CVE-2020-9847

8.6 HIGH

📋 TL;DR

CVE-2020-9847 is an out-of-bounds read vulnerability in macOS that allows malicious applications to potentially escape their sandbox restrictions. This affects macOS systems prior to Catalina 10.15.5. Attackers could leverage this to gain unauthorized access to system resources.

💻 Affected Systems

Products:
  • macOS
Versions: All versions prior to macOS Catalina 10.15.5
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default macOS configurations are vulnerable. The vulnerability is in the macOS kernel/sandbox implementation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious application could fully escape the macOS sandbox, gaining unauthorized access to sensitive system files, user data, and potentially executing arbitrary code with elevated privileges.

🟠 Likely Case

Malicious applications could bypass sandbox restrictions to access restricted files or system resources they shouldn't have access to, potentially leading to data theft or further system compromise.

🟢 If Mitigated

With proper application vetting and security controls, the risk is limited to untrusted applications that manage to bypass macOS Gatekeeper protections.

🌐 Internet-Facing: LOW - Exploitation requires running an application locally; the flaw is not directly exploitable over the network.
🏢 Internal Only: MEDIUM - Risk exists where users can install untrusted applications, but local code execution is still required.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a malicious application to be installed and executed on the target system. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Catalina 10.15.5 or later

Vendor Advisory: https://support.apple.com/HT211170

Restart Required: Yes

Instructions:

1. Open System Preferences > Software Update.
2. Install the macOS Catalina 10.15.5 update.
3. Restart the system when prompted.

🔧 Temporary Workarounds

Restrict Application Installation

Configure macOS Gatekeeper to only allow apps from the App Store and identified developers

sudo spctl --master-enable
sudo spctl --enable

Disable Automatic App Opening

Ensure apps downloaded from unidentified developers are quarantined and assessed by Gatekeeper before they are opened (LSQuarantine is enabled by default; this command restores that setting if it has been turned off)

defaults write com.apple.LaunchServices LSQuarantine -bool true

🧯 If You Can't Patch

  • Implement strict application control policies to prevent installation of untrusted applications
  • Use endpoint detection and response (EDR) solutions to monitor for sandbox escape attempts

🔍 How to Verify

Check if Vulnerable:

Check the macOS version: if the system is running a release earlier than macOS Catalina 10.15.5, it is vulnerable.

Check Version:

sw_vers

Verify Fix Applied:

Verify that the macOS version reported by the 'sw_vers' command is 10.15.5 or later.
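The version check above can be scripted so it compares each dotted field numerically (10.15.10 must count as newer than 10.15.5). This is an added example, not part of the advisory; it assumes the version string contains only numeric fields, as 'sw_vers -productVersion' reports on release builds.

```shell
#!/bin/sh
# Added example: decide whether a macOS productVersion string is still
# affected by CVE-2020-9847, i.e. older than the fixed release 10.15.5.
# Fields are compared numerically, so 10.15.10 > 10.15.5 and 10.14.6 < 10.15.5.

FIXED_VERSION="10.15.5"   # first release containing the fix (from the advisory)

# version_lt A B : exit 0 if A is strictly older than B, field by field.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Leading field of each version; a missing field counts as 0.
        af=${a%%.*}; bf=${b%%.*}
        af=${af:-0};  bf=${bf:-0}
        [ "$af" -lt "$bf" ] && return 0
        [ "$af" -gt "$bf" ] && return 1
        # Drop the leading field; once no dot remains the string is consumed.
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1   # equal versions are not strictly older
}

# check_cve_2020_9847 VERSION : prints "vulnerable" or "patched".
check_cve_2020_9847() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Live check when run on a Mac; does nothing where sw_vers is absent.
if command -v sw_vers >/dev/null 2>&1; then
    current=$(sw_vers -productVersion)
    echo "macOS $current: $(check_cve_2020_9847 "$current")"
fi
```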

📡 Detection & Monitoring

Log Indicators:

  • Unusual sandbox violation logs in system.log
  • Applications attempting to access restricted system paths

Network Indicators:

  • None - local exploitation only

SIEM Query:

source="system.log" AND "sandbox" AND "violation" AND process="kernel"
