Login Sign Up

CVE-2020-9900

7.8 HIGH

📋 TL;DR

This vulnerability allows a local attacker to bypass symlink path validation, potentially gaining elevated privileges on affected Apple devices. It affects iOS, iPadOS, macOS, tvOS, and watchOS before specific patched versions. The attacker must already have local access to the system.

💻 Affected Systems

Products:
  • iOS
  • iPadOS
  • macOS
  • tvOS
  • watchOS
Versions: Versions before iOS 13.6, iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8
Operating Systems: Apple iOS, Apple iPadOS, Apple macOS, Apple tvOS, Apple watchOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. No special configuration required.

📦 What is this software?

Ipados by Apple

View all CVEs affecting Ipados →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Tvos by Apple

View all CVEs affecting Tvos →

Watchos by Apple

View all CVEs affecting Watchos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation to root/system-level access, allowing complete system compromise and persistence.

🟠

Likely Case

Local user gains elevated privileges beyond their normal permissions, potentially accessing sensitive data or modifying system files.

🟢

If Mitigated

Attack fails due to proper path sanitization in patched systems or lack of local access.

🌐 Internet-Facing: LOW - Requires local access, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Insider threat or compromised local account could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and knowledge of symlink manipulation. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 13.6, iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8

Vendor Advisory: https://support.apple.com/kb/HT211288

Restart Required: Yes

Instructions:

1. Open Settings app. 2. Go to General > Software Update. 3. Download and install the latest available update. 4. Restart device when prompted.

🔧 Temporary Workarounds

Restrict local user access

all

Limit local user accounts and implement least privilege principles to reduce attack surface.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for suspicious local activity.
  • Segment networks to limit lateral movement if local account is compromised.

🔍 How to Verify

Check if Vulnerable:

Check system version against affected versions list. On macOS: System Preferences > About This Mac. On iOS/iPadOS: Settings > General > About.

Check Version:

macOS: sw_vers -productVersion; iOS/iPadOS: Settings > General > About > Version

Verify Fix Applied:

Verify system version is equal to or newer than patched versions listed in fix_official.patch_version.

📡 Detection & Monitoring

Log Indicators:

  • Unusual symlink creation/modification events
  • Privilege escalation attempts in system logs

Network Indicators:

  • Not applicable - local-only vulnerability

SIEM Query:

source="*system.log*" AND ("symlink" OR "privilege") AND ("escalation" OR "elevation")

📊 Metadata

CVE ID: CVE-2020-9900
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-59
Published: October 22, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-9900, you might also want to check these:

CVE-2024-37143 10.0

This CVE describes an Improper Link Resolution Before File Access vulnerability in multiple Dell Pow...

Same vulnerability type (CWE-59)
CVE-2024-28185 10.0

CVE-2024-28185 is a critical symlink vulnerability in Judge0 that allows attackers to write arbitrar...

Same vulnerability type (CWE-59)
CVE-2024-48862 9.8

CVE-2024-48862 is a path traversal vulnerability in QNAP's QuLog Center that allows remote attackers...

Same vulnerability type (CWE-59)