CVE-2020-9960

7.8 HIGH

Remote Code Execution

📋 TL;DR

CVE-2020-9960 is an out-of-bounds read vulnerability in Apple's audio file processing that could allow arbitrary code execution when processing malicious audio files. This affects macOS, iOS, iPadOS, tvOS, and watchOS users running vulnerable versions. Attackers could potentially gain control of affected devices.

💻 Affected Systems

Products:

macOS
iOS
iPadOS
tvOS
watchOS

Versions: Versions prior to macOS Big Sur 11.0.1, tvOS 14.0, macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, watchOS 7.0, iOS 14.0 and iPadOS 14.0

Operating Systems: macOS, iOS, iPadOS, tvOS, watchOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Ipados by Apple

View all CVEs affecting Ipados →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Tvos by Apple

View all CVEs affecting Tvos →

Watchos by Apple

View all CVEs affecting Watchos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining root privileges and persistent access to the device.

🟠

Likely Case

Application crash or limited code execution within the audio processing context, potentially leading to data theft or further exploitation.

🟢

If Mitigated

Denial of service from application crash if exploit fails or is partially mitigated.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious audio file, but could be delivered via web, email, or messaging.

🏢 Internal Only: LOW - Still requires user interaction with malicious file, though internal file shares could facilitate distribution.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction to open malicious audio file. No public exploit code available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Big Sur 11.0.1, tvOS 14.0, macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, watchOS 7.0, iOS 14.0 and iPadOS 14.0

Vendor Advisory: https://support.apple.com/en-us/HT211843

Restart Required: Yes

Instructions:

1. Open System Preferences > Software Update. 2. Install all available updates. 3. Restart device when prompted.

🔧 Temporary Workarounds

Disable automatic audio file processing

all

Prevent automatic processing of audio files in web browsers and email clients

User education

all

Train users not to open audio files from untrusted sources

🧯 If You Can't Patch

Implement application whitelisting to block unauthorized audio processing applications
Deploy endpoint detection and response (EDR) to monitor for suspicious audio file processing

🔍 How to Verify

Check if Vulnerable:

Check system version against affected versions list. On macOS: sw_vers -productVersion

Check Version:

macOS: sw_vers -productVersion, iOS/iPadOS: Settings > General > About > Version

Verify Fix Applied:

Verify system version matches or exceeds patched versions listed in vendor advisory

📡 Detection & Monitoring

Log Indicators:

Application crashes in audio processing components
Unusual audio file processing from untrusted locations

Network Indicators:

Downloads of audio files from suspicious sources
Unusual outbound connections after audio file processing

SIEM Query:

source="endpoint" event_type="process" process_name IN ("afconvert", "CoreAudio", "audio") AND file_path="*.mp3" OR file_path="*.m4a" OR file_path="*.aac"

📊 Metadata

CVE ID: CVE-2020-9960

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-125

Published: April 2, 2021

Last Updated: November 21, 2024

🔗 References

https://support.apple.com/en-us/HT211843 Vendor Advisory
https://support.apple.com/en-us/HT211844 Vendor Advisory
https://support.apple.com/en-us/HT211850 Vendor Advisory
https://support.apple.com/en-us/HT211931 Vendor Advisory
https://support.apple.com/en-us/HT212011 Vendor Advisory
https://support.apple.com/en-us/HT211843 Vendor Advisory
https://support.apple.com/en-us/HT211844 Vendor Advisory
https://support.apple.com/en-us/HT211850 Vendor Advisory
https://support.apple.com/en-us/HT211931 Vendor Advisory
https://support.apple.com/en-us/HT212011 Vendor Advisory