CVE-2020-9972 – This vulnerability allows arbitrary code execut... (How to Fix)

Q: What is the severity of CVE-2020-9972?

CVE-2020-9972 has a CVSS score of 7.8 (HIGH). This vulnerability allows arbitrary code execution or application crashes when processing malicious USD files on Apple devices. It affects iOS and iPadOS users who open untrusted USD files. Attackers could exploit this to take control of affected devices.

📋 TL;DR

This vulnerability allows arbitrary code execution or application crashes when processing malicious USD files on Apple devices. It affects iOS and iPadOS users who open untrusted USD files. Attackers could exploit this to take control of affected devices.

💻 Affected Systems

Products:

iPhone
iPad
iPod touch

Versions: iOS and iPadOS versions before 14.0

Operating Systems: iOS, iPadOS

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running vulnerable iOS/iPadOS versions are affected when processing USD files.

📦 What is this software?

Ipad Os by Apple

View all CVEs affecting Ipad Os →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Tvos by Apple

View all CVEs affecting Tvos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data theft, and persistent access.

🟠

Likely Case

Application crashes (denial of service) when processing malicious files, with potential for limited code execution.

🟢

If Mitigated

No impact if devices are patched or don't process untrusted USD files.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction to open malicious USD file. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 14.0, iPadOS 14.0

Vendor Advisory: https://support.apple.com/en-us/HT211850

Restart Required: Yes

Instructions:

1. Go to Settings > General > Software Update. 2. Download and install iOS/iPadOS 14.0 or later. 3. Restart device after installation completes.

🔧 Temporary Workarounds

Disable USD file processing

all

Prevent opening USD files from untrusted sources

User education

all

Train users not to open USD files from unknown sources

🧯 If You Can't Patch

Restrict USD file processing to trusted sources only
Implement application whitelisting to block USD file execution

🔍 How to Verify

Check if Vulnerable:

Check iOS/iPadOS version in Settings > General > About > Version

Check Version:

Settings > General > About > Version

Verify Fix Applied:

Verify version is 14.0 or higher in Settings > General > About > Version

📡 Detection & Monitoring

Log Indicators:

Application crashes related to USD file processing
Unexpected process terminations

Network Indicators:

Downloads of USD files from untrusted sources

SIEM Query:

Process termination events with USD-related applications on iOS/iPadOS devices

📊 Metadata

CVE ID: CVE-2020-9972

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-120

Published: December 8, 2020

Last Updated: November 21, 2024

🔗 References

https://support.apple.com/en-us/HT211850 Vendor Advisory
https://support.apple.com/kb/HT212003 Vendor Advisory
https://support.apple.com/kb/HT212005 Vendor Advisory
https://support.apple.com/kb/HT212011 Vendor Advisory
https://support.apple.com/en-us/HT211850 Vendor Advisory
https://support.apple.com/kb/HT212003 Vendor Advisory
https://support.apple.com/kb/HT212005 Vendor Advisory
https://support.apple.com/kb/HT212011 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-9972, you might also want to check these: