:\n                        continue\n\n                    if insn.itype == idaapi.ARM_pac:\n                        disas = idc.GetDisasm(head)\n                        if not any(mn in disas for mn in mnemonics):\n                            continue\n\n                        parts = []\n                        for ea in range(head - 20, head + 4, 4):\n                            parts.append(idc.GetDisasm(ea))\n                        gadgets.append(\u0027{}:0x{:x}    \u0027.format(seg_name, head) + \u0027; \u0027.join(parts))\n\n\n    with open(home + \\\"/Desktop/gadgets.txt\\\", \\\"w\\\") as f:\n        f.write(\u0027\\\n\u0027.join(gadgets))\n        f.write(\u0027\\\n\u0027)\n\n    print(\\\"Done, found {} gadgets\\\".format(len(gadgets)))\n\n\n[1] https://support.apple.com/guide/security/pointer-authentication-codes-seca5759bf02/web\n[2] https://developer.arm.com/docs/100076/0100/instruction-set-reference/a64-general-instructions/pacia-paciza-pacia1716-paciasp-paciaz\n\nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse,\nthe bug report will become visible to the public. The scheduled disclosure\ndate is 2020-08-18. Disclosure at an earlier date is possible if\nagreed upon by all parties. \n\n\nRelated CVE Numbers: CVE-2020-9870. \n\n\n\nFound by: saelo@google.com\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-9870"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-009935"
      },
      {
        "db": "VULHUB",
        "id": "VHN-187995"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9870"
      },
      {
        "db": "PACKETSTORM",
        "id": "158457"
      },
      {
        "db": "PACKETSTORM",
        "id": "158923"
      }
    ],
    "trust": 1.98
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-9870",
        "trust": 2.8
      },
      {
        "db": "PACKETSTORM",
        "id": "158923",
        "trust": 0.8
      },
      {
        "db": "JVN",
        "id": "JVNVU94090210",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-009935",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1068",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "158457",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.2430",
        "trust": 0.6
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-49316",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-187995",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9870",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-187995"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9870"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-009935"
      },
      {
        "db": "PACKETSTORM",
        "id": "158457"
      },
      {
        "db": "PACKETSTORM",
        "id": "158923"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-9870"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1068"
      }
    ]
  },
  "id": "VAR-202010-1272",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-187995"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T10:48:20.234000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "HT211288",
        "trust": 0.8,
        "url": "https://support.apple.com/en-us/ht211288"
      },
      {
        "title": "HT211289",
        "trust": 0.8,
        "url": "https://support.apple.com/en-us/ht211289"
      },
      {
        "title": "HT211290",
        "trust": 0.8,
        "url": "https://support.apple.com/en-us/ht211290"
      },
      {
        "title": "HT211288",
        "trust": 0.8,
        "url": "https://support.apple.com/ja-jp/ht211288"
      },
      {
        "title": "HT211289",
        "trust": 0.8,
        "url": "https://support.apple.com/ja-jp/ht211289"
      },
      {
        "title": "HT211290",
        "trust": 0.8,
        "url": "https://support.apple.com/ja-jp/ht211290"
      },
      {
        "title": "Apple macOS Catalina Clang Fixes for component security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=124553"
      },
      {
        "title": "Apple: macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories\u0026qid=aa30f53f014f01d7a0510a965599d2a9"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2020-9870"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-009935"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1068"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-20",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-187995"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-009935"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-9870"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.8,
        "url": "https://support.apple.com/ht211288"
      },
      {
        "trust": 1.8,
        "url": "https://support.apple.com/ht211289"
      },
      {
        "trust": 1.8,
        "url": "https://support.apple.com/ht211290"
      },
      {
