CVE-2020-3855

7.1 HIGH

📋 TL;DR

This macOS vulnerability allows malicious applications to overwrite arbitrary files on the system. It affects macOS High Sierra, Mojave, and Catalina before specific security updates. Users who haven't applied Apple's security updates are vulnerable to file system manipulation by untrusted applications.

💻 Affected Systems

Products:
  • macOS
Versions: macOS High Sierra 10.13.x, macOS Mojave 10.14.x, macOS Catalina 10.15.0-10.15.2
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected macOS versions are vulnerable. Requires user to install/run malicious application.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through overwriting critical system files, privilege escalation, or persistent malware installation.

🟠 Likely Case: Data destruction, configuration tampering, or installation of malicious payloads by user-downloaded malicious applications.

🟢 If Mitigated: Limited impact if only trusted applications from the App Store are installed and proper file permissions are enforced.

🌐 Internet-Facing: LOW - Requires local application execution, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Malicious applications could be distributed internally or downloaded by users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user to execute malicious application. No public exploit code available. Apple addressed before widespread exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra

Vendor Advisory: https://support.apple.com/en-us/HT210919

Restart Required: Yes

Instructions:

1. Open System Preferences > Software Update.
2. Install the available security updates.
3. Restart when prompted.
4. Verify the update is installed via About This Mac > System Report.

🔧 Temporary Workarounds

Application Restriction (all affected versions): Only install applications from the App Store or from identified developers, as configured in System Preferences > Security & Privacy.

Gatekeeper Enforcement (all affected versions): Ensure Gatekeeper is enabled to block unsigned applications:

sudo spctl --master-enable

🧯 If You Can't Patch

  • Implement application allowlisting to only permit trusted applications
  • Enforce principle of least privilege and monitor for unexpected file modifications

🔍 How to Verify

Check if Vulnerable:

Check the macOS version under About This Mac > Overview. If the version is High Sierra 10.13.x, Mojave 10.14.x, or Catalina 10.15.0-10.15.2 without the corresponding security update, the system is vulnerable.

Check Version:

sw_vers

Verify Fix Applied:

Verify macOS version is Catalina 10.15.3 or later, or that Security Update 2020-001 is installed for Mojave/High Sierra.
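The version check above, scripted as an added example (not Apple's tooling and not part of this advisory): `assess_version` applies the advisory's fixed-version rules to a version string, and `check_this_host` feeds it the live `sw_vers` output. It assumes that Security Update 2020-001 appears under that display name in `system_profiler SPInstallHistoryDataType` on Mojave and High Sierra.

```shell
#!/bin/sh
# Classify a macOS product version against the CVE-2020-3855 fix levels.
#   $1 = version string such as 10.15.2
#   $2 = "yes" if Security Update 2020-001 is installed (Mojave/High Sierra only)
# Prints one of: vulnerable | patched | not-affected
assess_version() {
  ver="$1"; su_installed="${2:-no}"
  major=$(printf '%s' "$ver" | cut -d. -f1)
  minor=$(printf '%s' "$ver" | cut -d. -f2)
  patch=$(printf '%s' "$ver" | cut -d. -f3)
  patch="${patch:-0}"            # "10.15" means 10.15.0
  case "$major.$minor" in
    10.15)                       # Catalina: fixed in 10.15.3
      if [ "$patch" -ge 3 ]; then echo patched; else echo vulnerable; fi ;;
    10.13|10.14)                 # High Sierra / Mojave: fixed by Security Update 2020-001
      if [ "$su_installed" = yes ]; then echo patched; else echo vulnerable; fi ;;
    *)                           # outside the advisory's affected range
      echo not-affected ;;
  esac
}

# Inspect the host this script runs on (macOS only).
check_this_host() {
  [ "$(uname -s)" = Darwin ] || { echo "not macOS: nothing to check"; return 2; }
  ver=$(sw_vers -productVersion)
  su=no
  # Assumption: the install history lists the update by its display name.
  if system_profiler SPInstallHistoryDataType 2>/dev/null | grep -q 'Security Update 2020-001'; then
    su=yes
  fi
  printf '%s (Security Update 2020-001 installed: %s) -> %s\n' \
    "$ver" "$su" "$(assess_version "$ver" "$su")"
}

# Usage: sh check_cve_2020_3855.sh --run
if [ "${1:-}" = "--run" ]; then check_this_host; fi
```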

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file modifications in system directories
  • Application installation from untrusted sources

Network Indicators:

  • Downloads of suspicious macOS applications

SIEM Query:

source="macos" AND ((event="file_modification" AND path IN ("/System/*", "/Library/*", "/etc/*")) OR (event="app_install" AND developer!="Apple" AND developer!="identified"))
