Login Sign Up

CVE-2020-9901

7.8 HIGH

📋 TL;DR

CVE-2020-9901 is a privilege escalation vulnerability in Apple's path validation logic for symbolic links. A local attacker could exploit improper symlink sanitization to gain elevated privileges on affected Apple devices. This affects iOS, iPadOS, macOS, and tvOS systems before specific security updates.

💻 Affected Systems

Products:
  • iOS
  • iPadOS
  • macOS
  • tvOS
Versions: Versions before iOS 13.6, iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8
Operating Systems: iOS, iPadOS, macOS, tvOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable; no special configuration required for exploitation.

📦 What is this software?

Ipados by Apple

View all CVEs affecting Ipados →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Tvos by Apple

View all CVEs affecting Tvos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains root privileges, potentially compromising the entire system, accessing sensitive data, and installing persistent malware.

🟠

Likely Case

Local user or malware with limited privileges escalates to higher privileges, enabling further system compromise and data access.

🟢

If Mitigated

With proper patching, the vulnerability is eliminated; with strict access controls, exploitation risk is reduced but not eliminated.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Any local user or malware with local access could potentially exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of symlink manipulation; no public exploit code is documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 13.6, iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8

Vendor Advisory: https://support.apple.com/kb/HT211288

Restart Required: Yes

Instructions:

1. Open Settings app. 2. Go to General > Software Update. 3. Install the available update. 4. Restart the device when prompted.

🔧 Temporary Workarounds

Restrict local user access

all

Limit local user accounts and implement strict access controls to reduce attack surface.

🧯 If You Can't Patch

  • Implement strict user access controls and monitor for suspicious local activity.
  • Isolate affected systems from critical networks and data.

🔍 How to Verify

Check if Vulnerable:

Check the operating system version against affected versions listed in the Apple security advisory.

Check Version:

On macOS: sw_vers -productVersion; On iOS/iPadOS/tvOS: Settings > General > About > Version

Verify Fix Applied:

Verify the device is running iOS 13.6+, iPadOS 13.6+, macOS Catalina 10.15.6+, or tvOS 13.4.8+.

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts in system logs
  • Suspicious symlink creation or manipulation

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Search for events indicating privilege escalation or symlink-related anomalies on Apple devices.

📊 Metadata

CVE ID: CVE-2020-9901
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-59
Published: October 22, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-9901, you might also want to check these:

CVE-2024-37143 10.0

This CVE describes an Improper Link Resolution Before File Access vulnerability in multiple Dell Pow...

Same vulnerability type (CWE-59)
CVE-2024-28185 10.0

CVE-2024-28185 is a critical symlink vulnerability in Judge0 that allows attackers to write arbitrar...

Same vulnerability type (CWE-59)
CVE-2024-48862 9.8

CVE-2024-48862 is a path traversal vulnerability in QNAP's QuLog Center that allows remote attackers...

Same vulnerability type (CWE-59)