        "trust": 1.6,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9870"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9870"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu94090210/index.html"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/158923/pac-bypass-due-to-unprotected-function-pointer-imports.html"
      },
      {
        "trust": 0.6,
        "url": "https://support.apple.com/kb/ht211289"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/158457/apple-security-advisory-2020-07-15-2.html"
      },
      {
        "trust": 0.6,
        "url": "https://support.apple.com/en-us/ht211289"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.2430/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/20.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/185421"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9918"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9878"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-19906"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9889"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9799"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9913"
      },
      {
        "trust": 0.1,
        "url": "https://support.apple.com/downloads/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9864"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9866"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9884"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9934"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9888"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-14899"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9885"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9891"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-20807"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9936"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9890"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9865"
      },
      {
        "trust": 0.1,
        "url": "https://developer.arm.com/docs/100076/0100/instruction-set-reference/a64-general-instructions/pacia-paciza-pacia1716-paciasp-paciaz"
      },
      {
        "trust": 0.1,
        "url": "https://support.apple.com/guide/security/pointer-authentication-codes-seca5759bf02/web"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-187995"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9870"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-009935"
      },
      {
        "db": "PACKETSTORM",
        "id": "158457"
      },
      {
        "db": "PACKETSTORM",
        "id": "158923"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-9870"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1068"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-187995"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-9870"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-009935"
      },
      {
        "db": "PACKETSTORM",
        "id": "158457"
      },
      {
        "db": "PACKETSTORM",
        "id": "158923"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-9870"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1068"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-10-16T00:00:00",
        "db": "VULHUB",
        "id": "VHN-187995"
      },
      {
        "date": "2020-10-16T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-9870"
      },
      {
        "date": "2020-12-11T07:15:34",
        "db": "JVNDB",
        "id": "JVNDB-2020-009935"
      },
      {
        "date": "2020-07-17T19:23:49",
        "db": "PACKETSTORM",
        "id": "158457"
      },
      {
        "date": "2020-08-19T16:46:39",
        "db": "PACKETSTORM",
        "id": "158923"
      },
      {
        "date": "2020-10-16T17:15:15.653000",
        "db": "NVD",
        "id": "CVE-2020-9870"
      },
      {
        "date": "2020-07-15T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202007-1068"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-01-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-187995"
      },
      {
        "date": "2020-10-20T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-9870"
      },
      {
        "date": "2020-12-11T07:15:34",
        "db": "JVNDB",
        "id": "JVNDB-2020-009935"
      },
      {
        "date": "2023-01-09T16:41:59.350000",
        "db": "NVD",
        "id": "CVE-2020-9870"
      },
      {
        "date": "2021-10-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202007-1068"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1068"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "plural  Apple Product logic vulnerabilities",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-009935"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "input validation error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1068"
      }
    ],
    "trust": 0.6
  }
}

