CVE-2020-9907
Published: 16 October 2020
Summary
CVE-2020-9907 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple iPadOS. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 33.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Deeper analysis
A memory corruption vulnerability, tracked as CVE-2020-9907 and assigned CWE-787, affected iOS prior to 13.6, iPadOS prior to 13.6, and tvOS prior to 13.4.8. The flaw was resolved by removing the vulnerable code path, preventing an application from triggering out-of-bounds writes that could corrupt kernel memory.
An attacker who can persuade a user to run a malicious application on an affected device may exploit the issue to achieve arbitrary code execution with kernel privileges. The CVSS 7.8 vector indicates a local attack vector, low attack complexity, no privileges required, and user interaction required, resulting in full confidentiality, integrity, and availability impact within the kernel.
Apple security advisories HT211288 and HT211290 detail the affected platforms and confirm the fixes shipped in the cited releases. The entry also appears in CISA's Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30686
Vulnerability details
A memory corruption issue was addressed by removing the vulnerable code. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8. An application may be able to execute arbitrary code with kernel privileges.
- CWE(s): CWE-787
- KEV Date Added: 27 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-16 (Memory Protection): Directly enforces memory protection mechanisms that block the out-of-bounds writes and kernel memory corruption exploited by CVE-2020-9907.
- SC-39 (Process Isolation): Enforces process isolation between user-space applications and the kernel address space, preventing the local arbitrary-code-execution path described in the CVE.
- Flaw remediation: Requires timely application of patches that remove the vulnerable code path, directly addressing the flaw fixed in iOS 13.6 / iPadOS 13.6 / tvOS 13.4.8.