CVE-2020-9859
📋 TL;DR
A malicious application running on an Apple device can exploit a bug in the kernel's memory management (Apple describes it as a memory consumption issue fixed with improved memory handling) to execute arbitrary code with kernel privileges, which means full control of the device. The attack vector is local: the attacker's code must already be running on the device as an app. It affects iOS, iPadOS, macOS, tvOS and watchOS before the patched versions listed under Fix & Mitigation.
💻 Affected Systems
- iOS
- iPadOS
- macOS
- tvOS
- watchOS
📦 What is this software?
iOS by Apple
iPadOS by Apple
macOS by Apple
tvOS by Apple
watchOS by Apple
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with kernel-level access, allowing attackers to install persistent malware, steal sensitive data, or disable security controls.
Likely Case
A sideloaded or enterprise-signed app used in targeted attacks against specific users or organizations to gain kernel privileges and access to protected system resources; device owners also used the same bug to jailbreak their own devices, which strips the platform's integrity protections.
If Mitigated
Limited impact if devices are fully patched and running with standard security configurations and app restrictions.
🎯 Exploit Status
Exploitation requires the attacker's app to be installed and run on the device (local attack vector; there is no remote trigger without a separate vulnerability). A working exploit was public before the fix: the unc0ver 5.0.0 jailbreak used this bug, and Apple patched it within days. CISA lists CVE-2020-9859 in its Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: iOS 13.5.1, iPadOS 13.5.1, macOS Catalina 10.15.5 Supplemental Update, tvOS 13.4.6, watchOS 6.2.6
Vendor Advisory: https://support.apple.com/HT211214
Restart Required: Yes
Instructions:
1. iOS/iPadOS: Settings > General > Software Update, then download and install.
2. macOS Catalina: Apple menu > System Preferences > Software Update, then install the 10.15.5 Supplemental Update (or any later macOS release).
3. tvOS: Settings > System > Software Updates > Update Software.
4. watchOS: on the paired iPhone, open the Watch app > General > Software Update (the watch must be on its charger and within range of the iPhone).
5. Restart when prompted; the fix is not active until the device boots the new kernel.
🔧 Temporary Workarounds
Restrict App Installation
Only allow apps from the App Store. The bug needs an attacker-controlled app running on the device, so blocking sideloading closes the practical attack path.
Settings > General > Profiles & Device Management (shown as "Device Management" on some builds): remove any enterprise developer profile you do not recognise and do not tap Trust on new ones. On managed devices, push an MDM Restrictions profile with allowEnterpriseAppTrust set to false so users cannot trust enterprise certificates at all.
Enable Automatic Updates
Configure devices to download and install security updates automatically
Settings > General > Software Update > Automatic Updates (from iOS 13.6 the toggle is split into 'Download iOS Updates' and 'Install iOS Updates'; enable both)
🧯 If You Can't Patch
- Isolate affected devices from critical networks and sensitive data
- Implement strict application control policies to prevent installation of untrusted applications
🔍 How to Verify
Check if Vulnerable:
Compare the installed OS version with the fixed versions below; every release before them is affected.
Check Version:
iOS/iPadOS: Settings > General > About > Software Version; macOS: Apple menu > About This Mac > Overview (click the version number to reveal the build), or run `sw_vers -buildVersion` in Terminal; tvOS: Settings > General > About; watchOS: on the watch, Settings > General > About, or the Watch app on the paired iPhone
Verify Fix Applied:
Verify the version is equal to or greater than: iOS/iPadOS 13.5.1, tvOS 13.4.6, watchOS 6.2.6. On macOS the Supplemental Update does not change the marketing version, so a Mac reporting 10.15.5 can be in either state: check the build, which is 19F96 before the Supplemental Update and 19F101 after it. macOS 10.15.6 and later include the fix.
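To run the same check across a fleet instead of device by device, the following is an added Python example written for this page (it is not Apple or MDM vendor tooling). It grades rows of an MDM inventory export against the fixed versions from HT211214 and handles the macOS case explicitly: a Mac on 10.15.5 is judged by its build number, and a 10.15.5 row with no build is reported as unknown rather than guessed. The CSV column names (device_id, platform, os_version, build) and the sample rows are assumptions; rename the columns to match your MDM's export.

```python
"""Audit an MDM inventory export for devices still exposed to CVE-2020-9859.

Added example for this page; not Apple or MDM vendor tooling. Fixed versions
come from Apple advisory HT211214. Column names are an assumption.
"""
import csv
import io
import re

# Minimum fixed marketing version per platform (HT211214).
FIXED_VERSION = {
    "iOS": (13, 5, 1),
    "iPadOS": (13, 5, 1),
    "tvOS": (13, 4, 6),
    "watchOS": (6, 2, 6),
    "macOS": (10, 15, 5),
}

# The macOS fix shipped as the "10.15.5 Supplemental Update": same marketing
# version, new build. 19F96 is plain 10.15.5, 19F101 is the fixed build.
MACOS_FIXED_BUILD = "19F101"


def parse_version(text):
    """'13.5' -> (13, 5, 0); missing components count as zero."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not nums:
        raise ValueError(f"not a version string: {text!r}")
    return tuple((nums + [0, 0, 0])[:3])


def parse_build(text):
    """Apple build '19F101' -> (19, 'F', 101, '') so builds compare in order."""
    m = re.fullmatch(r"(\d+)([A-Z])(\d+)([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"not an Apple build number: {text!r}")
    return (int(m.group(1)), m.group(2), int(m.group(3)), m.group(4))


def status(platform, version, build=None):
    """Return 'vulnerable', 'patched' or 'unknown' for one device."""
    if platform not in FIXED_VERSION:
        return "unknown"
    installed = parse_version(version)
    fixed = FIXED_VERSION[platform]
    if platform == "macOS" and installed < (10, 15, 0):
        return "unknown"  # pre-Catalina releases are not covered by HT211214
    if installed < fixed:
        return "vulnerable"
    if installed > fixed:
        return "patched"
    if platform != "macOS":
        return "patched"  # exact fixed version on iOS/iPadOS/tvOS/watchOS
    # macOS 10.15.5: only the build number separates the two states.
    if not build:
        return "unknown"
    if parse_build(build) >= parse_build(MACOS_FIXED_BUILD):
        return "patched"
    return "vulnerable"


def audit(csv_text):
    """Map device_id -> status for every row of an inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {
        r["device_id"]: status(r["platform"], r["os_version"], r.get("build") or None)
        for r in rows
    }


# Constructed sample inventory (not real devices). Builds other than the
# macOS ones are left blank because they do not affect the verdict.
SAMPLE_INVENTORY = """device_id,platform,os_version,build
ipad-01,iPadOS,13.5,
iphone-02,iOS,13.5.1,
mac-03,macOS,10.15.5,19F96
mac-04,macOS,10.15.5,19F101
mac-05,macOS,10.15.5,
mac-06,macOS,10.15.6,
tv-07,tvOS,13.4.5,
watch-08,watchOS,6.2.6,
"""

if __name__ == "__main__":
    for device, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{device:10} {verdict}")
```

Treat every "unknown" as a ticket: either the inventory is missing the build column for Macs, or the device runs an OS the advisory does not cover and needs a manual decision.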
📡 Detection & Monitoring
The exploit is a local app attacking the kernel, so the exploit itself has no network signature; detection rests on device inventory, app provenance and crash telemetry.
Log Indicators:
- Devices whose reported OS version or build is below the fixed release in MDM inventory (a Mac on 10.15.5 without build 19F101 counts as unpatched)
- Kernel panic reports on devices where a sideloaded or enterprise-signed app was recently launched; failed attempts at a kernel memory-corruption exploit typically end in a panic (iOS: Settings > Privacy > Analytics & Improvements > Analytics Data, files named panic-full-*; macOS: /Library/Logs/DiagnosticReports)
- MDM compliance flags for jailbroken devices, and apps installed outside the App Store or your allowlist
Network Indicators:
- Unusual outbound connections from system processes
- Traffic to known malicious domains from elevated processes
SIEM Query:
Field names are placeholders to map onto your MDM or log schema; the inventory check is the one that reliably fires:
source="mdm_inventory" AND platform="macOS" AND os_version="10.15.5" AND NOT build="19F101"
source="mdm_inventory" AND ((platform="iOS" OR platform="iPadOS") AND os_version<"13.5.1")