GSD-2020-9870

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-9870

Aliases

CVE-2020-9870

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-9870",
    "description": "A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code.",
    "id": "GSD-2020-9870"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-9870"
      ],
      "details": "A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code.",
      "id": "GSD-2020-9870",
      "modified": "2023-12-13T01:21:52.535239Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "product-security@apple.com",
        "ID": "CVE-2020-9870",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "iOS",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "iOS 13.6 and iPadOS 13.6"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "macOS",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "macOS Catalina 10.15.6"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "tvOS",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "tvOS 13.4.8"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apple"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://support.apple.com/HT211289",
            "refsource": "MISC",
            "url": "https://support.apple.com/HT211289"
          },
          {
            "name": "https://support.apple.com/HT211288",
            "refsource": "MISC",
            "url": "https://support.apple.com/HT211288"
          },
          {
            "name": "https://support.apple.com/HT211290",
            "refsource": "MISC",
            "url": "https://support.apple.com/HT211290"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "10.15.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "13.4.8",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "13.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "13.6",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "product-security@apple.com",
          "ID": "CVE-2020-9870"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.apple.com/HT211288",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://support.apple.com/HT211288"
            },
            {
              "name": "https://support.apple.com/HT211289",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://support.apple.com/HT211289"
            },
            {
              "name": "https://support.apple.com/HT211290",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://support.apple.com/HT211290"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-01-09T16:41Z",
      "publishedDate": "2020-10-16T17:15Z"
    }
  }
}

