CVE-2020-9967

7.8 HIGH

Denial of Service

📋 TL;DR

CVE-2020-9967 is a kernel memory corruption vulnerability in Apple's XNU network stack that allows remote attackers to cause system crashes or corrupt kernel memory through heap overflow. This affects multiple Apple operating systems including macOS, iOS, iPadOS, tvOS, and watchOS. Attackers can potentially achieve remote code execution or denial of service.

💻 Affected Systems

Products:

macOS
iOS
iPadOS
tvOS
watchOS

Versions: Versions prior to macOS Big Sur 11.0.1, tvOS 14.0, macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, watchOS 7.0, iOS 14.0 and iPadOS 14.0

Operating Systems: macOS, iOS, iPadOS, tvOS, watchOS

Default Config Vulnerable: ⚠️ Yes

Notes: All systems running affected versions with network connectivity are vulnerable by default.

📦 What is this software?

Ipados by Apple

View all CVEs affecting Ipados →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Tvos by Apple

View all CVEs affecting Tvos →

Watchos by Apple

View all CVEs affecting Watchos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote kernel-level code execution leading to complete system compromise, data theft, and persistent backdoor installation.

🟠

Likely Case

Remote denial of service causing system crashes and instability, potentially leading to data loss and service disruption.

🟢

If Mitigated

Limited impact with proper network segmentation and firewalls, potentially only affecting exposed services.

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication via network packets.

🏢 Internal Only: MEDIUM - Requires network access but could be exploited internally via malicious packets.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Public exploit details available via Packet Storm Security. Exploitation requires crafting malicious network packets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Big Sur 11.0.1, tvOS 14.0, macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, watchOS 7.0, iOS 14.0 and iPadOS 14.0

Vendor Advisory: https://support.apple.com/en-us/HT211843

Restart Required: Yes

Instructions:

1. Go to System Preferences > Software Update. 2. Install all available updates. 3. Restart the system when prompted.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected systems from untrusted networks using firewalls and VLANs.

Disable Unnecessary Services

all

Turn off network services not required for operation to reduce attack surface.

🧯 If You Can't Patch

Implement strict network access controls and firewall rules to limit exposure
Monitor systems for unusual network activity and crash reports

🔍 How to Verify

Check if Vulnerable:

Check system version against affected versions list. On macOS: sw_vers -productVersion

Check Version:

macOS: sw_vers -productVersion, iOS/iPadOS: Settings > General > About > Version

Verify Fix Applied:

Verify system version is equal to or newer than patched versions listed in fix_official.patch_version

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
System crash reports
Unexpected system reboots

Network Indicators:

Malformed network packets to vulnerable ports
Unusual network traffic patterns

SIEM Query:

source="kernel" AND ("panic" OR "crash") AND dest_ip IN [affected_systems]

📊 Metadata

CVE ID: CVE-2020-9967

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: April 2, 2021

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/163501/XNU-Network-Stack-Kernel-Heap-Overflow.html Third Party Advisory,VDB Entry
https://support.apple.com/en-us/HT211843 Vendor Advisory
https://support.apple.com/en-us/HT211844 Vendor Advisory
https://support.apple.com/en-us/HT211850 Vendor Advisory
https://support.apple.com/en-us/HT211931 Vendor Advisory
https://support.apple.com/en-us/HT212011 Vendor Advisory
http://packetstormsecurity.com/files/163501/XNU-Network-Stack-Kernel-Heap-Overflow.html Third Party Advisory,VDB Entry
https://support.apple.com/en-us/HT211843 Vendor Advisory
https://support.apple.com/en-us/HT211844 Vendor Advisory
https://support.apple.com/en-us/HT211850 Vendor Advisory
https://support.apple.com/en-us/HT211931 Vendor Advisory
https://support.apple.com/en-us/HT212011 Vendor Advisory