CVE-2020-10003
📋 TL;DR
This vulnerability allows a local attacker to bypass symlink path validation in Apple operating systems, potentially gaining elevated privileges. It affects macOS, iOS, iPadOS, tvOS, and watchOS before specific security updates. Attackers must have local access to the system to exploit this flaw.
💻 Affected Systems
- macOS
- iOS
- iPadOS
- tvOS
- watchOS
📦 What is this software?
Ipados by Apple
Tvos by Apple
Watchos by Apple
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to root/system-level access, allowing complete system compromise and persistence.
Likely Case
Local user gains elevated privileges beyond their normal permissions, potentially accessing sensitive data or modifying system files.
If Mitigated
With proper access controls and patching, impact is limited to denial of service or minimal privilege escalation within user's existing context.
🎯 Exploit Status
Exploit requires local access but is relatively straightforward once local access is obtained. Public disclosure includes technical details that could facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Big Sur 11.0.1, iOS 14.2, iPadOS 14.2, tvOS 14.2, watchOS 7.1
Vendor Advisory: https://support.apple.com/en-us/HT211928
Restart Required: Yes
Instructions:
1. Open System Preferences > Software Update. 2. Install available updates. 3. Restart device when prompted. For iOS/iPadOS: Settings > General > Software Update. For tvOS: Settings > System > Software Updates. For watchOS: iPhone Watch app > General > Software Update.
🔧 Temporary Workarounds
Restrict local user access
allLimit local user accounts and implement strict access controls to reduce attack surface.
Monitor symlink creation
linuxImplement file system monitoring for suspicious symlink creation in sensitive directories.
sudo auditctl -w /etc -p wa -k sensitive_symlinks
sudo auditctl -w /usr -p wa -k sensitive_symlinks
🧯 If You Can't Patch
- Implement strict principle of least privilege for all user accounts
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check OS version: macOS: sw_vers -productVersion, iOS/iPadOS: Settings > General > About > Version, tvOS: Settings > General > About > Version, watchOS: iPhone Watch app > General > About > VersionCheck Version:
macOS: sw_vers -productVersionVerify Fix Applied:
Verify version is equal to or newer than: macOS 11.0.1, iOS 14.2, iPadOS 14.2, tvOS 14.2, watchOS 7.1📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events
- Suspicious symlink creation in system directories
- Failed authorization attempts followed by successful privileged operations
Network Indicators:
- None - local exploitation only
SIEM Query:
source="*audit.log" AND (event_type="SYMLINK" OR event_type="PATH") AND user!="root" AND path IN ("/etc/*", "/usr/*", "/var/*")🔗 References
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://support.apple.com/en-us/HT211928
- https://support.apple.com/en-us/HT211929
- https://support.apple.com/en-us/HT211930
- https://support.apple.com/en-us/HT211931
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://support.apple.com/en-us/HT211928
- https://support.apple.com/en-us/HT211929
- https://support.apple.com/en-us/HT211930
- https://support.apple.com/en-us/HT211931