CERTFR-2020-AVI-452

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Apple. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Apple	N/A	iOS versions antérieures à 13.6
Apple	macOS	macOS Catalina versions antérieures à 10.15.6
Apple	macOS	macOS High Sierra sans le correctif de sécurité 2020-004
Apple	N/A	iPadOS versions antérieures à 13.6
Apple	macOS	macOS Mojave sans le correctif de sécurité 2020-004
Apple	N/A	tvOS versions antérieures à 13.4.8
Apple	Safari	Safari versions antérieures à 13.1.2
Apple	N/A	watchOS versions antérieures à 6.2.8

References

Title

Publication Time

Tags

Bulletin de sécurité Apple HT211289 du 15 juillet 2020	None	vendor-advisory
Bulletin de sécurité Apple HT211288 du 15 juillet 2020	None	vendor-advisory
Bulletin de sécurité Apple HT211292 du 15 juillet 2020	None	vendor-advisory
Bulletin de sécurité Apple HT211291 du 15 juillet 2020	None	vendor-advisory
Bulletin de sécurité Apple HT211290 du 15 juillet 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "iOS versions ant\u00e9rieures \u00e0 13.6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "macOS Catalina versions ant\u00e9rieures \u00e0 10.15.6",
      "product": {
        "name": "macOS",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "macOS High Sierra sans le correctif de s\u00e9curit\u00e9 2020-004",
      "product": {
        "name": "macOS",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "iPadOS versions ant\u00e9rieures \u00e0 13.6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "macOS Mojave sans le correctif de s\u00e9curit\u00e9 2020-004",
      "product": {
        "name": "macOS",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "tvOS versions ant\u00e9rieures \u00e0 13.4.8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Safari versions ant\u00e9rieures \u00e0 13.1.2",
      "product": {
        "name": "Safari",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "watchOS versions ant\u00e9rieures \u00e0 6.2.8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-9885",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9885"
    },
    {
      "name": "CVE-2020-9878",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9878"
    },
    {
      "name": "CVE-2019-19906",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19906"
    },
    {
      "name": "CVE-2020-9933",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9933"
    },
    {
      "name": "CVE-2020-9870",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9870"
    },
    {
      "name": "CVE-2020-9890",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9890"
    },
    {
      "name": "CVE-2020-9934",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9934"
    },
    {
      "name": "CVE-2020-9910",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9910"
    },
    {
      "name": "CVE-2019-20807",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-20807"
    },
    {
      "name": "CVE-2020-9936",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9936"
    },
    {
      "name": "CVE-2020-9911",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9911"
    },
    {
      "name": "CVE-2020-9865",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9865"
    },
    {
      "name": "CVE-2020-9799",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9799"
    },
    {
      "name": "CVE-2020-9894",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9894"
    },
    {
      "name": "CVE-2020-9895",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9895"
    },
    {
      "name": "CVE-2020-9914",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9914"
    },
    {
      "name": "CVE-2020-9931",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9931"
    },
    {
      "name": "CVE-2020-9866",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9866"
    },
    {
      "name": "CVE-2020-9916",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9916"
    },
    {
      "name": "CVE-2020-9923",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9923"
    },
    {
      "name": "CVE-2019-14899",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-14899"
    },
    {
      "name": "CVE-2020-9912",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9912"
    },
    {
      "name": "CVE-2020-9893",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9893"
    },
    {
      "name": "CVE-2020-9922",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9922"
    },
    {
      "name": "CVE-2020-9862",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9862"
    },
    {
      "name": "CVE-2020-9864",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9864"
    },
    {
      "name": "CVE-2020-9925",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9925"
    },
    {
      "name": "CVE-2020-9913",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9913"
    },
    {
      "name": "CVE-2020-9888",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9888"
    },
    {
      "name": "CVE-2020-9907",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9907"
    },
    {
      "name": "CVE-2020-9917",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9917"
    },
    {
      "name": "CVE-2020-9889",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9889"
    },
    {
      "name": "CVE-2020-9909",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9909"
    },
    {
      "name": "CVE-2020-9891",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9891"
    },
    {
      "name": "CVE-2020-9903",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9903"
    },
    {
      "name": "CVE-2020-9918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9918"
    },
    {
      "name": "CVE-2020-9884",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9884"
    },
    {
      "name": "CVE-2020-9915",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9915"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-452",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-07-20T00:00:00.000000"
    },
    {
      "description": "Ajout de l\u0027identifiant CVE-2020-9922.",
      "revision_date": "2021-04-06T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Apple.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Apple",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT211289 du 15 juillet 2020",
      "url": "https://support.apple.com/en-us/HT211289"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT211288 du 15 juillet 2020",
      "url": "https://support.apple.com/en-us/HT211288"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT211292 du 15 juillet 2020",
      "url": "https://support.apple.com/en-us/HT211292"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT211291 du 15 juillet 2020",
      "url": "https://support.apple.com/en-us/HT211291"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT211290 du 15 juillet 2020",
      "url": "https://support.apple.com/en-us/HT211290"
    }
  ]
}

