CVE-2020-27907 – This is a memory corruption vulnerability in ma... (How to Fix)

Q: What is the severity of CVE-2020-27907?

CVE-2020-27907 has a CVSS score of 7.8 (HIGH). This is a memory corruption vulnerability in macOS kernel that allows an application to execute arbitrary code with kernel privileges. It affects macOS Catalina, Mojave, and Big Sur systems. Successful exploitation gives attackers complete control over the affected system.

📋 TL;DR

This is a memory corruption vulnerability in macOS kernel that allows an application to execute arbitrary code with kernel privileges. It affects macOS Catalina, Mojave, and Big Sur systems. Successful exploitation gives attackers complete control over the affected system.

💻 Affected Systems

Products:

macOS

Versions: macOS Catalina, macOS Mojave, macOS Big Sur (pre-fix versions)

Operating Systems: macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected macOS versions are vulnerable.

📦 What is this software?

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with kernel-level persistence, data theft, and ability to bypass all security controls.

🟠

Likely Case

Local privilege escalation allowing malware to gain kernel privileges and establish persistence.

🟢

If Mitigated

Limited impact if systems are fully patched and have proper endpoint protection.

🌐 Internet-Facing: LOW (requires local access or malicious application execution)

🏢 Internal Only: MEDIUM (requires local access, but internal users could exploit)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access or ability to run malicious application. No public exploit code known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Big Sur 11.0.1

Vendor Advisory: https://support.apple.com/en-us/HT211931

Restart Required: Yes

Instructions:

1. Open System Preferences > Software Update. 2. Install available security updates. 3. Restart when prompted.

🔧 Temporary Workarounds

Application Control

all

Restrict execution of untrusted applications using MDM or endpoint security tools.

🧯 If You Can't Patch

Implement strict application allowlisting to prevent execution of untrusted code.
Use network segmentation to isolate vulnerable systems and limit lateral movement.

🔍 How to Verify

Check if Vulnerable:

Check macOS version: System Preferences > About This Mac. If version is older than patched versions listed, system is vulnerable.

Check Version:

sw_vers

Verify Fix Applied:

Verify macOS version matches patched versions: Big Sur 11.1+, Catalina with Security Update 2020-001, Mojave with Security Update 2020-007.

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
Unexpected kernel extensions loading
Processes running with root privileges from unusual locations

Network Indicators:

Unusual outbound connections from kernel processes

SIEM Query:

Process creation events where parent process is kernel_task or processes gaining root privileges unexpectedly

📊 Metadata

CVE ID: CVE-2020-27907

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: April 2, 2021

Last Updated: November 21, 2024

🔗 References

https://support.apple.com/en-us/HT211931 Vendor Advisory
https://support.apple.com/en-us/HT212011 Vendor Advisory
https://support.apple.com/en-us/HT211931 Vendor Advisory
https://support.apple.com/en-us/HT212011 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-27907, you might also want to check these: