CVE-2020-27938

7.8 HIGH

📋 TL;DR

CVE-2020-27938 is a privilege escalation vulnerability in macOS that allows malicious applications to gain elevated system privileges. This affects macOS Catalina, Mojave, and Big Sur systems. Attackers could exploit this to bypass security restrictions and execute arbitrary code with higher privileges.

💻 Affected Systems

Products:
  • macOS
Versions: macOS Catalina, macOS Mojave, macOS Big Sur (pre-fix versions)
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All standard macOS installations of affected versions are vulnerable. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where an attacker gains root privileges, installs persistent malware, accesses sensitive data, and controls the entire system.

🟠 Likely Case

Local privilege escalation allowing malware to bypass sandbox restrictions, install additional payloads, or access protected system resources.

🟢 If Mitigated

Limited impact if proper application sandboxing and least privilege principles are enforced, though the vulnerability still provides a foothold for further exploitation.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring user interaction to run malicious applications.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to escalate privileges on compromised endpoints.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user to execute malicious application. Apple has addressed this in security updates.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave

Vendor Advisory: https://support.apple.com/en-us/HT212011

Restart Required: Yes

Instructions:

1. Open System Preferences > Software Update.
2. Install available security updates.
3. Restart the system when prompted.

🔧 Temporary Workarounds

Application Restriction

Applies to: all

Restrict execution of untrusted applications using Gatekeeper and application whitelisting:

# Turn Gatekeeper assessment on (no effect if it is already enabled)
sudo spctl --master-enable
# Re-enable the built-in rule that allows Developer ID-signed software
sudo spctl --enable --label "Developer ID"

🧯 If You Can't Patch

  • Implement strict application control policies to prevent execution of untrusted applications
  • Use endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the macOS version: if the system runs Catalina, Mojave, or Big Sur without the security updates listed above, it is vulnerable.

Check Version:

sw_vers

Verify Fix Applied:

Verify macOS version is updated to patched versions: Big Sur 11.2+, Catalina with Security Update 2021-001+, Mojave with Security Update 2021-001+
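Added example (not from the advisory or from Apple): a POSIX shell function that applies the thresholds above to a ProductVersion string. On a live Mac the version comes from `sw_vers -productVersion`; for Catalina and Mojave the point release alone does not show the fix, so the function also takes the names of installed security updates, assumed here to be read from `softwareupdate --history`.

```shell
#!/bin/sh
# cve_2020_27938_status VERSION [UPDATE_HISTORY]
# Prints one of: patched, vulnerable, not_listed
# Thresholds follow the "Verify Fix Applied" section: Big Sur 11.2+,
# Catalina/Mojave with Security Update 2021-001 or later.
cve_2020_27938_status() {
    version=$1
    history=${2:-}
    major=${version%%.*}
    rest=${version#*.}
    if [ "$rest" = "$version" ]; then
        minor=0                # bare "11" carries no minor component
    else
        minor=${rest%%.*}
    fi

    case "$major.$minor" in
        11.*)
            # Big Sur: fixed from 11.2 onward
            if [ "$minor" -ge 2 ]; then echo patched; else echo vulnerable; fi ;;
        10.15|10.14)
            # Catalina / Mojave: look for a "Security Update YYYY-NNN" entry
            # dated 2021 or later in the supplied update history
            if printf '%s\n' "$history" | grep -Eq 'Security Update 202[1-9]-[0-9]{3}'; then
                echo patched
            else
                echo vulnerable
            fi ;;
        *)
            # Not one of the releases the advisory lists
            echo not_listed ;;
    esac
}

# Live check on macOS only; elsewhere the function is used with supplied inputs.
# `softwareupdate --history` as the source of installed updates is an assumption.
if command -v sw_vers >/dev/null 2>&1; then
    cve_2020_27938_status "$(sw_vers -productVersion)" \
        "$(softwareupdate --history 2>/dev/null || true)"
fi
```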

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events in system logs
  • Suspicious application execution with elevated privileges

Network Indicators:

  • Unusual outbound connections following local privilege escalation

SIEM Query:

source="macos_system_logs" AND (event="privilege_escalation" OR process="sudo" OR process="su") AND user!="authorized_user"