CERTFR-2020-AVI-452

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Apple	N/A	iOS versions antérieures à 13.6
Apple	macOS	macOS Catalina versions antérieures à 10.15.6
Apple	macOS	macOS High Sierra sans le correctif de sécurité 2020-004
Apple	N/A	iPadOS versions antérieures à 13.6
Apple	macOS	macOS Mojave sans le correctif de sécurité 2020-004
Apple	N/A	tvOS versions antérieures à 13.4.8
Apple	Safari	Safari versions antérieures à 13.1.2
Apple	N/A	watchOS versions antérieures à 6.2.8

References

Title

Publication Time

Tags

Bulletin de sécurité Apple HT211289 du 15 juillet 2020	None	vendor-advisory
Bulletin de sécurité Apple HT211288 du 15 juillet 2020	None	vendor-advisory
Bulletin de sécurité Apple HT211292 du 15 juillet 2020	None	vendor-advisory
Bulletin de sécurité Apple HT211291 du 15 juillet 2020	None	vendor-advisory
Bulletin de sécurité Apple HT211290 du 15 juillet 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "iOS versions ant\u00e9rieures \u00e0 13.6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "macOS Catalina versions ant\u00e9rieures \u00e0 10.15.6",
      "product": {
        "name": "macOS",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "macOS High Sierra sans le correctif de s\u00e9curit\u00e9 2020-004",
      "product": {
        "name": "macOS",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "iPadOS versions ant\u00e9rieures \u00e0 13.6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "macOS Mojave sans le correctif de s\u00e9curit\u00e9 2020-004",
      "product": {
        "name": "macOS",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "tvOS versions ant\u00e9rieures \u00e0 13.4.8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Safari versions ant\u00e9rieures \u00e0 13.1.2",
      "product": {
        "name": "Safari",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "watchOS versions ant\u00e9rieures \u00e0 6.2.8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-9885",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9885"
    },
    {
      "name": "CVE-2020-9878",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9878"
    },
    {
      "name": "CVE-2019-19906",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19906"
    },
    {
      "name": "CVE-2020-9933",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9933"
    },
    {
      "name": "CVE-2020-9870",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9870"
    },
    {
      "name": "CVE-2020-9890",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9890"
    },
    {
      "name": "CVE-2020-9934",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9934"
    },
    {
      "name": "CVE-2020-9910",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9910"
    },
    {
      "name": "CVE-2019-20807",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-20807"
    },
    {
      "name": "CVE-2020-9936",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9936"
    },
    {
      "name": "CVE-2020-9911",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9911"
    },
    {
      "name": "CVE-2020-9865",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9865"
    },
    {
      "name": "CVE-2020-9799",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9799"
    },
    {
      "name": "CVE-2020-9894",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9894"
    },
    {
      "name": "CVE-2020-9895",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9895"
    },
    {
      "name": "CVE-2020-9914",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9914"
    },
    {
      "name": "CVE-2020-9931",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9931"
    },
    {
      "name": "CVE-2020-9866",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9866"
    },
    {
      "name": "CVE-2020-9916",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9916"
    },
    {
      "name": "CVE-2020-9923",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9923"
    },
    {
      "name": "CVE-2019-14899",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-14899"
    },
    {
      "name": "CVE-2020-9912",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9912"
    },
    {
      "name": "CVE-2020-9893",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9893"
    },
    {
      "name": "CVE-2020-9922",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9922"
    },
    {
      "name": "CVE-2020-9862",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9862"
    },
    {
      "name": "CVE-2020-9864",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9864"
    },
    {
      "name": "CVE-2020-9925",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9925"
    },
    {
      "name": "CVE-2020-9913",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9913"
    },
    {
      "name": "CVE-2020-9888",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9888"
    },
    {
      "name": "CVE-2020-9907",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9907"
    },
    {
      "name": "CVE-2020-9917",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9917"
    },
    {
      "name": "CVE-2020-9889",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9889"
    },
    {
      "name": "CVE-2020-9909",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9909"
    },
    {
      "name": "CVE-2020-9891",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9891"
    },
    {
      "name": "CVE-2020-9903",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9903"
    },
    {
      "name": "CVE-2020-9918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9918"
    },
    {
      "name": "CVE-2020-9884",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9884"
    },
    {
      "name": "CVE-2020-9915",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9915"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-452",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-07-20T00:00:00.000000"
    },
    {
      "description": "Ajout de l\u0027identifiant CVE-2020-9922.",
      "revision_date": "2021-04-06T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Apple.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Apple",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT211289 du 15 juillet 2020",
      "url": "https://support.apple.com/en-us/HT211289"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT211288 du 15 juillet 2020",
      "url": "https://support.apple.com/en-us/HT211288"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT211292 du 15 juillet 2020",
      "url": "https://support.apple.com/en-us/HT211292"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT211291 du 15 juillet 2020",
      "url": "https://support.apple.com/en-us/HT211291"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT211290 du 15 juillet 2020",
      "url": "https://support.apple.com/en-us/HT211290"
    }
  ]
}

GHSA-899C-G9FR-8CCX

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2023-01-09 18:30

Details

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-9870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-16T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code.",
  "id": "GHSA-899c-g9fr-8ccx",
  "modified": "2023-01-09T18:30:24Z",
  "published": "2022-05-24T17:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9870"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT211288"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT211289"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT211290"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2020-9870

Vulnerability from fkie_nvd - Published: 2020-10-16 17:15 - Updated: 2024-11-21 05:41

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
product-security@apple.com	https://support.apple.com/HT211288	Vendor Advisory
product-security@apple.com	https://support.apple.com/HT211289	Vendor Advisory
product-security@apple.com	https://support.apple.com/HT211290	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://support.apple.com/HT211288	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://support.apple.com/HT211289	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://support.apple.com/HT211290	Vendor Advisory

Impacted products

Vendor	Product	Version
apple	ipados	*
apple	iphone_os	*
apple	mac_os_x	*
apple	tvos	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "87D68071-5235-4B50-90F0-B55B0C668840",
              "versionEndExcluding": "13.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0639A5DE-4A59-4F10-A0E7-F6B933E44D47",
              "versionEndExcluding": "13.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD0ACF42-C643-4DED-ADF7-4FA29B7578F7",
              "versionEndExcluding": "10.15.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "888463CA-9C67-46B2-B197-DDD3A668F980",
              "versionEndExcluding": "13.4.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code."
    },
    {
      "lang": "es",
      "value": "Se abord\u00f3 un problema l\u00f3gico con una comprobaci\u00f3n mejorada.\u0026#xa0;Este problema es corregido en iOS versi\u00f3n 13.6 y iPadOS versi\u00f3n 13.6, macOS Catalina versi\u00f3n 10.15.6, tvOS 13.4.8.\u0026#xa0;Un atacante con capacidad de escritura en memoria ser capaz de omitir los c\u00f3digos de autenticaci\u00f3n del puntero y ejecutar c\u00f3digo arbitrario"
    }
  ],
  "id": "CVE-2020-9870",
  "lastModified": "2024-11-21T05:41:26.483",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-10-16T17:15:15.653",
  "references": [
    {
      "source": "product-security@apple.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.apple.com/HT211288"
    },
    {
      "source": "product-security@apple.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.apple.com/HT211289"
    },
    {
      "source": "product-security@apple.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.apple.com/HT211290"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.apple.com/HT211288"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.apple.com/HT211289"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.apple.com/HT211290"
    }
  ],
  "sourceIdentifier": "product-security@apple.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2020-49316

Vulnerability from cnvd - Published: 2020-08-29

Title

Apple macOS Catalina Clang组件逻辑缺陷漏洞

Description

Apple macOS Catalina是美国苹果（Apple）公司的一套专为Mac计算机所开发的专用操作系统。 Apple macOS Catalina 10.15.6之前版本中的Clang组件存在安全漏洞。攻击者可利用该漏洞绕过安全限制。

Severity

中

Patch Name

Apple macOS Catalina Clang组件逻辑缺陷漏洞的补丁

Patch Description

Apple macOS Catalina是美国苹果（Apple）公司的一套专为Mac计算机所开发的专用操作系统。 Apple macOS Catalina 10.15.6之前版本中的Clang组件存在安全漏洞。攻击者可利用该漏洞绕过安全限制。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://support.apple.com/zh-cn/HT211289

Reference

https://support.apple.com/zh-cn/HT211289

Impacted products

Name
Apple macOS Catalina <10.15.6

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-9870",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-9870"
    }
  },
  "description": "Apple macOS Catalina\u662f\u7f8e\u56fd\u82f9\u679c\uff08Apple\uff09\u516c\u53f8\u7684\u4e00\u5957\u4e13\u4e3aMac\u8ba1\u7b97\u673a\u6240\u5f00\u53d1\u7684\u4e13\u7528\u64cd\u4f5c\u7cfb\u7edf\u3002\n\nApple macOS Catalina 10.15.6\u4e4b\u524d\u7248\u672c\u4e2d\u7684Clang\u7ec4\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://support.apple.com/zh-cn/HT211289",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-49316",
  "openTime": "2020-08-29",
  "patchDescription": "Apple macOS Catalina\u662f\u7f8e\u56fd\u82f9\u679c\uff08Apple\uff09\u516c\u53f8\u7684\u4e00\u5957\u4e13\u4e3aMac\u8ba1\u7b97\u673a\u6240\u5f00\u53d1\u7684\u4e13\u7528\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\nApple macOS Catalina 10.15.6\u4e4b\u524d\u7248\u672c\u4e2d\u7684Clang\u7ec4\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apple macOS Catalina Clang\u7ec4\u4ef6\u903b\u8f91\u7f3a\u9677\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apple macOS Catalina \u003c10.15.6"
  },
  "referenceLink": "https://support.apple.com/zh-cn/HT211289",
  "serverity": "\u4e2d",
  "submitTime": "2020-08-06",
  "title": "Apple macOS Catalina Clang\u7ec4\u4ef6\u903b\u8f91\u7f3a\u9677\u6f0f\u6d1e"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-9870 (GCVE-0-2020-9870)

VAR-202010-1272

GSD-2020-9870

CERTFR-2020-AVI-452

Solution

CERTFR-2020-AVI-452

Solution

GHSA-899C-G9FR-8CCX

FKIE_CVE-2020-9870

CNVD-2020-49316

Tags

Sightings

Nomenclature